[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

[Moritz Muehlenhoff (@jmm)]

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
916134f6 by Moritz Muehlenhoff at 2024-06-09T16:26:46+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -18,10 +18,14 @@ CVE-2024-4146 (In lunary-ai/lunary version v1.2.13, an improper authorization vu
 	NOT-FOR-US: lunary-ai/lunary
 CVE-2024-37408 (fprintd through 1.94.3 lacks a security attention mechanism, and thus  ...)
 	- fprintd <unfixed> (bug #1072854)
+	[bookworm] - fprintd <no-dsa> (Minor issue)
+	[bullseye] - fprintd <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/05/30/3
 	NOTE: https://lists.freedesktop.org/archives/fprint/2024-May/001231.html
 CVE-2024-37407 (Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP ar ...)
 	- libarchive <unfixed> (bug #1072855)
+	[bookworm] - libarchive <no-dsa> (Minor issue)
+	[bullseye] - libarchive <no-dsa> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/pull/2145
 	NOTE: https://github.com/libarchive/libarchive/commit/b6a979481b7d77c12fa17bbed94576b63bbcb0c0 (v3.7.4)
 CVE-2024-35756 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
@@ -437,6 +441,8 @@ CVE-2023-32475 (Dell BIOS contains a missing support for integrity check vulnera
 	NOT-FOR-US: Dell
 CVE-2022-4968 (netplan leaks the private key of wireguard to local users. A security  ...)
 	- netplan.io <unfixed> (bug #1072789)
+	[bookworm] - netplan.io <no-dsa> (Minor issue)
+	[bullseye] - netplan.io <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/netplan/+bug/1987842
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/2065738
 CVE-2024-5684 (An attacker with access to the private network (the charger is connect ...)
@@ -516,12 +522,16 @@ CVE-2024-5221 (The Qi Blocks plugin for WordPress is vulnerable to Stored Cross-
 	NOT-FOR-US: WordPress plugin
 CVE-2024-5206 (A sensitive data leakage vulnerability was identified in scikit-learn' ...)
 	- scikit-learn <unfixed>
+	[bookworm] - scikit-learn <no-dsa> (Minor issue)
+	[bullseye] - scikit-learn <no-dsa> (Minor issue)
 	NOTE: https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c
 	NOTE: https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8 (1.5.0rc1)
 CVE-2024-5188 (The Essential Addons for Elementor \u2013 Best Elementor Templates, Wi ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-5187 (A vulnerability in the `download_model_with_test_data` function of the ...)
 	- onnx <unfixed>
+	[bookworm] - onnx <no-dsa> (Minor issue)
+	[bullseye] - onnx <no-dsa> (Minor issue)
 	NOTE: https://huntr.com/bounties/50235ebd-3410-4ada-b064-1a648e11237e
 	NOTE: https://github.com/onnx/onnx/pull/6164
 CVE-2024-5186 (A Server-Side Request Forgery (SSRF) vulnerability exists in the file  ...)
@@ -11171,7 +11181,9 @@ CVE-2024-24790 (The various Is methods (IsPrivate, IsLoopback, etc) did not work
 	- golang-1.22 1.22.4-1
 	- golang-1.21 1.21.11-1
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
 	NOTE: https://groups.google.com/g/golang-announce/c/XbxouI9gY7k
 	NOTE: https://github.com/golang/go/issues/67680
@@ -11179,7 +11191,9 @@ CVE-2024-24789 (The archive/zip package's handling of certain types of invalid z
 	- golang-1.22 1.22.4-1
 	- golang-1.21 1.21.11-1
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
 	NOTE: https://groups.google.com/g/golang-announce/c/XbxouI9gY7k
 	NOTE: https://github.com/golang/go/issues/66869
@@ -723798,6 +723812,8 @@ CVE-2004-2387 (Buffer overflow in the HandleCPCCommand function of sercd before
 	- sredird 2.2.1-1.1 (bug #267098)
 CVE-2004-2386 (Format string vulnerability in the LogMsg function in sercd before 2.3 ...)
 	- sredird 2.2.2-0.1 (bug #267098; bug #1072340)
+	[bookworm] - sredird <no-dsa> (Minor issue)
+	[bullseye] - sredird <no-dsa> (Minor issue)
 CVE-2004-2385 (EMU Webmail 5.2.7 allows remote attackers to obtain sensitive path inf ...)
 	NOT-FOR-US: EMU Webmail
 CVE-2004-2384 (NullSoft Winamp 5.02 allows remote attackers to cause a denial of serv ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -49,6 +49,8 @@ php-horde-mime-viewer/oldstable
 --
 php-horde-turba/oldstable
 --
+plasma-workspace
+--
 pymatgen/stable
 --
 python-aiohttp
@@ -74,5 +76,7 @@ ruby-tzinfo/oldstable
 --
 squid
 --
+tinyproxy/oldstable
+--
 zabbix
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/916134f66bbaa906e56a5e220eb1951fbdf977ee

-- 
This project does not include diff previews in email notifications.
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/916134f66bbaa906e56a5e220eb1951fbdf977ee
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240609/fbb8ab60/attachment-0001.htm>