[Git][security-tracker-team/security-tracker][master] 4 commits: Mark CVE-2024-49761/ruby2.7 as n/a

Emilio Pozuelo Monfort (@pochu) pochu at debian.org
Fri Nov 1 10:16:04 GMT 2024



Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
99ac018c by Emilio Pozuelo Monfort at 2024-11-01T11:15:08+01:00
Mark CVE-2024-49761/ruby2.7 as n/a

- - - - -
e0b14e00 by Emilio Pozuelo Monfort at 2024-11-01T11:15:29+01:00
lts: add libheif

- - - - -
b204babb by Emilio Pozuelo Monfort at 2024-11-01T11:15:31+01:00
lts: Mark CVE-2024-0126 as no-dsa on bullseye

- - - - -
36e746c1 by Emilio Pozuelo Monfort at 2024-11-01T11:15:31+01:00
lts: Mark dbeacon issue as postponed

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1289,7 +1289,7 @@ CVE-2024-49761 (REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has
 	- ruby3.3 <unfixed>
 	- ruby3.2 <unfixed>
 	- ruby3.1 <unfixed>
-	- ruby2.7 <removed>
+	- ruby2.7 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
 	NOTE: https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f (v3.3.9)
 	NOTE: https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/
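Review bot: The "Vulnerable code introduced later" justification for ruby2.7 is not traceable from the entry: the NOTE lines point at the advisory and at the fix commit for v3.3.9, but nothing records which rexml version or commit introduced the vulnerable code, which is what a later triager needs to confirm that the rexml shipped with ruby2.7 predates it. Suggest adding a NOTE with the introducing upstream commit or the first affected rexml version next to the existing fix reference.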
@@ -2044,7 +2044,9 @@ CVE-2024-0126 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner
 	[bullseye] - nvidia-graphics-drivers <ignored> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1085969)
 	- nvidia-graphics-drivers-legacy-390xx <unfixed> (bug #1085970)
+	[bullseye] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free not supported)
 	- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1085971)
+	[bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not supported)
 	- nvidia-graphics-drivers-tesla-450 450.248.02-4 (bug #1085972)
 	NOTE: 450.248.02-4 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
 	- nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1085973)
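Review bot: The two new bullseye lines use &lt;no-dsa&gt; with the rationale "(Non-free not supported)", while the existing bullseye line for nvidia-graphics-drivers at the top of this hunk uses &lt;ignored&gt; with the identical rationale. The two states mean different things to the LTS triage (no-dsa leaves the issue open for a possible later DLA, ignored means it will not be fixed), so the same reason should map to the same state; either change the new entries to &lt;ignored&gt; or record why these packages are treated differently.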
@@ -2052,6 +2054,7 @@ CVE-2024-0126 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner
 	NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
 	- nvidia-graphics-drivers-tesla-470 <unfixed> (bug #1085974)
 	[bookworm] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+	[bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
 	- nvidia-graphics-drivers-tesla 525.147.05-6 (bug #1085975)
 	NOTE: 525.147.05-6 turned the package into a metapackage to aid switching to nvidia-graphics-drivers
 	- nvidia-open-gpu-kernel-modules <unfixed> (bug #1085976)
@@ -4091,6 +4094,7 @@ CVE-2024-10195 (A vulnerability was found in Tecno 4G Portable WiFi TR118 V008-2
 CVE-2024-XXXX [XSS Vulnerability in matrix.pl]
 	- dbeacon 0.4.0-3 (bug #1031542)
 	[bookworm] - dbeacon <no-dsa> (Minor issue)
+	[bullseye] - dbeacon <postponed> (Minor issue)
 CVE-2024-49631 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-49630 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
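Review bot: bullseye is marked &lt;postponed&gt; while bookworm stays &lt;no-dsa&gt; for the same "(Minor issue)" reason, and no NOTE says what the bullseye fix is postponed until; by convention postponed implies the fix will be bundled with a future update, so a dated NOTE naming that trigger (for example a later dbeacon upload) would let the next Front-Desk round tell this apart from a plain no-dsa. Note also that the entry still carries the CVE-2024-XXXX placeholder, so the postponed state cannot currently be matched against an assigned id.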
@@ -87177,7 +87181,6 @@ CVE-2023-49463 (libheif v1.17.5 was discovered to contain a segmentation violati
 CVE-2023-49462 (libheif v1.17.5 was discovered to contain a segmentation violation via ...)
 	{DSA-5796-1}
 	- libheif 1.17.6-1 (bug #1059151)
-	[bullseye] - libheif <no-dsa> (Minor issue)
 	[buster] - libheif <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/strukturag/libheif/issues/1043
 	NOTE: https://github.com/strukturag/libheif/commit/730a9d80bea3434f75c79e721878cc67f3889969 (v1.17.6)
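Review bot: Dropping the bullseye &lt;no-dsa&gt; line reopens this CVE for bullseye, which matches the libheif addition to dla-needed.txt in this push, but the entry gives the DLA triager nothing to check affectedness against: buster is marked &lt;not-affected&gt; (Vulnerable code not present), so the bug was introduced somewhere between buster's and bullseye's versions. Suggest a NOTE recording the introducing upstream commit or first affected libheif version so that the bullseye status does not have to be re-bisected when the DLA is prepared.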
@@ -122420,7 +122423,6 @@ CVE-2023-29660
 CVE-2023-29659 (A Segmentation fault caused by a floating point exception exists in li ...)
 	{DSA-5796-1}
 	- libheif 1.16.2-1 (bug #1035607)
-	[bullseye] - libheif <no-dsa> (Minor issue)
 	[buster] - libheif <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libheif/issues/794
 	NOTE: https://github.com/strukturag/libheif/commit/e05e15b57a38ec411cb9acb38512a1c36ff62991 (v1.15.2)
@@ -132744,7 +132746,6 @@ CVE-2023-22293 (Improper access control in the Intel(R) Thunderbolt(TM) DCH driv
 	NOT-FOR-US: Intel
 CVE-2023-0996 (There is a vulnerability in the strided image data parsing code in the ...)
 	- libheif 1.15.1-1 (bug #1032101)
-	[bullseye] - libheif <no-dsa> (Minor issue)
 	[buster] - libheif <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libheif/pull/759
 	NOTE: https://govtech-csg.github.io/security-advisories/2023/02/24/CVE-2023-0996.html


=====================================
data/dla-needed.txt
=====================================
@@ -91,6 +91,9 @@ libarchive (Adrian Bunk)
   NOTE: 20241031: Added by Front-Desk (pochu)
   NOTE: 20241031: look at no-dsa issues as well (pochu)
 --
+libheif
+  NOTE: 20241101: Added by Front-Desk (pochu)
+--
 linux (Ben Hutchings)
   NOTE: 20230111: Perma-added, Linux package specifically delegated to bwh (LTS Team)
 --
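Review bot: The new libheif entry names neither an assignee nor the issues that prompted it; the libarchive entry just above shows the convention of adding working notes ("look at no-dsa issues as well"). Since this push reopens three libheif CVEs for bullseye (CVE-2023-49462, CVE-2023-29659, CVE-2023-0996), all already fixed in bookworm via DSA-5796-1, suggest adding a NOTE listing those ids and pointing at DSA-5796-1 as the reference for what the bullseye update should cover.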



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f093cd36b1fefe22b9b551d315aad9d917c4543c...36e746c1dbebce123821f7a61e18d9fa9576d7cd




