[Git][security-tracker-team/security-tracker][master] Tinymce is not affected in buster, removing from dla-needed.

Ola Lundqvist (@opal) opal at debian.org
Thu Mar 14 22:24:27 GMT 2024



Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
21503da9 by Ola Lundqvist at 2024-03-14T23:21:32+01:00
Tinymce is not affected in buster, removing from dla-needed.

  Checked the version difference for each CVE where the issue is claimed to be implemented.
  It was not trivial to find the fix but I think I did that in all the cases. What is clear
  is that none of the surrounding code existed in the buster version. This is why I concluded
  that the vulnerable code is not present in buster. This does not mean that the buster version
  is free of this issue but the vulnerable code is not present.

  If the vulnerability is possible to trigger, the code would be very hard to back-port
  since the code in buster is completely different from the version fixed. In that case
  the CVE would have been marked as ignored instead of not-affected.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -15870,14 +15870,17 @@ CVE-2024-0222 (Use after free in ANGLE in Google Chrome prior to 120.0.6099.199
 	[buster] - chromium <end-of-life> (see DSA 5046)
 CVE-2024-21911 (TinyMCE versions before 5.6.0 are affected by a stored cross-site scri ...)
 	- tinymce <removed>
+	[buster] - tinymce <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-w7jx-j77m-wp65
 CVE-2024-21910 (TinyMCE versions before 5.10.0 are affected by a cross-site scripting  ...)
 	- tinymce <removed>
+	[buster] - tinymce <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39
 CVE-2024-21909 (PeterO.Cbor versions 4.0.0 through 4.5.0 are vulnerable to a denial of ...)
 	NOT-FOR-US: PeterO.Cbor
 CVE-2024-21908 (TinyMCE versions before 5.9.0 are affected by a stored cross-site scri ...)
 	- tinymce <removed>
+	[buster] - tinymce <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg
 CVE-2024-21907 (Newtonsoft.Json before version 13.0.1 is affected by a mishandling of  ...)
 	NOT-FOR-US: Newtonsoft.Json
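Review bot: the three added `[buster] - tinymce <not-affected> (Vulnerable code not present)` lines record the conclusion but not the evidence; the commit message says locating each upstream fix was not trivial, so a `NOTE:` line per CVE pointing at the fix commit that was compared against buster would let the next triager verify the claim without repeating the search. Worth adding before this lands, since "not-affected" is the status that removes the package from further LTS tracking.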
@@ -24498,6 +24501,7 @@ CVE-2023-4602 (The Namaste! LMS plugin for WordPress is vulnerable to Reflected
 	NOT-FOR-US: WordPress plugin
 CVE-2023-48219 (TinyMCE is an open source rich text editor. A mutation cross-site scri ...)
 	- tinymce <removed>
+	[buster] - tinymce <not-affected> (Vulnerable code not present)
 CVE-2023-48089 (xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via / ...)
 	NOT-FOR-US: XXL-Job
 CVE-2023-48088 (xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /x ...)
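Review bot: CVE-2023-48219 receives the same not-affected marking as the three entries in the previous hunk but, unlike them, carries no `NOTE:` line at all, neither an advisory link nor a fix reference. This is also the CVE whose severity the removed dla-needed note said still needed assessment, so a `NOTE:` line recording which upstream change was checked (placeholder: the fix commit hash) is most needed here.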


=====================================
data/dla-needed.txt
=====================================
@@ -297,13 +297,6 @@ tiff
   NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye and
   NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto)
 --
-tinymce (Ola)
-  NOTE: 20231123: Added by Front-Desk (ola)
-  NOTE: 20231216: Someone with more XSS experience needed to assess the
-  NOTE: 20231216: severity of CVE-2023-48219.  Also not clear to me that
-  NOTE: 20231216: upstream's patch is backportable, as the code has changed a
-  NOTE: 20231216: lot.  (spwhitton)
---
 tomcat9
   NOTE: 20240121: Added by Front-Desk (apo)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21503da906963c312a371bf78d64f3c95b8ec67a
