[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri Nov 29 16:19:12 GMT 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9494fe83 by Moritz Muehlenhoff at 2024-11-29T17:18:48+01:00
bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -251,6 +251,7 @@ CVE-2024-11738
NOTE: https://github.com/rustls/rustls/issues/2227
CVE-2024-53920 (In elisp-mode.el in GNU Emacs through 30.0.92, a user who chooses to i ...)
- emacs <unfixed>
+ [bookworm] - emacs <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
NOTE: https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg%40mail.gmail.com/
CVE-2024-53855 (Centurion ERP (Enterprise Rescource Planning) is a simple application ...)
@@ -794,6 +795,7 @@ CVE-2024-53930 (WikiDocs before 1.0.65 allows stored XSS by authenticated users
NOT-FOR-US: WikiDocs
CVE-2024-53916 (In OpenStack Neutron through 25.0.0, neutron/extensions/tagging.py can ...)
- neutron <unfixed>
+ [bookworm] - neutron <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://review.opendev.org/c/openstack/neutron/+/935883
CVE-2024-53915 (An issue was discovered in the server in Veritas Enterprise Vault befo ...)
NOT-FOR-US: Veritas Enterprise Vault
@@ -891,6 +893,7 @@ CVE-2024-11646 (A vulnerability classified as critical was found in 1000 Project
NOT-FOR-US: 1000 Projects Beauty Parlour Management System
CVE-2024-11498 (There exists a stack buffer overflow in libjxl.A specifically-crafted ...)
- jpeg-xl <unfixed>
+ [bookworm] - jpeg-xl <no-dsa> (Minor issue)
NOTE: https://github.com/libjxl/libjxl/pull/3943
NOTE: https://github.com/libjxl/libjxl/commit/bf4781a2eed2eef664790170977d1d3d8347efb9
CVE-2024-11403 (There exists an out of bounds read/write in LibJXL versions prior to c ...)
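Review bot: the bookworm annotation `+ [bookworm] - jpeg-xl <no-dsa> (Minor issue)` gives no rationale for rating a stack buffer overflow in a file decoder as minor; since the upstream fix is already pinned by the NOTE lines (libjxl PR 3943 and commit bf4781a2eed2), state in the parenthesis why it does not warrant a DSA (for example that it is a crash with no demonstrated control, or that it can go out with a point release) so the next triager does not have to redo the analysis.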
@@ -4597,6 +4600,7 @@ CVE-2024-23919 (Improper buffer restrictions in some Intel(R) Graphics software
NOT-FOR-US: Intel
CVE-2024-23918 (Improper conditions check in some Intel(R) Xeon(R) processor memory co ...)
- intel-microcode 3.20241112.1 (bug #1087532)
+ [bookworm] - intel-microcode <no-dsa> (Minor issue)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01079.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112
CVE-2024-23312 (Uncontrolled search path for some Intel(R) Binary Configuration Tool s ...)
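Review bot: the new line `+ [bookworm] - intel-microcode <no-dsa> (Minor issue)` does not say how bookworm gets the fix, while the sid line above it records the fix as version 3.20241112.1 (bug #1087532), i.e. a whole microcode release rather than a cherry-pickable patch; if the plan is to ship that release through a stable point update, spell it out in the annotation so the no-dsa tag is not read as "no action needed".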
@@ -4616,12 +4620,14 @@ CVE-2024-22185 (Time-of-check Time-of-use Race Condition in some Intel(R) proces
NOT-FOR-US: Intel
CVE-2024-21853 (Improper finite state machines (FSMs) in the hardware logic in some 4t ...)
- intel-microcode 3.20241112.1 (bug #1087532)
+ [bookworm] - intel-microcode <no-dsa> (Minor issue)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01101.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112
CVE-2024-21850 (Sensitive information in resource not removed before reuse in some Int ...)
NOT-FOR-US: Intel
CVE-2024-21820 (Incorrect default permissions in some Intel(R) Xeon(R) processor memor ...)
- intel-microcode 3.20241112.1 (bug #1087532)
+ [bookworm] - intel-microcode <no-dsa> (Minor issue)
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01079.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112
CVE-2024-21808 (Improper buffer restrictions in some Intel(R) VPL software before vers ...)
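Review bot: the two bookworm lines added here (for CVE-2024-21853 and CVE-2024-21820) carry only the bare `<no-dsa> (Minor issue)`, yet both are fixed in sid by the same 3.20241112.1 upload tracked in bug #1087532, so a single intel-microcode update in bookworm would close them together; consider recording that in the annotation. Note also that CVE-2024-21853 points at intel-sa-01101 whereas CVE-2024-21820 points at intel-sa-01079, so a stable update changelog should cite both advisories rather than just the microcode-20241112 release tag.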
@@ -128445,6 +128451,7 @@ CVE-2023-2143 (The Enable SVG, WebP & ICO Upload WordPress plugin through 1.0.3
NOT-FOR-US: WordPress plugin
CVE-2023-2142 (In Nunjucks versions prior to version 3.2.4, it was possible to bypas ...)
- node-nunjucks <unfixed> (bug #1088331)
+ [bookworm] - node-nunjucks <no-dsa> (Minor issue)
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1825980
NOTE: https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw
CVE-2023-2141 (An unsafe .NET object deserialization in DELMIA Apriso Release 2017 th ...)
@@ -135258,6 +135265,7 @@ CVE-2023-1522 (SQL Injection in the Hardware Inventory report of Security Center
NOT-FOR-US: Security Center
CVE-2023-1521 (On Linux the sccache client can execute arbitrary code with the privil ...)
- sccache 0.5.3-1
+ [bookworm] - sccache <no-dsa> (Minor issue)
NOTE: https://securitylab.github.com/advisories/GHSL-2023-046_ScCache/
NOTE: https://github.com/advisories/GHSA-x7fr-pg8f-93f5
NOTE: ttps://github.com/mozilla/sccache/pull/1663
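Review bot: the last context line has a malformed URL, `NOTE: ttps://github.com/mozilla/sccache/pull/1663` (missing the leading "h"); it predates this commit, but since the entry is being touched anyway, fix it so the link resolves. Separately, the added `[bookworm] - sccache <no-dsa> (Minor issue)` sits on a CVE whose description begins "the sccache client can execute arbitrary code with the privil..."; a short reason why that is minor for bookworm (for instance the default configuration not exposing the affected path) would help anyone revisiting the entry.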
=====================================
data/dsa-needed.txt
=====================================
@@ -38,6 +38,8 @@ smarty3 (jmm)
--
smarty4
--
+sogo
+--
trafficserver
--
webkit2gtk (berto)
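Review bot: `+sogo` is added to dsa-needed.txt without an owner, unlike `smarty3 (jmm)` and `webkit2gtk (berto)`, and nothing in the data/CVE/list part of this commit touches sogo, so the CVE that motivates the DSA is not visible from the change; leaving the entry unclaimed is fine if that is the intent, but put the CVE id in a comment line under the package name so whoever claims it knows what to fix.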
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9494fe831548bf2c7f7d0798139005f7da48ac5c