[Git][security-tracker-team/security-tracker][master] bugnums

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sat May 4 17:15:26 BST 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
62d476ff by Moritz Muehlenhoff at 2024-05-04T18:15:00+02:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -237,11 +237,11 @@ CVE-2024-34408 (Tencent libpag through 4.3.51 has an integer overflow in DecodeS
 CVE-2024-34404 (A vulnerability was discovered in the Alta Recovery Vault feature of V ...)
 	NOT-FOR-US: Veritas NetBackup
 CVE-2024-34403 (An issue was discovered in uriparser through 0.9.7. ComposeQueryMalloc ...)
-	- uriparser <unfixed>
+	- uriparser <unfixed> (bug #1070376)
 	NOTE: https://github.com/uriparser/uriparser/issues/183
 	NOTE: https://github.com/uriparser/uriparser/pull/186
 CVE-2024-34402 (An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine ...)
-	- uriparser <unfixed>
+	- uriparser <unfixed> (bug #1070376)
 	NOTE: https://github.com/uriparser/uriparser/pull/185
 	NOTE: https://github.com/uriparser/uriparser/issues/183
 CVE-2024-34401 (Savsoft Quiz 6.0 allows stored XSS via the index.php/quiz/insert_quiz/ ...)
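Review bot: CVE-2024-34403 and CVE-2024-34402 now share bug #1070376, which is reasonable since both point at uriparser issue 183, but neither entry marks pull/186 or pull/185 as the fix, and neither has [bookworm]/[bullseye] annotations, so both stable suites are implicitly treated as affected and unfixed. Once the PRs are merged, turn the plain NOTE lines into "NOTE: Fixed by: <commit> (version)" in the same style as the tqdm entry on this page, and add an explicit stable decision (no-dsa or otherwise) for each suite.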
@@ -269,7 +269,7 @@ CVE-2024-34066 (Pterodactyl wings is the server control plane for Pterodactyl Pa
 CVE-2024-34063 (vodozemac is an implementation of Olm and Megolm in pure Rust. Version ...)
 	TODO: check
 CVE-2024-34062 (tqdm is an open source progress bar for Python and CLI. Any optional n ...)
-	- tqdm <unfixed>
+	- tqdm <unfixed> (bug #1070372)
 	NOTE: https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p
 	NOTE: Fixed by: https://github.com/tqdm/tqdm/commit/b53348c73080b4edeb30b4823d1fa0d8d2c06721 (v4.66.3)
 CVE-2024-34061 (changedetection.io is a free open source web page change detection, we ...)
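Review bot: the tqdm entry already records the upstream fix commit b53348c73080b4edeb30b4823d1fa0d8d2c06721 (v4.66.3), so bug #1070372 should cite that commit and version so the maintainer can cherry-pick it directly, and "tqdm <unfixed>" needs replacing with the fixed Debian version as soon as 4.66.3 or a patched upload lands. There are still no [bookworm]/[bullseye] lines, so the stable triage for this one is pending.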
@@ -3101,7 +3101,7 @@ CVE-2024-3411 (Implementations of IPMI Authenticated sessions does not provide e
 CVE-2024-3072 (The ACF Front End Editor plugin for WordPress is vulnerable to unautho ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-34088 (In FRRouting (FRR) through 9.1, it is possible for the get_edge() func ...)
-	- frr <unfixed>
+	- frr <unfixed> (bug #1070377)
 	[bullseye] - frr <not-affected> (Vulnerable code introduced later)
 	[buster] - frr <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/FRRouting/frr/pull/15674
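Review bot: bullseye and buster are marked not-affected because the vulnerable get_edge() code was introduced later, but bookworm carries no annotation, so it is implicitly treated as affected with the default "frr <unfixed>" status; add a [bookworm] line (no-dsa, postponed, or pending a DSA) so the stable status is an explicit decision rather than inherited. Referencing PR 15674 in #1070377 gives the maintainer the upstream fix to backport.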
@@ -3243,7 +3243,7 @@ CVE-2024-33401 (Cross Site Scripting vulnerability in DedeCMS v.5.7.113 allows a
 CVE-2024-33350 (Directory Traversal vulnerability in TaoCMS v.3.0.2 allows a remote at ...)
 	NOT-FOR-US: TaoCMS
 CVE-2024-31837 (DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-string ...)
-	- dmitry <unfixed>
+	- dmitry <unfixed> (bug #1070370)
 	[bookworm] - dmitry <no-dsa> (Minor issue)
 	[bullseye] - dmitry <no-dsa> (Minor issue)
 	[buster] - dmitry <postponed> (Minor issue, crash in CLI tool, requires malicious parameter)
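Review bot: bug #1070370 is reused for CVE-2024-31837 here and for CVE-2020-14931 and CVE-2017-7938 further down, which is a reasonable grouping for one small package, but a single bug spanning three CVEs from 2017 to 2024 only stays useful if its title and body list every CVE id, otherwise the tracker's BTS cross-link presents them as one issue and closing it for one fix silently closes the others. The suite annotations (no-dsa for bookworm and bullseye, postponed for buster, crash in a CLI tool requiring a malicious parameter) are consistent with a low-severity tracking bug.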
@@ -3889,7 +3889,7 @@ CVE-2024-33343 (D-Link DIR-822+ V1.0.5 was found to contain a command injection
 CVE-2024-33342 (D-Link DIR-822+ V1.0.5 was found to contain a command injection in Set ...)
 	NOT-FOR-US: D-Link
 CVE-2024-33263 (QuickJS commit 3b45d15 was discovered to contain an Assertion Failure  ...)
-	- quickjs <unfixed>
+	- quickjs <unfixed> (bug #1070373)
 	NOTE: https://github.com/bellard/quickjs/issues/277
 CVE-2024-33260 (Jerryscript commit cefd391 was discovered to contain a segmentation vi ...)
 	- iotjs <removed>
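Review bot: the only reference for CVE-2024-33263 is upstream issue 277 and no fix commit is noted, so #1070373 is a tracking bug without a patch for the maintainer; when upstream resolves the issue, add a "NOTE: Fixed by:" line. The entry also lacks [bookworm]/[bullseye] annotations, so decide explicitly whether an assertion failure in the interpreter merits no-dsa (Minor issue) in the stable suites rather than leaving them at the implicit unfixed state.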
@@ -4033,11 +4033,11 @@ CVE-2024-33666 (An issue was discovered in Zammad before 6.3.0. Users with custo
 CVE-2024-33665 (angular-translate through 2.19.1 allows XSS via a crafted key that is  ...)
 	NOT-FOR-US: angular-translate
 CVE-2024-33664 (python-jose through 3.3.0 allows attackers to cause a denial of servic ...)
-	- python-jose <unfixed>
+	- python-jose <unfixed> (bug #1070375)
 	NOTE: https://github.com/mpdavis/python-jose/issues/344
 	NOTE: https://github.com/mpdavis/python-jose/pull/345
 CVE-2024-33663 (python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA k ...)
-	- python-jose <unfixed>
+	- python-jose <unfixed> (bug #1070375)
 	NOTE: https://github.com/mpdavis/python-jose/issues/346
 CVE-2024-33661 (Portainer before 2.20.0 allows redirects when the target is not index. ...)
 	NOT-FOR-US: Portainer
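Review bot: CVE-2024-33664 (denial of service) and CVE-2024-33663 (algorithm confusion with OpenSSH ECDSA keys) differ in impact, so sharing bug #1070375 is fine for the maintainer, but the two tracker entries should not automatically get the same suite annotations: the algorithm-confusion issue is the one to weigh for a stable update, and neither entry has [bookworm]/[bullseye] lines yet. The NOTE lines show that issue/344 and pull/345 cover only the DoS while issue/346 lists no fix, so the bug should state that two separate upstream fixes are needed.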
@@ -4403,7 +4403,7 @@ CVE-2024-32948 (Missing Authorization vulnerability in Repute Infosystems ARMemb
 CVE-2024-32947 (Cross-Site Request Forgery (CSRF) vulnerability in AlumniOnline Web Se ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-32879 (Python Social Auth is a social authentication/registration mechanism.  ...)
-	- social-auth-app-django <unfixed>
+	- social-auth-app-django <unfixed> (bug #1070374)
 	[bookworm] - social-auth-app-django <no-dsa> (Minor issue)
 	[bullseye] - social-auth-app-django <no-dsa> (Minor issue)
 	[buster] - social-auth-app-django <postponed> (Minor issue)
@@ -4958,7 +4958,7 @@ CVE-2024-31992 (Mealie is a self hosted recipe manager and meal planner. Prior t
 CVE-2024-31991 (Mealie is a self hosted recipe manager and meal planner. Prior to 1.4. ...)
 	NOT-FOR-US: Mealie
 CVE-2024-31584 (Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the  ...)
-	- pytorch <unfixed>
+	- pytorch <unfixed> (bug #1070379)
 	[bookworm] - pytorch <no-dsa> (Minor issue)
 	[bullseye] - pytorch <no-dsa> (Minor issue)
 	NOTE: https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6
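Review bot: bug #1070379 is shared by CVE-2024-31584, CVE-2024-31583 and CVE-2024-31580 (the three pytorch entries on this page), which is sensible because each has an upstream fix commit; the bug should list all three commits (7c35874ad664e74c8e4252d67521f3986eadb0e6, 9c7071b0e324f9fb68ab881283d6b8d388a4bcd2, b5c3a17c2c207ebefcb85043f0cf94be9b2fef81) so they can be backported together. bookworm and bullseye are no-dsa (Minor issue); no [buster] line is present, which is correct only if pytorch is not in buster.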
@@ -5015,7 +5015,7 @@ CVE-2024-32644 (Evmos is a scalable, high-throughput Proof-of-Stake EVM blockcha
 CVE-2024-32478 (Git Credential Manager (GCM) is a secure Git credential helper. Prior  ...)
 	- git-credential-manager <itp> (bug #1002300)
 CVE-2024-32473 (Moby is an open source container framework that is a key component of  ...)
-	- docker.io <unfixed>
+	- docker.io <unfixed> (bug #1070378)
 	NOTE: https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9
 	NOTE: https://github.com/moby/moby/commit/841c4c8057bcf5317d6565875595a3f0c046e3fa
 	TODO: check, said to be specific to the 26.0.0 and 26.0.1 versions but needs double-checking
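Review bot: the TODO right after the NOTE lines says the issue is "said to be specific to the 26.0.0 and 26.0.1 versions but needs double-checking", yet the entry is now filed as bug #1070378 with "docker.io <unfixed>" for all suites; resolve that TODO first by comparing the affected range in GHSA-x84c-p2g9-rqv9 and the fix commit 841c4c8057bcf5317d6565875595a3f0c046e3fa against the docker.io versions in the archive, because if the archive never shipped 26.0.0 or 26.0.1 the correct entry is <not-affected> and #1070378 should be closed rather than left open against the maintainer.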
@@ -5577,25 +5577,25 @@ CVE-2024-1426 (The Element Pack Elementor Addons (Header Footer, Free Template L
 CVE-2023-4509 (It is possible for an API key to be logged in clear text in the audit  ...)
 	NOT-FOR-US: Octopus Deploy
 CVE-2023-4235 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack  ...)
-	- ofono <unfixed>
+	- ofono <unfixed> (bug #1070371)
 	[bookworm] - ofono <no-dsa> (Minor issue)
 	[bullseye] - ofono <no-dsa> (Minor issue)
 	[buster] - ofono <postponed> (Minor issue, follow bullseye)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255402
 CVE-2023-4234 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack  ...)
-	- ofono <unfixed>
+	- ofono <unfixed> (bug #1070371)
 	[bookworm] - ofono <no-dsa> (Minor issue)
 	[bullseye] - ofono <no-dsa> (Minor issue)
 	[buster] - ofono <postponed> (Minor issue, follow bullseye)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255399
 CVE-2023-4233 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack  ...)
-	- ofono <unfixed>
+	- ofono <unfixed> (bug #1070371)
 	[bookworm] - ofono <no-dsa> (Minor issue)
 	[bullseye] - ofono <no-dsa> (Minor issue)
 	[buster] - ofono <postponed> (Minor issue, follow bullseye)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255396
 CVE-2023-4232 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack  ...)
-	- ofono <unfixed>
+	- ofono <unfixed> (bug #1070371)
 	[bookworm] - ofono <no-dsa> (Minor issue)
 	[bullseye] - ofono <no-dsa> (Minor issue)
 	[buster] - ofono <postponed> (Minor issue, follow bullseye)
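Review bot: the four stack-based ofono issues CVE-2023-4232 to CVE-2023-4235 share bug #1070371 and identical suite annotations, which is consistent, but each entry references only a Red Hat bugzilla and no upstream commit; the bug will be more actionable if it points at the upstream fixes, or states that none is public yet, so the maintainer knows whether there is a patch to backport. Since buster is marked "follow bullseye", the bullseye no-dsa decision effectively settles buster as well, so only one stable decision needs revisiting if severity is reassessed.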
@@ -5762,7 +5762,7 @@ CVE-2024-31585 (FFmpeg version n5.1 to n6.1 was discovered to contain an Off-by-
 	NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06 (n7.0)
 	NOTE: Introduced by https://github.com/FFmpeg/FFmpeg/commit/81df787b53eb5c6433731f6eaaf7f2a94d8a8c80 (n5.1)
 CVE-2024-31583 (Pytorch before version v2.2.0 was discovered to contain a use-after-fr ...)
-	- pytorch <unfixed>
+	- pytorch <unfixed> (bug #1070379)
 	[bookworm] - pytorch <no-dsa> (Minor issue)
 	[bullseye] - pytorch <no-dsa> (Minor issue)
 	NOTE: https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2
@@ -5781,7 +5781,7 @@ CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper valida
 	[buster] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
 	NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196 (n7.0)
 CVE-2024-31580 (PyTorch before v2.2.0 was discovered to contain a heap buffer overflow ...)
-	- pytorch <unfixed>
+	- pytorch <unfixed> (bug #1070379)
 	[bookworm] - pytorch <no-dsa> (Minor issue)
 	[bullseye] - pytorch <no-dsa> (Minor issue)
 	NOTE: https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81
@@ -10173,15 +10173,15 @@ CVE-2024-3347 (A vulnerability was found in SourceCodester Airline Ticket Reserv
 CVE-2024-3346 (A vulnerability was found in Byzoro Smart S80 up to 20240328. It has b ...)
 	NOT-FOR-US: Byzro Smart S80
 CVE-2024-31852 (LLVM before 18.1.3 generates code in which the LR register can be over ...)
-	- llvm-toolchain-14 <unfixed>
+	- llvm-toolchain-14 <unfixed> (bug #1070384)
 	[bookworm] - llvm-toolchain-14 <no-dsa> (Minor issue)
-	- llvm-toolchain-15 <unfixed>
+	- llvm-toolchain-15 <unfixed> (bug #1070383)
 	[bookworm] - llvm-toolchain-15 <no-dsa> (Minor issue)
-	- llvm-toolchain-16 <unfixed>
+	- llvm-toolchain-16 <unfixed> (bug #1070382)
 	[bookworm] - llvm-toolchain-16 <no-dsa> (Minor issue)
 	[bullseye] - llvm-toolchain-16 <no-dsa> (Minor issue)
-	- llvm-toolchain-17 <unfixed>
-	- llvm-toolchain-18 <unfixed>
+	- llvm-toolchain-17 <unfixed> (bug #1070381)
+	- llvm-toolchain-18 <unfixed> (bug #1070380)
 	NOTE: https://github.com/llvm/llvm-project/issues/80287
 	NOTE: https://bugs.chromium.org/p/llvm/issues/detail?id=69
 	NOTE: https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2
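Review bot: one bug per source package (#1070380 through #1070384 for llvm-toolchain-18 down to llvm-toolchain-14) is the right split since each is a separate source, but the CVE description says the LR overwrite is fixed in LLVM 18.1.3, so check whether llvm-toolchain-18 in the archive is already at 18.1.3 or later; if it is, the entry should record that fixed version instead of "<unfixed>" and #1070380 can be closed at filing. llvm-toolchain-17 and llvm-toolchain-18 carry no suite annotations while 14, 15 and 16 do, which is correct only if 17 and 18 are absent from bookworm and bullseye.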
@@ -292148,7 +292148,7 @@ CVE-2020-14932 (compose.php in SquirrelMail 1.4.22 calls unserialize for the $ma
 	- squirrelmail <removed>
 	NOTE: https://www.openwall.com/lists/oss-security/2020/06/20/1
 CVE-2020-14931 (A stack-based buffer overflow in DMitry (Deepmagic Information Gatheri ...)
-	- dmitry <unfixed>
+	- dmitry <unfixed> (bug #1070370)
 	[bookworm] - dmitry <no-dsa> (Minor issue)
 	[bullseye] - dmitry <no-dsa> (Minor issue)
 	[buster] - dmitry <postponed> (Minor issue, requires hostile whois server)
@@ -472289,7 +472289,7 @@ CVE-2017-7940 (The iw_read_gif_file function in imagew-gif.c in libimageworsener
 CVE-2017-7939 (The read_next_pam_token function in imagew-pnm.c in libimageworsener.a ...)
 	NOT-FOR-US: ImageWorsener
 CVE-2017-7938 (Stack-based buffer overflow in DMitry (Deepmagic Information Gathering ...)
-	- dmitry <unfixed>
+	- dmitry <unfixed> (bug #1070370)
 	[bookworm] - dmitry <no-dsa> (Minor issue)
 	[bullseye] - dmitry <no-dsa> (Minor issue)
 	[buster] - dmitry <postponed> (Minor issue, crash in CLI tool, requires malicious parameter)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62d476ff298fb21c4d9abbcb698af3f587a286a5
