[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Thu Jun 27 16:44:50 BST 2024


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0ebcf4e1 by Moritz Muehlenhoff at 2024-06-27T17:43:28+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -105,9 +105,13 @@ CVE-2024-39241 (Cross Site Scripting (XSS) vulnerability in skycaiji 2.8 allows
 	NOT-FOR-US: skycaiji
 CVE-2024-38950 (Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attacker ...)
 	- libde265 <unfixed>
+	[bookworm] - libde265 <no-dsa> (Minor issue)
+	[bullseye] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/460
 CVE-2024-38949 (Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows attacker ...)
 	- libde265 <unfixed>
+	[bookworm] - libde265 <no-dsa> (Minor issue)
+	[bullseye] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/460
 CVE-2024-38527 (ZenUML is JavaScript-based diagramming tool that requires no server, u ...)
 	NOT-FOR-US: ZenUML
@@ -276,6 +280,8 @@ CVE-2024-6299 (Lack of consideration of key expiry when validating signatures in
 	NOT-FOR-US: Conduit
 CVE-2024-6257 (HashiCorp\u2019s go-getter library can be coerced into executing Git u ...)
 	- golang-github-hashicorp-go-getter <unfixed>
+	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081
 CVE-2024-6238 (pgAdmin <= 8.8 has an installation Directory permission issue.Because  ...)
 	- pgadmin4 <itp> (bug #834129)
@@ -640,6 +646,8 @@ CVE-2024-6160 (SQL Injection vulnerability in MegaBIP software allows attacker t
 	NOT-FOR-US: MegaBIP
 CVE-2024-6104 (go-retryablehttp prior to 0.7.7 did not sanitize urls when writing the ...)
 	- golang-github-hashicorp-go-retryablehttp <unfixed>
+	[bookworm] - golang-github-hashicorp-go-retryablehttp <no-dsa> (Minor issue)
+	[bullseye] - golang-github-hashicorp-go-retryablehttp <no-dsa> (Minor issue)
 CVE-2024-5862 (Improper Restriction of Excessive Authentication Attempts vulnerabilit ...)
 	NOT-FOR-US: Mia Technology Inc. Mia-Med Health Aplication
 CVE-2024-5683 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...)
@@ -15656,9 +15664,13 @@ CVE-2024-30268 (Cacti provides an operational monitoring and fault management fr
 	NOTE: https://github.com/Cacti/cacti/commit/a38b9046e9772612fda847b46308f9391a49891e
 CVE-2024-30259 (FastDDS is a C++ implementation of the DDS (Data Distribution Service) ...)
 	- fastdds 2.14.1+ds-1
+	[bookworm] - fastdds <no-dsa> (Minor issue)
+	[bullseye] - fastdds <no-dsa> (Minor issue)
 	NOTE: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-qcj9-939p-p662
 CVE-2024-30258 (FastDDS is a C++ implementation of the DDS (Data Distribution Service) ...)
 	- fastdds 2.14.1+ds-1
+	[bookworm] - fastdds <no-dsa> (Minor issue)
+	[bullseye] - fastdds <no-dsa> (Minor issue)
 	NOTE: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-53xw-465j-rxfh
 	NOTE: https://github.com/eProsima/Fast-DDS/commit/65236f93e9c4ea3ff9a49fba4dfd9e43eb94037b
 CVE-2024-29895 (Cacti provides an operational monitoring and fault management framewor ...)
@@ -66821,6 +66833,8 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource
 	- jetty9 9.4.53-1
 	- netty 1:4.1.48-8 (bug #1054234)
 	- dnsdist 1.8.2-2
+	[bookworm] - dnsdist <no-dsa> (Minor issue)
+	[bullseye] - dnsdist <no-dsa> (Minor issue)
 	[buster] - dnsdist <not-affected> (HTTP/2 support was added later)
 	- varnish <unfixed> (bug #1056156)
 	[bookworm] - varnish <ignored> (Minor issue, too intrusive to backport)


=====================================
data/dsa-needed.txt
=====================================
@@ -14,11 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa
 --
 cacti
 --
-composer/oldstable (jmm)
-  Regression update for #1073931
---
-dnsdist (jmm)
---
 dnsmasq
 --
 frr
@@ -32,8 +27,8 @@ gpac/oldstable
 --
 h2o (jmm)
 --
-libreswan (jmm)
-  Maintainer prepared bookworm-security update, but needs work on bullseye-security backports
+libreswan
+  Waiting on feedback from maintainer, proposal to EOL Bullseye
 --
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
@@ -45,6 +40,7 @@ nbconvert/oldstable
 nodejs (aron)
 --
 opennds/stable
+  pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
 php-cas/oldstable
 --
@@ -61,11 +57,9 @@ python-aiohttp
 --
 python-asyncssh
 --
-ring/oldstable
-  might make sense to rebase to current version
+ring
 --
 ruby2.7/oldstable
-  Utkarsh Gupta offered help in preparing updates
 --
 ruby-nokogiri/oldstable
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ebcf4e1fac473a2b3644d2510dd9f813c925583

-- 
This project does not include diff previews in email notifications.
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ebcf4e1fac473a2b3644d2510dd9f813c925583
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240627/08c6c749/attachment-0001.htm>
