[Git][security-tracker-team/security-tracker][master] 24 commits: CVE-2024-22201,jetty9: link to fixing commits for 9.x branch
Markus Koschany (@apo)
apo at debian.org
Mon Mar 4 12:07:27 GMT 2024
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7cadf7f5 by Markus Koschany at 2024-03-04T13:06:38+01:00
CVE-2024-22201,jetty9: link to fixing commits for 9.x branch
- - - - -
488675e6 by Markus Koschany at 2024-03-04T13:06:38+01:00
Add jetty9 to dla-needed.txt
- - - - -
dda9149f by Markus Koschany at 2024-03-04T13:06:38+01:00
Add libuv1 to dla-needed.txt
- - - - -
10cd94f3 by Markus Koschany at 2024-03-04T13:06:38+01:00
Add yard to dla-needed.txt
- - - - -
f7c91a4b by Markus Koschany at 2024-03-04T13:06:39+01:00
CVE-2024-21742,apache-mime4j: buster is no-dsa
Minor issue
- - - - -
eb5598a8 by Markus Koschany at 2024-03-04T13:06:41+01:00
CVE-2023-49100,arm-trusted-firmware: buster is no-dsa
Minor issue
- - - - -
bf920f98 by Markus Koschany at 2024-03-04T13:06:42+01:00
CVE-2024-25629,c-ares: buster is no-dsa
Minor issue
- - - - -
25af6d89 by Markus Koschany at 2024-03-04T13:06:43+01:00
CVE-2024-24258,CVE-2024-24259,freeglut: buster is no-dsa
Minor issue
- - - - -
372269cb by Markus Koschany at 2024-03-04T13:06:44+01:00
Triage krb5 memory leaks as no-dsa for buster
Minor issues.
- - - - -
7b0caec9 by Markus Koschany at 2024-03-04T13:06:46+01:00
CVE-2022-48624,less: buster is no-dsa
Minor issue. Can be fixed when more important issues arise.
- - - - -
32b6a875 by Markus Koschany at 2024-03-04T13:06:46+01:00
Add libcommons-compress-java to dla-needed.txt
- - - - -
afd34344 by Markus Koschany at 2024-03-04T13:06:47+01:00
CVE-2023-45918,ncurses: buster is no-dsa
Minor NULL pointer dereference bug.
- - - - -
23a5576e by Markus Koschany at 2024-03-04T13:06:48+01:00
CVE-2024-27088,node-es5-ext: buster is no-dsa
Minor issue
- - - - -
1c70cc2b by Markus Koschany at 2024-03-04T13:06:48+01:00
Add nvidia-graphics-drivers to dla-needed.txt
- - - - -
59de8769 by Markus Koschany at 2024-03-04T13:06:49+01:00
Add php-phpseclib to dla-needed.txt
- - - - -
e4f2317e by Markus Koschany at 2024-03-04T13:06:49+01:00
Add phpseclib to dla-needed.txt
- - - - -
86daa2d7 by Markus Koschany at 2024-03-04T13:06:50+01:00
CVE-2024-1433,plasma-workspace: buster is no-dsa
Minor issue
- - - - -
4b93f9ea by Markus Koschany at 2024-03-04T13:06:51+01:00
CVE-2024-26130,python-cryptography: buster is no-dsa
Minor issue
- - - - -
294142c4 by Markus Koschany at 2024-03-04T13:06:52+01:00
CVE-2024-1892,python-scrapy: buster is no-dsa
Minor issue
- - - - -
8e6542f2 by Markus Koschany at 2024-03-04T13:06:54+01:00
CVE-2023-50868,CVE-2023-50387,systemd: buster is no-dsa
DNSSEC is disabled by default and an experimental feature.
- - - - -
ab2db50c by Markus Koschany at 2024-03-04T13:06:55+01:00
CVE-2024-25262,texlive-bin: buster is no-dsa
Minor issue
- - - - -
f7b7db95 by Markus Koschany at 2024-03-04T13:06:55+01:00
Add cpio to dla-needed.txt
- - - - -
e38cce11 by Markus Koschany at 2024-03-04T13:06:55+01:00
Add dnsmasq to dla-needed.txt
- - - - -
336ad067 by Markus Koschany at 2024-03-04T13:06:56+01:00
CVE-2024-24246,qpdf: buster is not-affected
The vulnerable code was introduced later, creating a PDF from an input source
that contains JSON.
https://github.com/qpdf/qpdf/commit/4fe2e06b4787ffb639f965ac840b51018308ec07#diff-8e435b97a9914d4318cc5829a9400e1e49c5b9bc16799de9aef9ef04c4b3f5c0
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -872,6 +872,7 @@ CVE-2024-24818 (EspoCRM is an Open Source Customer Relationship Management softw
NOT-FOR-US: EspoCRM
CVE-2024-24246 (Heap Buffer Overflow vulnerability in qpdf 11.9.0 allows attackers to ...)
- qpdf 11.9.0-1
+ [buster] - qpdf <not-affected> (Vulnerable code was introduced later)
NOTE: https://github.com/qpdf/qpdf/issues/1123
NOTE: https://github.com/qpdf/qpdf/commit/cb0f390cc1f98a8e82b27259f8f3cd5f162992eb (v11.9.0)
CVE-2024-24110 (SQL Injection vulnerability in crmeb_java before v1.3.4 allows attacke ...)
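Review bot: the `<not-affected>` reasoning for buster is only summarised in the tag text on the `+ [buster]` line; the commit message cites the commit that introduced the vulnerable code (https://github.com/qpdf/qpdf/commit/4fe2e06b4787ffb639f965ac840b51018308ec07), but that link is not recorded in the hunk. Add it as a `NOTE:` line next to the existing cb0f390 fix reference so the triage can be verified from data/CVE/list alone. The hunk also annotates only buster: if the JSON-input code postdates the qpdf versions in bullseye and bookworm as well, those suites would merit the same tag; if it does not, the NOTE should say in which upstream version the code first appeared.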
@@ -1843,6 +1844,7 @@ CVE-2024-1892 (Parts of the Scrapy API were found to be vulnerable to a ReDoS at
- python-scrapy 2.11.1-1 (bug #1065111)
[bookworm] - python-scrapy <no-dsa> (Minor issue)
[bullseye] - python-scrapy <no-dsa> (Minor issue)
+ [buster] - python-scrapy <no-dsa> (Minor issue)
NOTE: https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b/
NOTE: https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5 (2.11.1)
CVE-2024-1866
@@ -2068,6 +2070,7 @@ CVE-2024-21742 (Improper input validation allows for header injection in MIME4J
- apache-mime4j 0.8.10-1 (bug #1064966)
[bookworm] - apache-mime4j <no-dsa> (Minor issue)
[bullseye] - apache-mime4j <no-dsa> (Minor issue)
+ [buster] - apache-mime4j <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/02/27/5
NOTE: https://github.com/apache/james-mime4j/commit/9dec5df2a588fed8027839815daefa79ee66efd1 (apache-mime4j-project-0.8.10)
NOTE: https://github.com/apache/james-mime4j/pull/91
@@ -2384,6 +2387,7 @@ CVE-2024-27088 (es5-ext contains ECMAScript 5 extensions. Passing functions with
- node-es5-ext <unfixed> (bug #1064933)
[bookworm] - node-es5-ext <no-dsa> (Minor issue)
[bullseye] - node-es5-ext <no-dsa> (Minor issue)
+ [buster] - node-es5-ext <no-dsa> (Minor issue)
NOTE: https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h
NOTE: https://github.com/medikoo/es5-ext/issues/201
NOTE: https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2 (v1.10.63)
@@ -2406,16 +2410,19 @@ CVE-2024-26462 (Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerabilit
- krb5 <unfixed> (bug #1064965)
[bookworm] - krb5 <no-dsa> (Minor issue)
[bullseye] - krb5 <no-dsa> (Minor issue)
+ [buster] - krb5 <no-dsa> (Minor issue)
NOTE: https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md
CVE-2024-26461 (Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in / ...)
- krb5 <unfixed> (bug #1064965)
[bookworm] - krb5 <no-dsa> (Minor issue)
[bullseye] - krb5 <no-dsa> (Minor issue)
+ [buster] - krb5 <no-dsa> (Minor issue)
NOTE: https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md
CVE-2024-26458 (Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/r ...)
- krb5 <unfixed> (bug #1064965)
[bookworm] - krb5 <no-dsa> (Minor issue)
[bullseye] - krb5 <no-dsa> (Minor issue)
+ [buster] - krb5 <no-dsa> (Minor issue)
NOTE: https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md
CVE-2024-26455 (fluent-bit 2.2.2 contains a Use-After-Free vulnerability in /fluent-bi ...)
NOT-FOR-US: Fluent Bit
@@ -2520,6 +2527,7 @@ CVE-2024-22201 (Jetty is a Java based web server and servlet engine. An HTTP/2 S
- jetty9 <unfixed> (bug #1064923)
NOTE: https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98
NOTE: https://github.com/jetty/jetty.project/issues/11256
+ NOTE: 9.x branch fixed by https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b
CVE-2024-21836 (A heap-based buffer overflow vulnerability exists in the GGUF library ...)
NOT-FOR-US: llama.cpp
CVE-2024-21825 (A heap-based buffer overflow vulnerability exists in the GGUF library ...)
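Review bot: the commit message says "link to fixing commits for 9.x branch" (plural), but the hunk adds a single commit (86586df0). If the 9.x backport is spread over more than one commit, the remaining ones should be listed too, since this NOTE is the line an LTS uploader will work from; otherwise the message overstates what was recorded. Style: other entries in this file record fix references as `NOTE: Fixed by: <url> (<tag>)` (see the python-cryptography and freeglut hunks), so `NOTE: Fixed by: https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b (9.x branch)` would match the existing convention.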
@@ -2765,6 +2773,7 @@ CVE-2024-25629 (c-ares is a C library for asynchronous DNS requests. `ares__read
- c-ares 1.27.0-1
[bookworm] - c-ares <no-dsa> (Minor issue)
[bullseye] - c-ares <no-dsa> (Minor issue)
+ [buster] - c-ares <no-dsa> (Minor issue)
NOTE: https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q
NOTE: https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183 (cares-1_27_0)
CVE-2024-23320 (Improper Input Validation vulnerability in Apache DolphinScheduler. An ...)
@@ -3257,6 +3266,7 @@ CVE-2024-26130 (cryptography is a package designed to expose cryptographic primi
- python-cryptography <unfixed> (bug #1064778)
[bookworm] - python-cryptography <no-dsa> (Minor issue)
[bullseye] - python-cryptography <no-dsa> (Minor issue)
+ [buster] - python-cryptography <no-dsa> (Minor issue)
NOTE: https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
NOTE: https://github.com/pyca/cryptography/pull/10423
NOTE: Fixed by: https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 (main)
@@ -3354,6 +3364,7 @@ CVE-2023-49100 (Trusted Firmware-A (TF-A) before 2.10 has a potential read out-o
- arm-trusted-firmware 2.10.0+dfsg-1
[bookworm] - arm-trusted-firmware <no-dsa> (Minor issue)
[bullseye] - arm-trusted-firmware <no-dsa> (Minor issue)
+ [buster] - arm-trusted-firmware <no-dsa> (Minor issue)
NOTE: https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624c74f5217419b1a27b7ebd2aa
CVE-2023-47795 (Stored cross-site scripting (XSS) vulnerability in the Document and Me ...)
NOT-FOR-US: Liferay
@@ -3633,6 +3644,7 @@ CVE-2024-25262 (texlive-bin commit c515e was discovered to contain heap buffer o
- texlive-bin 2023.20230311.66589-9 (bug #1064517)
[bookworm] - texlive-bin <no-dsa> (Minor issue)
[bullseye] - texlive-bin <no-dsa> (Minor issue)
+ [buster] - texlive-bin <no-dsa> (Minor issue)
NOTE: https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/ChangeLog?revision=69605&view=co
NOTE: https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912
NOTE: https://github.com/TeX-Live/texlive-source/pull/63
@@ -4177,6 +4189,7 @@ CVE-2022-48624 (close_altfile in filename.c in less before 606 omits shell_quote
- less <unfixed> (bug #1064293)
[bookworm] - less <no-dsa> (Minor issue)
[bullseye] - less <no-dsa> (Minor issue)
+ [buster] - less <no-dsa> (Minor issue)
NOTE: https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144 (v606)
CVE-2020-36774 (plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 3.39.x b ...)
- glade 3.38.2-1
@@ -4355,6 +4368,7 @@ CVE-2023-45918 (ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr i
- ncurses 6.4+20230625-1
[bookworm] - ncurses <no-dsa> (Minor issue)
[bullseye] - ncurses <no-dsa> (Minor issue)
+ [buster] - ncurses <no-dsa> (Minor issue)
NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html
NOTE: https://invisible-island.net/ncurses/NEWS.html#index-t20230615
NOTE: Fixed in ncurses-6.4-20230615 patchlevel
@@ -5380,6 +5394,7 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4
- systemd 255.4-1
[bookworm] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
[bullseye] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
+ [buster] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
NOTE: https://kb.isc.org/docs/cve-2023-50387
NOTE: https://gitlab.isc.org/isc-projects/bind9/-/commit/c12608ca934c0433d280e65fe6c631013e200cfe (v9.16.48)
NOTE: https://gitlab.isc.org/isc-projects/bind9/-/commit/751b7cc4750ede6d8c5232751d60aad8ad84aa67 (v9.16.48)
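Review bot: the new `[buster]` line copies the bookworm/bullseye annotation verbatim, including "can be fixed via point release", but the buster work in this push is tracked through data/dla-needed.txt, i.e. the LTS/DLA process, so the point-release phrasing does not describe how a buster fix would ship. The commit message's own rationale ("DNSSEC is disabled by default and an experimental feature") is the accurate tag text, e.g. `[buster] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved and experimental)`.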
@@ -5418,6 +5433,7 @@ CVE-2023-50868 (The Closest Encloser Proof aspect of the DNS protocol (in RFC 51
- systemd 255.4-1
[bookworm] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
[bullseye] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
+ [buster] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
NOTE: https://kb.isc.org/docs/cve-2023-50868
NOTE: https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
NOTE: https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html
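Review bot: same issue as in the CVE-2023-50387 hunk: the `[buster]` annotation carries over "can be fixed via point release" from the bookworm/bullseye lines; reword it to the rationale given in the commit message so the no-dsa tag reflects the LTS process that actually applies to buster.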
@@ -5723,6 +5739,7 @@ CVE-2024-1433 (A vulnerability, which was classified as problematic, was found i
- plasma-workspace <unfixed> (bug #1064063)
[bookworm] - plasma-workspace <no-dsa> (Minor issue)
[bullseye] - plasma-workspace <no-dsa> (Minor issue)
+ [buster] - plasma-workspace <no-dsa> (Minor issue)
NOTE: https://github.com/KDE/plasma-workspace/commit/6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01
CVE-2023-52429 (dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6 ...)
- linux <unfixed>
@@ -6986,6 +7003,7 @@ CVE-2024-24259 (freeglut through 3.4.0 was discovered to contain a memory leak v
- freeglut <unfixed> (bug #1063801)
[bookworm] - freeglut <no-dsa> (Minor issue)
[bullseye] - freeglut <no-dsa> (Minor issue)
+ [buster] - freeglut <no-dsa> (Minor issue)
NOTE: https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_2.md
NOTE: https://github.com/freeglut/freeglut/pull/155
NOTE: Fixed by: https://github.com/freeglut/freeglut/commit/9ad320c1ad1a25558998ddfe47674511567fec57
@@ -6993,6 +7011,7 @@ CVE-2024-24258 (freeglut 3.4.0 was discovered to contain a memory leak via the m
- freeglut <unfixed> (bug #1063801)
[bookworm] - freeglut <no-dsa> (Minor issue)
[bullseye] - freeglut <no-dsa> (Minor issue)
+ [buster] - freeglut <no-dsa> (Minor issue)
NOTE: https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_1.md
NOTE: https://github.com/freeglut/freeglut/pull/155
NOTE: Fixed by: https://github.com/freeglut/freeglut/commit/9ad320c1ad1a25558998ddfe47674511567fec57
=====================================
data/dla-needed.txt
=====================================
@@ -63,6 +63,9 @@ cinder
composer (rouca)
NOTE: 20240209: Added by Front-Desk (utkarsh)
--
+cpio
+ NOTE: 20240303: Added by Front-Desk (apo)
+--
curl
NOTE: 20231229: Added by Front-Desk (lamby)
NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby)
@@ -72,6 +75,9 @@ dask.distributed (guilhem)
NOTE: 20231228: Added by Front-Desk (lamby)
NOTE: 20231228: CVE-2021-42343 fixed in bullseye via DSA or point release. (lamby)
--
+dnsmasq
+ NOTE: 20240303: Added by Front-Desk (apo)
+--
docker.io
NOTE: 20230303: Added by Front-Desk (Beuc)
NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
@@ -130,9 +136,15 @@ jenkins-htmlunit-core-js
NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may
NOTE: 20231231: … indeed be vulnerable. (lamby)
--
+jetty9
+ NOTE: 20240303: Added by Front-Desk (apo)
+--
knot-resolver
NOTE: 20231029: Added by Front-Desk (gladk)
--
+libcommons-compress-java (Markus Koschany)
+ NOTE: 20240303: Added by Front-Desk (apo)
+--
libreswan
NOTE: 20230817: Added by Front-Desk (ta)
NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to
@@ -162,6 +174,9 @@ libstb
NOTE: 20221119: and in the past CVE fixes have caused regressions.
NOTE: 20221119: Wait for upstream merge of fixes (and fixing in unstable). (bunk)
--
+libuv1
+ NOTE: 20240303: Added by Front-Desk (apo)
+--
linux (Ben Hutchings)
NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
--
@@ -202,6 +217,21 @@ nvidia-cuda-toolkit
NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html
NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi)
--
+nvidia-graphics-drivers
+ NOTE: 20240303: Added by Front-Desk (apo)
+ NOTE: 20240303: Do we still support the NVIDIA drivers? Can we upgrade to a new upstream release?
+ NOTE: 20240303: Maybe it's time to mark them EOL?
+--
+nvidia-graphics-drivers-legacy-390xx
+ NOTE: 20240303: Added by Front-Desk (apo)
+ NOTE: 20240303: See comment for nvidia-graphics-drivers.
+--
+php-phpseclib
+ NOTE: 20240303: Added by Front-Desk (apo)
+--
+phpseclib
+ NOTE: 20240303: Added by Front-Desk (apo)
+--
putty
NOTE: 20231224: Added by Front-Desk (ta)
NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca)
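Review bot: the hunk adds two packages, nvidia-graphics-drivers and nvidia-graphics-drivers-legacy-390xx, but the corresponding commit message (1c70cc2b, "Add nvidia-graphics-drivers to dla-needed.txt") names only the first; amend the message or split the commit so the legacy package's addition is visible in the log. The NOTE lines for nvidia-graphics-drivers record open questions (continued support, a newer upstream release, EOL) rather than an instruction for the next person; the neighbouring nvidia-cuda-toolkit entry in the context lines shows the file's convention of linking the debian-lts thread where such a question is discussed and stating the recommendation, so consider doing the same here once the discussion exists.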
@@ -294,6 +324,9 @@ varnish (Abhijith PA)
NOTE: 20240122: Still fixing tests (abhijith)
NOTE: 20240213: Fixing tests.(abhijith)
--
+yard
+ NOTE: 20240303: Added by Front-Desk (apo)
+--
zabbix
NOTE: 20240212: Added by Front-Desk (utkarsh)
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c30dda8b322d2d70ad80b9389a76ab0759f147ab...336ad06773fa61bbfdd0ca3f2784a5d48ac5ff34