[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed May 22 16:03:46 BST 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a5e371d0 by Moritz Muehlenhoff at 2024-05-22T16:57:21+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2335,6 +2335,8 @@ CVE-2024-3155 (The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post
 	NOT-FOR-US: WordPress plugin
 CVE-2024-35195 (Requests is a HTTP library. Prior to 2.32.0, when making requests thro ...)
 	- requests <unfixed> (bug #1071593)
+	[bookworm] - requests <no-dsa> (Minor issue)
+	[bullseye] - requests <no-dsa> (Minor issue)
 	NOTE: https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
 	NOTE: https://github.com/psf/requests/pull/6655
 	NOTE: https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356 (v2.32.0)
@@ -4493,6 +4495,8 @@ CVE-2023-47282 (Out-of-bounds write in Intel(R) Media SDK all versions and some
 	NOT-FOR-US: Intel
 CVE-2023-47210 (Improper input validation for some Intel(R) PROSet/Wireless WiFi softw ...)
 	- firmware-nonfree <unfixed>
+	[bookworm] - firmware-nonfree <no-dsa> (Minor issue)
+	[bullseye] - firmware-nonfree <no-dsa> (Minor issue)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html
 	TODO: check, likely fixed in 20240513 tag update
 CVE-2023-47169 (Improper buffer restrictions in Intel(R) Media SDK software all versio ...)
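Review bot: the `TODO: check, likely fixed in 20240513 tag update` line for CVE-2023-47210 is still open after the new `<no-dsa>` tags; if the 20240513 firmware tag does resolve it, the `firmware-nonfree <unfixed>` line should become the fixed Debian version and the TODO dropped, otherwise a NOTE giving the reason it is a minor issue for bookworm/bullseye would stop the stable tags resting on an unverified assumption.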
@@ -4577,6 +4581,8 @@ CVE-2023-38420 (Improper conditions check in Intel(R) Power Gadget software for
 	NOT-FOR-US: Intel
 CVE-2023-38417 (Improper input validation for some Intel(R) PROSet/Wireless WiFi softw ...)
 	- firmware-nonfree <unfixed>
+	[bookworm] - firmware-nonfree <no-dsa> (Minor issue)
+	[bullseye] - firmware-nonfree <no-dsa> (Minor issue)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html
 	TODO: check, likely fixed in 20240513 tag update
 CVE-2023-38399 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
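Review bot: same open TODO as for CVE-2023-47210 above; CVE-2023-38417 points at the same intel-sa-01039 advisory, so both entries should be resolved together when the 20240513 tag is checked.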
@@ -4865,6 +4871,7 @@ CVE-2024-35183 (wolfictl is a command line tool for working with Wolfi. A git au
 CVE-2024-35176 (REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a den ...)
 	- ruby3.2 <unfixed>
 	- ruby3.1 <unfixed>
+	[bookworm] - ruby3.1 <no-dsa> (Minor issue)
 	- ruby2.7 <removed>
 	- ruby2.5 <removed>
 	NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
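Review bot: only bookworm's ruby3.1 gets a `<no-dsa>` tag here; the ruby2.7 line keeps `<removed>` with no `[bullseye]` annotation, so CVE-2024-35176 stays open for bullseye unless it is meant to be folded into the `ruby2.7/oldstable` entry in dsa-needed.txt. Either a `[bullseye] - ruby2.7 <no-dsa> (Minor issue)` line or a NOTE saying it is covered by the pending ruby2.7 update would make the intent explicit.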
@@ -5743,22 +5750,24 @@ CVE-2024-4764 (Multiple WebRTC threads could have claimed a newly connected audi
 	- firefox 126.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4764
 CVE-2024-4855 (Use after free issue in editcap could cause denial of service via craf ...)
-	- wireshark 4.2.5-1
-	[buster] - wireshark <postponed> (can be piggyback'd with the next update)
+	- wireshark 4.2.5-1 (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2024-09.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19782
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19783
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19784
 CVE-2024-4854 (MONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4. ...)
 	- wireshark 4.2.5-1
+	[bookworm] - wireshark <no-dsa> (Minor issue)
+	[bullseye] - wireshark <no-dsa> (Minor issue)
 	[buster] - wireshark <postponed> (can be piggyback'd with the next update)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2024-07.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19726
 	NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15047
 	NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15499
 CVE-2024-4853 (Memory handling issue in editcap could cause denial of service via cra ...)
-	- wireshark 4.2.5-1
-	[buster] - wireshark <postponed> (can be piggyback'd with the next update)
+	- wireshark 4.2.5-1 (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2024-08.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19724
 CVE-2024-4840 (An flaw was found in the OpenStack Platform (RHOSP) director, a toolse ...)
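Review bot: downgrading CVE-2024-4855 and CVE-2024-4853 to `(unimportant)` correctly drops the `[buster] <postponed>` lines, and the `NOTE: Crash in CLI tool, no security impact` records the rationale. Worth a second look for CVE-2024-4855: a use-after-free triggered by a crafted capture file is a denial of service per the description, so `unimportant` holds only as long as editcap is not treated as a consumer of untrusted input. CVE-2024-4854 (dissector infinite loops) rightly keeps its `[buster] <postponed>` line alongside the new no-dsa tags.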
@@ -6081,7 +6090,10 @@ CVE-2024-28866 (GoCD is a continuous delivery server. GoCD versions from 19.4.0
 	NOT-FOR-US: GoCD
 CVE-2024-28285 (A Fault Injection vulnerability in the SymmetricDecrypt function in cr ...)
 	- libcrypto++ <unfixed>
-	TODO: check details
+	[bookworm] - libcrypto++ <no-dsa> (Minor issue)
+	[bullseye] - libcrypto++ <no-dsa> (Minor issue)
+	NOTE: https://groups.google.com/g/cryptopp-users/c/UkVcH2IWR2M?pli=1
+	NOTE: https://github.com/weidai11/cryptopp/issues/1262
 CVE-2024-28279 (Code-projects Computer Book Store 1.0 is vulnerable to SQL Injection v ...)
 	NOT-FOR-US: Code-projects Computer Book Store
 CVE-2024-28277 (In Sourcecodester School Task Manager v1.0, a vulnerability was identi ...)
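Review bot: replacing `TODO: check details` with `<no-dsa>` tags leaves no NOTE stating why CVE-2024-28285 is a minor issue; a one-line NOTE (for instance that the description calls it a fault-injection issue in SymmetricDecrypt, which presupposes an attacker able to induce faults on the host) would preserve the outcome of the check for later readers. The `libcrypto++ <unfixed>` line also still lacks a bug reference, unlike most other entries in this commit.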
@@ -6175,6 +6187,8 @@ CVE-2024-29212 (Due to an  unsafe de-serialization method used by the Veeam Serv
 	NOT-FOR-US: Veeam
 CVE-2024-26306 (iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server wi ...)
 	- iperf3 <unfixed>
+	[bookworm] - iperf3 <no-dsa> (Minor issue)
+	[bullseye] - iperf3 <no-dsa> (Minor issue)
 CVE-2023-5052 (vulnerability in Uniform Server Zero, version 10.2.5, consisting of an ...)
 	NOT-FOR-US: Uniform Zero Server
 CVE-2024-4799 (A vulnerability, which was classified as critical, was found in Kaship ...)
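Review bot: CVE-2024-26306 gets `<no-dsa>` tags but has no NOTE linking the upstream fix (the description says iPerf3 before 3.17) and no bug number on the `iperf3 <unfixed>` line; adding the upstream reference would make the minor-issue assessment checkable, consistent with the other entries here.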
@@ -8315,11 +8329,15 @@ CVE-2024-34404 (A vulnerability was discovered in the Alta Recovery Vault featur
 	NOT-FOR-US: Veritas NetBackup
 CVE-2024-34403 (An issue was discovered in uriparser through 0.9.7. ComposeQueryMalloc ...)
 	- uriparser <unfixed> (bug #1070376)
+	[bookworm] - uriparser <no-dsa> (Minor issue)
+	[bullseye] - uriparser <no-dsa> (Minor issue)
 	[buster] - uriparser <postponed> (Minor issue)
 	NOTE: https://github.com/uriparser/uriparser/issues/183
 	NOTE: https://github.com/uriparser/uriparser/pull/186
 CVE-2024-34402 (An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine ...)
 	- uriparser <unfixed> (bug #1070376)
+	[bookworm] - uriparser <no-dsa> (Minor issue)
+	[bullseye] - uriparser <no-dsa> (Minor issue)
 	[buster] - uriparser <postponed> (Minor issue)
 	NOTE: https://github.com/uriparser/uriparser/pull/185
 	NOTE: https://github.com/uriparser/uriparser/issues/183
@@ -11400,9 +11418,13 @@ CVE-2024-29040
 	NOTE: https://github.com/tpm2-software/tpm2-tss/commit/710cd0b6adf3a063f34a8e92da46df7a107d9a99 (4.1.0)
 CVE-2024-29039
 	- tpm2-tools 5.7-1 (bug #1070139)
+	[bookworm] - tpm2-tools <no-dsa> (Minor issue)
+	[bullseye] - tpm2-tools <no-dsa> (Minor issue)
 	NOTE: https://github.com/tpm2-software/tpm2-tools/commit/98599df9392a346216c5a059b8d35271286100bb (5.7)
 CVE-2024-29038
 	- tpm2-tools 5.7-1 (bug #1070139)
+	[bookworm] - tpm2-tools <no-dsa> (Minor issue)
+	[bullseye] - tpm2-tools <no-dsa> (Minor issue)
 	NOTE: https://github.com/tpm2-software/tpm2-tools/commit/66d922d6547b7b4fe4f274fb2ec10b376e0e259c (5.7)
 CVE-2024-4327 (A vulnerability was found in Apryse WebViewer up to 10.8.0. It has bee ...)
 	NOT-FOR-US: Apryse WebViewer
@@ -13840,6 +13862,8 @@ CVE-2024-3825 (Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a
 	NOT-FOR-US: Jenkins plugin
 CVE-2024-3817 (HashiCorp\u2019s go-getter library is vulnerable to argument injection ...)
 	- golang-github-hashicorp-go-getter <unfixed>
+	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[buster] - golang-github-hashicorp-go-getter <not-affected> (Vulnerable code not present)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040
 CVE-2024-3333 (The Essential Addons for Elementor plugin for WordPress is vulnerable  ...)
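Review bot: the context line `CVE-2024-3817 (HashiCorp\u2019s go-getter ...)` carries a literal `\u2019` escape; if that is in data/CVE/list rather than a mail-rendering artifact, the description should use a plain apostrophe. The `[buster] <not-affected> (Vulnerable code not present)` line next to the new no-dsa tags is consistent.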
@@ -55293,6 +55317,8 @@ CVE-2023-38552 (When the Node.js policy feature checks the integrity of a resour
 	NOTE: https://github.com/nodejs/node/commit/1c538938ccadfd35fbc699d8e85102736cd5945c
 CVE-2023-36321 (Connected Vehicle Systems Alliance (COVESA) up to v2.18.8 was discover ...)
 	- dlt-daemon 2.18.9-1
+	[bookworm] - dlt-daemon <no-dsa> (Minor issue)
+	[bullseye] - dlt-daemon <no-dsa> (Minor issue)
 	NOTE: https://github.com/COVESA/dlt-daemon/issues/436
 	NOTE: https://github.com/COVESA/dlt-daemon/commit/8ac9a080bee25e67e49bd138d81c992ce7b6d899 (v2.18.9-alpha)
 CVE-2023-35084 (Unsafe Deserialization of User Input could lead to Execution of Unauth ...)
@@ -92753,6 +92779,8 @@ CVE-2023-26258 (Arcserve UDP through 9.0.6034 allows authentication bypass. The
 	NOT-FOR-US: Arcserve
 CVE-2023-26257 (An issue was discovered in the Connected Vehicle Systems Alliance (COV ...)
 	- dlt-daemon 2.18.9-1
+	[bookworm] - dlt-daemon <no-dsa> (Minor issue)
+	[bullseye] - dlt-daemon <no-dsa> (Minor issue)
 	NOTE: https://github.com/COVESA/dlt-daemon/issues/440
 	NOTE: https://github.com/COVESA/dlt-daemon/commit/b6149e203f919c899fefc702a17fbb78bdec3700 (v2.18.9-alpha)
 CVE-2023-26256 (An unauthenticated path traversal vulnerability affects the "STAGIL Na ...)
@@ -133639,9 +133667,13 @@ CVE-2022-39838 (Systematic FIX Adapter (ALFAFX) 2.4.0.25 13/09/2017 allows remot
 	NOT-FOR-US: Systematic FIX Adapter (ALFAFX)
 CVE-2022-39837 (An issue was discovered in Connected Vehicle Systems Alliance (COVESA) ...)
 	- dlt-daemon 2.18.9-1
+	[bookworm] - dlt-daemon <no-dsa> (Minor issue)
+	[bullseye] - dlt-daemon <no-dsa> (Minor issue)
 	NOTE: https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272 (v2.18.9-alpha)
 CVE-2022-39836 (An issue was discovered in Connected Vehicle Systems Alliance (COVESA) ...)
 	- dlt-daemon 2.18.9-1
+	[bookworm] - dlt-daemon <no-dsa> (Minor issue)
+	[bullseye] - dlt-daemon <no-dsa> (Minor issue)
 	NOTE: https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272 (v2.18.9-alpha)
 CVE-2022-39835 (An issue was discovered in Gajim through 1.4.7. The vulnerability allo ...)
 	- gajim 1.5.0-1
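Review bot: with CVE-2022-39837 and CVE-2022-39836 tagged here, all four dlt-daemon issues fixed in 2.18.9-1 in this commit (including CVE-2023-36321 and CVE-2023-26257 earlier) are `<no-dsa>` for bookworm and bullseye; since they share the same upstream fixed version (v2.18.9-alpha commits), one stable update through a point release could cover all four.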
@@ -169661,6 +169693,7 @@ CVE-2022-0997 (Improper file permissions in the CommandPost, Collector, and Sens
 CVE-2022-0996 (A vulnerability was found in the 389 Directory Server that allows expi ...)
 	{DLA-3399-1}
 	- 389-ds-base 2.0.15-1
+	[bullseye] - 389-ds-base <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2064769
 	NOTE: https://github.com/389ds/389-ds-base/issues/5221
 	NOTE: https://github.com/389ds/389-ds-base/commit/b7fd028e5e67686afea617beb1791e9f3e7a4cb9 (389-ds-base-2.1.1)
@@ -170780,6 +170813,7 @@ CVE-2022-0919 (The Salon booking system Free and pro WordPress plugins before 7.
 CVE-2022-0918 (A vulnerability was discovered in the 389 Directory Server that allows ...)
 	{DLA-3399-1}
 	- 389-ds-base 2.0.15-1.1 (bug #1016445)
+	[bullseye] - 389-ds-base <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2055815
 	NOTE: https://github.com/389ds/389-ds-base/issues/5242
 	NOTE: https://github.com/389ds/389-ds-base/commit/caad47ab207d7c5d61521ec4d33091db559c315a (master)
@@ -190970,6 +191004,7 @@ CVE-2021-4092 (yetiforcecrm is vulnerable to Cross-Site Request Forgery (CSRF))
 CVE-2021-4091 (A double-free was found in the way 389-ds-base handles virtual attribu ...)
 	{DLA-3399-1}
 	- 389-ds-base 2.0.15-1
+	[bullseye] - 389-ds-base <no-dsa> (Minor issue)
 	[stretch] - 389-ds-base <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2030307
 	NOTE: Introduced by: https://github.com/389ds/389-ds-base/commit/74c666b83e3e1789c2ef3f7935c327bd7555193e (389-ds-base-1.3.6.4)
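Review bot: with this hunk all three 389-ds-base issues already covered in buster by DLA-3399-1 (CVE-2022-0996, CVE-2022-0918, CVE-2021-4091) are `<no-dsa>` for bullseye, so the DLA patches are an obvious source for a bullseye point-release update. CVE-2021-4091 is a double-free per its description, and the `[stretch] <not-affected> (Vulnerable code introduced later)` line plus the `Introduced by` NOTE confirm bullseye is affected, so it is worth including in that update despite the minor rating.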


=====================================
data/dsa-needed.txt
=====================================
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source package.
 
+--
+cacti
 --
 chromium (dilinger)
 --
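Review bot: `cacti` (and, in the later hunks, `git` and `python-pymysql`) is added without a `/stable` or `/oldstable` suffix, which by the header rule means a DSA is needed for both releases; if that is intended, a short status line under each naming the open CVEs or the state of the fix would help whoever picks it up, as the frr and ruby-rack entries do.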
@@ -21,6 +23,8 @@ dnsmasq
 frr
   Tobias Frost (tobi) proposed to work on preparing an update
 --
+git
+--
 gpac/oldstable
 --
 h2o (jmm)
@@ -53,6 +57,8 @@ pymatgen/stable
 --
 python-asyncssh
 --
+python-pymysql
+--
 redmine/stable
 --
 ring/oldstable
@@ -63,7 +69,7 @@ ruby2.7/oldstable
 --
 ruby-nokogiri/oldstable
 --
-ruby-rack
+ruby-rack (jmm)
   Adrian Bunk proposed debdiffs for review
 --
 ruby-rails-html-sanitizer



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5e371d0501503e50bbc46e8c864230bc8b5bdb2


