[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-49090 and CVE-2024-29034

Salvatore Bonaccorso (@carnil) carnil at debian.org
Mon Mar 25 14:44:48 GMT 2024



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
22058869 by Salvatore Bonaccorso at 2024-03-25T15:44:08+01:00
Update information for CVE-2023-49090 and CVE-2024-29034

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -13,7 +13,11 @@ CVE-2024-29187 (WiX toolset lets developers create installers for Windows Instal
 CVE-2024-29071 (HGW BL1500HM Ver 002.001.013 and earlier contains a use of week creden ...)
 	NOT-FOR-US: HGW BL1500HM
 CVE-2024-29034 (CarrierWave is a solution for file uploads for Rails, Sinatra and othe ...)
-	TODO: check
+	- ruby-carrierwave <not-affected> (Incomplete fix for CVE-2023-49090 not applied)
+	NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-vfmv-jfc5-pjjw
+	NOTE: Fixed by: https://github.com/carrierwaveuploader/carrierwave/commit/25b1c800d45ef8e78dc445ebe3bd8a6e3f0a3477
+	NOTE: Fixed by: https://github.com/carrierwaveuploader/carrierwave/commit/431787193795dda9b01a0ee748bd93e2ec7101c2 (v2.2.6)
+	NOTE: CVE is for incomplete fix of CVE-2023-49090
 CVE-2024-29009 (Cross-site request forgery (CSRF) vulnerability in easy-popup-show all ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-28041 (HGW BL1500HM Ver 002.001.013 and earlier allows a network-adjacent una ...)
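Review bot: the <not-affected> status given to ruby-carrierwave for CVE-2024-29034 holds only as long as the package carries no fix at all for CVE-2023-49090 (the justification "Incomplete fix for CVE-2023-49090 not applied" says as much), so this entry has to be revisited the moment CVE-2023-49090 is fixed in the package; whoever uploads that fix must include both 25b1c800d45ef8e78dc445ebe3bd8a6e3f0a3477 and 431787193795dda9b01a0ee748bd93e2ec7101c2 (or the equivalent commits for the branch being patched), otherwise the not-affected marker becomes wrong without anyone touching this line. A second, smaller point on the same hunk: the first "Fixed by:" line has no release annotation while the second one says (v2.2.6); since the CVE-2023-49090 entry records fixes on both the 2.2.x and 3.0.x branches, note which branch and release commit 25b1c800 belongs to, so it is clear whether the 3.x line also needs a follow-up fix.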
@@ -25030,7 +25034,12 @@ CVE-2023-6070 (A server-side request forgery vulnerability in ESM prior to versi
 CVE-2023-49091 (Cosmos provides users the ability self-host a home server by acting as ...)
 	NOT-FOR-US: Cosmos
 CVE-2023-49090 (CarrierWave is a solution for file uploads for Rails, Sinatra and othe ...)
-	NOT-FOR-US: CarrierWave
+	- ruby-carrierwave <unfixed>
+	NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj
+	NOTE: Fixed by: https://github.com/carrierwaveuploader/carrierwave/commit/39b282db5c1303899b3d3381ce8a837840f983b5 (v2.2.5)
+	NOTE: Fixed by: https://github.com/carrierwaveuploader/carrierwave/commit/863d425c76eba12c3294227b39018f6b2dccbbf3 (v3.0.5)
+	NOTE: Fixing this issue incompletely opens up CVE-2024-29034 and so apply complete set
+	NOTE: of fixes.
 CVE-2023-49083 (cryptography is a package designed to expose cryptographic primitives  ...)
 	- python-cryptography <unfixed> (bug #1057108)
 	[bookworm] - python-cryptography <no-dsa> (Minor issue)
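Review bot: the new "- ruby-carrierwave <unfixed>" line carries neither a Debian bug reference (compare the neighbouring "python-cryptography <unfixed> (bug #1057108)") nor a per-suite annotation such as the "[bookworm] - ... <no-dsa> (Minor issue)" line used for python-cryptography, so the entry sits as an untriaged unfixed with no tracking bug and no statement of whether a stable update is planned; add the bug number once filed and a suite tag with the severity rationale. Also, the two NOTE lines "Fixing this issue incompletely opens up CVE-2024-29034 and so apply complete set of fixes" would be more useful if they named the follow-up commits themselves (the two listed under the CVE-2024-29034 entry, 25b1c800 and 431787193) rather than requiring the fixer to cross-reference the other entry.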



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2205886941ed476f08838b0aadf36687a307c7bc


