[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu May 23 16:01:54 BST 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cf0f6dee by Moritz Muehlenhoff at 2024-05-23T16:59:55+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2673,6 +2673,8 @@ CVE-2024-24293 (A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0
 	NOT-FOR-US: @bit/loader
 CVE-2024-1968 (In scrapy/scrapy, an issue was identified where the Authorization head ...)
 	- python-scrapy 2.11.2-1
+	[bookworm] - python-scrapy <no-dsa> (Minor issue)
+	[bullseye] - python-scrapy <no-dsa> (Minor issue)
 	NOTE: https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a
 	NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-4qqq-9vqf-3h3f
 	NOTE: https://github.com/scrapy/scrapy/commit/f8d6c456e0669ea5344e93fe9206bd1ffebc2008 (2.11.2)
@@ -5379,6 +5381,7 @@ CVE-2024-20256 (A vulnerability in the web-based management interface of Cisco A
 	NOT-FOR-US: Cisco
 CVE-2023-7258 (A denial of service exists in Gvisor Sandbox where a bug in reference  ...)
 	- golang-gvisor-gvisor <unfixed>
+	[bookworm] - golang-gvisor-gvisor <no-dsa> (Minor issue)
 	NOTE: https://github.com/google/gvisor/commit/6a112c60a257dadac59962e0bc9e9b5aee70b5b6
 CVE-2023-6324 (ThroughTek Kalay SDK uses a predictable PSK value in the DTLS session  ...)
 	NOT-FOR-US: ThroughTek Kalay SDK
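Review bot: only a [bookworm] triage line is added for golang-gvisor-gvisor while the unstable entry stays <unfixed>; the other hunks in this commit add a matching [bullseye] line, so if bullseye also ships the package it needs one too, and if it does not, a short NOTE saying so would spare the next triager the lookup.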
@@ -11557,6 +11560,8 @@ CVE-2023-52647 (In the Linux kernel, the following vulnerability has been resolv
 	NOTE: https://git.kernel.org/linus/eb2f932100288dbb881eadfed02e1459c6b9504c (6.9-rc1)
 CVE-2024-4340 (Passing a heavily nested list to sqlparse.parse() leads to a Denial of ...)
 	- sqlparse 0.5.0-1 (bug #1070148)
+	[bookworm] - sqlparse <no-dsa> (Minor issue)
+	[bullseye] - sqlparse <no-dsa> (Minor issue)
 	[buster] - sqlparse <postponed> (Minor issue)
 	NOTE: Fixed by: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03 (0.5.0)
 	NOTE: https://github.com/advisories/GHSA-2m57-hf25-phgg
@@ -11679,6 +11684,8 @@ CVE-2023-36268 (An issue in The Document Foundation Libreoffice v.7.4.7 allows a
 	NOTE: Resource overload in desktop app, no security impact
 CVE-2024-29040
 	- tpm2-tss 4.1.0-1 (bug #1070140)
+	[bookworm] - tpm2-tss <no-dsa> (Minor issue)
+	[bullseye] - tpm2-tss <no-dsa> (Minor issue)
 	NOTE: https://github.com/tpm2-software/tpm2-tss/commit/710cd0b6adf3a063f34a8e92da46df7a107d9a99 (4.1.0)
 CVE-2024-29039
 	- tpm2-tools 5.7-1 (bug #1070139)
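Review bot: CVE-2024-29040 carries no description text after the identifier, unlike the surrounding entries, so the triage rationale "(Minor issue)" has nothing visible to be checked against; the adjacent CVE-2024-29039 entry for tpm2-tools (5.7-1, bug #1070139) gets no [bookworm]/[bullseye] decision in this hunk, which looks like an oversight given that the two entries were filed together.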
@@ -12515,10 +12522,14 @@ CVE-2024-33665 (angular-translate through 2.19.1 allows XSS via a crafted key th
 	NOT-FOR-US: angular-translate
 CVE-2024-33664 (python-jose through 3.3.0 allows attackers to cause a denial of servic ...)
 	- python-jose <unfixed> (bug #1070375)
+	[bookworm] - python-jose <no-dsa> (Minor issue)
+	[bullseye] - python-jose <no-dsa> (Minor issue)
 	NOTE: https://github.com/mpdavis/python-jose/issues/344
 	NOTE: https://github.com/mpdavis/python-jose/pull/345
 CVE-2024-33663 (python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA k ...)
 	- python-jose <unfixed> (bug #1070375)
+	[bookworm] - python-jose <no-dsa> (Minor issue)
+	[bullseye] - python-jose <no-dsa> (Minor issue)
 	NOTE: https://github.com/mpdavis/python-jose/issues/346
 CVE-2024-33661 (Portainer before 2.20.0 allows redirects when the target is not index. ...)
 	NOT-FOR-US: Portainer
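Review bot: both python-jose CVEs receive `<no-dsa> (Minor issue)` while the package is still `<unfixed>` in unstable (bug #1070375); CVE-2024-33664 is a denial of service, but CVE-2024-33663 is described as algorithm confusion with OpenSSH ECDSA keys, which in a token-verification library concerns the correctness of signature checking rather than availability, so the two should not necessarily share the same one-word rationale. Recording the concrete reason the second one is considered minor would let the no-dsa be revisited once the upstream fix lands.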
@@ -12544,6 +12555,8 @@ CVE-2024-32404 (Server-Side Template Injection (SSTI) vulnerability in inducer r
 	NOT-FOR-US: inducer relate
 CVE-2024-31755 (cJSON v1.7.17 was discovered to contain a segmentation violation, whic ...)
 	- cjson <unfixed>
+	[bookworm] - cjson <no-dsa> (Minor issue)
+	[bullseye] - cjson <no-dsa> (Minor issue)
 	[buster] - cjson <postponed> (Sefault only; can be piggy-backed with future DLAs)
 	NOTE: https://github.com/DaveGamble/cJSON/issues/839
 	NOTE: https://github.com/DaveGamble/cJSON/pull/840
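Review bot: the unchanged [buster] context line has a typo, "Sefault" for "Segfault", worth correcting while this entry is being edited; the buster line also explains why the issue is minor (segfault only), whereas the new [bookworm] and [bullseye] lines say only "(Minor issue)", so copying that rationale keeps the three suite lines consistent.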
@@ -13675,6 +13688,8 @@ CVE-2024-21846 (An unauthenticated attacker can reset the board and stop transmi
 	NOT-FOR-US: Electrolink
 CVE-2024-1681 (corydolphin/flask-cors is vulnerable to log injection when the log lev ...)
 	- python-flask-cors 4.0.1-1 (bug #1069764)
+	[bookworm] - python-flask-cors <no-dsa> (Minor issue)
+	[bullseye] - python-flask-cors <no-dsa> (Minor issue)
 	[buster] - python-flask-cors <postponed> (Minor issue)
 	NOTE: https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644
 	NOTE: https://github.com/corydolphin/flask-cors/issues/349
@@ -15160,6 +15175,7 @@ CVE-2024-21097 (Vulnerability in the PeopleSoft Enterprise PeopleTools product o
 CVE-2024-21096 (Vulnerability in the MySQL Server product of Oracle MySQL (component:  ...)
 	- mysql-8.0 8.0.37-1 (bug #1069189)
 	- mariadb 1:10.11.8-1
+	[bookworm] - mariadb <no-dsa> (Minor issue)
 	- mariadb-10.5 <removed>
 	[bullseye] - mariadb-10.5 <no-dsa> (Minor issue)
 	- mariadb-10.3 <removed>


=====================================
data/dsa-needed.txt
=====================================
@@ -51,6 +51,8 @@ pillow (jmm)
 --
 pymatgen/stable
 --
+python-aiohttp
+--
 python-asyncssh
 --
 python-pymysql
@@ -60,6 +62,8 @@ redmine/stable (jmm)
 ring/oldstable
   might make sense to rebase to current version
 --
+roundcube
+--
 ruby2.7/oldstable
   Utkarsh Gupta offered help in preparing updates
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf0f6dee6f4edb8be372e0a991b378a6ce7fe97a
