[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Jun 13 19:36:06 BST 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dcc4a98a by Moritz Muehlenhoff at 2024-06-13T20:35:33+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -4322,42 +4322,62 @@ CVE-2024-24851 (A heap-based buffer overflow vulnerability exists in the Program
 	NOT-FOR-US: AutomationDirect
 CVE-2024-24686 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1929
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2024-24685 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1929
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2024-24684 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1929
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2024-24584 (Multiple out-of-bounds read vulnerabilities exist in the readMSH funct ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1928
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2024-24583 (Multiple out-of-bounds read vulnerabilities exist in the readMSH funct ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1928
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2024-23951 (Multiple improper array index validation vulnerabilities exist in the  ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1926
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2024-23950 (Multiple improper array index validation vulnerabilities exist in the  ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1926
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2024-23949 (Multiple improper array index validation vulnerabilities exist in the  ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1926
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2024-23948 (Multiple improper array index validation vulnerabilities exist in the  ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1926
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2024-23947 (Multiple improper array index validation vulnerabilities exist in the  ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1926
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2024-23601 (A code injection vulnerability exists in the scan_lib.bin functionalit ...)
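Review bot: the rationale on the new [bookworm]/[bullseye] lines says "revisit when/if fixed upstream", but every NOTE on these slic3r-prusa entries points at libigl issue 2387 rather than at a slic3r-prusa issue, which suggests the fix is expected in an embedded libigl copy; consider naming that in the rationale (e.g. "revisit when/if fixed in embedded libigl") so a later triager knows which upstream to check.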
@@ -4370,12 +4390,16 @@ CVE-2024-22187 (A write-what-where vulnerability exists in the Programming Softw
 	NOT-FOR-US: AutomationDirect
 CVE-2024-22181 (An out-of-bounds write vulnerability exists in the readNODE functional ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1930
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2024-21785 (A leftover debug code vulnerability exists in the Telnet Diagnostic In ...)
 	NOT-FOR-US: AutomationDirect
 CVE-2023-49600 (An out-of-bounds write vulnerability exists in the PlyFile ply_cast_as ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1879
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2023-46694 (Vtenext 21.02 allows an authenticated attacker to upload arbitrary fil ...)
@@ -4402,22 +4426,32 @@ CVE-2023-37411 (IBM Aspera Faspex 5.0.0 through 5.0.6 is vulnerable to cross-sit
 	NOT-FOR-US: IBM
 CVE-2023-35953 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1784
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2023-35952 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1784
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2023-35951 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1784
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2023-35950 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1784
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2023-35949 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...)
 	- slic3r-prusa <unfixed>
+	[bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - slic3r-prusa <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1784
 	NOTE: https://github.com/libigl/libigl/issues/2387
 CVE-2024-4741 [Use After Free with SSL_free_buffers]
@@ -14492,10 +14526,14 @@ CVE-2023-50231 (NETGEAR ProSAFE Network Management System saveNodeLabel Cross-Si
 	NOT-FOR-US: Netgear
 CVE-2023-50230 (BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code ...)
 	- bluez 5.70-1
+	[bookworm] - bluez <no-dsa> (Minor issue)
+	[bullseye] - bluez <no-dsa> (Minor issue)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1812/
 	NOTE: https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443 (5.70)
 CVE-2023-50229 (BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code ...)
 	- bluez 5.70-1
+	[bookworm] - bluez <no-dsa> (Minor issue)
+	[bullseye] - bluez <no-dsa> (Minor issue)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1811/
 	NOTE: https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443 (5.70)
 CVE-2023-50228 (Parallels Desktop Updater Improper Verification of Cryptographic Signa ...)
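Review bot: "Minor issue" is a thin rationale for CVE-2023-50230 and CVE-2023-50229, whose descriptions read "Phone Book Access Profile Heap-based Buffer Overflow Remote Code ..." and whose fix is the single upstream commit already noted (5ab5352..., 5.70); suggest either spelling out what limits exposure (the preconditions that make it minor) or, given the small fix, considering a point-release update for bookworm/bullseye instead of no-dsa.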
@@ -28161,6 +28199,8 @@ CVE-2024-29196 (phpMyFAQ is an open source FAQ web application for PHP 8.1+ and
 	NOT-FOR-US: phpMyFAQ
 CVE-2024-29195 (The azure-c-shared-utility is a C library for AMQP/MQTT communication  ...)
 	- azure-uamqp-python 1.6.9-2 (bug #1068457)
+	[bookworm] - azure-uamqp-python <no-dsa> (Minor issue)
+	[bullseye] - azure-uamqp-python <no-dsa> (Minor issue)
 	NOTE: https://github.com/Azure/azure-c-shared-utility/security/advisories/GHSA-m8wp-hc7w-x4xg
 	NOTE: https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2
 CVE-2024-29189 (PyAnsys Geometry is a Python client library for the Ansys Geometry ser ...)
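Review bot: the four azure-uamqp-python entries in this commit (CVE-2024-29195, CVE-2024-27099, CVE-2024-25110, CVE-2024-21646) all get the same no-dsa (Minor issue) tag while their NOTE lines point at advisories and commits in azure-c-shared-utility and azure-uamqp-c, apparently code vendored into the Python package; a short per-entry rationale, or a reference to the Debian bug where one is listed (#1068457, #1064996, #1064051), would make the no-dsa decision easier to revisit if the embedded copies are later updated.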
@@ -35739,6 +35779,8 @@ CVE-2024-27507 (libLAS 1.8.1 contains a memory leak vulnerability in /libLAS/app
 	[buster] - liblas <no-dsa> (Minor issue)
 CVE-2024-27099 (The uAMQP is a C library for AMQP 1.0 communication to Azure Cloud Ser ...)
 	- azure-uamqp-python 1.6.8-2 (bug #1064996)
+	[bookworm] - azure-uamqp-python <no-dsa> (Minor issue)
+	[bullseye] - azure-uamqp-python <no-dsa> (Minor issue)
 	NOTE: https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-6rh4-fj44-v4jj
 	NOTE: https://github.com/Azure/azure-uamqp-c/commit/2ca42b6e4e098af2d17e487814a91d05f6ae4987
 CVE-2024-26473 (A reflected cross-site scripting (XSS) vulnerability in SocialMediaWeb ...)
@@ -39294,6 +39336,8 @@ CVE-2024-25112 (Exiv2 is a command-line utility and C++ library for reading, wri
 	NOTE: the Quicktime decoder
 CVE-2024-25110 (The UAMQP is a general purpose C library for AMQP 1.0. During a call t ...)
 	- azure-uamqp-python 1.6.8-2 (bug #1064051)
+	[bookworm] - azure-uamqp-python <no-dsa> (Minor issue)
+	[bullseye] - azure-uamqp-python <no-dsa> (Minor issue)
 	NOTE: https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695
 	NOTE: https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-c646-4whf-r67v
 	NOTE: https://github.com/Azure/azure-uamqp-python/issues/380
@@ -46329,6 +46373,8 @@ CVE-2024-21648 (XWiki Platform is a generic wiki platform offering runtime servi
 	NOT-FOR-US: XWiki
 CVE-2024-21646 (Azure uAMQP is a general purpose C library for AMQP 1.0. The UAMQP lib ...)
 	- azure-uamqp-python 1.6.8-1
+	[bookworm] - azure-uamqp-python <no-dsa> (Minor issue)
+	[bullseye] - azure-uamqp-python <no-dsa> (Minor issue)
 	NOTE: https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-j29m-p99g-7hpv
 	NOTE: https://github.com/Azure/azure-uamqp-c/commit/12ddb3a31a5a97f55b06fa5d74c59a1d84ad78fe
 	NOTE: https://github.com/Azure/azure-uamqp-python/issues/372
@@ -95706,6 +95752,8 @@ CVE-2023-27350 (This vulnerability allows remote attackers to bypass authenticat
 CVE-2023-27349 (BlueZ Audio Profile AVRCP Improper Validation of Array Index Remote Co ...)
 	{DLA-3820-1}
 	- bluez 5.68-1
+	[bookworm] - bluez <no-dsa> (Minor issue)
+	[bullseye] - bluez <no-dsa> (Minor issue)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-386/
 	NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f54299a850676d92c3dafd83e9174fcfe420ccc9 (5.67)
 CVE-2023-27348 (PDF-XChange Editor TIF File Parsing Use-After-Free Remote Code Executi ...)
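Review bot: this entry already carries {DLA-3820-1} and a single upstream commit (f54299a..., 5.67), so a backport of the fix has been prepared for the LTS release; the new bookworm/bullseye no-dsa lines could note whether that same patch is intended for a point release, so the work is neither duplicated nor forgotten.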


=====================================
data/dsa-needed.txt
=====================================
@@ -31,7 +31,7 @@ gpac/oldstable
 --
 h2o (jmm)
 --
-libndp
+libndp (jmm)
   Maintainer proposed to prepare updates himself
 --
 libreswan (jmm)
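Review bot: libndp is now claimed by jmm while the indented note under it still says "Maintainer proposed to prepare updates himself"; one of the two should be updated so the entry shows who is actually preparing the update and who is reviewing or coordinating (e.g. keep "libndp (jmm)" and change the note to say the maintainer prepares and jmm reviews, or drop the note).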



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcc4a98abec412f3764f26771a27dab95c7e178a
