[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Thu May 23 16:01:54 BST 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cf0f6dee by Moritz Muehlenhoff at 2024-05-23T16:59:55+02:00
bookworm/bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2673,6 +2673,8 @@ CVE-2024-24293 (A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0
NOT-FOR-US: @bit/loader
CVE-2024-1968 (In scrapy/scrapy, an issue was identified where the Authorization head ...)
- python-scrapy 2.11.2-1
+ [bookworm] - python-scrapy <no-dsa> (Minor issue)
+ [bullseye] - python-scrapy <no-dsa> (Minor issue)
NOTE: https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a
NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-4qqq-9vqf-3h3f
NOTE: https://github.com/scrapy/scrapy/commit/f8d6c456e0669ea5344e93fe9206bd1ffebc2008 (2.11.2)
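Review bot: the lines beginning `- python-scrapy 2.11.2-1`, `- golang-gvisor-gvisor <unfixed>` and so on are the tracker's own package-line syntax (their leading tab indentation has been lost in extraction), not diff removals; the hunk header `-2673,6 +2673,8` confirms that only the two `[bookworm]`/`[bullseye]` lines are added here. The no-dsa marking is consistent with the NOTE that the fix landed in 2.11.2, the version already in unstable.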
@@ -5379,6 +5381,7 @@ CVE-2024-20256 (A vulnerability in the web-based management interface of Cisco A
NOT-FOR-US: Cisco
CVE-2023-7258 (A denial of service exists in Gvisor Sandbox where a bug in reference ...)
- golang-gvisor-gvisor <unfixed>
+ [bookworm] - golang-gvisor-gvisor <no-dsa> (Minor issue)
NOTE: https://github.com/google/gvisor/commit/6a112c60a257dadac59962e0bc9e9b5aee70b5b6
CVE-2023-6324 (ThroughTek Kalay SDK uses a predictable PSK value in the DTLS session ...)
NOT-FOR-US: ThroughTek Kalay SDK
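Review bot: only a `[bookworm]` line is added for CVE-2023-7258 while golang-gvisor-gvisor remains `<unfixed>` in unstable; every other entry in this commit pairs each `[bookworm]` line with a `[bullseye]` one. If the package also ships in bullseye, add `[bullseye] - golang-gvisor-gvisor <no-dsa> (Minor issue)`; if it does not, the asymmetry is fine.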
@@ -11557,6 +11560,8 @@ CVE-2023-52647 (In the Linux kernel, the following vulnerability has been resolv
NOTE: https://git.kernel.org/linus/eb2f932100288dbb881eadfed02e1459c6b9504c (6.9-rc1)
CVE-2024-4340 (Passing a heavily nested list to sqlparse.parse() leads to a Denial of ...)
- sqlparse 0.5.0-1 (bug #1070148)
+ [bookworm] - sqlparse <no-dsa> (Minor issue)
+ [bullseye] - sqlparse <no-dsa> (Minor issue)
[buster] - sqlparse <postponed> (Minor issue)
NOTE: Fixed by: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03 (0.5.0)
NOTE: https://github.com/advisories/GHSA-2m57-hf25-phgg
@@ -11679,6 +11684,8 @@ CVE-2023-36268 (An issue in The Document Foundation Libreoffice v.7.4.7 allows a
NOTE: Resource overload in desktop app, no security impact
CVE-2024-29040
- tpm2-tss 4.1.0-1 (bug #1070140)
+ [bookworm] - tpm2-tss <no-dsa> (Minor issue)
+ [bullseye] - tpm2-tss <no-dsa> (Minor issue)
NOTE: https://github.com/tpm2-software/tpm2-tss/commit/710cd0b6adf3a063f34a8e92da46df7a107d9a99 (4.1.0)
CVE-2024-29039
- tpm2-tools 5.7-1 (bug #1070139)
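Review bot: the sibling CVE-2024-29039 / tpm2-tools entry at the end of this hunk shows no `[bookworm]`/`[bullseye]` line within the visible context, although it is fixed in unstable (5.7-1) with its own bug just like tpm2-tss; worth confirming it receives the same triage in a follow-up. Note also that the CVE-2024-29040 header carries no description, unlike the surrounding entries, so the tracker will show a bare identifier until the next CVE sync supplies one.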
@@ -12515,10 +12522,14 @@ CVE-2024-33665 (angular-translate through 2.19.1 allows XSS via a crafted key th
NOT-FOR-US: angular-translate
CVE-2024-33664 (python-jose through 3.3.0 allows attackers to cause a denial of servic ...)
- python-jose <unfixed> (bug #1070375)
+ [bookworm] - python-jose <no-dsa> (Minor issue)
+ [bullseye] - python-jose <no-dsa> (Minor issue)
NOTE: https://github.com/mpdavis/python-jose/issues/344
NOTE: https://github.com/mpdavis/python-jose/pull/345
CVE-2024-33663 (python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA k ...)
- python-jose <unfixed> (bug #1070375)
+ [bookworm] - python-jose <no-dsa> (Minor issue)
+ [bullseye] - python-jose <no-dsa> (Minor issue)
NOTE: https://github.com/mpdavis/python-jose/issues/346
CVE-2024-33661 (Portainer before 2.20.0 allows redirects when the target is not index. ...)
NOT-FOR-US: Portainer
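Review bot: CVE-2024-33663 is described as algorithm confusion, which in a JOSE/JWT library usually points at a signature-verification weakness rather than the denial-of-service class of its sibling CVE-2024-33664, yet both receive the identical `(Minor issue)` rationale with only an open upstream issue (#346) and no fix referenced. A NOTE recording why it is considered minor (for example which key types or configurations are affected) would make the no-dsa decision auditable when the package is revisited under bug #1070375.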
@@ -12544,6 +12555,8 @@ CVE-2024-32404 (Server-Side Template Injection (SSTI) vulnerability in inducer r
NOT-FOR-US: inducer relate
CVE-2024-31755 (cJSON v1.7.17 was discovered to contain a segmentation violation, whic ...)
- cjson <unfixed>
+ [bookworm] - cjson <no-dsa> (Minor issue)
+ [bullseye] - cjson <no-dsa> (Minor issue)
[buster] - cjson <postponed> (Sefault only; can be piggy-backed with future DLAs)
NOTE: https://github.com/DaveGamble/cJSON/issues/839
NOTE: https://github.com/DaveGamble/cJSON/pull/840
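Review bot: the `[buster]` context line reads `(Sefault only; ...)`, a typo for `Segfault`; it is unchanged context in this hunk, so it should be corrected in a follow-up commit. The two new no-dsa lines otherwise match the rationale already recorded for buster (crash only, no fix yet referenced beyond the upstream pull request).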
@@ -13675,6 +13688,8 @@ CVE-2024-21846 (An unauthenticated attacker can reset the board and stop transmi
NOT-FOR-US: Electrolink
CVE-2024-1681 (corydolphin/flask-cors is vulnerable to log injection when the log lev ...)
- python-flask-cors 4.0.1-1 (bug #1069764)
+ [bookworm] - python-flask-cors <no-dsa> (Minor issue)
+ [bullseye] - python-flask-cors <no-dsa> (Minor issue)
[buster] - python-flask-cors <postponed> (Minor issue)
NOTE: https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644
NOTE: https://github.com/corydolphin/flask-cors/issues/349
@@ -15160,6 +15175,7 @@ CVE-2024-21097 (Vulnerability in the PeopleSoft Enterprise PeopleTools product o
CVE-2024-21096 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
- mysql-8.0 8.0.37-1 (bug #1069189)
- mariadb 1:10.11.8-1
+ [bookworm] - mariadb <no-dsa> (Minor issue)
- mariadb-10.5 <removed>
[bullseye] - mariadb-10.5 <no-dsa> (Minor issue)
- mariadb-10.3 <removed>
=====================================
data/dsa-needed.txt
=====================================
@@ -51,6 +51,8 @@ pillow (jmm)
--
pymatgen/stable
--
+python-aiohttp
+--
python-asyncssh
--
python-pymysql
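Review bot: `python-aiohttp` is added without the `/stable` or `/oldstable` suffix and without a claimant, both of which this file uses elsewhere (`pymatgen/stable`, `pillow (jmm)`). If the pending DSA is intended for only one suite, add the suffix so the entry is not read as covering both stable and oldstable; if both are meant, leaving it unsuffixed is the file's convention for that.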
@@ -60,6 +62,8 @@ redmine/stable (jmm)
ring/oldstable
might make sense to rebase to current version
--
+roundcube
+--
ruby2.7/oldstable
Utkarsh Gupta offered help in preparing updates
--
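Review bot: same point for `roundcube`: no suite suffix and no claimant, so it reads as an unclaimed DSA for both stable and oldstable; add `/stable` or `/oldstable` if only one suite is affected.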
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf0f6dee6f4edb8be372e0a991b378a6ce7fe97a