[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun Jul 28 14:12:29 BST 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
523d1e51 by Moritz Muehlenhoff at 2024-07-28T15:11:39+02:00
bookworm/bullseye triage
fix one dnsjava commit reference
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -844,8 +844,10 @@ CVE-2024-26020 (An arbitrary script execution vulnerability exists in the MPV fu
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1993
CVE-2024-25638 (dnsjava is an implementation of DNS in Java. Records in DNS replies ar ...)
- dnsjava <unfixed>
+ [bookworm] - dnsjava <no-dsa> (Minor issue)
+ [bullseye] - dnsjava <no-dsa> (Minor issue)
NOTE: https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw
- NOTE: https://github.com/dnsjava/dnsjava/commit/bc51df1c455e6c9fb7cbd42fcb6d62d16047818d (v3.6.0)
+ NOTE: https://github.com/dnsjava/dnsjava/commit/2073a0cdea2c560465f7ac0cc56f202e6fc39705 (v3.6.0)
CVE-2024-23321 (For RocketMQ versions 5.2.0 and below, under certain conditions, there ...)
NOT-FOR-US: Apache RocketMQ
CVE-2024-21552 (All versions of `SuperAGI` are vulnerable to Arbitrary Code Execution ...)
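Review bot: The NOTE swap keeps the (v3.6.0) tag on the new hash 2073a0cdea2c560465f7ac0cc56f202e6fc39705, but the commit message only says "fix one dnsjava commit reference"; a short reason why bc51df1c455e6c9fb7cbd42fcb6d62d16047818d was wrong, plus confirmation that the new commit is actually reachable from the v3.6.0 tag, would save the next triager from re-deriving it. The bookworm/bullseye no-dsa lines are otherwise consistent with the sid line staying <unfixed>.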
@@ -5775,6 +5777,8 @@ CVE-2024-32229 (FFmpeg 7.0 contains a heap-buffer-overflow at libavfilter/vf_til
NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a528a54ee119dcba47e7c9e30d3a56206fbad416
CVE-2024-32228 (FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a SEGV at libavc ...)
- ffmpeg <unfixed>
+ [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
+ [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
NOTE: https://trac.ffmpeg.org/ticket/10951
NOTE: https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=459648761f5412acdc3317d5bac982ceaa257584
CVE-2024-2819 (Incorrect Default Permissions, Improper Preservation of Permissions vu ...)
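Review bot: The <postponed> reasons "Pick up when fixed in 5.1.x" / "Pick up when fixed in 4.3.x" rely on someone re-checking the upstream stable branches later, even though the fix commit 459648761f5412acdc3317d5bac982ceaa257584 is already linked in the NOTE line; once the 5.1.x / 4.3.x release carrying that commit is known, adding it to the reason makes the entry actionable rather than open-ended.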
@@ -6192,6 +6196,8 @@ CVE-2024-38518 (BigBlueButton is an open-source virtual classroom designed to he
NOT-FOR-US: BigBlueButton
CVE-2019-25211 (parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 mishandle ...)
- golang-github-gin-contrib-cors <unfixed> (bug #1075962)
+ [bookworm] - golang-github-gin-contrib-cors <no-dsa> (Minor issue)
+ [bullseye] - golang-github-gin-contrib-cors <no-dsa> (Minor issue)
NOTE: https://github.com/gin-contrib/cors/pull/57
NOTE: https://github.com/gin-contrib/cors/pull/106
NOTE: https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d (v1.6.0)
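Review bot: "Minor issue" is the only justification for both no-dsa lines, and the CVE description is truncated in the list; since the sid line still reads <unfixed> with bug #1075962 open, one clause on why this is minor for Debian (for instance whether any archive package consumes the affected wildcard handling) would let a later reviewer re-check the decision without redoing the triage.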
@@ -6852,6 +6858,8 @@ CVE-2024-21739 (Geehy APM32F103CCT6, APM32F103RCT6, APM32F103RCT7, and APM32F103
NOT-FOR-US: Geehy
CVE-2024-21520 (Versions of the package djangorestframework before 3.15.2 are vulnerab ...)
- djangorestframework 3.15.2-1
+ [bookworm] - djangorestframework <no-dsa> (Minor issue)
+ [bullseye] - djangorestframework <no-dsa> (Minor issue)
NOTE: https://github.com/encode/django-rest-framework/pull/9435
NOTE: https://github.com/encode/django-rest-framework/commit/3b41f0124194430da957b119712978fa2266b642 (3.15.2)
CVE-2024-6308 (A vulnerability was found in itsourcecode Simple Online Hotel Reservat ...)
@@ -10186,6 +10194,8 @@ CVE-2024-0103 (NVIDIA Triton Inference Server for Linux contains a vulnerability
NOT-FOR-US: NVIDIA
CVE-2024-0102
- nvidia-cuda-toolkit <unfixed> (bug #1076164)
+ [bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+ [bullseye] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5548
CVE-2024-0099 (NVIDIA vGPU software for Linux contains a vulnerability in the Virtual ...)
NOT-FOR-US: NVIDIA
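Review bot: CVE-2024-0102 is the only entry in this hunk with no description in parentheses, unlike CVE-2024-0103 and CVE-2024-0099 around it; if the CVE text is not yet published, a NOTE or TODO saying so would make that explicit, otherwise the description should be filled in to match the file's format. The "Non-free not supported" no-dsa reason is fine as a policy note.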
=====================================
data/DSA/list
=====================================
@@ -49,7 +49,7 @@
[bullseye] - libvpx 1.9.0-1+deb11u3
[bookworm] - libvpx 1.12.0-1+deb12u3
[26 Jun 2024] DSA-5721-1 ffmpeg - security update
- {CVE-2022-48434 CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51798}
+ {CVE-2022-48434 CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51798 CVE-2024-32230}
[bullseye] - ffmpeg 7:4.3.7-0+deb11u1
[25 Jun 2024] DSA-5720-1 chromium - security update
{CVE-2024-6290 CVE-2024-6291 CVE-2024-6292 CVE-2024-6293}
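Review bot: Adding CVE-2024-32230 to the already-published DSA-5721-1 entry implies that the data/CVE/list entry for CVE-2024-32230 must carry a matching [bullseye] ffmpeg 7:4.3.7-0+deb11u1 line; that change is not in this diff, so please confirm it already exists or lands alongside, otherwise the tracker will show the CVE as open in bullseye while the DSA claims it fixed.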
@@ -82,7 +82,7 @@
[bullseye] - libndp 1.6-1+deb11u1
[bookworm] - libndp 1.8-1+deb12u1
[15 Jun 2024] DSA-5712-1 ffmpeg - security update
- {CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 CVE-2023-51798 CVE-2024-31585}
+ {CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 CVE-2023-51798 CVE-2024-31585 CVE-2024-32230}
[bookworm] - ffmpeg 7:5.1.5-0+deb12u1
[15 Jun 2024] DSA-5711-1 thunderbird - security update
{CVE-2024-5688 CVE-2024-5690 CVE-2024-5691 CVE-2024-5693 CVE-2024-5696 CVE-2024-5700 CVE-2024-5702}
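Review bot: Same consistency check for bookworm: DSA-5712-1 now lists CVE-2024-32230, so the CVE/list entry needs the corresponding ffmpeg 7:5.1.5-0+deb12u1 fixed version for bookworm; the ffmpeg hunk earlier in this diff only touches CVE-2024-32228, so that line is not visible here.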
=====================================
data/dsa-needed.txt
=====================================
@@ -52,6 +52,12 @@ nodejs (aron)
nova
Maintainer prepared updates for review
--
+openjdk-11/oldstable (jmm)
+ version in sid needs update first
+--
+openjdk-17 (jmm)
+ version in sid needs update first
+--
opennds/stable
pinged maintainer, but no reply yet. should most probably be bumped to 10.x
--
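Review bot: openjdk-11 is scoped with the /oldstable suffix but openjdk-17 has none; by this file's convention (compare nova with no suffix and opennds/stable) an unsuffixed entry covers both suites, so if openjdk-17 is only pending for one suite the suffix should be added. Both entries share the same "version in sid needs update first" blocker, so it may also be worth noting which sid upload each one is waiting on.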
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/523d1e51aa6923fe8c32f12fa08368ba67673d82