[Git][security-tracker-team/security-tracker][master] triage older issues

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Nov 6 16:00:45 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8dbd7202 by Moritz Muehlenhoff at 2024-11-06T17:00:34+01:00
triage older issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3278,17 +3278,21 @@ CVE-2024-10011 (The BuddyPress plugin for WordPress is vulnerable to Directory T
 	NOT-FOR-US: WordPress plugin
 CVE-2024-48426 (A segmentation fault (SEGV) was detected in the SortByPTypeProcess::Ex ...)
 	- assimp <unfixed> (bug #1086043)
+	[bookworm] - assimp <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/assimp/assimp/issues/5789
 CVE-2024-48425 (A segmentation fault (SEGV) was detected in the Assimp::SplitLargeMesh ...)
 	- assimp <unfixed> (bug #1086044)
+	[bookworm] - assimp <ignored> (Minor issue)
 	NOTE: https://github.com/assimp/assimp/issues/5791
 	NOTE: https://github.com/assimp/assimp/commit/ecdf8d24b85367b22ba353b4f82299d4af7f1f97
 	NOTE: https://github.com/assimp/assimp/pull/5799
 CVE-2024-48424 (A heap-buffer-overflow vulnerability has been identified in the OpenDD ...)
 	- assimp <unfixed> (bug #1086045)
+	[bookworm] - assimp <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/assimp/assimp/issues/5787
 CVE-2024-48423 (An issue in assimp v.5.4.3 allows a local attacker to execute arbitrar ...)
 	- assimp <unfixed> (bug #1086046)
+	[bookworm] - assimp <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/assimp/assimp/issues/5788
 CVE-2024-9692 (VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Serv ...)
 	NOT-FOR-US: VIMESA VHF/FM Transmitter Blue Plus
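Review bot: CVE-2024-48425 is the only one of the four assimp entries in this hunk with an upstream fix referenced (the commit and pull-request NOTEs that follow it), yet it is the one tagged `<ignored>`, while CVE-2024-48426, CVE-2024-48424 and CVE-2024-48423, which reference no fix, get `<postponed>` with "revisit when fixed upstream". If the intent is that the available fix is not worth backporting to bookworm, a short reason in the parenthesis would make that explicit; otherwise `<postponed>` would be consistent with the rest of the block.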
@@ -10912,7 +10916,7 @@ CVE-2024-47003 (Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to
 	- mattermost-server <itp> (bug #823556)
 CVE-2024-46632 (Assimp v5.4.3 is vulnerable to Buffer Overflow via the MD5Importer::Lo ...)
 	- assimp <unfixed> (bug #1082857)
-	[bookworm] - assimp <no-dsa> (Minor issue)
+	[bookworm] - assimp <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - assimp <postponed> (Minor issue)
 	NOTE: https://github.com/assimp/assimp/issues/5771
 CVE-2024-46627 (Incorrect access control in BECN DATAGERRY v2.2 allows attackers to ex ...)
@@ -12018,7 +12022,7 @@ CVE-2024-45813 (find-my-way is a fast, open source HTTP router, internally using
 	NOT-FOR-US: find-my-way
 CVE-2024-45679 (Heap-based buffer overflow vulnerability in Assimp versions prior to 5 ...)
 	- assimp 5.4.0+ds-1
-	[bookworm] - assimp <no-dsa> (Minor issue)
+	[bookworm] - assimp <ignored> (Minor issue)
 	[bullseye] - assimp <postponed> (Minor issue)
 	NOTE: https://github.com/assimp/assimp/pull/5310
 	NOTE: https://github.com/assimp/assimp/commit/e4e2c63e0c2c449cd69fb9a3269e865eb83c241d (v5.4.0)
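Review bot: the bookworm tag for CVE-2024-45679 becomes `<ignored>` while the bullseye line directly below it stays `<postponed>`, although the fix is already identified (commit tagged v5.4.0, shipped as 5.4.0+ds-1). A fix that is not going to be backported to bookworm seems unlikely to be backported to the older bullseye; either the two tags should agree or the reason for the difference is worth stating in the parenthesis.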
@@ -26441,7 +26445,7 @@ CVE-2024-41111 (Sliver is an open source cross-platform adversary emulation/red
 	NOT-FOR-US: Sliver
 CVE-2024-40724 (Heap-based buffer overflow vulnerability in Assimp versions prior to 5 ...)
 	- assimp 5.4.2+ds-1
-	[bookworm] - assimp <no-dsa> (Minor issue)
+	[bookworm] - assimp <ignored> (Minor issue)
 	[bullseye] - assimp <no-dsa> (Minor issue)
 	NOTE: https://github.com/assimp/assimp/commit/ddb74c2bbdee1565dda667e85f0c82a0588c8053 (v5.4.2)
 CVE-2024-40642 (The netty incubator codec.bhttp is a java language binary http parser. ...)
@@ -47809,7 +47813,7 @@ CVE-2024-28866 (GoCD is a continuous delivery server. GoCD versions from 19.4.0
 	NOT-FOR-US: GoCD
 CVE-2024-28285 (A Fault Injection vulnerability in the SymmetricDecrypt function in cr ...)
 	- libcrypto++ <unfixed> (bug #1077684)
-	[bookworm] - libcrypto++ <no-dsa> (Minor issue)
+	[bookworm] - libcrypto++ <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - libcrypto++ <no-dsa> (Minor issue)
 	[buster] - libcrypto++ <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://groups.google.com/g/cryptopp-users/c/UkVcH2IWR2M?pli=1
@@ -76519,19 +76523,20 @@ CVE-2024-24816 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed
 	[bookworm] - ckeditor <no-dsa> (Minor issue)
 	[bullseye] - ckeditor <no-dsa> (Minor issue)
 	[buster] - ckeditor <no-dsa> (Minor issue)
-	- ckeditor3 <unfixed> (bug #1063537)
+	- ckeditor3 <unfixed> (bug #1063537; unimportant)
 	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
 	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
 	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
 	NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76
 	NOTE: https://github.com/ckeditor/ckeditor4/commit/7518202f0f228ee5549a36ecb7cb880b06ea5add (4.24.0-lts)
+	NOTE: The samples are not shipped in ckedito3
 CVE-2024-24815 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.  ...)
 	- ckeditor <unfixed> (bug #1063536)
 	[bookworm] - ckeditor <no-dsa> (Minor issue)
 	[bullseye] - ckeditor <no-dsa> (Minor issue)
 	[buster] - ckeditor <no-dsa> (Minor issue)
 	- ckeditor3 <unfixed> (bug #1063537)
-	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
+	[bookworm] - ckeditor3 <ignored> (Minor issue, only used by Horde editor)
 	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
 	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
 	NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm
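Review bot: typo in the NOTE added for CVE-2024-24816: "ckedito3" should read "ckeditor3". Also, if the samples are not shipped in ckeditor3 at all, the entry matches the pattern used later in this commit for CVE-2022-24729 and CVE-2021-37695, where ckeditor3 is tagged `<not-affected>` with a reason and the per-release lines are dropped, rather than `<unfixed>` with "unimportant" while the bookworm and bullseye `<no-dsa>` lines for ckeditor3 are left in place.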
@@ -86487,19 +86492,20 @@ CVE-2023-6483 (The vulnerability exists in ADiTaaS (Allied Digital Integrated To
 	NOT-FOR-US: ADiTaaS (Allied Digital Integrated Tool-as-a-Service)
 CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows atta ...)
 	- libcrypto++ <unfixed> (bug #1059312)
-	[bookworm] - libcrypto++ <no-dsa> (Minor issue)
+	[bookworm] - libcrypto++ <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - libcrypto++ <no-dsa> (Minor issue)
 	[buster] - libcrypto++ <no-dsa> (Minor issue)
 	NOTE: https://github.com/weidai11/cryptopp/issues/1249
 CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to  ...)
 	- libcrypto++ <unfixed> (bug #1059311)
-	[bookworm] - libcrypto++ <no-dsa> (Minor issue)
+	[bookworm] - libcrypto++ <ignored> (Minor issue)
 	[bullseye] - libcrypto++ <no-dsa> (Minor issue)
 	[buster] - libcrypto++ <no-dsa> (Minor issue)
 	NOTE: https://github.com/weidai11/cryptopp/issues/1248
+	NOTE: https://github.com/weidai11/cryptopp/commit/641ae35258de397774744b8b17ef6632c3fa48b3
 CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel during ...)
 	- libcrypto++ <unfixed> (bug #1059310)
-	[bookworm] - libcrypto++ <no-dsa> (Minor issue)
+	[bookworm] - libcrypto++ <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - libcrypto++ <no-dsa> (Minor issue)
 	[buster] - libcrypto++ <no-dsa> (Minor issue)
 	NOTE: https://github.com/weidai11/cryptopp/issues/1247
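Review bot: the commit NOTE added after the CVE-2023-50980 issue link does not say what the commit is; elsewhere in the file fix commits are labelled (e.g. "NOTE: Fixed by: ..." on CVE-2022-48571 in the next hunk, or a version in parentheses on the assimp entries), and the same labelling here would avoid ambiguity. It also sits oddly with the bookworm tag on that entry changing to `<ignored>` while CVE-2023-50981 and CVE-2023-50979, which reference no fix, become `<postponed>` with "revisit when fixed upstream"; a reason in the `<ignored>` parenthesis would clarify the choice.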
@@ -106433,7 +106439,7 @@ CVE-2022-48571 (memcached 1.6.7 allows a Denial of Service via multi-packet uplo
 	NOTE: Fixed by: https://github.com/memcached/memcached/commit/6b319c8c7a29e9c353dec83dc92f01905f6c8966 (1.6.8)
 CVE-2022-48570 (Crypto++ through 8.4 contains a timing side channel in ECDSA signature ...)
 	- libcrypto++ <unfixed> (bug #1059309)
-	[bookworm] - libcrypto++ <no-dsa> (Minor issue)
+	[bookworm] - libcrypto++ <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - libcrypto++ <no-dsa> (Minor issue)
 	[buster] - libcrypto++ <no-dsa> (Minor issue)
 	NOTE: Related issue: https://github.com/weidai11/cryptopp/issues/992
@@ -128465,7 +128471,7 @@ CVE-2023-28439 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed
 	[bullseye] - ckeditor <no-dsa> (Minor issue)
 	[buster] - ckeditor <no-dsa> (Minor issue)
 	- ckeditor3 <unfixed> (bug #1059301)
-	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
+	[bookworm] - ckeditor3 <ignored> (Minor issue, only used by Horde editor)
 	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
 	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
 	NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g
@@ -156612,10 +156618,11 @@ CVE-2022-45749
 	RESERVED
 CVE-2022-45748 (An issue was discovered with assimp 5.1.4, a use after free occurred i ...)
 	- assimp 5.3.1+ds-2 (bug #1029833)
-	[bookworm] - assimp <no-dsa> (Minor issue)
+	[bookworm] - assimp <ignored> (Minor issue)
 	[bullseye] - assimp <no-dsa> (Minor issue)
 	[buster] - assimp <no-dsa> (Minor issue)
 	NOTE: https://github.com/assimp/assimp/issues/4286
+	NOTE: https://github.com/assimp/assimp/commit/4b9f46dbda5128d6d538d185eb69ad6a7b4b99ff (v5.4.0)
 CVE-2022-45747
 	RESERVED
 CVE-2022-45746
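Review bot: the commit NOTE added for CVE-2022-45748 is annotated "(v5.4.0)", but the entry records the fix in unstable as 5.3.1+ds-2. If the Debian revision carried a backport of that commit, a "Fixed by:" prefix or a short remark to that effect would keep the version annotation from reading as a contradiction; otherwise the recorded fixed version looks wrong.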
@@ -219316,18 +219323,15 @@ CVE-2022-24729 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed
 	- ckeditor 4.19.0+dfsg-1
 	[bullseye] - ckeditor <no-dsa> (Minor issue)
 	[buster] - ckeditor <no-dsa> (Minor issue)
-	- ckeditor3 <unfixed> (bug #1015217)
-	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
-	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
-	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
-	[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
+	- ckeditor3 <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh
+	NOTE: https://github.com/ckeditor/ckeditor4/commit/8cff1e5aee3d766068792a374ba6b54a5cb92e2d (4.18.0)
 CVE-2022-24728 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.  ...)
 	- ckeditor 4.19.0+dfsg-1
 	[bullseye] - ckeditor <no-dsa> (Minor issue)
 	[buster] - ckeditor <no-dsa> (Minor issue)
 	- ckeditor3 <unfixed> (bug #1015217)
-	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
+	[bookworm] - ckeditor3 <ignored> (Minor issue, only used by Horde editor)
 	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
 	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
 	[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
@@ -231154,7 +231158,7 @@ CVE-2021-45341 (A buffer overflow vulnerability in CDataMoji of the jwwlib compo
 	NOTE: Fixed by: https://github.com/LibreCAD/LibreCAD/commit/f3502963eaf379a429bc9da73c1224c5db649997
 CVE-2021-45340 (In Libsixel prior to and including v1.10.3, a NULL pointer dereference ...)
 	- libsixel <unfixed> (bug #1004377)
-	[bookworm] - libsixel <no-dsa> (Minor issue)
+	[bookworm] - libsixel <ignored> (Minor issue)
 	[bullseye] - libsixel <no-dsa> (Minor issue)
 	[buster] - libsixel <no-dsa> (Minor issue)
 	[stretch] - libsixel <no-dsa> (Minor issue)
@@ -246933,7 +246937,7 @@ CVE-2021-41165 (CKEditor4 is an open source WYSIWYG HTML editor. In affected ver
 	[buster] - ckeditor <no-dsa> (Minor issue)
 	[stretch] - ckeditor <no-dsa> (Minor issue)
 	- ckeditor3 <unfixed> (bug #1015217)
-	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
+	[bookworm] - ckeditor3 <ignored> (Minor issue, only used by Horde editor)
 	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
 	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
 	[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
@@ -256039,11 +256043,7 @@ CVE-2021-37695 (ckeditor is an open source WYSIWYG HTML editor with rich content
 	- ckeditor 4.16.2+dfsg-1 (bug #992290)
 	[bullseye] - ckeditor <no-dsa> (Minor issue)
 	[buster] - ckeditor <no-dsa> (Minor issue)
-	- ckeditor3 <unfixed> (bug #1015217)
-	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
-	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
-	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
-	[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
+	- ckeditor3 <not-affected> (fakeobjects plugin only in ckeditor 4)
 	NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc
 	NOTE: https://github.com/ckeditor/ckeditor4/commit/de3c001540715f9c3801aaa38a1917de46cfcf58
 CVE-2021-37694 (@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud S ...)
@@ -265333,7 +265333,7 @@ CVE-2021-33829 (A cross-site scripting (XSS) vulnerability in the HTML Data Proc
 	- ckeditor 4.16.0+dfsg-2
 	[buster] - ckeditor <no-dsa> (Minor issue)
 	- ckeditor3 <unfixed> (bug #1015217)
-	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
+	[bookworm] - ckeditor3 <ignored> (Minor issue, only used by Horde editor)
 	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
 	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
 	[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
@@ -270933,7 +270933,7 @@ CVE-2021-31812 (In Apache PDFBox, a carefully crafted PDF file can trigger an in
 	[bullseye] - libpdfbox2-java <no-dsa> (Minor issue)
 	[buster] - libpdfbox2-java <no-dsa> (Minor issue)
 	- libpdfbox-java <unfixed> (bug #991527)
-	[bookworm] - libpdfbox-java <no-dsa> (Minor issue)
+	[bookworm] - libpdfbox-java <ignored> (Minor issue)
 	[bullseye] - libpdfbox-java <no-dsa> (Minor issue)
 	[buster] - libpdfbox-java <no-dsa> (Minor issue)
 	[stretch] - libpdfbox-java <no-dsa> (Minor issue)
@@ -270944,7 +270944,7 @@ CVE-2021-31811 (In Apache PDFBox, a carefully crafted PDF file can trigger an Ou
 	[bullseye] - libpdfbox2-java <no-dsa> (Minor issue)
 	[buster] - libpdfbox2-java <no-dsa> (Minor issue)
 	- libpdfbox-java <unfixed> (bug #991527)
-	[bookworm] - libpdfbox-java <no-dsa> (Minor issue)
+	[bookworm] - libpdfbox-java <ignored> (Minor issue)
 	[bullseye] - libpdfbox-java <no-dsa> (Minor issue)
 	[buster] - libpdfbox-java <no-dsa> (Minor issue)
 	[stretch] - libpdfbox-java <no-dsa> (Minor issue)
@@ -285259,11 +285259,7 @@ CVE-2021-26271 (It was possible to execute a ReDoS-type attack inside CKEditor 4
 	- ckeditor 4.16.0+dfsg-1 (bug #982587)
 	[buster] - ckeditor <no-dsa> (Minor issue)
 	[stretch] - ckeditor <postponed> (Fix along next DLA)
-	- ckeditor3 <unfixed> (bug #1015217)
-	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
-	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
-	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
-	[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
+	- ckeditor3 <not-affected> (dialogadvtab plugin introduced in ckeditor 4)
 	NOTE: https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
 CVE-2021-26270
 	RESERVED
@@ -296856,7 +296852,7 @@ CVE-2020-36121
 	RESERVED
 CVE-2020-36120 (Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsix ...)
 	- libsixel <unfixed> (bug #988159)
-	[bookworm] - libsixel <no-dsa> (Minor issue, fix modifies the API)
+	[bookworm] - libsixel <ignored> (Minor issue, fix modifies the API)
 	[bullseye] - libsixel <ignored> (Minor issue, fix modifies the API)
 	[buster] - libsixel <no-dsa> (Minor issue)
 	[stretch] - libsixel <postponed> (Minor issue; can be fixed in next update)
@@ -341829,13 +341825,10 @@ CVE-2020-15355
 CVE-2020-15354
 	REJECTED
 CVE-2013-7489 (The Beaker library through 1.11.0 for Python is affected by deserializ ...)
-	- beaker <unfixed> (bug #966197)
-	[bookworm] - beaker <no-dsa> (Minor issue)
-	[bullseye] - beaker <no-dsa> (Minor issue)
-	[buster] - beaker <no-dsa> (Minor issue)
-	[stretch] - beaker <no-dsa> (Minor issue)
+	- beaker <unfixed> (bug #966197; unimportant)
 	NOTE: https://github.com/bbangert/beaker/issues/191
 	NOTE: https://www.openwall.com/lists/oss-security/2020/05/14/11
+	NOTE: Negligible security impact, this is more hardening than an actual vulnerability
 CVE-2020-15353
 	RESERVED
 CVE-2020-15352 (An XML external entity (XXE) vulnerability in Pulse Connect Secure (PC ...)
@@ -445020,15 +445013,12 @@ CVE-2018-17961 (Artifex Ghostscript 9.25 and earlier allows attackers to bypass
 	NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a6807394bd94b708be24758287b606154daaaed9
 	NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=a5a9bf8c6a63aa4ac6874234fe8cd63e72077291
 CVE-2018-17960 (CKEditor 4.x before 4.11.0 allows user-assisted XSS involving a source ...)
-	- ckeditor 4.11.1+dfsg-1 (low)
+	- ckeditor 4.11.1+dfsg-1 (unimportant)
 	[stretch] - ckeditor <ignored> (Minor issue, XSS through direct copy/paste by victim, no identified patch)
 	[jessie] - ckeditor <ignored> (Minor issue)
-	- ckeditor3 <unfixed> (low; bug #1015217)
-	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
-	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
-	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
-	[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)
+	- ckeditor3 <unfixed> (unimportant; bug #1015217)
 	- fckeditor <removed>
+	NOTE: Negligible security impact
 CVE-2018-17959
 	RESERVED
 CVE-2018-17958 (Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c b ...)
@@ -613791,7 +613781,7 @@ CVE-2014-5191 (Cross-site scripting (XSS) vulnerability in the Preview plugin be
 	[wheezy] - ckeditor <not-affected> (Preview plugin not yet present)
 	[squeeze] - ckeditor <not-affected> (Preview plugin not yet present)
 	- ckeditor3 <unfixed> (bug #1015217)
-	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
+	[bookworm] - ckeditor3 <ignored> (Minor issue, only used by Horde editor)
 	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
 	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
 	[stretch] - ckeditor3 <end-of-life> (EOL'd for stretch)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8dbd720220020dcd5c09d020bf7c9afae878bb96

-- 
You're receiving this email because of your account on salsa.debian.org.

