[Git][security-tracker-team/security-tracker][master] 17 commits: CVE-2024-50602,expat: bullseye is postponed

Markus Koschany (@apo) apo at debian.org
Sun Nov 10 22:36:15 GMT 2024



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0015a4bc by Markus Koschany at 2024-11-10T23:35:47+01:00
CVE-2024-50602,expat: bullseye is postponed

Minor issue. This can be fixed later when a more important issue arises.

- - - - -
c1b98fd5 by Markus Koschany at 2024-11-10T23:35:48+01:00
CVE-2024-50610,gsl: bullseye is postponed

Minor issue.

- - - - -
118c3b6a by Markus Koschany at 2024-11-10T23:35:48+01:00
Add libxstream-java to dla-needed.txt and claim it.

- - - - -
1aac9d4f by Markus Koschany at 2024-11-10T23:35:48+01:00
Add mosquitto to dla-needed.txt

- - - - -
dec47374 by Markus Koschany at 2024-11-10T23:35:50+01:00
CVE-2024-10041,pam: buster,stretch,jessie are postponed

- - - - -
9ea17f6a by Markus Koschany at 2024-11-10T23:35:50+01:00
Add python-werkzeug to dla-needed.txt

- - - - -
06ca8e00 by Markus Koschany at 2024-11-10T23:35:50+01:00
Add ruby-sinatra to dla-needed.txt

- - - - -
5c4935c5 by Markus Koschany at 2024-11-10T23:35:50+01:00
Add symfony to dla-needed.txt

- - - - -
7ab01fb3 by Markus Koschany at 2024-11-10T23:35:50+01:00
Add twitter-bootstrap3 to dla-needed.txt

- - - - -
7b572f27 by Markus Koschany at 2024-11-10T23:35:52+01:00
CVE-2024-49768,waitress: bullseye is not affected

- - - - -
bea4d0a8 by Markus Koschany at 2024-11-10T23:35:52+01:00
Add waitress to dla-needed.txt

- - - - -
3c6b66a6 by Markus Koschany at 2024-11-10T23:35:53+01:00
CVE-2024-50624,kmail-account-wizard: bullseye is postponed

Minor issue

- - - - -
2aaa60a1 by Markus Koschany at 2024-11-10T23:35:55+01:00
assimp,CVE-2024-48423,CVE-2024-48424,CVE-2024-48425,CVE-2024-48426: bullseye

Minor issues. Can be fixed later when all remaining problems are fixed
upstream.

- - - - -
7e649292 by Markus Koschany at 2024-11-10T23:35:55+01:00
Add qbittorrent to dla-needed.txt

- - - - -
19e8f81d by Markus Koschany at 2024-11-10T23:35:56+01:00
CVE-2024-7883,llvm-toolchain-16: bullseye is ignored

Minor issue

- - - - -
2499bb71 by Markus Koschany at 2024-11-10T23:35:58+01:00
CVE-2024-47174,nix: bullseye is postponed

Minor issue

- - - - -
070e8dc7 by Markus Koschany at 2024-11-10T23:35:58+01:00
Claim jetty9 in ela-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2781,6 +2781,7 @@ CVE-2024-7883 (When using Arm Cortex-M Security Extensions (CMSE), Secure stack
 	[bookworm] - llvm-toolchain-15 <ignored> (Minor issue)
 	- llvm-toolchain-16 <unfixed>
 	[bookworm] - llvm-toolchain-16 <ignored> (Minor issue)
+	[bullseye] - llvm-toolchain-16 <ignored> (Minor issue)
 	- llvm-toolchain-17 <unfixed>
 	- llvm-toolchain-18 <unfixed>
 	NOTE: https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability
@@ -3353,6 +3354,7 @@ CVE-2024-49769 (Waitress is a Web Server Gateway Interface server for Python 2 a
 	NOTE: Fixed by: https://github.com/Pylons/waitress/commit/1ae4e894c9f76543bee06584001583fc6fa8c95c (v3.0.1)
 CVE-2024-49768 (Waitress is a Web Server Gateway Interface server for Python 2 and 3.  ...)
 	- waitress 3.0.1-1 (bug #1086467)
+	[bullseye] - waitress <not-affected> (The vulnerable code was introduced in version 2.0)
 	NOTE: https://github.com/Pylons/waitress/security/advisories/GHSA-9298-4cf8-g4wj
 	NOTE: Fixed by: https://github.com/Pylons/waitress/commit/6943dcf556610ece2ff3cddb39e59a05ef110661 (v3.0.1)
 	NOTE: Test: https://github.com/Pylons/waitress/commit/7e7f11e61d358ab1cb853fcadf2b46b1f00f5993 (v3.0.1)
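Review bot: the `<not-affected>` rationale on the new `[bullseye]` line ("The vulnerable code was introduced in version 2.0") is the right kind of justification, but it is not independently checkable from the entry as it stands. Consider adding a `NOTE:` pointing at the upstream commit that introduced the vulnerable code, the same way the fix and test commits are already cited below it, so a later triager does not have to redo the bisection.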
@@ -4088,6 +4090,7 @@ CVE-2024-50624 (ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-mid
 	[experimental] - kmail-account-wizard 4:24.08.0-1
 	- kmail-account-wizard <unfixed> (bug #1086198)
 	[bookworm] - kmail-account-wizard <no-dsa> (Minor issue)
+	[bullseye] - kmail-account-wizard <postponed> (Minor issue)
 	NOTE: https://bugs.kde.org/show_bug.cgi?id=487882
 	NOTE: https://invent.kde.org/pim/kmail-account-wizard/-/commit/9784f5ab41c3aff435d4a88afb25585180a62ee4 (v24.07.80)
 	NOTE: Vulnerable code in src/ispdb/ispdb.cpp
@@ -4116,6 +4119,7 @@ CVE-2024-50611 (CycloneDX cdxgen through 10.10.7, when run against an untrusted
 CVE-2024-50610 (GSL (GNU Scientific Library) through 2.8 has an integer signedness err ...)
 	- gsl 2.8+dfsg-4 (bug #1086206)
 	[bookworm] - gsl <ignored> (Minor issue)
+	[bullseye] - gsl <postponed> (Minor issue)
 	NOTE: https://lists.gnu.org/archive/html/bug-gsl/2024-09/msg00000.html
 CVE-2024-50307 (Use of potentially dangerous function issue exists in Chatwork Desktop ...)
 	NOT-FOR-US: Chatwork Desktop Application
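Review bot: the suite states diverge with identical rationales: bookworm is `<ignored> (Minor issue)` while the new bullseye line is `<postponed> (Minor issue)`. If the intent is that LTS will still ship a fix alongside a future gsl update, it would help to say so in the parenthetical (for example "Minor issue, fix with next DLA"); otherwise the two lines should probably carry the same status.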
@@ -4181,6 +4185,7 @@ CVE-2024-10413 (A vulnerability, which was classified as critical, has been foun
 CVE-2024-50602 (An issue was discovered in libexpat before 2.6.4. There is a crash wit ...)
 	- expat 2.6.3-2 (bug #1086134)
 	[bookworm] - expat <no-dsa> (Minor issue)
+	[bullseye] - expat <postponed> (Minor issue)
 	NOTE: https://github.com/libexpat/libexpat/pull/915
 CVE-2024-10412 (A vulnerability was found in Poco-z Guns-Medical 1.0. It has been decl ...)
 	NOT-FOR-US: Poco-z Guns-Medical
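Review bot: the commit message gives the actual reasoning ("can be fixed later when a more important issue arises") but the tracker line only records "Minor issue". Since the parenthetical is what other triagers read, consider carrying that reasoning into the entry, as is done elsewhere in this file with "Minor issue, revisit when fixed upstream".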
@@ -4599,20 +4604,24 @@ CVE-2024-10011 (The BuddyPress plugin for WordPress is vulnerable to Directory T
 CVE-2024-48426 (A segmentation fault (SEGV) was detected in the SortByPTypeProcess::Ex ...)
 	- assimp <unfixed> (bug #1086043)
 	[bookworm] - assimp <postponed> (Minor issue, revisit when fixed upstream)
+	[bullseye] - assimp <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/assimp/assimp/issues/5789
 CVE-2024-48425 (A segmentation fault (SEGV) was detected in the Assimp::SplitLargeMesh ...)
 	- assimp <unfixed> (bug #1086044)
 	[bookworm] - assimp <ignored> (Minor issue)
+	[bullseye] - assimp <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/assimp/assimp/issues/5791
 	NOTE: https://github.com/assimp/assimp/commit/ecdf8d24b85367b22ba353b4f82299d4af7f1f97
 	NOTE: https://github.com/assimp/assimp/pull/5799
 CVE-2024-48424 (A heap-buffer-overflow vulnerability has been identified in the OpenDD ...)
 	- assimp <unfixed> (bug #1086045)
 	[bookworm] - assimp <postponed> (Minor issue, revisit when fixed upstream)
+	[bullseye] - assimp <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/assimp/assimp/issues/5787
 CVE-2024-48423 (An issue in assimp v.5.4.3 allows a local attacker to execute arbitrar ...)
 	- assimp <unfixed> (bug #1086046)
 	[bookworm] - assimp <postponed> (Minor issue, revisit when fixed upstream)
+	[bullseye] - assimp <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/assimp/assimp/issues/5788
 CVE-2024-9692 (VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Serv ...)
 	NOT-FOR-US: VIMESA VHF/FM Transmitter Blue Plus
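Review bot: the new `[bullseye]` line for CVE-2024-48425 says `<postponed> (Minor issue, revisit when fixed upstream)`, but the bookworm line directly above it is `<ignored>`, and the NOTEs for this CVE already link an upstream fix commit (ecdf8d24) and pull request (#5799), so "revisit when fixed upstream" looks stale for this one entry. Either align it with bookworm or change the rationale to reflect that a fix exists and is deferred, so it is not mistaken for the three assimp CVEs that genuinely have no upstream fix yet.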
@@ -5028,6 +5037,7 @@ CVE-2024-10250 (The Nioland theme for WordPress is vulnerable to Reflected Cross
 CVE-2024-10041 (A vulnerability was found in PAM. The secret information is stored in  ...)
 	- pam <unfixed> (bug #1086038)
 	[bookworm] - pam <no-dsa> (Minor issue)
+	[bullseye] - pam <postponed> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2319212
 	NOTE: https://github.com/linux-pam/linux-pam/issues/846
 	NOTE: https://github.com/linux-pam/linux-pam/pull/686
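Review bot: the commit message for this change (dec47374) reads "CVE-2024-10041,pam: buster,stretch,jessie are postponed", but the only line added here is `[bullseye] - pam <postponed> (Minor issue)`; no buster, stretch or jessie lines are touched. The history will be misleading if this is left as is; a follow-up commit correcting the message, or adding the missing suite lines if they were intended, would resolve it.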
@@ -12201,6 +12211,7 @@ CVE-2024-47179 (RSSHub is an RSS network. Prior to commit 64e00e7, RSSHub's `doc
 CVE-2024-47174 (Nix is a package manager for Linux and other Unix systems. Starting in ...)
 	- nix 2.24.8+dfsg-1 (bug #1082847)
 	[bookworm] - nix <no-dsa> (Minor issue)
+	[bullseye] - nix <postponed> (Minor issue)
 	NOTE: https://github.com/NixOS/nix/commit/062b4a489e30da9c85fa4ff15cfdd2e51cac7b90
 	NOTE: https://github.com/NixOS/nix/pull/11585
 	NOTE: https://github.com/NixOS/nix/security/advisories/GHSA-6fjr-mq49-mm2c


=====================================
data/dla-needed.txt
=====================================
@@ -95,6 +95,9 @@ intel-microcode (pochu)
   NOTE: 20241103: Added by Front-Desk (pochu)
   NOTE: 20241103: work prepared for bullseye-pu in #1086602, coordinate with maintainer (pochu)
 --
+jetty9 (Markus Koschany)
+  NOTE: 20241110: Added by Front-Desk (apo)
+--
 knot-resolver
   NOTE: 20240924: Added by Front-Desk (lamby)
 --
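Review bot: the commit message for this change (070e8dc7) says "Claim jetty9 in ela-needed.txt", but the hunk adds the entry to data/dla-needed.txt, and the "2 changed files" list contains no ela-needed.txt. Either the message names the wrong file or the ELTS claim was meant to go into a different file and did not make it into this push; worth checking which was intended.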
@@ -103,9 +106,15 @@ libarchive
   NOTE: 20241031: look at no-dsa issues as well (pochu)
   NOTE: 20241104: DLA pending, waiting for DSA published (bunk)
 --
+libxstream-java (Markus Koschany)
+  NOTE: 20241110: Added by Front-Desk (apo)
+--
 linux (Ben Hutchings)
   NOTE: 20230111: Perma-added, Linux package specifically delegated to bwh (LTS Team)
 --
+mosquitto
+  NOTE: 20241110: Added by Front-Desk (apo)
+--
 mpg123
   NOTE: 20241109: Added by coordinator (santiago)
 --
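Review bot: the new libxstream-java and mosquitto entries (and the other Front-Desk additions in this file from 20241110) record only "Added by Front-Desk (apo)" without naming the CVE(s) that triggered the addition. Existing entries such as qemu ("Follow fixes from bookworm 12.4 (CVE-2023-5088)") show the convention; a CVE reference on the NOTE line saves the claimer a round trip through data/CVE/list.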
@@ -145,9 +154,15 @@ python-aiohttp (dleidert)
   NOTE: 20241030: Maybe it makes sense to upload the Bookworm version to Bullseye to reduce maintenance and patch both at the same time. (dleidert)
   NOTE: 20241030: Also added autopkgtest test scripts to run test suite. (dleidert)
 --
+python-werkzeug
+  NOTE: 20241110: Added by Front-Desk (apo)
+--
 python3.9 (Adrian Bunk)
   NOTE: 20240906: Added by Front-Desk (lamby)
 --
+qbittorrent
+  NOTE: 20241110: Added by Front-Desk (apo)
+--
 qemu
   NOTE: 20240815: Added by Front-Desk (Beuc)
   NOTE: 20240815: Follow fixes from bookworm 12.4 (CVE-2023-5088)
@@ -163,6 +178,9 @@ ruby-saml (abhijith)
   NOTE: 20240915: Added by Front-Desk (ta)
   NOTE: 20240915: please recheck whether package is really affected
 --
+ruby-sinatra
+  NOTE: 20241110: Added by Front-Desk (apo)
+--
 smarty3
   NOTE: 20240814: Added by oldstable Security Team (jmm)
 --
@@ -184,6 +202,9 @@ squid (roberto)
   NOTE: 20240930: Backported most patches, help will be needed with CVE-2024-25111 and CVE-2023-46846 (roberto)
   NOTE: 20241028: Sorted out all the patch backports. Still need to test (roberto)
 --
+symfony
+  NOTE: 20241110: Added by Front-Desk (apo)
+--
 tomcat9 (Markus Koschany)
   NOTE: 20240908: Added by (apo)
   NOTE: 20240923: Still working on patch backport. (apo)
@@ -196,6 +217,9 @@ twisted
   NOTE: 20240807: Added by oldstable Security Team (jmm)
   NOTE: 20240815: A bookworm DSA is planned (Beuc/front-desk)
 --
+twitter-bootstrap3
+  NOTE: 20241110: Added by Front-Desk (apo)
+--
 unbound (dleidert)
   NOTE: 20240825: Added by Front-Desk (ta)
   NOTE: 20240929: The patch for CVE-2024-33655 was considered too intrusive for Buster. (dleidert)
@@ -206,6 +230,9 @@ unbound (dleidert)
 upx-ucl
   NOTE: 20240815: Added by Front-Desk (Beuc)
 --
+waitress
+  NOTE: 20241110: Added by Front-Desk (apo)
+--
 webkit2gtk (Emilio)
   NOTE: 20240926: Added by Front-Desk (lamby)
 --
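Review bot: the same push marks CVE-2024-49768 as `<not-affected>` for bullseye in data/CVE/list, so this waitress entry presumably exists for the adjacent CVE-2024-49769. Naming that CVE on the NOTE line would prevent whoever picks it up from re-triaging the not-affected issue.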



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1450cbbdacfdd5d31426f221193a605926477279...070e8dc7328728d6010bb497e9e00ca475028edd
