[Git][security-tracker-team/security-tracker][master] 6 commits: dla: symfony status update

Sylvain Beucler (@beuc) gitlab at salsa.debian.org
Wed Nov 20 19:14:56 GMT 2024 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cfd61caa by Sylvain Beucler at 2024-11-20T19:49:52+01:00
dla: symfony status update

- - - - -
a4c49acb by Sylvain Beucler at 2024-11-20T19:53:28+01:00
dla: add trafficserver

- - - - -
d6be6118 by Sylvain Beucler at 2024-11-20T19:56:37+01:00
dla: mpg123 status update

- - - - -
c476fc36 by Sylvain Beucler at 2024-11-20T19:59:09+01:00
CVE-2024-44331/gst-rtsp-server1.0: bullseye postponed

- - - - -
77a42cef by Sylvain Beucler at 2024-11-20T20:05:41+01:00
CVE-2024-50612,CVE-2024-50613/libsndfile: bullseye postponed

- - - - -
5a91b860 by Sylvain Beucler at 2024-11-20T20:14:25+01:00
CVE-2024-49393,CVE-2024-49394,CVE-2024-49395/neomutt: bullseye postponed

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3456,6 +3456,7 @@ CVE-2024-49395 (In mutt and neomutt, PGP encryption does not use the --hidden-re
 	[bullseye] - mutt <postponed> (Minor issue; upstream won't fix)
 	- neomutt <unfixed>
 	[bookworm] - neomutt <no-dsa> (Minor issue)
+	[bullseye] - neomutt <postponed> (Minor issue, infoleak)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325332
 	NOTE: https://gitlab.com/muttmua/mutt/-/issues/490
 	NOTE: Mutt project does not plan to address CVE-2024-49393, CVE-2024-49394, CVE-2024-49395
@@ -3468,6 +3469,7 @@ CVE-2024-49394 (In mutt and neomutt the In-Reply-To email header field is not pr
 	[bullseye] - mutt <postponed> (Minor issue; upstream won't fix)
 	- neomutt 20241002+dfsg-1
 	[bookworm] - neomutt <no-dsa> (Minor issue)
+	[bullseye] - neomutt <postponed> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325330
 	NOTE: https://gitlab.com/muttmua/mutt/-/issues/490
 	NOTE: Mutt project does not plan to address CVE-2024-49393, CVE-2024-49394, CVE-2024-49395
@@ -3482,6 +3484,7 @@ CVE-2024-49393 (In neomutt and mutt, the To and Cc email headers are not validat
 	[bullseye] - mutt <postponed> (Minor issue; upstream won't fix)
 	- neomutt 20241002+dfsg-1
 	[bookworm] - neomutt <no-dsa> (Minor issue)
+	[bullseye] - neomutt <postponed> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325317
 	NOTE: https://gitlab.com/muttmua/mutt/-/issues/490
 	NOTE: Mutt project does not plan to address CVE-2024-49393, CVE-2024-49394, CVE-2024-49395
@@ -7722,10 +7725,12 @@ CVE-2024-50614 (TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/1
 CVE-2024-50613 (libsndfile through 1.2.2 has a reachable assertion, that may lead to a ...)
 	- libsndfile <unfixed>
 	[bookworm] - libsndfile <postponed> (Minor issue, revisit when fixed upstream)
+	[bullseye] - libsndfile <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/libsndfile/libsndfile/issues/1034
 CVE-2024-50612 (libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out ...)
 	- libsndfile <unfixed>
 	[bookworm] - libsndfile <postponed> (Minor issue, revisit when fixed upstream)
+	[bullseye] - libsndfile <postponed> (Minor issue, CLI DoS)
 	NOTE: https://github.com/libsndfile/libsndfile/issues/1035
 	NOTE: Fixed by: https://github.com/libsndfile/libsndfile/commit/4755f5bd7854611d92ad0f1295587b439f9950ba
 CVE-2024-50611 (CycloneDX cdxgen through 10.10.7, when run against an untrusted codeba ...)
@@ -8695,6 +8700,7 @@ CVE-2024-44812 (SQL Injection vulnerability in Online Complaint Site v.1.0 allow
 CVE-2024-44331 (Incorrect Access Control in GStreamer RTSP server 1.25.0 in gst-rtsp-s ...)
 	- gst-rtsp-server1.0 1.24.9-1
 	[bookworm] - gst-rtsp-server1.0 <no-dsa> (Minor issue)
+	[bullseye] - gst-rtsp-server1.0 <postponed> (Minor issue, DoS)
 	NOTE: https://gstreamer.freedesktop.org/security/sa-2024-0004.html
 	NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3731
 	NOTE: Introduced by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/16bc937ed95c85c9d02a314a3b065eebc575a97c (gst-rtsp-server-1.18.0)


=====================================
data/dla-needed.txt
=====================================
@@ -128,7 +128,8 @@ mosquitto (abhijith)
 --
 mpg123
   NOTE: 20241109: Added by coordinator (santiago)
-  NOTE: 20241114: Thorsten Glaser proposed to help with this
+  NOTE: 20241114: Thorsten Glaser proposed to help with this  https://lists.debian.org/debian-lts/2024/11/msg00024.html
+  NOTE: 20241120: Follow fixes from DSA-5811-1 (Beuc/front-desk)
 --
 netatalk
   NOTE: 20240807: Added by oldstable Security Team (jmm)
@@ -207,12 +208,17 @@ squid
 --
 symfony
   NOTE: 20241110: Added by Front-Desk (apo)
+  NOTE: 20241120: Follow fixes from DSA-5809-1 and DSA-5813-1 (Beuc/front-desk)
 --
 tomcat9
   NOTE: 20240908: Added by (apo)
   NOTE: 20240923: Still working on patch backport. (apo)
   NOTE: 20241010: Will release shortly after exim4 at the beginning of next week. (apo)
 --
+trafficserver
+  NOTE: 20241120: Added by Front-Desk (Beuc)
+  NOTE: 20241120: Upcoming DSA (Beuc/front-desk)
+--
 tryton-server
   NOTE: 20240923: Added by Front-Desk (lamby)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cb3d85e7f07fb43aeaf54f96979b3aa8c63c80c9...5a91b86096c100508c124302fdfddeac433d6e89

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cb3d85e7f07fb43aeaf54f96979b3aa8c63c80c9...5a91b86096c100508c124302fdfddeac433d6e89
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20241120/8229cc20/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list