[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Nov 5 16:31:47 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6bf6ebf2 by Moritz Muehlenhoff at 2024-11-05T17:31:24+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -406,6 +406,7 @@ CVE-2024-10310 (The Element Pack Elementor Addons (Header Footer, Template Libra
 	NOT-FOR-US: WordPress plugin
 CVE-2024-51774 (qBittorrent before 5.0.1 proceeds with use of https URLs even after ce ...)
 	- qbittorrent 5.0.1-1
+	[bookworm] - qbittorrent <no-dsa> (Minor issue)
 	NOTE: https://sharpsec.run/rce-vulnerability-in-qbittorrent/
 CVE-2024-7456 (A SQL injection vulnerability exists in the `/api/v1/external-users` r ...)
 	NOT-FOR-US: lunary-ai/lunary
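Review bot: the new `[bookworm] - qbittorrent <no-dsa> (Minor issue)` line sits directly above a NOTE whose URL describes the bug as an RCE (`rce-vulnerability-in-qbittorrent`), and the CVE text says the client keeps using https URLs after a certificate check fails. A one-line NOTE recording why this is treated as minor for bookworm (for example, a plan to fix it through a point release) would keep the triage decision traceable for the next person reading the entry.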
@@ -903,8 +904,11 @@ CVE-2024-8185 (Vault Community and Vault Enterprise (\u201cVault\u201d) clusters
 	NOT-FOR-US: HashiCorp Vault
 CVE-2024-7883 (When using Arm Cortex-M Security Extensions (CMSE), Secure stack  cont ...)
 	- llvm-toolchain-14 <unfixed>
+	[bookworm] - llvm-toolchain-14 <ignored> (Minor issue)
 	- llvm-toolchain-15 <removed>
+	[bookworm] - llvm-toolchain-15 <ignored> (Minor issue)
 	- llvm-toolchain-16 <unfixed>
+	[bookworm] - llvm-toolchain-16 <ignored> (Minor issue)
 	- llvm-toolchain-17 <unfixed>
 	- llvm-toolchain-18 <unfixed>
 	NOTE: https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability
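Review bot: the three added `[bookworm] - llvm-toolchain-1x <ignored> (Minor issue)` lines use `<ignored>` where every other bookworm entry in this commit uses `<no-dsa>`, so the choice looks deliberate but the reason is not recorded. Since the CVE text limits the problem to code built with Arm CMSE, a short NOTE stating that rationale would justify `<ignored>` over `<no-dsa>`; also worth double-checking that the `llvm-toolchain-15 <removed>` line still warrants a bookworm tag at all.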
@@ -1564,6 +1568,7 @@ CVE-2024-22066 (There is a privilege escalation vulnerability in ZTE ZXR10 ZSR V
 	NOT-FOR-US: ZTE
 CVE-2024-10491 (A vulnerability has been identified in the Express response.linksfunct ...)
 	- node-express <unfixed>
+	[bookworm] - node-express <no-dsa> (Minor issue)
 	NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-10491
 	NOTE: check details, affects only <=3.21.4, so possibly fixed in 4.1.1~dfsg-1 onwards
 CVE-2024-10474 (Focus was incorrectly allowing internal links to utilize the app schem ...)
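Review bot: the added `[bookworm] - node-express <no-dsa> (Minor issue)` line conflicts with the existing NOTE two lines below, which says the bug only affects `<=3.21.4` and is "possibly fixed in 4.1.1~dfsg-1 onwards". If that holds, the bookworm version is not affected and the tag should be `<not-affected>` rather than `<no-dsa>`; the open "check details" item should be resolved before the no-dsa decision is committed.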
@@ -2297,6 +2302,7 @@ CVE-2024-10413 (A vulnerability, which was classified as critical, has been foun
 	NOT-FOR-US: SourceCodester
 CVE-2024-50602 (An issue was discovered in libexpat before 2.6.4. There is a crash wit ...)
 	- expat 2.6.3-2 (bug #1086134)
+	[bookworm] - expat <no-dsa> (Minor issue)
 	NOTE: https://github.com/libexpat/libexpat/pull/915
 CVE-2024-10412 (A vulnerability was found in Poco-z Guns-Medical 1.0. It has been decl ...)
 	NOT-FOR-US: Poco-z Guns-Medical
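Review bot: the `[bookworm] - expat <no-dsa> (Minor issue)` line is added for a CVE that is already fixed in unstable (`expat 2.6.3-2`, bug #1086134) with the upstream fix linked in the NOTE (pull/915). Given that a small, known patch exists, consider recording in a NOTE that this is a candidate for a bookworm point release so it is not lost as a plain no-dsa.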
@@ -6787,6 +6793,7 @@ CVE-2024-49193 (Zendesk before 2024-07-02 allows remote attackers to read ticket
 	NOT-FOR-US: Zendesk
 CVE-2024-6519 (A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI H ...)
 	- qemu <unfixed> (bug #1085299)
+	[bookworm] - qemu <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2292089
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-24-1382/
 CVE-2024-9860 (The Bridge Core plugin for WordPress is vulnerable to unauthorized mod ...)
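Review bot: the added `[bookworm] - qemu <no-dsa> (Minor issue)` line classifies a use-after-free in the emulated LSI53C895A SCSI controller as minor without stating why; the two NOTE links (Red Hat bug 2292089, ZDI-24-1382) are references, not a rationale. A NOTE giving the reason (for example, the affected device model or the practical impact described in those advisories) would make the no-dsa decision reviewable later.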
@@ -94492,10 +94499,8 @@ CVE-2023-46478 (An issue in minCal v.1.0.0 allows a remote attacker to execute a
 CVE-2023-46451 (Best Courier Management System v1.0 is vulnerable to Cross Site Script ...)
 	NOT-FOR-US: Best Courier Management System
 CVE-2023-46361 (Artifex Software jbig2dec v0.20 was discovered to contain a SEGV vulne ...)
-	- jbig2dec <unfixed> (bug #1055387)
-	[bookworm] - jbig2dec <no-dsa> (Minor issue)
-	[bullseye] - jbig2dec <no-dsa> (Minor issue)
-	[buster] - jbig2dec <no-dsa> (Minor issue)
+	- jbig2dec <unfixed> (bug #1055387; unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/jbig2dec-SEGV/jbig2dec-SEGV.md
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707308
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=705041
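Review bot: the new NOTE `Crash in CLI tool, no security impact` and the `unimportant` marker on the `jbig2dec <unfixed>` line replace three release-specific `<no-dsa>` tags, so the whole downgrade rests on the crash being confined to the command-line front end. Worth confirming against the two linked ghostscript bug reports that the SEGV is not in code shared with the library that other packages link against; if it is, the previous per-release `<no-dsa>` lines were the safer record.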
@@ -127929,8 +127934,8 @@ CVE-2023-28430 (OneSignal is an email, sms, push notification, and in-app messag
 CVE-2023-28429 (Pimcore is an open source data and experience management platform. Ver ...)
 	NOT-FOR-US: Pimcore
 CVE-2023-28428 (PDFio is a C library for reading and writing PDF files. In versions 1. ...)
-	- ippsample <unfixed> (bug #1034155)
-	[bookworm] - ippsample <no-dsa> (Minor issue)
+	- ippsample <unfixed> (bug #1034155; unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://github.com/michaelrsweet/pdfio/commit/97d4955666779dc5b0665e15dd951a5c12426a31 (v1.1.1)
 	NOTE: https://github.com/michaelrsweet/pdfio/security/advisories/GHSA-68x8-9phf-j7jf
 CVE-2023-28427 (matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for Jav ...)
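Review bot: the added NOTE `Crash in CLI tool, no security impact` sits under a CVE whose own description opens with "PDFio is a C library for reading and writing PDF files", so the `unimportant` rating on the `ippsample <unfixed>` line implicitly assumes ippsample only exercises PDFio from command-line tools. Stating that assumption in the NOTE (which ippsample component embeds the library) would make the downgrade from `<no-dsa>` self-explanatory.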
@@ -322400,6 +322405,7 @@ CVE-2020-23885
 CVE-2020-23884 (A buffer overflow in Nomacs v3.15.0 allows attackers to cause a denial ...)
 	- qt6-base <not-affected> (Fixed before initial upload to the archive)
 	- qtimageformats-opensource-src 5.15.15-3 (bug #1014124)
+	[bookworm] - qtimageformats-opensource-src <no-dsa> (Minor issue)
 	NOTE: Originally reported/assigned to nomac, but actual issue is in Qt:
 	NOTE: https://github.com/nomacs/nomacs/issues/516
 	NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/303313
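Review bot: the `[bookworm] - qtimageformats-opensource-src <no-dsa> (Minor issue)` line is consistent with the fixed unstable version already recorded (`5.15.15-3`, bug #1014124). Minor style point on the unchanged context line `NOTE: Originally reported/assigned to nomac`: the project is spelled `nomacs`, as the GitHub URL on the next line shows.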


=====================================
data/dsa-needed.txt
=====================================
@@ -19,6 +19,8 @@ frr
 --
 ghostscript (carnil)
 --
+guix (jmm)
+--
 libarchive (carnil)
 --
 libreswan
@@ -28,6 +30,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more 6.1.y versions
 --
+mpg123
+--
 nss (jmm)
 --
 opennds



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bf6ebf280380604d7456d0c8135b56045cc4691
