[Git][security-tracker-team/security-tracker][master] 12 commits: Add cyrus-imapd to dla-needed.txt

Markus Koschany (@apo) apo at debian.org
Sun Jun 9 23:00:41 BST 2024



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e1e5c213 by Markus Koschany at 2024-06-10T00:00:08+02:00
Add cyrus-imapd to dla-needed.txt

- - - - -
0dd0b456 by Markus Koschany at 2024-06-10T00:00:08+02:00
Add plasma-workspace to dla-needed.txt

- - - - -
ae5e77e1 by Markus Koschany at 2024-06-10T00:00:08+02:00
CVE-2024-36472,gnome-shell: buster is postponed

This is partly disputed by upstream, as it mostly works as expected. No solution so far.
We already track that in ELTS. If the upstream fix can be backported we can
address this problem at a later point in time.

- - - - -
3f8781a6 by Markus Koschany at 2024-06-10T00:00:09+02:00
CVE-2024-5629,pymongo: link to pull request

- - - - -
e253f694 by Markus Koschany at 2024-06-10T00:00:09+02:00
Add pymongo to dla-needed.txt

Trivial fix.

- - - - -
27ddd9b5 by Markus Koschany at 2024-06-10T00:00:09+02:00
Add nano to dla-needed.txt

- - - - -
7b777f2b by Markus Koschany at 2024-06-10T00:00:09+02:00
CVE-2024-37407,libarchive: buster is not affected

The vulnerable code was introduced later. The tmp_length variable does not
exist. There is a filename_length variable though which could be zero when the
code enters the else statement but the last parameter of the archive_strncat
function is of size_t which means it will always be non-negative.

- - - - -
2907afc8 by Markus Koschany at 2024-06-10T00:00:09+02:00
Add libvpx to dla-needed.txt

- - - - -
2f6666fe by Markus Koschany at 2024-06-10T00:00:09+02:00
Add r-base to dla-needed.txt

- - - - -
9ef1812b by Markus Koschany at 2024-06-10T00:00:09+02:00
CVE-2024-27322,r-base: link to potential fixing commit and patch

- - - - -
c94c2dbc by Markus Koschany at 2024-06-10T00:00:09+02:00
Add php7.3 to dla-needed.txt

- - - - -
7179a78b by Markus Koschany at 2024-06-10T00:00:10+02:00
Add unbound to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -229,6 +229,7 @@ CVE-2024-37407 (Libarchive before 3.7.4 allows name out-of-bounds access when a
 	- libarchive <unfixed> (bug #1072855)
 	[bookworm] - libarchive <no-dsa> (Minor issue)
 	[bullseye] - libarchive <no-dsa> (Minor issue)
+	[buster] - libarchive <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://github.com/libarchive/libarchive/pull/2145
 	NOTE: https://github.com/libarchive/libarchive/commit/b6a979481b7d77c12fa17bbed94576b63bbcb0c0 (v3.7.4)
 CVE-2024-35756 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
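Review bot: the inline reason on the new `[buster]` line, "The vulnerable code was introduced later", is less specific than the commit message, which explains that `tmp_length` does not exist in buster's libarchive and that the remaining `filename_length` path is safe because the last parameter of `archive_strncat` is a `size_t`. Carrying that detail into the not-affected comment or a NOTE would let the claim be re-checked against the buster source without looking up this commit.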
@@ -1002,6 +1003,7 @@ CVE-2023-6956 (The EasyAzon \u2013 Amazon Associates Affiliate Plugin plugin for
 CVE-2024-5629 (An out-of-bounds read in the 'bson' module of PyMongo 4.6.2 or earlier ...)
 	- pymongo <unfixed>
 	NOTE: https://jira.mongodb.org/browse/PYTHON-4305
+	NOTE: https://github.com/mongodb/mongo-python-driver/pull/1564
 CVE-2024-5571 (The EmbedPress \u2013 Embed PDF, Google Docs, Vimeo, Wistia, Embed You ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-5536 (The GamiPress \u2013 Link plugin for WordPress is vulnerable to Stored ...)
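Review bot: the new pymongo NOTE links pull request 1564 without saying whether it is the fix, while the libarchive entry above annotates its fixing commit with the release it landed in, "(v3.7.4)". Since the companion commit adding pymongo to dla-needed.txt calls this a trivial fix, tagging the PR line as the fix (and the version containing it, if known) would make the `<unfixed>` entry easier to act on.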
@@ -2794,6 +2796,7 @@ CVE-2024-36472 (In GNOME Shell through 45.7, a portal helper can be launched aut
 	- gnome-shell <unfixed> (bug #1072124)
 	[bookworm] - gnome-shell <no-dsa> (Minor issue)
 	[bullseye] - gnome-shell <no-dsa> (Minor issue)
+	[buster] - gnome-shell <postponed> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688
 CVE-2024-36110 (ansibleguy-webui is an open source WebUI for using Ansible. Multiple f ...)
 	NOT-FOR-US: ansibleguy-webui
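Review bot: the `[buster] - gnome-shell <postponed> (Minor issue)` line reuses the "(Minor issue)" wording of the bookworm and bullseye no-dsa entries, but the commit message gives a different reason for postponing rather than marking no-dsa: upstream partly disputes the issue and there is no fix to backport yet. Recording that in the comment, e.g. "(Minor issue; no upstream fix yet)", would explain why buster is postponed rather than no-dsa.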
@@ -15756,6 +15759,8 @@ CVE-2024-27322 (Deserialization of untrusted data can occur in the R statistical
 	- r-base 4.4.0-2
 	NOTE: https://hiddenlayer.com/research/r-bitrary-code-execution/
 	NOTE: https://kb.cert.org/vuls/id/238194
+	NOTE: https://src.fedoraproject.org/rpms/R/blob/f39/f/R-CVE-2024-27322.patch
+	NOTE: https://github.com/r-devel/r-svn/commit/f7c46500f455eb4edfc3656c3fa20af61b16abb7
 CVE-2024-23995 (Cross Site Scripting (XSS) in Beekeeper Studio 4.1.13 and earlier allo ...)
 	NOT-FOR-US: Beekeeper Studio
 CVE-2024-1969 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ...)
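Review bot: the commit message describes the r-svn commit as a "potential fixing commit", but the two new NOTE lines carry no such qualifier and sit directly under `- r-base 4.4.0-2`, which reads as if they are the confirmed fix. Consider marking them, e.g. "(potential fix)", until the commit is confirmed to address CVE-2024-27322.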


=====================================
data/dla-needed.txt
=====================================
@@ -49,6 +49,9 @@ cacti
   NOTE: 20240519: I'd have postponed them but let's fix it before buster
   NOTE: 20240519: goes EOL. (utkarsh)
 --
+cyrus-imapd
+  NOTE: 20240609: Added by Front-Desk (apo)
+--
 dcmtk (Adrian Bunk)
   NOTE: 20240428: Added by Front-Desk (ta)
 --
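Review bot: the new cyrus-imapd entry records only "Added by Front-Desk (apo)" with no CVE id or hint at the scope of the work, whereas other entries in this file name the CVE they track (see the putty note for CVE-2024-31497 and the python-asyncssh note for CVE-2023-46445 and CVE-2023-46446). Naming the open CVE(s) on the Front-Desk line would let a claimant pick up the package without cross-referencing data/CVE/list; the same applies to the other packages added in this series.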
@@ -173,12 +176,18 @@ libstb
   NOTE: 20240314: several CVEs fixed in DLA-3305-1 remain unfixed (no-dsa) in bullseye
   NOTE: 20240314: and bookwork. Uploads to spu and ospu should be coordinated. (roberto)
 --
+libvpx
+  NOTE: 20240609: Added by Front-Desk (apo)
+--
 linux (Ben Hutchings)
   NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
 --
 linux-5.10
   NOTE: 20231005: perma-added for LTS package-specific delegation (bwh)
 --
+nano
+  NOTE: 20240609: Added by Front-Desk (apo)
+--
 netty (Markus Koschany)
   NOTE: 20240511: Added by (apo)
 --
@@ -225,6 +234,12 @@ pdns-recursor
   NOTE: 20240306: Added by Front-Desk (opal)
   NOTE: 20240319: Upload postponed due to #1067124 (dleidert)
 --
+php7.3
+  NOTE: 20240609: Added by Front-Desk (apo)
+--
+plasma-workspace
+  NOTE: 20240609: Added by Front-Desk (apo)
+--
 putty
   NOTE: 20231224: Added by Front-Desk (ta)
   NOTE: 20240104: massive code change against bullseye. May be better to backport bullseye (rouca)
@@ -233,6 +248,9 @@ putty
   NOTE: 20240412: Wait for comments by maintainer
   NOTE: 20240430: Backport fixes for  CVE-2024-31497 wait review
 --
+pymongo
+  NOTE: 20240609: Added by Front-Desk (apo)
+--
 pypy3
   NOTE: 20240503: Added by Front-Desk (Beuc)
   NOTE: 20240503: Fix newly triaged (but old) issues;
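Review bot: the commit adding pymongo says "Trivial fix." and the companion data/CVE/list change links the upstream pull request, but neither is reflected in the new dla-needed entry. A NOTE such as "trivial fix, see PR linked in data/CVE/list" would let a claimant see the expected effort at a glance.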
@@ -243,6 +261,9 @@ python-asyncssh
   NOTE: 20240116: Added by Front-Desk (lamby)
   NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert)
 --
+r-base
+  NOTE: 20240609: Added by Front-Desk (apo)
+--
 rails
   NOTE: 20220909: Re-added due to regression (abhijith)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
@@ -325,6 +346,9 @@ tryton-server
   NOTE: 20240421: Fix causes regressions in tryton client. Waiting for that
   NOTE: 20240421: being resolved upstream.
 --
+unbound
+  NOTE: 20240609: Added by Front-Desk (apo)
+--
 varnish
   NOTE: 20231117: Added by Front-Desk (apo)
   NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c0e1ea0688ab83b5cb9dc6c3210c57b45f29ba51...7179a78bb23cd44df7ead233907bb70ca041d026
