[Git][security-tracker-team/security-tracker][master] triage older issues
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Nov 13 12:36:18 GMT 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
55dded58 by Moritz Muehlenhoff at 2024-11-13T13:36:04+01:00
triage older issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -6222,9 +6222,8 @@ CVE-2024-43812 (Kieback & Peter's DDC4000 serieshas an insufficiently protected
CVE-2024-43698 (Kieback & Peter's DDC4000 seriesuses weak credentials, which may allow ...)
NOT-FOR-US: Kieback & Peter's DDC4000 series
CVE-2024-42643 (Integer Overflow in fast_ping.c in SmartDNS Release46 allows remote at ...)
- - smartdns <unfixed> (bug #1086146)
+ - smartdns <not-affected> (Was resolved in 2019, prior to the initial upload to Debian)
NOTE: https://github.com/pymumu/smartdns/issues/177
- TODO: possibly valid report as upstream issue has been closed, but details unclear
CVE-2024-41717 (Kieback & Peter's DDC4000 seriesis vulnerable to a path traversal vuln ...)
NOT-FOR-US: Kieback & Peter's DDC4000 series
CVE-2024-40494 (Buffer Overflow in coap_msg.c in FreeCoAP allows remote attackers to e ...)
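Review bot: the `<not-affected>` entry for smartdns drops the `(bug #1086146)` reference and leaves only the upstream issue URL as evidence; since the justification is "resolved in 2019, prior to the initial upload to Debian", a NOTE naming the upstream fix (commit or release) and the first Debian upload version would let a later reader verify the claim without re-reading the whole upstream issue, and the Debian bug should be closed or referenced so it does not stay open against an entry the tracker now considers not affected.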
@@ -10703,7 +10702,7 @@ CVE-2024-46307 (A loop hole in the payment logic of Sparkshop v1.16 allows attac
NOT-FOR-US: Sparkshop
CVE-2024-46304 (A NULL pointer dereference in libcoap v4.3.5-rc2 and below allows a re ...)
- libcoap3 <unfixed> (bug #1084981)
- [bookworm] - libcoap3 <no-dsa> (Minor issue)
+ [bookworm] - libcoap3 <ignored> (Minor issue, no reverse deps in Bookworm)
- libcoap2 <removed>
[bullseye] - libcoap2 <postponed> (Minor issue; can be fixed in next update)
- libcoap <removed>
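Review bot: the bookworm line for CVE-2024-46304 moves libcoap3 from `<no-dsa>` to `<ignored>` with the reason "no reverse deps in Bookworm", while the bullseye line for libcoap2 directly below keeps `<postponed>` with "can be fixed in next update"; if the no-reverse-deps reasoning applies to bullseye as well, the two lines should be aligned, and if it does not, a word on the difference in the justification would avoid the apparent inconsistency.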
@@ -40381,7 +40380,7 @@ CVE-2023-6491 (The Strong Testimonials plugin for WordPress is vulnerable to una
NOT-FOR-US: WordPress plugin
CVE-2023-51847 (An issue in obgm and Libcoap v.a3ed466 allows a remote attacker to cau ...)
- libcoap3 <unfixed> (bug #1084981)
- [bookworm] - libcoap3 <no-dsa> (Minor issue)
+ [bookworm] - libcoap3 <ignored> (Minor issue, no reverse deps in Bookworm)
- libcoap2 <removed>
[bullseye] - libcoap2 <postponed> (Minor issue; can be fixed in next update)
- libcoap <removed>
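Review bot: same observation as for CVE-2024-46304 applies to this hunk for CVE-2023-51847: the bookworm libcoap3 entry becomes `<ignored>` while the bullseye libcoap2 entry stays `<postponed>`; since both CVEs share bug #1084981, the two releases' states should either match or carry distinct justifications.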
@@ -58449,7 +58448,7 @@ CVE-2024-31031 (An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to ca
- libcoap <not-affected> (Vulnerable code not present)
- libcoap2 <not-affected> (Vulnerable code not present)
- libcoap3 <unfixed> (bug #1070362)
- [bookworm] - libcoap3 <no-dsa> (Minor issue)
+ [bookworm] - libcoap3 <ignored> (Minor issue, no reverse deps in Bookworm)
NOTE: https://github.com/obgm/libcoap/issues/1351
NOTE: https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928 (develop)
NOTE: Introduced by: https://github.com/obgm/libcoap/commit/7033555d2978b8d4d5e16d43cfbfe1b1781c418f (v4.3.0-rc1)
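Review bot: for CVE-2024-31031 the "Introduced by" NOTE pins the regression to v4.3.0-rc1, but the bookworm line carries no statement that the bookworm libcoap3 version actually contains that commit; when an entry records the introducing commit, stating the affected version range (or noting that bookworm ships a 4.3.x release) in the `<ignored>` justification makes the "Minor issue, no reverse deps" reasoning self-contained and consistent with the `<not-affected> (Vulnerable code not present)` lines for libcoap and libcoap2 above it.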
@@ -70548,7 +70547,7 @@ CVE-2024-27907 (A vulnerability has been identified in Simcenter Femap (All vers
CVE-2024-27894 (The Pulsar Functions Worker includes a capability that permits authent ...)
NOT-FOR-US: Apache Pulsar
CVE-2024-27758 (In RPyC before 6.0.0, when a server exposes a method that calls the at ...)
- - rpyc <unfixed> (bug #1066879)
+ - rpyc 6.0.0-1 (bug #1066879)
[bookworm] - rpyc <no-dsa> (Minor issue)
NOTE: https://github.com/tomerfiliba-org/rpyc/security/advisories/GHSA-h5cg-53g7-gqjw
NOTE: https://github.com/tomerfiliba-org/rpyc/issues/551
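Review bot: the sid line for CVE-2024-27758 now records the fixed version `rpyc 6.0.0-1` but keeps the `(bug #1066879)` reference; that is fine if the bug is still open for tracking, but if the 6.0.0-1 upload closed it the reference can be dropped, and a NOTE pointing at the upstream fixing commit (the GHSA advisory is listed, the commit is not) would let the bookworm `<no-dsa>` decision be revisited without digging through the advisory.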
@@ -88910,7 +88909,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun
[buster] - libssh2 <not-affected> (ChaCha20-Poly1305 and CBC-EtM support not present)
- openssh 1:9.6p1-1
- paramiko 3.4.0-1 (bug #1059006)
- [bookworm] - paramiko <no-dsa> (Minor issue)
+ [bookworm] - paramiko <ignored> (Minor issue)
[bullseye] - paramiko <no-dsa> (Minor issue)
[buster] - paramiko <not-affected> (ChaCha20-Poly1305 and CBC-EtM support not present)
- phpseclib 1.0.22-1
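Review bot: the bookworm paramiko line for CVE-2023-48795 changes `<no-dsa>` to `<ignored>` but keeps the identical justification "(Minor issue)", so the hunk does not explain why bookworm is now ignored while bullseye stays no-dsa with the same text; unlike the libcoap3 hunks in this commit, there is no stated reason (no reverse deps, fix too invasive, mitigated server-side, etc.), and a short justification in the parentheses would make the distinction between the two releases reviewable later.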
@@ -125045,7 +125044,7 @@ CVE-2023-30363 (vConsole v3.15.0 was discovered to contain a prototype pollution
NOT-FOR-US: Tencent vConsole
CVE-2023-30362 (Buffer Overflow vulnerability in coap_send function in libcoap library ...)
- libcoap3 4.3.1-2 (bug #1040594)
- [bookworm] - libcoap3 <no-dsa> (Minor issue)
+ [bookworm] - libcoap3 <ignored> (Minor issue, no reverse deps in Bookworm)
NOTE: https://github.com/obgm/libcoap/issues/1063
NOTE: https://github.com/obgm/libcoap/commit/e242200f0af2a418dc9f69eee543feacc13cd851
CVE-2023-30361
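Review bot: for CVE-2023-30362 the sid entry is already fixed in `libcoap3 4.3.1-2` and the upstream commit is linked, so the bookworm `<ignored>` with "no reverse deps in Bookworm" is consistent with the other libcoap3 hunks; one point to check is that `<ignored>` rather than `<no-dsa>` is intended here, since a fixing commit exists and could in principle go into a point release if a reverse dependency appears.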
@@ -182378,10 +182377,11 @@ CVE-2022-37343 (Improper access control in the BIOS firmware for some Intel(R) P
NOT-FOR-US: Intel
CVE-2022-36788 (A heap-based buffer overflow vulnerability exists in the TriangleMesh ...)
- slic3r <unfixed> (bug #1034848)
- [bookworm] - slic3r <no-dsa> (Minor issue)
+ [bookworm] - slic3r <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - slic3r <no-dsa> (Minor issue)
[buster] - slic3r <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1593
+ NOTE: https://github.com/slic3r/Slic3r/issues/5162
CVE-2022-36420
RESERVED
CVE-2022-36419
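Review bot: the bookworm slic3r line for CVE-2022-36788 becomes `<postponed> (Minor issue, revisit when fixed upstream)` while the bullseye and buster lines keep `<no-dsa> (Minor issue)`; if the intent is to revisit all releases once upstream fixes issue #5162 (the newly added NOTE), the older releases should carry the same tag, otherwise the difference should be spelled out, and the sid line stays `<unfixed>` with bug #1034848, which is correct as long as no upstream fix is known.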
@@ -268773,6 +268773,8 @@ CVE-2021-3563 (A flaw was found in openstack-keystone. Only the first 72 charact
[stretch] - keystone <end-of-life> (Keystone is not supported in stretch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1962908
NOTE: https://bugs.launchpad.net/keystone/+bug/1901891
+ NOTE: https://opendev.org/openstack/keystone/commit/6730c761d18aa547998f2add833c13f45f257fe7
+ NOTE: Fixed in 22.0.1
CVE-2021-33497 (Dutchcoders transfer.sh before 1.2.4 allows Directory Traversal for de ...)
NOT-FOR-US: Dutchcoders transfer.sh
CVE-2021-33496 (Dutchcoders transfer.sh before 1.2.4 allows XSS via an inline view.)
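Review bot: the two NOTEs added for CVE-2021-3563 record the fixing commit and "Fixed in 22.0.1", but the hunk shows no change to the keystone version line itself (only the stretch `<end-of-life>` context is visible); if the sid or bookworm keystone entry is still marked unfixed or without a version, it should be updated to reflect the 22.0.1 fix, and if the Debian package already carries that release, the fixed Debian version should be recorded on the package line rather than only in a NOTE.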
@@ -311396,24 +311398,24 @@ CVE-2020-28599 (A stack-based buffer overflow vulnerability exists in the import
NOTE: https://github.com/openscad/openscad/commit/07ea60f82e94a155f4926f17fad8e8366bc74874
CVE-2020-28598 (An out-of-bounds write vulnerability exists in the Admesh stl_fix_norm ...)
- slic3r-prusa <unfixed> (bug #1074415)
- [bookworm] - slic3r-prusa <no-dsa> (Minor issue)
+ [bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - slic3r-prusa <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1222
CVE-2020-28597 (A predictable seed vulnerability exists in the password reset function ...)
NOT-FOR-US: Epignosis EfrontPro
CVE-2020-28596 (A stack-based buffer overflow vulnerability exists in the Objparser::o ...)
- slic3r-prusa <unfixed> (bug #1074415)
- [bookworm] - slic3r-prusa <no-dsa> (Minor issue)
+ [bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - slic3r-prusa <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1220
CVE-2020-28595 (An out-of-bounds write vulnerability exists in the Obj.cpp load_obj() ...)
- slic3r-prusa <unfixed> (bug #1074415)
- [bookworm] - slic3r-prusa <no-dsa> (Minor issue)
+ [bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - slic3r-prusa <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1219
CVE-2020-28594 (A use-after-free vulnerability exists in the _3MF_Importer::_handle_en ...)
- slic3r-prusa <unfixed> (bug #1074415)
- [bookworm] - slic3r-prusa <no-dsa> (Minor issue)
+ [bookworm] - slic3r-prusa <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - slic3r-prusa <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1218
CVE-2020-28593 (A unauthenticated backdoor exists in the configuration server function ...)
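Review bot: the four slic3r-prusa entries (CVE-2020-28598, -28596, -28595, -28594) all share bug #1074415 and receive the same `<postponed> (Minor issue, revisit when fixed upstream)` text for bookworm, but none of them links an upstream issue or commit to track, unlike the slic3r hunk earlier in this commit which added a GitHub issue NOTE; adding one upstream tracking reference (per CVE or on the shared bug) would make "revisit when fixed upstream" actionable, and the bullseye lines left at `<no-dsa>` should be aligned with bookworm if the same revisit intent applies.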
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/55dded588e4147326d0b79a9ee8cc3057adde5f4