[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue May 7 14:13:01 BST 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
da0f822e by Moritz Muehlenhoff at 2024-05-07T15:12:29+02:00
bookworm/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2564,8 +2564,12 @@ CVE-2022-48670 (In the Linux kernel, the following vulnerability has been resolv
 	NOTE: https://git.kernel.org/linus/1c11289b34ab67ed080bbe0f1855c4938362d9cf (6.0-rc4)
 CVE-2024-4418 [stack use-after-free in virNetClientIOEventLoop()]
 	- libvirt 10.3.0-1 (bug #1070330)
+	[bookworm] - libvirt <not-affected> (Vulnerable code not present)
+	[bullseye] - libvirt <not-affected> (Vulnerable code not present)
+	[buster] - libvirt <not-affected> (Vulnerable code not present)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2278616
 	NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/8074d64dc2eca846d6a61efe1a9b7428a0ce1dd1
+	NOTE: Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/7cb03e6a28e465c49f0cabe8fe2e7d21edb5aadf (v10.0.0-rc2)
 CVE-2024-4140 (An excessive memory use issue (CWE-770) exists in Email-MIME, before v ...)
 	- libemail-mime-perl 1.954-1 (bug #960062)
 	[bookworm] - libemail-mime-perl <no-dsa> (Minor issue)
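Review bot: The three new `<not-affected>` lines for bookworm, bullseye and buster are justified only by the `Introduced by:` NOTE added at the end of the same hunk (libvirt commit 7cb03e6a, v10.0.0-rc2); consider putting that fact into the status reason itself, e.g. `(Vulnerable code not present, introduced in v10.0.0-rc2)`, so the reason stays self-explanatory if the NOTE lines are later reordered or trimmed.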
@@ -2755,6 +2759,8 @@ CVE-2023-49606 (A use-after-free vulnerability exists in the HTTP Connection Hea
 	NOTE: https://github.com/tinyproxy/tinyproxy/commit/12a8484265f7b00591293da492bb3c9987001956
 CVE-2023-47212 (A heap-based buffer overflow vulnerability exists in the comment funct ...)
 	- libstb <unfixed> (bug #1070394)
+	[bookworm] - libstb <no-dsa> (Minor issue)
+	[bullseye] - libstb <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1846
 CVE-2023-47166 (A firmware update vulnerability exists in the luci2-io file-import fun ...)
 	NOT-FOR-US: Milesight UR32L
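Review bot: The two `<no-dsa> (Minor issue)` lines for libstb sit under a sid line that is still `<unfixed>` (bug #1070394), and the only NOTE is the Talos report; no upstream fix reference is recorded. If a fixing commit is known, add a `Fixed by:` NOTE as the libvirt and python-idna entries in this patch do, otherwise the no-dsa decision cannot later be checked against a concrete patch.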
@@ -8251,6 +8257,8 @@ CVE-2024-3508 (A flaw was found in Bombastic, which allows authenticated users t
 	NOT-FOR-US: Bombastic's use of bzip2
 CVE-2024-3651 [potential DoS via resource consumption via specially crafted inputs to idna.encode()]
 	- python-idna <unfixed> (bug #1069127)
+	[bookworm] - python-idna <no-dsa> (Minor issue)
+	[bullseye] - python-idna <no-dsa> (Minor issue)
 	NOTE: https://github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274779
 	NOTE: Fixed by: https://github.com/kjd/idna/commit/5beb28b9dd77912c0dd656d8b0fdba3eb80222e7 (v3.7)
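Review bot: The python-idna `<no-dsa>` lines are placed right above a `Fixed by:` NOTE that names a single upstream commit (v3.7) while sid remains `<unfixed>` (bug #1069127); if the intent is to pick that commit up in a future stable point release rather than never fix it, say so in the reason (e.g. `(Minor issue, can be fixed in a point release)`) so the entry is not read as a final decision.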
@@ -13421,6 +13429,8 @@ CVE-2024-29020 (JumpServer is an open source bastion host and an operation and m
 	NOT-FOR-US: JumpServer
 CVE-2024-28960 (An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28. ...)
 	- mbedtls 2.28.8-1
+	[bookworm] - mbedtls <no-dsa> (Minor issue)
+	[bullseye] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-03/
 	NOTE: https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2024-03.md
 CVE-2024-28867 (Swift Prometheus is a Swift client for the Prometheus monitoring syste ...)
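Review bot: The mbedtls sid line `- mbedtls 2.28.8-1` carries no `(bug #...)` reference, unlike every other entry touched in this patch, and the two NOTE lines point only to the advisory, not to a fixing commit; add the Debian bug number if one was filed, or a `Fixed by:` NOTE with the upstream commit, so the `<no-dsa>` markings for bookworm and bullseye can be verified against the actual change.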
@@ -18253,6 +18263,8 @@ CVE-2024-27440 (The Toyoko Inn official App for iOS versions prior to 1.13.0 and
 	NOT-FOR-US: Toyoko Inn official App
 CVE-2024-27305 (aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on  ...)
 	- python-aiosmtpd <unfixed> (bug #1066820)
+	[bookworm] - python-aiosmtpd <no-dsa> (Minor issue)
+	[bullseye] - python-aiosmtpd <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
 	NOTE: https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb (1.4.5)
 CVE-2024-26529 (An issue in mz-automation libiec61850 v.1.5.3 and before, allows a rem ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da0f822e01eca304c4a0ffa209fdecab22270683
