[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue May 28 13:55:05 BST 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
48b0a219 by Moritz Muehlenhoff at 2024-05-28T14:54:29+02:00
bookworm/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -68,6 +68,8 @@ CVE-2024-32978 (Kaminari is a paginator for web app frameworks and object relati
 	- ruby-kaminari <not-affected> (Doesn't affect Kaminari as shipped by Debian)
 CVE-2024-29415 (The ip package through 2.0.1 for Node.js might allow SSRF because some ...)
 	- node-ip <unfixed>
+	[bookworm] - node-ip <no-dsa> (Minor issue)
+	[bullseye] - node-ip <no-dsa> (Minor issue)
 	NOTE: https://github.com/indutny/node-ip/issues/150
 	NOTE: https://github.com/indutny/node-ip/pull/144
 	NOTE: https://github.com/indutny/node-ip/pull/143
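Review bot: the two new no-dsa lines carry only the generic "Minor issue" rationale while the sid entry stays <unfixed>, and unlike the clojure and ruby-carrierwave entries in this same commit no Debian bug reference is recorded; consider adding a (bug #...) reference on the sid line so the unfixed state is tracked, and one clause in the rationale on why the SSRF classification in the description still rates no-dsa for both suites.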
@@ -4445,6 +4447,8 @@ CVE-2024-36043 (question_image.ts in SurveyJS Form Library before 1.10.4 allows
 	NOT-FOR-US: SurveyJS Form Library
 CVE-2024-34083 (aiosmptd is  a reimplementation of the Python stdlib smtpd.py based on ...)
 	- python-aiosmtpd <unfixed>
+	[bookworm] - python-aiosmtpd <no-dsa> (Minor issue)
+	[bullseye] - python-aiosmtpd <no-dsa> (Minor issue)
 	NOTE: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
 	NOTE: https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda (v1.4.6)
 CVE-2024-31879 (IBM i 7.2, 7.3, and 7.4 could allow a remote attacker to execute arbit ...)
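Review bot: the upstream fix is already identified on the NOTE line (commit b3a4a2c6ecfd228856a20d637dc383541fcdbfda, v1.4.6), so a no-dsa tag on bookworm and bullseye leaves open whether that commit will be taken in a point release; the rationale would be more useful than "Minor issue" if it said whether a stable update via the point-release route is intended, since no-dsa does not preclude one.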
@@ -9927,16 +9931,22 @@ CVE-2023-51597 (Kofax Power PDF U3D File Parsing Out-Of-Bounds Write Remote Code
 	NOT-FOR-US: Kofax Power PDF
 CVE-2023-51596 (BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code ...)
 	- bluez <unfixed>
+	[bookworm] - bluez <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - bluez <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1902/
 CVE-2023-51595 (Voltronic Power ViewPower Pro selectDeviceListBy SQL Injection Remote  ...)
 	NOT-FOR-US: Voltronic Power ViewPower Pro
 CVE-2023-51594 (BlueZ OBEX Library Out-Of-Bounds Read Information Disclosure Vulnerabi ...)
 	- bluez <unfixed>
+	[bookworm] - bluez <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - bluez <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1901/
 CVE-2023-51593 (Voltronic Power ViewPower Pro Expression Language Injection Remote Cod ...)
 	NOT-FOR-US: Voltronic Power ViewPower Pro
 CVE-2023-51592 (BlueZ Audio Profile AVRCP parse_media_folder Out-Of-Bounds Read Inform ...)
 	- bluez <unfixed>
+	[bookworm] - bluez <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - bluez <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1905/
 CVE-2023-51591 (Voltronic Power ViewPower Pro doDocument XML External Entity Processin ...)
 	NOT-FOR-US: Voltronic Power ViewPower Pro
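Review bot: the identical "Minor issue, revisit when/if fixed upstream" rationale is applied to CVE-2023-51596, whose description classifies it as a heap-based buffer overflow with remote code execution, and to the two out-of-bounds read information disclosures CVE-2023-51594 and CVE-2023-51592; if the severity call rests on a shared precondition (for instance that the attacker must already be a paired or connected device), record it in the rationale so the postponed status can be re-evaluated consistently. Since only the ZDI advisories are linked and no upstream fix or bug is referenced, a pointer to where the fix is awaited would make "revisit when fixed" actionable.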
@@ -9944,6 +9954,8 @@ CVE-2023-51590 (Voltronic Power ViewPower Pro UpLoadAction Unrestricted File Upl
 	NOT-FOR-US: Voltronic Power ViewPower Pro
 CVE-2023-51589 (BlueZ Audio Profile AVRCP parse_media_element Out-Of-Bounds Read Infor ...)
 	- bluez <unfixed>
+	[bookworm] - bluez <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - bluez <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1904/
 CVE-2023-51588 (Voltronic Power ViewPower Pro MySQL Use of Hard-coded Credentials Loca ...)
 	NOT-FOR-US: Voltronic Power ViewPower Pro
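Review bot: this is the fourth bluez entry in this commit receiving the same postponed text, all pointing at separate ZDI advisories (ZDI-23-1900 through ZDI-23-1905) with no upstream reference; a shared NOTE on each entry naming the set of related CVEs, or a single upstream tracking reference, would let one upstream fix close all of them together rather than requiring each to be rediscovered at revisit time.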
@@ -9963,6 +9975,8 @@ CVE-2023-51581 (Voltronic Power ViewPower MacMonitorConsole Exposed Dangerous Me
 	NOT-FOR-US: Voltronic Power ViewPower
 CVE-2023-51580 (BlueZ Audio Profile AVRCP avrcp_parse_attribute_list Out-Of-Bounds Rea ...)
 	- bluez <unfixed>
+	[bookworm] - bluez <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - bluez <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1903/
 CVE-2023-51579 (Voltronic Power ViewPower Incorrect Permission Assignment Local Privil ...)
 	NOT-FOR-US: Voltronic Power ViewPower
@@ -10162,6 +10176,8 @@ CVE-2023-44432 (Kofax Power PDF PDF File Parsing Out-Of-Bounds Write Remote Code
 	NOT-FOR-US: Kofax Power PDF
 CVE-2023-44431 (BlueZ Audio Profile AVRCP Stack-based Buffer Overflow Remote Code Exec ...)
 	- bluez <unfixed>
+	[bookworm] - bluez <postponed> (Minor issue, revisit when/if fixed upstream)
+	[bullseye] - bluez <postponed> (Minor issue, revisit when/if fixed upstream)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1900/
 CVE-2023-44430 (Bentley View SKP File Parsing Use-After-Free Remote Code Execution Vul ...)
 	NOT-FOR-US: Bentley
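Review bot: CVE-2023-44431 is described as a stack-based buffer overflow with remote code execution in the AVRCP audio profile, yet the added bookworm and bullseye lines give the same "Minor issue" rationale as the out-of-bounds read entries; the rationale should state the factor that downgrades an RCE-classified overflow to minor (the reachability precondition, or the lack of an upstream fix to ship) so the postponement is defensible when it is revisited.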
@@ -30349,6 +30365,8 @@ CVE-2024-22983 (SQL injection vulnerability in Projectworlds Visitor Management
 	NOT-FOR-US: Projectworlds Visitor Management System
 CVE-2024-22871 (An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an attacker  ...)
 	- clojure <unfixed> (bug #1071746)
+	[bookworm] - clojure <no-dsa> (Minor issue)
+	[bullseye] - clojure <no-dsa> (Minor issue)
 	NOTE: https://github.com/advisories/GHSA-vr64-r9qj-h27f
 	NOTE: https://hackmd.io/@fe1w0/rymmJGida
 CVE-2024-22532 (Buffer Overflow vulnerability in XNSoft NConvert 7.163 (for Windows x8 ...)
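Review bot: the new no-dsa lines cite only "Minor issue" on a denial-of-service entry that is tracked under bug #1071746 with a GHSA and a hackmd write-up as the only references; no upstream fix commit is linked, so if the assessment rests on the attack precondition described in the GHSA, record that precondition in the rationale, and add the upstream fix reference once it exists so the sid <unfixed> state can be resolved.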
@@ -33375,6 +33393,8 @@ CVE-2024-1633 (During the secure boot, bl2 (the second stage of the bootloader)
 CVE-2024-1597 (pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if u ...)
 	{DLA-3812-1}
 	- libpgjava 42.7.2-1
+	[bookworm] - libpgjava <no-dsa> (Minor issue)
+	[bullseye] - libpgjava <no-dsa> (Minor issue)
 	NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
 	NOTE: https://github.com/pgjdbc/pgjdbc/commit/93b0fcb2711d9c1e3a2a03134369738a02a58b40 (REL42.7.2)
 	NOTE: https://github.com/pgjdbc/pgjdbc/commit/06abfb78a627277a580d4df825f210e96a4e14ee (REL42.7.2)
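Review bot: the entry already records {DLA-3812-1} and the two REL42.7.2 fix commits, so a backportable patch exists in Debian; the added no-dsa lines for bookworm and bullseye give only "Minor issue", which does not say why that existing fix is not being taken into a point release. State the condition under which the SQL injection is reachable (as described in the linked GHSA) or note that a stable update is intended, so the difference in treatment between the DLA'd suite and the two tagged suites is explained.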
@@ -49537,6 +49557,7 @@ CVE-2023-49091 (Cosmos provides users the ability self-host a home server by act
 	NOT-FOR-US: Cosmos
 CVE-2023-49090 (CarrierWave is a solution for file uploads for Rails, Sinatra and othe ...)
 	- ruby-carrierwave <unfixed> (bug #1068150)
+	[bookworm] - ruby-carrierwave <no-dsa> (Minor issue)
 	NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj
 	NOTE: Fixed by: https://github.com/carrierwaveuploader/carrierwave/commit/39b282db5c1303899b3d3381ce8a837840f983b5 (v2.2.5)
 	NOTE: Fixed by: https://github.com/carrierwaveuploader/carrierwave/commit/863d425c76eba12c3294227b39018f6b2dccbbf3 (v3.0.5)
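Review bot: only [bookworm] receives a tag in this hunk; bullseye is left without any annotation on an entry whose sid state is <unfixed>, whereas every other entry touched by this commit tags both suites. Either the bullseye ruby-carrierwave is not affected, in which case a [bullseye] - ruby-carrierwave <not-affected> line with the reason belongs here (the cited fix commits are for v2.2.5 and v3.0.5, so the bullseye version relative to those branches would be the reason), or the bullseye triage line is missing.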
@@ -61281,6 +61302,7 @@ CVE-2023-40619 (phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization o
 	{DLA-3644-1}
 	- phppgadmin 7.14.7+dfsg-1 (bug #1053004)
 	[bookworm] - phppgadmin <ignored> (Package in stable is broken and will be removed)
+	[bullseye] - phppgadmin <ignored> (Package is broken and will be removed)
 	NOTE: https://github.com/phppgadmin/phppgadmin/issues/174
 	NOTE: https://github.com/hestiacp/phppgadmin/pull/4
 CVE-2023-40618 (A reflected cross-site scripting (XSS) vulnerability in OpenKnowledgeM ...)
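Review bot: the new bullseye line reads "Package is broken and will be removed" while the existing bookworm line reads "Package in stable is broken and will be removed"; with both suites now tagged, "in stable" on the bookworm line is ambiguous, so harmonise the two rationales (one wording, or name the suite explicitly). Since the entry carries {DLA-3644-1} and a fixed version 7.14.7+dfsg-1, "will be removed" should also reference the removal bug so the <ignored> state can be verified once the removal happens.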
@@ -120355,6 +120377,7 @@ CVE-2022-44567 (A command injection vulnerability exists in Rocket.Chat-Desktop
 	NOT-FOR-US: Rocket.Chat-Desktop
 CVE-2022-44566 (A denial of service vulnerability present in ActiveRecord's PostgreSQL ...)
 	- rails 2:6.1.7.3+dfsg-1 (bug #1030050)
+	[bullseye] - rails <no-dsa> (Minor issue)
 	NOTE: https://discuss.rubyonrails.org/t/cve-2022-44566-possible-denial-of-service-vulnerability-in-activerecords-postgresql-adapter/82119
 	NOTE: https://github.com/rails/rails/commit/414eb337d142a9c61d7723ceb9b7c1ab30dff3ed (6-1-stable)
 CVE-2022-44565 (An improper access validation vulnerability exists in airMAX AC <8.7.1 ...)
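Review bot: a [bullseye] no-dsa line is added with no [bookworm] counterpart, which is correct only if bookworm ships the fixed version 2:6.1.7.3+dfsg-1 or later; the entry does not say so, and the linked fix commit is on 6-1-stable, so if the bullseye rails is on an older branch the rationale should say whether that commit applies there rather than only "Minor issue".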
@@ -155806,6 +155829,7 @@ CVE-2022-32225 (A reflected DOM-Based XSS vulnerability has been discovered in t
 	NOT-FOR-US: Veeam
 CVE-2022-32224 (A possible escalation to RCE vulnerability exists when using YAML seri ...)
 	- rails 2:6.1.6.1+dfsg-1 (bug #1016140)
+	[bullseye] - rails <no-dsa> (Minor issue)
 	NOTE: https://github.com/advisories/GHSA-3hhc-qp5v-9p2j
 	NOTE: Fixed by: https://github.com/rails/rails/commit/611990f1a6c137c2d56b1ba06b27e5d2434dcd6a (main)
 	NOTE: Fixed by: https://github.com/rails/rails/commit/8ce4bd1be83c08c30c34af4d0f1a726066128176 (v6.1.6.1)
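Review bot: "Minor issue" is applied to an entry whose description reads "possible escalation to RCE" via YAML serialization; the no-dsa rationale should state the precondition from the linked GHSA (what an attacker has to control for the deserialization to be reached) so the severity call is reviewable, and, as with CVE-2022-44566 above, the absence of a bookworm line relies on the fixed version 2:6.1.6.1+dfsg-1 already being in bookworm, which is worth stating.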



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48b0a219287171bec18b5038d725ea15da58c4fd
