[Git][security-tracker-team/security-tracker][master] triage older issues
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sat Nov 16 19:20:21 GMT 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e53d3556 by Moritz Muehlenhoff at 2024-11-16T20:19:51+01:00
triage older issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -16187,6 +16187,7 @@ CVE-2024-8897 (Under certain conditions, an attacker with the ability to redirec
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-45/#CVE-2024-8897
CVE-2024-8796 (Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & ...)
- ruby-devise-two-factor <unfixed> (bug #1082382)
+ [bookworm] - ruby-devise-two-factor <ignored> (Minor issue)
NOTE: https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2
CVE-2024-8767 (Sensitive data disclosure and manipulation due to unnecessary privileg ...)
NOT-FOR-US: Acronis
@@ -57667,12 +57668,12 @@ CVE-2024-33665 (angular-translate through 2.19.1 allows XSS via a crafted key th
NOT-FOR-US: angular-translate
CVE-2024-33664 (python-jose through 3.3.0 allows attackers to cause a denial of servic ...)
- python-jose <removed> (bug #1070375)
- [bookworm] - python-jose <no-dsa> (Minor issue)
+ [bookworm] - python-jose <ignored> (Minor issue)
NOTE: https://github.com/mpdavis/python-jose/issues/344
NOTE: https://github.com/mpdavis/python-jose/pull/345
CVE-2024-33663 (python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA k ...)
- python-jose <removed> (bug #1070375)
- [bookworm] - python-jose <no-dsa> (Minor issue)
+ [bookworm] - python-jose <ignored> (Minor issue)
NOTE: https://github.com/mpdavis/python-jose/issues/346
CVE-2024-33661 (Portainer before 2.20.0 allows redirects when the target is not index. ...)
NOT-FOR-US: Portainer
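Review bot: for CVE-2024-33663, the algorithm-confusion issue, the [bookworm] tag is promoted from <no-dsa> to <ignored> while the rationale stays the generic "Minor issue" copied from the old entry; since <ignored> means bookworm will never receive a fix, the rationale should state why that is acceptable here, for example that python-jose is <removed> from unstable (bug #1070375) so no fixed version exists to backport. The same applies to the CVE-2024-33664 change in this hunk.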
@@ -70521,9 +70522,12 @@ CVE-2024-23523 (Exposure of Sensitive Information to an Unauthorized Actor vulne
CVE-2024-23298 (A logic issue was addressed with improved state management.)
NOT-FOR-US: Apple
CVE-2024-22513 (djangorestframework-simplejwt version 5.3.1 and before is vulnerable t ...)
- - python-djangorestframework-simplejwt <unfixed> (bug #1067641)
- [bookworm] - python-djangorestframework-simplejwt <no-dsa> (Minor issue)
+ - python-djangorestframework-simplejwt <unfixed> (unimportant; bug #1067641)
NOTE: https://github.com/dmdhrumilmistry/CVEs/tree/main/CVE-2024-22513
+ NOTE: https://github.com/jazzband/djangorestframework-simplejwt/issues/805
+ NOTE: https://github.com/jazzband/djangorestframework-simplejwt/issues/779
+ NOTE: https://github.com/jazzband/djangorestframework-simplejwt/issues/779
+ NOTE: Questionable CVE: This is an insecure interface, not a vulnerability per se
CVE-2024-22259 (Applications that use UriComponentsBuilder in Spring Frameworkto parse ...)
- libspring-java <unfixed> (unimportant)
NOTE: https://spring.io/security/cve-2024-22259
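Review bot: the line `NOTE: https://github.com/jazzband/djangorestframework-simplejwt/issues/779` is added twice in a row; drop the duplicate. Replacing the [bookworm] <no-dsa> entry with an "unimportant" severity on the unstable entry is consistent with the "Questionable CVE" NOTE, since unimportant applies across all suites, so no further per-suite entry is needed.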
@@ -96559,7 +96563,7 @@ CVE-2023-47117 (Label Studio is an open source data labeling tool. In all curren
CVE-2023-46446 (An issue in AsyncSSH before 2.14.1 allows attackers to control the rem ...)
{DLA-3899-1}
- python-asyncssh 2.15.0-1 (bug #1055999)
- [bookworm] - python-asyncssh <no-dsa> (Minor issue)
+ [bookworm] - python-asyncssh <ignored> (Minor issue)
[buster] - python-asyncssh <no-dsa> (Minor issue)
NOTE: https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm
NOTE: https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e (v2.14.1)
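Review bot: the [bookworm] tag moves from <no-dsa> to <ignored> with the rationale unchanged ("Minor issue"), although this issue already has a DLA ({DLA-3899-1}), a fixed version 2.15.0-1 in unstable and a linked upstream fix commit for v2.14.1, so a backport is evidently available. Because <ignored> is a stronger statement than <no-dsa> (no fix even via a point release), the rationale should say why bookworm is treated differently from the suite that got the DLA.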
@@ -178417,7 +178421,7 @@ CVE-2022-3168
REJECTED
CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...)
- openvswitch <unfixed> (bug #1021740)
- [bookworm] - openvswitch <no-dsa> (Minor issue)
+ [bookworm] - openvswitch <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openvswitch <no-dsa> (Minor issue)
[buster] - openvswitch <no-dsa> (Minor issue)
NOTE: https://arxiv.org/abs/2011.09107
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e53d3556dcd81217b1aa2e7c69e203ceab4ae0e3