[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Mar 13 08:58:57 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2a8f25ba by Moritz Mühlenhoff at 2024-03-13T09:58:16+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -583,6 +583,8 @@ CVE-2024-1487 (The Photos and Files Contest Gallery WordPress plugin before 21.3
 	NOT-FOR-US: WordPress plugin
 CVE-2024-1441 (An off-by-one error flaw was found in the udevListInterfacesByStatus() ...)
 	- libvirt <unfixed> (bug #1066058)
+	[bookworm] - libvirt <no-dsa> (Minor issue)
+	[bullseye] - libvirt <no-dsa> (Minor issue)
 	NOTE: Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/5a33366f5c0b18c93d161bd144f9f079de4ac8ca (v1.0.0-rc1)
 	NOTE: Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/d6064e2759a24e0802f363e3a810dc5a7d7ebb15 (v5.10.0-rc1)
 	NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/c664015fe3a7bf59db26686e9ed69af011c6ebb8 (v10.1.0)
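Review bot: the two new <no-dsa> lines give only "(Minor issue)" as justification, while the NOTE lines record two separate introducing commits (v1.0.0-rc1 and v5.10.0-rc1) and a fix only in v10.1.0; it would help a later reader to say whether the v10.1.0 fix is meant to reach bookworm and bullseye through a point release, as the systemd entry further down in this file does with "can be fixed via point release".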
@@ -636,9 +638,13 @@ CVE-2024-2363 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in AOL
 	NOT-FOR-US: AOL AIM Triton
 CVE-2024-2314 (If kernel headers need to be extracted, bcc will attempt to load them  ...)
 	- bpfcc <unfixed>
+	[bookworm] - bpfcc <no-dsa> (Minor issue)
+	[bullseye] - bpfcc <no-dsa> (Minor issue)
 	NOTE: https://github.com/iovisor/bcc/commit/008ea09e891194c072f2a9305a3c872a241dc342
 CVE-2024-2313 (If kernel headers need to be extracted, bpftrace will attempt to load  ...)
 	- bpftrace <unfixed>
+	[bookworm] - bpftrace <no-dsa> (Minor issue)
+	[bullseye] - bpftrace <no-dsa> (Minor issue)
 	NOTE: https://github.com/bpftrace/bpftrace/commit/4be4b7191acb8218240e6b7178c30fa8c9b59998
 CVE-2024-2184 (Buffer overflow in identifier field of WSD probe request process of Sm ...)
 	NOT-FOR-US: Small Office Multifunction Printers and Laser Printers (Canon)
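Review bot: the bpfcc and bpftrace entries carry no Debian bug reference, unlike the libvirt entry in the previous hunk ("bug #1066058"); since both packages stay <unfixed> in unstable and are now tagged <no-dsa> for bookworm and bullseye, consider filing bugs so the upstream fix commits recorded in the NOTE lines are tracked by the maintainers rather than only here. The two CVEs describe the same behaviour (loading kernel headers), so the bugs can reference each other.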
@@ -1478,7 +1484,9 @@ CVE-2024-24785 (If errors returned from MarshalJSON methods contain user control
 	- golang-1.22 1.22.1-1
 	- golang-1.21 1.21.8-1
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/golang/go/issues/65697
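Review bot: the new "[bullseye] - golang-1.15 <no-dsa> (Minor issue)" line sits directly above the existing buster entry that says "follow bullseye DSAs/point-releases"; with no bullseye DSA planned, the bullseye justification should state whether a point-release update is intended, otherwise the buster guidance has nothing to follow. The same pattern is repeated in the four golang hunks that follow.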
@@ -1488,7 +1496,9 @@ CVE-2024-24784 (The ParseAddressList function incorrectly handles comments (text
 	- golang-1.22 1.22.1-1
 	- golang-1.21 1.21.8-1
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/golang/go/issues/65083
@@ -1498,7 +1508,9 @@ CVE-2024-24783 (Verifying a certificate chain which contains a certificate with
 	- golang-1.22 1.22.1-1
 	- golang-1.21 1.21.8-1
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/golang/go/issues/65390
@@ -1516,7 +1528,9 @@ CVE-2023-45290 (When parsing a multipart form (either explicitly with Request.Pa
 	- golang-1.22 1.22.1-1
 	- golang-1.21 1.21.8-1
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/golang/go/issues/65383
@@ -1526,7 +1540,9 @@ CVE-2023-45289 (When following an HTTP redirect to a domain which is not a subdo
 	- golang-1.22 1.22.1-1
 	- golang-1.21 1.21.8-1
 	- golang-1.19 <removed>
+	[bookworm] - golang-1.19 <no-dsa> (Minor issue)
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://github.com/golang/go/issues/65065
@@ -7405,6 +7421,7 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4
 	[bullseye] - knot-resolver <ignored> (Too intrusive to backport, if DNSSEC is used Bookworm can be used)
 	[buster] - knot-resolver <ignored> (Too intrusive to backport)
 	- pdns-recursor 4.9.3-1 (bug #1063852)
+	[bullseye] - pdns-recursor <ignored> (Too intrusive to backport, if DNSSEC is used Bookworm can be used)
 	- unbound 1.19.1-1 (bug #1063845)
 	- systemd 255.4-1
 	[bookworm] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
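Review bot: the added bullseye line for pdns-recursor directs users to Bookworm if DNSSEC is used, but within this hunk's context there is no [bookworm] line for pdns-recursor (only the unstable fix 4.9.3-1, bug #1063852); confirm that bookworm is either covered by a DSA or explicitly tagged, since the justification relies on it. The identical line is added for CVE-2023-50868 below and the same check applies there.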
@@ -7445,6 +7462,7 @@ CVE-2023-50868 (The Closest Encloser Proof aspect of the DNS protocol (in RFC 51
 	[bullseye] - knot-resolver <ignored> (Too intrusive to backport, if DNSSEC is used Bookworm can be used)
 	[buster] - knot-resolver <ignored> (Too intrusive to backport, if DNSSEC is used Bookworm can be used)
 	- pdns-recursor 4.9.3-1 (bug #1063852)
+	[bullseye] - pdns-recursor <ignored> (Too intrusive to backport, if DNSSEC is used Bookworm can be used)
 	- unbound 1.19.1-1 (bug #1063845)
 	- systemd 255.4-1
 	[bookworm] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
@@ -8985,6 +9003,8 @@ CVE-2024-24768 (1Panel is an open source Linux server operation and maintenance
 	NOT-FOR-US: 1Panel
 CVE-2024-24762 (`python-multipart` is a streaming multipart parser for Python. When us ...)
 	- python-multipart 0.0.9-1 (bug #1063538)
+	[bookworm] - python-multipart <no-dsa> (Minor issue)
+	[bullseye] - python-multipart <no-dsa> (Minor issue)
 	NOTE: Original report at fastapi: https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389
 	NOTE: But the fix is within python-multipart:
 	NOTE: https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4 (0.0.7)
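Review bot: the "(Minor issue)" justification could record the upstream fix version the NOTE lines already identify (0.0.7) and whether it is intended for a point release, so the reader does not have to follow the fastapi advisory link to learn what the bookworm/bullseye fix would be.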


=====================================
data/dsa-needed.txt
=====================================
@@ -22,8 +22,12 @@ dav1d
 --
 dnsdist (jmm)
 --
+dnsmasq
+--
 expat (carnil)
 --
+fontforge
+--
 frr
 --
 gpac/oldstable
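Review bot: dnsmasq and fontforge are added without a suite suffix or an owner; other entries in this file scope the suite ("gpac/oldstable") and record who is working on it ("dnsdist (jmm)", "expat (carnil)"), so if only one of bookworm/bullseye needs the DSA, add the suffix, and claim the entry once someone picks it up.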
@@ -85,6 +89,8 @@ ruby3.1/stable
 --
 ruby-nokogiri/oldstable
 --
+ruby-rack
+--
 ruby-rails-html-sanitizer
 --
 ruby-sinatra/oldstable
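Review bot: ruby-rack is queued between "ruby-nokogiri/oldstable" and "ruby-sinatra/oldstable", both scoped to a single suite; if ruby-rack needs a DSA for both stable and oldstable the bare name is right, otherwise add the suffix so the queue shows which suite is pending.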



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a8f25ba580442788930760d6b1673e6712772b7
