[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed May 22 16:03:46 BST 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a5e371d0 by Moritz Muehlenhoff at 2024-05-22T16:57:21+02:00
bookworm/bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2335,6 +2335,8 @@ CVE-2024-3155 (The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post
NOT-FOR-US: WordPress plugin
CVE-2024-35195 (Requests is a HTTP library. Prior to 2.32.0, when making requests thro ...)
- requests <unfixed> (bug #1071593)
+ [bookworm] - requests <no-dsa> (Minor issue)
+ [bullseye] - requests <no-dsa> (Minor issue)
NOTE: https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
NOTE: https://github.com/psf/requests/pull/6655
NOTE: https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356 (v2.32.0)
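Review bot: the two new [bookworm]/[bullseye] <no-dsa> lines carry only the bare "(Minor issue)" tag while the sid line is still <unfixed> (bug #1071593) and the only fix reference is the upstream commit tagged (v2.32.0); consider stating in the rationale why the issue is minor and whether that commit backports cleanly for a point release, the way the wireshark entries in this same commit spell out their reasoning ("Crash in CLI tool, no security impact").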
@@ -4493,6 +4495,8 @@ CVE-2023-47282 (Out-of-bounds write in Intel(R) Media SDK all versions and some
NOT-FOR-US: Intel
CVE-2023-47210 (Improper input validation for some Intel(R) PROSet/Wireless WiFi softw ...)
- firmware-nonfree <unfixed>
+ [bookworm] - firmware-nonfree <no-dsa> (Minor issue)
+ [bullseye] - firmware-nonfree <no-dsa> (Minor issue)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html
TODO: check, likely fixed in 20240513 tag update
CVE-2023-47169 (Improper buffer restrictions in Intel(R) Media SDK software all versio ...)
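Review bot: the TODO "check, likely fixed in 20240513 tag update" is left in place while both stable releases are now annotated <no-dsa>; the stable triage does not depend on the sid status, but the <unfixed> line should be resolved in the same pass (replaced by the fixed firmware-nonfree version once the 20240513 tag is confirmed, or the TODO rewritten to say what still needs checking), otherwise the entry reads as triaged yet unfixed everywhere.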
@@ -4577,6 +4581,8 @@ CVE-2023-38420 (Improper conditions check in Intel(R) Power Gadget software for
NOT-FOR-US: Intel
CVE-2023-38417 (Improper input validation for some Intel(R) PROSet/Wireless WiFi softw ...)
- firmware-nonfree <unfixed>
+ [bookworm] - firmware-nonfree <no-dsa> (Minor issue)
+ [bullseye] - firmware-nonfree <no-dsa> (Minor issue)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html
TODO: check, likely fixed in 20240513 tag update
CVE-2023-38399 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
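Review bot: same unresolved TODO as CVE-2023-47210 above, and both CVEs point at the same Intel advisory (intel-sa-01039); whichever firmware tag is confirmed to fix one should be recorded on both entries at once rather than leaving two identical open TODOs behind the new no-dsa tags.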
@@ -4865,6 +4871,7 @@ CVE-2024-35183 (wolfictl is a command line tool for working with Wolfi. A git au
CVE-2024-35176 (REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a den ...)
- ruby3.2 <unfixed>
- ruby3.1 <unfixed>
+ [bookworm] - ruby3.1 <no-dsa> (Minor issue)
- ruby2.7 <removed>
- ruby2.5 <removed>
NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
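Review bot: only a [bookworm] annotation (ruby3.1) is added here; bullseye's ruby is ruby2.7, whose line reads <removed> (gone from unstable), so this CVE stays without a bullseye status. If that is deliberate because ruby2.7/oldstable is already queued in data/dsa-needed.txt (visible in the second file of this commit), fine; otherwise a [bullseye] - ruby2.7 line is needed. ruby3.2 is in no stable release, so its <unfixed> line needs no release tag.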
@@ -5743,22 +5750,24 @@ CVE-2024-4764 (Multiple WebRTC threads could have claimed a newly connected audi
- firefox 126.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4764
CVE-2024-4855 (Use after free issue in editcap could cause denial of service via craf ...)
- - wireshark 4.2.5-1
- [buster] - wireshark <postponed> (can be piggyback'd with the next update)
+ - wireshark 4.2.5-1 (unimportant)
+ NOTE: Crash in CLI tool, no security impact
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-09.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19782
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19783
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19784
CVE-2024-4854 (MONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4. ...)
- wireshark 4.2.5-1
+ [bookworm] - wireshark <no-dsa> (Minor issue)
+ [bullseye] - wireshark <no-dsa> (Minor issue)
[buster] - wireshark <postponed> (can be piggyback'd with the next update)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-07.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19726
NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15047
NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15499
CVE-2024-4853 (Memory handling issue in editcap could cause denial of service via cra ...)
- - wireshark 4.2.5-1
- [buster] - wireshark <postponed> (can be piggyback'd with the next update)
+ - wireshark 4.2.5-1 (unimportant)
+ NOTE: Crash in CLI tool, no security impact
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-08.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19724
CVE-2024-4840 (An flaw was found in the OpenStack Platform (RHOSP) director, a toolse ...)
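Review bot: the (unimportant) marking for CVE-2024-4855 and CVE-2024-4853 rests on the single NOTE "Crash in CLI tool, no security impact"; since CVE-2024-4855 is described as a use-after-free rather than a plain crash, the rationale should say why a UAF in editcap still crosses no trust boundary (it only processes capture files the operator hands it, not live traffic), so a later triage pass does not reopen it. Dropping the two [buster] <postponed> lines is consistent with unimportant severity, and CVE-2024-4854 correctly keeps its buster line next to the new no-dsa tags.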
@@ -6081,7 +6090,10 @@ CVE-2024-28866 (GoCD is a continuous delivery server. GoCD versions from 19.4.0
NOT-FOR-US: GoCD
CVE-2024-28285 (A Fault Injection vulnerability in the SymmetricDecrypt function in cr ...)
- libcrypto++ <unfixed>
- TODO: check details
+ [bookworm] - libcrypto++ <no-dsa> (Minor issue)
+ [bullseye] - libcrypto++ <no-dsa> (Minor issue)
+ NOTE: https://groups.google.com/g/cryptopp-users/c/UkVcH2IWR2M?pli=1
+ NOTE: https://github.com/weidai11/cryptopp/issues/1262
CVE-2024-28279 (Code-projects Computer Book Store 1.0 is vulnerable to SQL Injection v ...)
NOT-FOR-US: Code-projects Computer Book Store
CVE-2024-28277 (In Sourcecodester School Task Manager v1.0, a vulnerability was identi ...)
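Review bot: replacing the "check details" TODO with two <no-dsa> lines plus references is the right resolution, but the first NOTE URL carries a Google Groups session parameter (?pli=1) that should be stripped to keep the link stable; the sid line also stays <unfixed> without a bug number, unlike the requests, uriparser and tpm2-tools entries in this commit.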
@@ -6175,6 +6187,8 @@ CVE-2024-29212 (Due to an unsafe de-serialization method used by the Veeam Serv
NOT-FOR-US: Veeam
CVE-2024-26306 (iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server wi ...)
- iperf3 <unfixed>
+ [bookworm] - iperf3 <no-dsa> (Minor issue)
+ [bullseye] - iperf3 <no-dsa> (Minor issue)
CVE-2023-5052 (vulnerability in Uniform Server Zero, version 10.2.5, consisting of an ...)
NOT-FOR-US: Uniform Zero Server
CVE-2024-4799 (A vulnerability, which was classified as critical, was found in Kaship ...)
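Review bot: CVE-2024-26306 is the only entry in this commit that gets <no-dsa> tags with no NOTE reference at all (no upstream advisory, commit or Debian bug); the truncated description already ties the issue to an OpenSSL version range, so at least the upstream fix reference and the condition under which bookworm/bullseye are exposed should be recorded beside the "(Minor issue)" rationale.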
@@ -8315,11 +8329,15 @@ CVE-2024-34404 (A vulnerability was discovered in the Alta Recovery Vault featur
NOT-FOR-US: Veritas NetBackup
CVE-2024-34403 (An issue was discovered in uriparser through 0.9.7. ComposeQueryMalloc ...)
- uriparser <unfixed> (bug #1070376)
+ [bookworm] - uriparser <no-dsa> (Minor issue)
+ [bullseye] - uriparser <no-dsa> (Minor issue)
[buster] - uriparser <postponed> (Minor issue)
NOTE: https://github.com/uriparser/uriparser/issues/183
NOTE: https://github.com/uriparser/uriparser/pull/186
CVE-2024-34402 (An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine ...)
- uriparser <unfixed> (bug #1070376)
+ [bookworm] - uriparser <no-dsa> (Minor issue)
+ [bullseye] - uriparser <no-dsa> (Minor issue)
[buster] - uriparser <postponed> (Minor issue)
NOTE: https://github.com/uriparser/uriparser/pull/185
NOTE: https://github.com/uriparser/uriparser/issues/183
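Review bot: both uriparser entries now carry the full bookworm/bullseye/buster annotation set and share bug #1070376, which is consistent, but neither pull request reference (#186, #185) is tagged with the release it landed in, unlike the other NOTE lines in this commit (e.g. "(v2.32.0)", "(5.7)"); if the PRs are merged, append the uriparser version so the eventual sid fix version can be read off the entry.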
@@ -11400,9 +11418,13 @@ CVE-2024-29040
NOTE: https://github.com/tpm2-software/tpm2-tss/commit/710cd0b6adf3a063f34a8e92da46df7a107d9a99 (4.1.0)
CVE-2024-29039
- tpm2-tools 5.7-1 (bug #1070139)
+ [bookworm] - tpm2-tools <no-dsa> (Minor issue)
+ [bullseye] - tpm2-tools <no-dsa> (Minor issue)
NOTE: https://github.com/tpm2-software/tpm2-tools/commit/98599df9392a346216c5a059b8d35271286100bb (5.7)
CVE-2024-29038
- tpm2-tools 5.7-1 (bug #1070139)
+ [bookworm] - tpm2-tools <no-dsa> (Minor issue)
+ [bullseye] - tpm2-tools <no-dsa> (Minor issue)
NOTE: https://github.com/tpm2-software/tpm2-tools/commit/66d922d6547b7b4fe4f274fb2ec10b376e0e259c (5.7)
CVE-2024-4327 (A vulnerability was found in Apryse WebViewer up to 10.8.0. It has bee ...)
NOT-FOR-US: Apryse WebViewer
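Review bot: CVE-2024-29040, whose tpm2-tss NOTE line is the leading context of this hunk, receives no bookworm/bullseye annotation here while the two tpm2-tools CVEs from the same batch do; check that it was triaged separately, since tpm2-tss is a different source package and the (4.1.0) marker on its fix commit says nothing about the stable releases.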
@@ -13840,6 +13862,8 @@ CVE-2024-3825 (Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a
NOT-FOR-US: Jenkins plugin
CVE-2024-3817 (HashiCorp\u2019s go-getter library is vulnerable to argument injection ...)
- golang-github-hashicorp-go-getter <unfixed>
+ [bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+ [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
[buster] - golang-github-hashicorp-go-getter <not-affected> (Vulnerable code not present)
NOTE: https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040
CVE-2024-3333 (The Essential Addons for Elementor plugin for WordPress is vulnerable ...)
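Review bot: golang-github-hashicorp-go-getter stays <unfixed> in sid with no bug number, so after the two new <no-dsa> lines nothing tracks an eventual fix; consider filing and recording a bug as the requests and uriparser entries do. The [buster] <not-affected> line is untouched and consistent with the new tags.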
@@ -55293,6 +55317,8 @@ CVE-2023-38552 (When the Node.js policy feature checks the integrity of a resour
NOTE: https://github.com/nodejs/node/commit/1c538938ccadfd35fbc699d8e85102736cd5945c
CVE-2023-36321 (Connected Vehicle Systems Alliance (COVESA) up to v2.18.8 was discover ...)
- dlt-daemon 2.18.9-1
+ [bookworm] - dlt-daemon <no-dsa> (Minor issue)
+ [bullseye] - dlt-daemon <no-dsa> (Minor issue)
NOTE: https://github.com/COVESA/dlt-daemon/issues/436
NOTE: https://github.com/COVESA/dlt-daemon/commit/8ac9a080bee25e67e49bd138d81c992ce7b6d899 (v2.18.9-alpha)
CVE-2023-35084 (Unsafe Deserialization of User Input could lead to Execution of Unauth ...)
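Review bot: the fix commit is tagged (v2.18.9-alpha) while the sid fix version is 2.18.9-1; that is consistent only if the 2.18.9 release includes the alpha commit, which deserves a one-line confirmation in the NOTE since the same pattern repeats for CVE-2023-26257, CVE-2022-39837 and CVE-2022-39836 further down in this commit.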
@@ -92753,6 +92779,8 @@ CVE-2023-26258 (Arcserve UDP through 9.0.6034 allows authentication bypass. The
NOT-FOR-US: Arcserve
CVE-2023-26257 (An issue was discovered in the Connected Vehicle Systems Alliance (COV ...)
- dlt-daemon 2.18.9-1
+ [bookworm] - dlt-daemon <no-dsa> (Minor issue)
+ [bullseye] - dlt-daemon <no-dsa> (Minor issue)
NOTE: https://github.com/COVESA/dlt-daemon/issues/440
NOTE: https://github.com/COVESA/dlt-daemon/commit/b6149e203f919c899fefc702a17fbb78bdec3700 (v2.18.9-alpha)
CVE-2023-26256 (An unauthenticated path traversal vulnerability affects the "STAGIL Na ...)
@@ -133639,9 +133667,13 @@ CVE-2022-39838 (Systematic FIX Adapter (ALFAFX) 2.4.0.25 13/09/2017 allows remot
NOT-FOR-US: Systematic FIX Adapter (ALFAFX)
CVE-2022-39837 (An issue was discovered in Connected Vehicle Systems Alliance (COVESA) ...)
- dlt-daemon 2.18.9-1
+ [bookworm] - dlt-daemon <no-dsa> (Minor issue)
+ [bullseye] - dlt-daemon <no-dsa> (Minor issue)
NOTE: https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272 (v2.18.9-alpha)
CVE-2022-39836 (An issue was discovered in Connected Vehicle Systems Alliance (COVESA) ...)
- dlt-daemon 2.18.9-1
+ [bookworm] - dlt-daemon <no-dsa> (Minor issue)
+ [bullseye] - dlt-daemon <no-dsa> (Minor issue)
NOTE: https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272 (v2.18.9-alpha)
CVE-2022-39835 (An issue was discovered in Gajim through 1.4.7. The vulnerability allo ...)
- gajim 1.5.0-1
@@ -169661,6 +169693,7 @@ CVE-2022-0997 (Improper file permissions in the CommandPost, Collector, and Sens
CVE-2022-0996 (A vulnerability was found in the 389 Directory Server that allows expi ...)
{DLA-3399-1}
- 389-ds-base 2.0.15-1
+ [bullseye] - 389-ds-base <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2064769
NOTE: https://github.com/389ds/389-ds-base/issues/5221
NOTE: https://github.com/389ds/389-ds-base/commit/b7fd028e5e67686afea617beb1791e9f3e7a4cb9 (389-ds-base-2.1.1)
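Review bot: {DLA-3399-1} shows a backported fix already shipped to buster through LTS, so for bullseye the patch is demonstrably available; <no-dsa> is still defensible for a minor issue, but the rationale should point at the DLA so the fix is picked up in a bullseye point release rather than lost. The same holds for CVE-2022-0918 and CVE-2021-4091 below, which carry the same DLA reference.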
@@ -170780,6 +170813,7 @@ CVE-2022-0919 (The Salon booking system Free and pro WordPress plugins before 7.
CVE-2022-0918 (A vulnerability was discovered in the 389 Directory Server that allows ...)
{DLA-3399-1}
- 389-ds-base 2.0.15-1.1 (bug #1016445)
+ [bullseye] - 389-ds-base <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2055815
NOTE: https://github.com/389ds/389-ds-base/issues/5242
NOTE: https://github.com/389ds/389-ds-base/commit/caad47ab207d7c5d61521ec4d33091db559c315a (master)
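Review bot: the fix commit NOTE is tagged "(master)" rather than with a release; since the sid fix version 2.0.15-1.1 (bug #1016445) is known, record the upstream release containing caad47ab so the backport target for the new [bullseye] line is clear.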
@@ -190970,6 +191004,7 @@ CVE-2021-4092 (yetiforcecrm is vulnerable to Cross-Site Request Forgery (CSRF))
CVE-2021-4091 (A double-free was found in the way 389-ds-base handles virtual attribu ...)
{DLA-3399-1}
- 389-ds-base 2.0.15-1
+ [bullseye] - 389-ds-base <no-dsa> (Minor issue)
[stretch] - 389-ds-base <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2030307
NOTE: Introduced by: https://github.com/389ds/389-ds-base/commit/74c666b83e3e1789c2ef3f7935c327bd7555193e (389-ds-base-1.3.6.4)
=====================================
data/dsa-needed.txt
=====================================
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
If needed, specify the release by adding a slash after the name of the source package.
+--
+cacti
--
chromium (dilinger)
--
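Review bot: cacti is added without a /stable or /oldstable suffix, which per the file header means a DSA is wanted for both bookworm and bullseye; if only one release is affected, add the suffix, and consider a status line naming the CVE batch being tracked, as the frr and ruby-rack entries do, so whoever picks it up knows the scope. The same remark applies to the unsuffixed git and python-pymysql entries added further down.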
@@ -21,6 +23,8 @@ dnsmasq
frr
Tobias Frost (tobi) proposed to work on preparing an update
--
+git
+--
gpac/oldstable
--
h2o (jmm)
@@ -53,6 +57,8 @@ pymatgen/stable
--
python-asyncssh
--
+python-pymysql
+--
redmine/stable
--
ring/oldstable
@@ -63,7 +69,7 @@ ruby2.7/oldstable
--
ruby-nokogiri/oldstable
--
-ruby-rack
+ruby-rack (jmm)
Adrian Bunk proposed debdiffs for review
--
ruby-rails-html-sanitizer
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5e371d0501503e50bbc46e8c864230bc8b5bdb2
--
This project does not include diff previews in email notifications.
You're receiving this email because of your account on salsa.debian.org.