[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Jun 19 21:38:53 BST 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d53ba7c1 by Moritz Muehlenhoff at 2024-06-19T22:37:40+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -970,6 +970,8 @@ CVE-2024-37891 (urllib3 is a user-friendly HTTP client library for Python. When
 	NOTE: https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e (2.2.2)
 CVE-2024-37890 (ws is an open source WebSocket client and server for Node.js. A reques ...)
 	- node-ws <unfixed>
+	[bookworm] - node-ws <no-dsa> (Minor issue)
+	[bullseye] - node-ws <no-dsa> (Minor issue)
 	NOTE: https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
 	NOTE: https://github.com/websockets/ws/issues/2230
 	NOTE: https://github.com/websockets/ws/pull/2231
@@ -1157,7 +1159,7 @@ CVE-2024-38427 (In International Color Consortium DemoIccMAX before 85ce74e, a l
 CVE-2024-38395 (In iTerm2 before 3.5.2, the "Terminal may report window title" setting ...)
 	NOT-FOR-US: iTerm2
 CVE-2024-38394 (Mismatches in interpreting USB authorization policy between GNOME Sett ...)
-	- gnome-settings-daemon <unfixed>
+	- gnome-settings-daemon <unfixed> (unimportant)
 	NOTE: https://pulsesecurity.co.nz/advisories/usbguard-bypass
 	NOTE: https://gitlab.gnome.org/GNOME/gnome-settings-daemon/-/issues/780
 	NOTE: https://gitlab.gnome.org/GNOME/gnome-settings-daemon/-/issues/780#note_2047914
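Review bot: the `(unimportant)` rating added to the gnome-settings-daemon line comes with no NOTE stating the reason, so a later triager has to re-read the linked issue to see why a USB authorization policy mismatch is not treated as a security boundary here. Consider adding a one-line NOTE summarising the rationale (the `issues/780#note_2047914` link just below presumably carries it) next to the existing references.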
@@ -2816,6 +2818,7 @@ CVE-2023-50763 (A vulnerability has been identified in SIMATIC CP 1542SP-1 (6GK7
 	NOT-FOR-US: Siemens
 CVE-2023-4727 (A flaw was found in dogtag-pki and pki-core. The token authentication  ...)
 	- dogtag-pki <unfixed>
+	[bullseye] - dogtag-pki <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2232218
 CVE-2023-48273 (Missing Authorization vulnerability in WP OnlineSupport, Essential Plu ...)
 	NOT-FOR-US: WordPress plugin
@@ -3468,7 +3471,9 @@ CVE-2024-30464 (Missing Authorization vulnerability in WPZOOM Social Icons Widge
 	NOT-FOR-US: WordPress plugin
 CVE-2024-2408 (The openssl_private_decrypt function in PHP, when using PKCS1 padding  ...)
 	- php8.2 <unfixed>
+	[bookworm] - php8.2 <postponed> (Minor issue, revisit when fixed upstream)
 	- php7.4 <removed>
+	[bookworm] - php7.4 <postponed> (Minor issue, revisit when fixed upstream)
 	- php7.3 <removed>
 	NOTE: https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864
 CVE-2024-25929 (Missing Authorization vulnerability in MultiVendorX Product Catalog En ...)
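Review bot: the second added line, `+	[bookworm] - php7.4 <postponed> (Minor issue, revisit when fixed upstream)`, tags php7.4 with [bookworm], but bookworm ships php8.2 (tagged on the line just above) and php7.4 is the bullseye package; the CVE-2024-5458 hunk later in this same commit records php7.4 as `[bullseye]`. As written, bullseye ends up with no triage state for CVE-2024-2408 and the bookworm tag on php7.4 has no effect; the line should most likely read `[bullseye] - php7.4 <postponed> (Minor issue, revisit when fixed upstream)`.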
@@ -3990,6 +3995,8 @@ CVE-2024-5482 (A Server-Side Request Forgery (SSRF) vulnerability exists in the
 	NOT-FOR-US: parisneo/lollms-webui
 CVE-2024-5480 (A vulnerability in the PyTorch's torch.distributed.rpc framework, spec ...)
 	- pytorch <unfixed> (bug #1072969)
+	[bookworm] - pytorch <no-dsa> (Minor issue)
+	[bullseye] - pytorch <no-dsa> (Minor issue)
 	NOTE: https://huntr.com/bounties/39811836-c5b3-4999-831e-46fee8fcade3
 CVE-2024-5478 (A Cross-site Scripting (XSS) vulnerability exists in the SAML metadata ...)
 	NOT-FOR-US: lunary-ai/lunary
@@ -23848,6 +23855,7 @@ CVE-2024-5458 (In PHP versions8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* be
 	{DLA-3833-1}
 	- php8.2 <unfixed> (bug #1072885)
 	- php7.4 <removed>
+	[bullseye] - php7.4 <no-dsa> (Minor issue)
 	- php7.3 <removed>
 	NOTE: Fixed in 8.3.8, 8.2.20, 8.1.29
 	NOTE: https://github.com/php/php-src/security/advisories/GHSA-w8qr-v226-r27w


=====================================
data/dsa-needed.txt
=====================================
@@ -45,6 +45,8 @@ nodejs (aron)
 --
 opennds/stable
 --
+php8.2/stable (jmm)
+--
 php-cas/oldstable
 --
 php-horde-mime-viewer/oldstable
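Review bot: the new entry `php8.2/stable (jmm)` does not say which CVE the pending DSA is for. Of the php8.2 issues touched in this commit, CVE-2024-2408 is marked `<postponed>` for bookworm, which leaves CVE-2024-5458 (bug #1072885, already covered for bullseye by DLA-3833-1) as the open one; a short comment line naming the CVE under the entry would keep it unambiguous for whoever picks up the DSA.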



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d53ba7c1fc8314f32913e49e1f5801ccb90b00cd


