[Git][security-tracker-team/security-tracker][master] triage older issues

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Nov 4 08:08:57 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
aab07c9b by Moritz Muehlenhoff at 2024-11-04T09:08:47+01:00
triage older issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -25631,12 +25631,10 @@ CVE-2024-5964 (The Zenon Lite theme for WordPress is vulnerable to Stored Cross-
 CVE-2024-5726 (The Timeline Event History plugin for WordPress is vulnerable to PHP O ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-41184 (In the vrrp_ipsets_handler handler (fglobal_parser.c) of keepalived th ...)
-	- keepalived <unfixed> (bug #1077370)
-	[bookworm] - keepalived <no-dsa> (Minor issue)
-	[bullseye] - keepalived <no-dsa> (Minor issue)
+	- keepalived <unfixed> (bug #1077370; unimportant)
 	NOTE: https://github.com/acassen/keepalived/commit/e78513fe0ce5d83c226ea2c0bd222f375c2438e7
 	NOTE: https://github.com/acassen/keepalived/issues/2447#issuecomment-2231329734
-	NOTE: An empty ipset name must be explicitly configured by the user
+	NOTE: An empty ipset name must be explicitly configured by the user, no practical security impact
 CVE-2024-40764 (Heap-based buffer overflow vulnerability in the SonicOS IPSec VPN allo ...)
 	NOT-FOR-US: SonicWall
 CVE-2024-40492 (Cross Site Scripting vulnerability in Heartbeat Chat v.15.2.1 allows a ...)
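Review bot: The amended NOTE on the keepalived entry reads as a comma splice and leaves the reasoning implicit; consider `NOTE: An empty ipset name must be explicitly configured by the user, so there is no practical security impact` to state that the triage rests on the configuration being under the administrator's control. Dropping the [bookworm] and [bullseye] <no-dsa> lines is consistent with tagging the entry `unimportant`, since that severity already covers every release.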
@@ -64516,7 +64514,7 @@ CVE-2024-2161 (Use of Hard-coded Credentials in Kiloview NDI allows un-authentic
 	NOT-FOR-US: Kiloview
 CVE-2024-29864 (Distrobox before 1.7.0.1 allows attackers to execute arbitrary code vi ...)
 	- distrobox 1.7.0.1-1
-	[bookworm] - distrobox <no-dsa> (Minor issue)
+	[bookworm] - distrobox <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/89luca89/distrobox/issues/1275
 	NOTE: Fixed by: https://github.com/89luca89/distrobox/commit/82a69f0a234e73e447d0ea8c8b3443b84fd31944 (1.7.0.1)
 CVE-2024-29862 (The Kerlink firewall in ChirpStack chirpstack-mqtt-forwarder before 4. ...)
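Review bot: The `<not-affected> (Vulnerable code not present)` claim for bookworm is not backed by anything in the visible NOTEs, which only point to the fixing issue and commit; consider adding a NOTE naming the commit or upstream version that introduced the affected code, or the bookworm version that was checked, so the claim can be re-verified later.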
@@ -104989,9 +104987,8 @@ CVE-2023-4520 (The FV Flowplayer Video Player plugin for WordPress is vulnerable
 	NOT-FOR-US: FV Flowplayer Video Player plugin for WordPress
 CVE-2023-4508 (A user able to control file input to Gerbv, between versions 2.4.0 and ...)
 	{DLA-3593-1}
-	- gerbv 2.10.0-1 (bug #1050560)
-	[bookworm] - gerbv <no-dsa> (Minor issue)
-	[bullseye] - gerbv <no-dsa> (Minor issue)
+	- gerbv 2.10.0-1 (bug #1050560; unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://github.com/gerbv/gerbv/issues/191
 	NOTE: https://github.com/gerbv/gerbv/pull/192
 	NOTE: https://github.com/gerbv/gerbv/commit/5517e22250e935dc7f86f64ad414aeae3dbcb36a (v2.10.0-rc.1)
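Review bot: Marking this `unimportant` with `NOTE: Crash in CLI tool, no security impact` sits directly under the existing {DLA-3593-1} reference, which records that an update was already issued for this CVE, so the two lines read as contradictory; consider a NOTE explaining why the assessment changed (for instance, that the crash is only reachable from the command-line tool and not from the viewer). The CVE text only says "a user able to control file input to Gerbv", so the CLI-only scope should be spelled out.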
@@ -114348,7 +114345,7 @@ CVE-2023-31671 (PrestaShop postfinance <= 17.1.13 is vulnerable to SQL Injection
 	NOT-FOR-US: PrestaShop postfinance
 CVE-2023-2976 (Use of Java's default temporary directory for file creation in `FileBa ...)
 	- guava-libraries 32.0.1-1 (bug #1038979)
-	[bookworm] - guava-libraries <no-dsa> (Minor issue)
+	[bookworm] - guava-libraries <ignored> (Minor issue, mitigated by kernel tmp hardening)
 	[bullseye] - guava-libraries <no-dsa> (Minor issue)
 	[buster] - guava-libraries <no-dsa> (Minor issue)
 	NOTE: https://github.com/google/guava/releases/tag/v32.0.0
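Review bot: `mitigated by kernel tmp hardening` should name the mechanism it relies on (presumably the sticky-bit /tmp plus the fs.protected_regular and fs.protected_symlinks sysctls) and note that the mitigation only holds on systems where those are enabled, since it is a property of the host and not of guava. Also, bookworm moves to <ignored> while bullseye and buster keep <no-dsa> with the same "Minor issue" rationale; if the hardening applies to those releases as well, the three lines should probably be aligned.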
@@ -359474,7 +359471,7 @@ CVE-2020-8909
 	RESERVED
 CVE-2020-8908 (A temp directory creation vulnerability exists in all versions of Guav ...)
 	- guava-libraries 32.0.1-1 (bug #1038979)
-	[bookworm] - guava-libraries <no-dsa> (Minor issue)
+	[bookworm] - guava-libraries <ignored> (Minor issue, mitigated by kernel tmp hardening)
 	[bullseye] - guava-libraries <no-dsa> (Minor issue)
 	[buster] - guava-libraries <no-dsa> (Minor issue)
 	NOTE: https://github.com/google/guava/issues/4011
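Review bot: Same comment as for CVE-2023-2976 above: spell out which kernel tmp hardening is meant and consider whether bullseye and buster should receive the same <ignored> treatment rather than remaining <no-dsa>, since both CVEs share the same fixed version (32.0.1-1) and the same rationale.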



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aab07c9b203bb197542324fc21d27a528edec89f


