[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Nov 12 13:22:32 GMT 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
525ce4c4 by Moritz Muehlenhoff at 2024-11-12T14:22:10+01:00
bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -16,19 +16,25 @@ CVE-2024-52533 (gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-on
TODO: check if has impact on embedded copy in src:gobject-introspection
CVE-2024-52532 (GNOME libsoup before 3.6.1 has an infinite loop, and memory consumptio ...)
- libsoup3 <unfixed>
+ [bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 <unfixed>
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/391
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/410
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c
CVE-2024-52531 (GNOME libsoup before 3.6.1 allows a buffer overflow in applications th ...)
- libsoup3 <unfixed>
+ [bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 <unfixed>
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/commit/3c54033634ae537b52582900a7ba432c52ae8174
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283
CVE-2024-52530 (GNOME libsoup before 3.6.0 allows HTTP request smuggling in some confi ...)
- libsoup3 3.5.2-1
+ [bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 <unfixed>
+ [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b (3.5.2)
CVE-2024-52288 (libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised D ...)
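Review bot: the `[bookworm] - <no-dsa> (Minor issue)` lines for CVE-2024-52530 and CVE-2024-52531 carry no NOTE explaining why an HTTP request smuggling flaw and a buffer overflow (per the descriptions at the head of each entry) are treated as minor, while the sid state differs per package (libsoup3 fixed in 3.5.2-1 for CVE-2024-52530 only, libsoup2.4 `<unfixed>` for all three). A one-line NOTE on the precondition, e.g. which "some configurations" the CVE-2024-52530 description refers to, would make the triage reviewable later and give whoever prepares a bookworm point update for libsoup2.4 a starting point. The TODO on the embedded GLib copy in src:gobject-introspection (first context line of this hunk) is still open.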
@@ -229,18 +235,25 @@ CVE-2024-10179 (The Slickstream: Engagement and Conversions plugin for WordPress
TODO: check
CVE-2024-49395 (In mutt and neomutt, PGP encryption does not use the --hidden-recipien ...)
- mutt <unfixed>
+ [bookworm] - mutt <no-dsa> (Minor issue)
- neomutt <unfixed>
+ [bookworm] - neomutt <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325332
CVE-2024-49394 (In mutt and neomutt the In-Reply-To email header field is not protecte ...)
- mutt <unfixed>
+ [bookworm] - mutt <no-dsa> (Minor issue)
- neomutt <unfixed>
+ [bookworm] - neomutt <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325330
CVE-2024-49393 (In neomutt and mutt, the To and Cc email headers are not validated by ...)
- mutt <unfixed>
+ [bookworm] - mutt <no-dsa> (Minor issue)
- neomutt <unfixed>
+ [bookworm] - neomutt <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325317
CVE-2024-11079 (A flaw was found in Ansible-Core. This vulnerability allows attackers ...)
- ansible-core <unfixed>
+ [bookworm] - ansible-core <no-dsa> (Minor issue)
- ansible 5.4.0-1
NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325171
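Review bot: all three mutt/neomutt entries (CVE-2024-49393, CVE-2024-49394, CVE-2024-49395) and CVE-2024-11079 for ansible-core are marked `[bookworm] - <no-dsa> (Minor issue)` while the sid lines stay `<unfixed>` and the only reference on each is a Red Hat bugzilla URL. Without an upstream fix there is nothing yet to backport for a bookworm point update; add a `NOTE: Fixed by:` line with the upstream commit (the form used by the libsoup and twig entries in this file) as soon as one exists, and re-check the `<unfixed>` state against the bugzilla entries at that time.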
@@ -1542,6 +1555,7 @@ CVE-2024-10027 (The WP Booking Calendar WordPress plugin before 10.6.3 does not
NOT-FOR-US: WordPress plugin
CVE-2024-9902 (A flaw was found in Ansible. The ansible-core `user` module can allow ...)
- ansible-core 2.18.0-1 (bug #1086883)
+ [bookworm] - ansible-core <no-dsa> (Minor issue)
- ansible 5.4.0-1
NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2318271
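Review bot: CVE-2024-9902 is fixed in sid (ansible-core 2.18.0-1, bug #1086883) but the entry records no upstream fix commit, only the bugzilla URL, so the new `[bookworm] - ansible-core <no-dsa> (Minor issue)` line leaves the point-update path undocumented; add a `NOTE: Fixed by:` with the upstream commit. The `ansible 5.4.0-1` line plus the split-off NOTE explains why src:ansible needs no bookworm annotation, so nothing else is missing from the hunk.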
@@ -1563,11 +1577,13 @@ CVE-2024-51757 (happy-dom is a JavaScript implementation of a web browser withou
NOT-FOR-US: happy-dom
CVE-2024-51755 (Twig is a template language for PHP. In a sandbox, an attacker can acc ...)
- php-twig 3.14.2-1 (bug #1086884)
+ [bookworm] - php-twig <no-dsa> (Minor issue)
- twig <removed>
NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh
NOTE: Fixed by: https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21 (v3.14.1)
CVE-2024-51754 (Twig is a template language for PHP. In a sandbox, an attacker can cal ...)
- php-twig 3.14.2-1 (bug #1086884)
+ [bookworm] - php-twig <no-dsa> (Minor issue)
- twig <removed>
NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
NOTE: Fixed by: https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73 (v3.14.1)
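Review bot: the `twig <removed>` lines (second source package in both CVE-2024-51755 and CVE-2024-51754) get no `[bookworm]` annotation; `<removed>` describes sid only, so if bookworm still ships src:twig it needs its own `[bookworm]` line, and if it does not, a NOTE saying so avoids the question on the next triage pass. The `Fixed by:` commits (v3.14.1) are recorded, so a bookworm backport of php-twig for the two sandbox issues has a concrete starting point.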
@@ -4432,6 +4448,7 @@ CVE-2024-10214 (Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly
- mattermost-server <itp> (bug #823556)
CVE-2024-45802 (Squid is an open source caching proxy for the Web supporting HTTP, HTT ...)
- squid 6.12-1
+ [bookworm] - squid <no-dsa> (Minor issue)
NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj
NOTE: Not a code fix, this merely disables ESI by default (and thus in the Debian build)
NOTE: Upstream disabled ESI support in default builds already in 6.10 but Debian builds
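Review bot: the `[bookworm] - squid <no-dsa> (Minor issue)` line rests on the NOTEs that the upstream change is not a code fix and only disables ESI by default, yet the entry does not state whether the bookworm squid build has ESI compiled in (the second NOTE about Debian builds is cut off by the hunk boundary). Record that explicitly, since it decides whether bookworm is affected at all and whether a point update should disable ESI in the build configuration rather than backport code.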
@@ -5432,6 +5449,7 @@ CVE-2024-44812 (SQL Injection vulnerability in Online Complaint Site v.1.0 allow
NOT-FOR-US: Online Complaint Site
CVE-2024-44331 (Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-s ...)
- gst-rtsp-server1.0 1.24.9-1
+ [bookworm] - gst-rtsp-server1.0 <no-dsa> (Minor issue)
NOTE: https://gstreamer.freedesktop.org/security/sa-2024-0004.html
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3731
NOTE: Introduced by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/16bc937ed95c85c9d02a314a3b065eebc575a97c (gst-rtsp-server-1.18.0)
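Review bot: the entry has an `Introduced by:` reference (gst-rtsp-server-1.18.0) but no `Fixed by:` commit, only the upstream advisory URL, so the new `[bookworm] - gst-rtsp-server1.0 <no-dsa> (Minor issue)` line has no pointer for a later point update; add the fix commit corresponding to 1.24.9-1. The description names 1.25.0 while the Introduced by line dates the bug to 1.18.0; a NOTE stating the affected range would stop a reader from concluding that bookworm is unaffected.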
=====================================
data/dsa-needed.txt
=====================================
@@ -35,6 +35,8 @@ smarty3
--
smarty4
--
+wordpress
+--
xen
--
zabbix
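Review bot: `wordpress` is added to dsa-needed.txt as a bare entry with no accompanying line naming the CVE(s) it is queued for or whether the maintainer has been contacted; a short note under the package name would let another team member pick it up without re-deriving the list from data/CVE/list.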
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/525ce4c49a90726d9881473425e45584d68fbe69