[Git][security-tracker-team/security-tracker][master] triage older issues

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Nov 20 20:11:20 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a44abfbd by Moritz Muehlenhoff at 2024-11-20T21:10:49+01:00
triage older issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3451,25 +3451,19 @@ CVE-2024-10314 (In Helix Core versions prior to 2024.2, an unauthenticated remot
 CVE-2024-10179 (The Slickstream: Engagement and Conversions plugin for WordPress is vu ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-49395 (In mutt and neomutt, PGP encryption does not use the --hidden-recipien ...)
-	- mutt <unfixed>
-	[bookworm] - mutt <no-dsa> (Minor issue)
-	[bullseye] - mutt <postponed> (Minor issue; upstream won't fix)
-	- neomutt <unfixed>
-	[bookworm] - neomutt <no-dsa> (Minor issue)
-	[bullseye] - neomutt <postponed> (Minor issue, infoleak)
+	- mutt <unfixed> (unimportant)
+	- neomutt <unfixed> (unimportant)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325332
 	NOTE: https://gitlab.com/muttmua/mutt/-/issues/490
 	NOTE: Mutt project does not plan to address CVE-2024-49393, CVE-2024-49394, CVE-2024-49395
 	NOTE: cf. https://gitlab.com/muttmua/mutt/-/issues/490#note_2209448655 . Issues with documented
 	NOTE: through http://mutt.org/doc/manual/#crypt-protected-headers-read
 	NOTE: https://github.com/neomutt/neomutt/issues/4234
+	NOTE: These are longstanding limitations of PGP-encrypted mail and rather enhancements
+	NOTE: than actual vulnerabilities
 CVE-2024-49394 (In mutt and neomutt the In-Reply-To email header field is not protecte ...)
-	- mutt <unfixed>
-	[bookworm] - mutt <no-dsa> (Minor issue)
-	[bullseye] - mutt <postponed> (Minor issue; upstream won't fix)
-	- neomutt 20241002+dfsg-1
-	[bookworm] - neomutt <no-dsa> (Minor issue)
-	[bullseye] - neomutt <postponed> (Minor issue)
+	- mutt <unfixed> (unimportant)
+	- neomutt 20241002+dfsg-1 (unimportant)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325330
 	NOTE: https://gitlab.com/muttmua/mutt/-/issues/490
 	NOTE: Mutt project does not plan to address CVE-2024-49393, CVE-2024-49394, CVE-2024-49395
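Review bot: The justification added in the two new NOTE lines for CVE-2024-49395 reads awkwardly because the sentence is split as "rather enhancements / than actual vulnerabilities"; suggest "NOTE: These are longstanding limitations of PGP-encrypted mail and enhancements rather than actual vulnerabilities". Dropping the [bookworm]/[bullseye] lines together with the (unimportant) tag is consistent, but the removed bullseye neomutt line carried an "infoleak" qualifier that the new NOTE does not address; a short clause explaining why that does not raise the severity would make the downgrade self-explanatory for later readers.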
@@ -3478,13 +3472,11 @@ CVE-2024-49394 (In mutt and neomutt the In-Reply-To email header field is not pr
 	NOTE: https://github.com/neomutt/neomutt/issues/4226
 	NOTE: Protected since: https://github.com/neomutt/neomutt/commit/13cfc6f98322eafdc30ecc4c15999d401950a1d9 (20241002)
 	NOTE: Reading protected value since: https://github.com/neomutt/neomutt/commit/ec02b141983c70ae7ebee0cdfba59e90a825f0cc (20241002)
+	NOTE: These are longstanding limitations of PGP-encrypted mail and rather enhancements
+	NOTE: than actual vulnerabilities
 CVE-2024-49393 (In neomutt and mutt, the To and Cc email headers are not validated by  ...)
-	- mutt <unfixed>
-	[bookworm] - mutt <no-dsa> (Minor issue)
-	[bullseye] - mutt <postponed> (Minor issue; upstream won't fix)
-	- neomutt 20241002+dfsg-1
-	[bookworm] - neomutt <no-dsa> (Minor issue)
-	[bullseye] - neomutt <postponed> (Minor issue)
+	- mutt <unfixed> (unimportant)
+	- neomutt 20241002+dfsg-1 (unimportant)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325317
 	NOTE: https://gitlab.com/muttmua/mutt/-/issues/490
 	NOTE: Mutt project does not plan to address CVE-2024-49393, CVE-2024-49394, CVE-2024-49395
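Review bot: For CVE-2024-49394 the entry now records neomutt as fixed in 20241002+dfsg-1 (with the "Protected since" and "Reading protected value since" commits) while also tagging it (unimportant); that is fine, but the same two-line justification NOTE added here has the same split-sentence wording as in the previous hunk and should be phrased "enhancements rather than actual vulnerabilities" in both places. The CVE-2024-49393 entry gets the (unimportant) tag in this hunk but no matching justification NOTE is visible in the shown context; if it is not already present below, add the same NOTE there so all three sibling entries carry the reasoning.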
@@ -49882,13 +49874,13 @@ CVE-2024-36050 (Nix through 2.22.1 mishandles certain usage of hash caches, whic
 	NOTE: https://github.com/NixOS/ofborg/issues/68#issuecomment-2082789441
 CVE-2024-36048 (QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x b ...)
 	- qtnetworkauth-everywhere-src 5.15.13-3 (bug #1071974)
-	[bookworm] - qtnetworkauth-everywhere-src <no-dsa> (Minor issue)
+	[bookworm] - qtnetworkauth-everywhere-src <ignored> (Minor issue)
 	[bullseye] - qtnetworkauth-everywhere-src <no-dsa> (Minor issue)
 	[buster] - qtnetworkauth-everywhere-src <postponed> (Minor issue)
-	- qt6-networkauth <unfixed> (bug #1071973)
-	[bookworm] - qt6-networkauth <no-dsa> (Minor issue)
-	NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317
-	NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560368
+	- qt6-networkauth 6.7.2-2 (bug #1071973)
+	[bookworm] - qt6-networkauth <ignored> (Minor issue)
+	NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317 (security fix)
+	NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560368 (followup/finetuning)
 CVE-2024-28064 (Kiteworks Totemomail 7.x and 8.x before 8.3.0 allows /responsiveUI/Env ...)
 	NOT-FOR-US: Kiteworks Totemomail
 CVE-2024-28063 (Kiteworks Totemomail through 7.0.0 allows /responsiveUI/EnvelopeOpenSe ...)
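Review bot: For CVE-2024-36048 the bookworm entries for both qtnetworkauth-everywhere-src and qt6-networkauth move from <no-dsa> to <ignored> while bullseye keeps <no-dsa> and buster keeps <postponed>, all with the identical reason "(Minor issue)"; an <ignored> tag means no fix is planned for that release, so the reason string should say why (for example that the fix is a behavioural change in QAbstractOAuth not suitable for a point release), and the bullseye line should either be aligned or the difference explained. Annotating the two codereview links as "(security fix)" and "(followup/finetuning)" is a useful addition.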
@@ -95496,7 +95488,7 @@ CVE-2023-6070 (A server-side request forgery vulnerability in ESM prior to versi
 CVE-2023-49091 (Cosmos provides users the ability self-host a home server by acting as ...)
 	NOT-FOR-US: Cosmos
 CVE-2023-49090 (CarrierWave is a solution for file uploads for Rails, Sinatra and othe ...)
-	- ruby-carrierwave <unfixed> (bug #1068150)
+	- ruby-carrierwave 3.0.7-1 (bug #1068150)
 	[bookworm] - ruby-carrierwave <no-dsa> (Minor issue)
 	[buster] - ruby-carrierwave <postponed> (Minor issue)
 	NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj
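Review bot: Recording ruby-carrierwave 3.0.7-1 as the fixed version resolves the <unfixed> state for CVE-2023-49090, but unlike the other bookworm entries touched in this commit the bookworm line here stays <no-dsa> (Minor issue); confirm that is intentional and, if a fix via point release is still being considered, say so in the reason so the contrast with the <ignored> entries elsewhere in this change is deliberate rather than accidental.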
@@ -177195,7 +177187,7 @@ CVE-2020-36604 (hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisonin
 	NOTE: Fixed by: https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90 (v9.0.3)
 CVE-2022-3276 (Command injection is possible in the puppetlabs-mysql module prior to  ...)
 	- puppet-module-puppetlabs-mysql 15.0.0-1 (bug #1027154)
-	[bookworm] - puppet-module-puppetlabs-mysql <no-dsa> (Minor issue)
+	[bookworm] - puppet-module-puppetlabs-mysql <ignored> (Minor issue)
 	[bullseye] - puppet-module-puppetlabs-mysql <no-dsa> (Minor issue)
 	[buster] - puppet-module-puppetlabs-mysql <no-dsa> (Minor issue)
 	NOTE: https://puppet.com/security/cve/CVE-2022-3276
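Review bot: The bookworm line for CVE-2022-3276 changes from <no-dsa> to <ignored> but keeps the unchanged reason "(Minor issue)", which was the justification for not issuing a DSA, not for never fixing it; since bullseye and buster still carry <no-dsa> with the same text, the reason on the bookworm line should state why the command injection in the puppetlabs-mysql module will not be addressed there (for example that the fix only landed in the 15.0.0-1 rewrite), otherwise the three release lines read as contradictory.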
@@ -518563,7 +518555,7 @@ CVE-2017-1000048 (the web framework using ljharb's qs module older than v6.3.2,
 	NOT-FOR-US: ljharb
 CVE-2017-1000047 (rbenv (all current versions) is vulnerable to Directory Traversal in t ...)
 	- rbenv <unfixed> (bug #869702)
-	[bookworm] - rbenv <no-dsa> (Minor issue)
+	[bookworm] - rbenv <ignored> (Minor issue)
 	[bullseye] - rbenv <no-dsa> (Minor issue)
 	[buster] - rbenv <no-dsa> (Minor issue)
 	[stretch] - rbenv <no-dsa> (Minor issue)
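Review bot: Same point as for the puppetlabs-mysql hunk: the bookworm rbenv entry for CVE-2017-1000047 becomes <ignored> while bullseye, buster and stretch remain <no-dsa>, all with the identical "(Minor issue)" reason; given that the package is still <unfixed> in unstable (bug #869702), the <ignored> line should carry a reason that explains the decision, e.g. "(Minor issue; directory traversal requires a locally controlled .ruby-version and no upstream fix exists)", so the per-release state is self-explanatory.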



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a44abfbd742bc216a56297da42fa766a73c1b2e5
