[Git][security-tracker-team/security-tracker][master] triage older issues

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Nov 11 20:11:00 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9fdae700 by Moritz Muehlenhoff at 2024-11-11T21:10:41+01:00
triage older issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -20644,7 +20644,7 @@ CVE-2024-7904 (A vulnerability was found in DedeBIZ 6.3.0. It has been rated as
 	NOT-FOR-US: DedeBIZ
 CVE-2024-6221 (A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Ac ...)
 	- python-flask-cors <unfixed> (bug #1081300)
-	[bookworm] - python-flask-cors <no-dsa> (Minor issue)
+	[bookworm] - python-flask-cors <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - python-flask-cors <postponed> (Minor issue)
 	NOTE: https://huntr.com/bounties/a42935fc-6f57-4818-bca4-3d528235df4d
 	NOTE: https://github.com/corydolphin/flask-cors/issues/337
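Review bot: the bookworm tag is changed from `<no-dsa>` to `<postponed>` with the reason "Minor issue, revisit when fixed upstream", but the neighbouring `[bullseye] - python-flask-cors <postponed> (Minor issue)` line keeps the shorter reason; if the intent is to revisit both suites once upstream ships a fix, the bullseye reason should say so too, otherwise a later triage pass will treat the two lines differently for no recorded reason.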
@@ -32582,15 +32582,21 @@ CVE-2024-39001 (ag-grid-enterprise v31.3.2 was discovered to contain a prototype
 CVE-2024-39000 (adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype  ...)
 	NOT-FOR-US: ratio-swiper Nodejs module
 CVE-2024-38999 (jrburke requirejs v2.3.6 was discovered to contain a prototype polluti ...)
-	- requirejs <unfixed> (bug #1077543)
+	- requirejs 2.3.7+ds+~2.1.37-1 (bug #1077543)
 	[bookworm] - requirejs <no-dsa> (Minor issue)
 	[bullseye] - requirejs <no-dsa> (Minor issue)
 	NOTE: https://gist.github.com/mestrtee/9acae342285bd2998fa09ebcb1e6d30a
+	NOTE: https://github.com/requirejs/requirejs/issues/1854
+	NOTE: https://github.com/requirejs/requirejs/pull/1856
+	NOTE: https://github.com/requirejs/requirejs/commit/6e8a234303deaf80ef619e66a2f5c6616bb7e6d9 (2.3.7)
 CVE-2024-38998 (jrburke requirejs v2.3.6 was discovered to contain a prototype polluti ...)
-	- requirejs <unfixed> (bug #1077543)
+	- requirejs 2.3.7+ds+~2.1.37-1 (bug #1077543)
 	[bookworm] - requirejs <no-dsa> (Minor issue)
 	[bullseye] - requirejs <no-dsa> (Minor issue)
 	NOTE: https://gist.github.com/mestrtee/9acae342285bd2998fa09ebcb1e6d30a
+	NOTE: https://github.com/requirejs/requirejs/issues/1854
+	NOTE: https://github.com/requirejs/requirejs/pull/1856
+	NOTE: https://github.com/requirejs/requirejs/commit/6e8a234303deaf80ef619e66a2f5c6616bb7e6d9 (2.3.7)
 CVE-2024-38997 (adolph_dudu ratio-swiper v0.0.2 was discovered to contain a prototype  ...)
 	NOT-FOR-US: ratio-swiper Nodejs module
 CVE-2024-38996 (ag-grid-community v31.3.2 and ag-grid-enterprise v31.3.2 were discover ...)
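Review bot: both CVE-2024-38999 and CVE-2024-38998 are now marked fixed in `requirejs 2.3.7+ds+~2.1.37-1` on the strength of the same upstream issue, PR and commit (tagged 2.3.7); that is consistent, but the entries would be easier to audit if the fixed-version line or the commit NOTE recorded which of the two prototype-pollution reports each hunk of commit 6e8a234 addresses, since a single commit closing two CVE-worthy reports is exactly the situation where one of them later turns out to be only partially fixed. The `[bookworm]`/`[bullseye] <no-dsa>` lines are left as they were, which matches the "Minor issue" rationale.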
@@ -117760,6 +117766,9 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse
 	[buster] - r-cran-jsonlite <postponed> (Minor issue; fix only after newer releases got a fix)
 	- ruby-yajl <not-affected> (Vulnerable code not present; embeds not-affected old yajl version)
 	NOTE: ruby-yajl embeds yajl version 1.0.12 (https://github.com/brianmario/yajl-ruby/blob/master/ext/yajl/api/yajl_version.h)
+	NOTE: r-cran-jsonlite: https://github.com/jeroen/jsonlite/issues/426
+	NOTE: r-cran-jsonlite: https://github.com/jeroen/jsonlite/pull/421
+	NOTE: r-cran-jsonlite: https://github.com/jeroen/jsonlite/commit/e8965dfead9f270ff8d7bb3029e86dee866d407d (v1.8.8)
 CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in URIParser::parse , ...)
 	NOT-FOR-US: Sogou Workflow
 CVE-2023-33381 (A command injection vulnerability was found in the ping functionality  ...)
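Review bot: the new NOTE lines point at a jsonlite fix released in v1.8.8, yet the only r-cran-jsonlite tracking line visible in this hunk is `[buster] - r-cran-jsonlite <postponed> (Minor issue; fix only after newer releases got a fix)`, whose reason is now satisfied by the referenced commit; the r-cran-jsonlite source line above the context (not shown) should be checked for an `<unfixed>` that can become a fixed version, and the buster reason should be refreshed or the line re-triaged in the same change rather than leaving a NOTE that contradicts the status.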
@@ -220522,6 +220531,8 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation
 	NOTE: https://github.com/lloyd/yajl/issues/239
 	NOTE: burp fix: https://github.com/grke/burp/commit/5ce44cdf7018767b53a4c5466c62e4dc99d0bc93
 	NOTE: epics-base: https://github.com/epics-base/epics-base/issues/405
+	NOTE: r-cran-jsonlite: https://github.com/jeroen/jsonlite/issues/431
+	NOTE: r-cran-jsonlite: https://github.com/jeroen/jsonlite/commit/e425ef9cb39500687d83654a565c8abd203ff8ba (v1.8.8)
 CVE-2022-24794 (Express OpenID Connect is an Express JS middleware implementing sign o ...)
 	NOT-FOR-US: Express OpenID Connect
 CVE-2022-24793 (PJSIP is a free and open source multimedia communication library writt ...)
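Review bot: adding the r-cran-jsonlite issue and commit (v1.8.8) here records where the embedded yajl copy was fixed, but as with the CVE-2023-33460 entry the corresponding r-cran-jsonlite package status line falls outside this hunk's context; please confirm in the same commit that it carries the fixed Debian version or an explicit reason why the upstream commit is not yet in the archive, so the NOTE and the status line do not drift apart.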
@@ -498798,6 +498809,8 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is
 	NOTE: https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
 	NOTE: burp fix: https://github.com/grke/burp/commit/5ce44cdf7018767b53a4c5466c62e4dc99d0bc93
 	NOTE: epics-base: https://github.com/epics-base/epics-base/issues/405
+	NOTE: r-cran-jsonlite: https://github.com/jeroen/jsonlite/issues/431
+	NOTE: r-cran-jsonlite: https://github.com/jeroen/jsonlite/commit/ce9520f888c2339b48565fcc5ffecc85091e589e (v1.8.8)
 CVE-2017-16515
 	RESERVED
 CVE-2017-16514 (Multiple persistent stored Cross-Site-Scripting (XSS) vulnerabilities  ...)
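Review bot: this entry cites the same upstream issue (jsonlite #431) as the CVE-2022-24795 entry but a different commit (ce9520f here versus e425ef9 there); since one issue spawned several commits for distinct yajl CVEs, it is worth double-checking that each commit hash has been paired with the CVE it actually fixes, and noting that mapping inline (for example a short "(fixes CVE-2017-16516 path in yajl)" qualifier) so a later reader does not have to re-derive it from the upstream history.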



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fdae70095de147f68d3e795a7612aa4097835dd
