[Git][security-tracker-team/security-tracker][master] 4 commits: wordpress: Triage 2024 CVE for bullseye
Markus Koschany (@apo)
apo at debian.org
Wed Oct 2 20:04:36 BST 2024
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7cc72079 by Markus Koschany at 2024-10-02T21:03:09+02:00
wordpress: Triage 2024 CVE for bullseye
Wordpress in bullseye is not affected. The vulnerable code was introduced in
later versions.
- - - - -
8ea67110 by Markus Koschany at 2024-10-02T21:03:11+02:00
CVE-2023-5692,wordpress: bullseye is ignored
Minor issue. Bullseye is affected but the worst case is the exposing of a
custom slug.
- - - - -
c8739aa1 by Markus Koschany at 2024-10-02T21:03:11+02:00
Remove wordpress from dla-needed.txt
After a closer inspection, I found that the latest security release for the
5.7.x branch only fixes a security vulnerability when Wordpress is hosted on a
Windows server. Apparently no CVE has been assigned so far. In Debian terms
this would be an "unimportant" issue anyway.
All other open CVEs have been triaged individually.
There is nothing to do at the moment.
- - - - -
b484203b by Markus Koschany at 2024-10-02T21:04:09+02:00
Reclaim ffmpeg in dla-needed.txt
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -22092,6 +22092,7 @@ CVE-2024-6308 (A vulnerability was found in itsourcecode Simple Online Hotel Res
NOT-FOR-US: itsourcecode Simple Online Hotel Reservation System
CVE-2024-6307 (WordPress Core is vulnerable to Stored Cross-Site Scripting via the HT ...)
- wordpress 6.5.5+dfsg1-1 (bug #1074486)
+ [bullseye] - wordpress <not-affected> (The vulnerable code was introduced later)
NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/
NOTE: https://core.trac.wordpress.org/changeset/58473
NOTE: https://core.trac.wordpress.org/changeset/58472
@@ -22200,6 +22201,7 @@ CVE-2024-32111 (Improper Limitation of a Pathname to a Restricted Directory ('Pa
NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/
CVE-2024-31111 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
- wordpress 6.5.5+dfsg1-1 (bug #1074486)
+ [bullseye] - wordpress <not-affected> (The vulnerable code was introduced later)
NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/
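Review bot: the justification for CVE-2024-31111 is the single release announcement on the NOTE line, which covers several fixes at once; the `<not-affected>` reason for bullseye would be stronger with the specific core changeset (as the neighbouring entries already do via core.trac.wordpress.org) or the first affected version named in the parenthesis.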
CVE-2024-28832 (Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7 ...)
- check-mk <removed>
@@ -47063,6 +47065,7 @@ CVE-2024-3832 (Object corruption in V8 in Google Chrome prior to 124.0.6367.60 a
[buster] - chromium <end-of-life> (see DSA 5046)
CVE-2024-4439 (WordPress Core is vulnerable to Stored Cross-Site Scripting via user d ...)
- wordpress 6.5.2+dfsg1-1 (bug #1069091)
+ [bullseye] - wordpress <not-affected> (The vulnerable code was introduced later)
NOTE: https://wpscan.com/blog/unauthenticated-stored-xss-fixed-in-wordpress-core/
NOTE: https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
NOTE: https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=57950%40%2F&new=57950%40%2F&sfp_email=&sfph_mail=#file3
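Review bot: style point on the last NOTE of this entry, touched while adding the bullseye line: the trac URL is a compare link with duplicated empty query parameters (`sfp_email` and `sfph_mail` appear twice) and a `#file3` fragment, whereas the other WordPress entries in this file reference changesets directly, e.g. `NOTE: https://core.trac.wordpress.org/changeset/58472`. Replacing it with the plain `/changeset/57950` form would keep the entries consistent and the link stable.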
@@ -50482,6 +50485,7 @@ CVE-2023-6522 (Incorrect Use of Privileged APIs vulnerability in ExtremePacs Ext
NOT-FOR-US: ExtremePacs Extreme XDS
CVE-2023-5692 (WordPress Core is vulnerable to Sensitive Information Exposure in vers ...)
- wordpress 6.5+dfsg1-1
+ [bullseye] - wordpress <ignored> (Minor issue)
NOTE: https://core.trac.wordpress.org/changeset/57645
CVE-2023-49965 (SpaceX Starlink Wi-Fi router Gen 2 before 2023.48.0 allows XSS via the ...)
NOT-FOR-US: SpaceX Starlink Wi-Fi router
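Review bot: the new `[bullseye] - wordpress <ignored> (Minor issue)` line drops the actual reasoning, which only survives in the commit message ("the worst case is the exposing of a custom slug"). Since the tracker entry is what future triagers read, carrying that detail into the parenthesis, e.g. `<ignored> (Minor issue; worst case exposes a custom slug)`, records why CVE-2023-5692 was judged not worth a DLA.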
=====================================
data/dla-needed.txt
=====================================
@@ -82,7 +82,7 @@ exim4 (Markus Koschany)
NOTE: 20240815: Consider fixing older postponed CVEs as well (Beuc/front-desk)
NOTE: 20240923: Currently testing the update. (apo)
--
-ffmpeg
+ffmpeg (Markus Koschany)
NOTE: 20240815: Added by Front-Desk (Beuc)
NOTE: 20240815: Upgrade to 4.3.8 (same approach as DSA-5748-1) (Beuc/front-desk)
NOTE: 20240911: Update prepared in git and tested, waiting for CI pipeline
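Review bot: the claim of ffmpeg only changes the owner in parentheses; the most recent status line is still `NOTE: 20240911: Update prepared in git and tested, waiting for CI pipeline`, left by the previous holder. The neighbouring exim4 entry shows the convention of a dated progress line (`NOTE: 20240923: Currently testing the update. (apo)`), so consider adding a `NOTE: 20241002:` line saying whether the prepared 4.3.8 update is being taken over as-is or reworked.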
@@ -250,9 +250,6 @@ upx-ucl
webkit2gtk
NOTE: 20240926: Added by Front-Desk (lamby)
--
-wordpress (apo)
- NOTE: 20240922: Added by Front-Desk (apo)
---
zabbix (tobi)
NOTE: 20240126: Added by oldstable Security Team (jmm)
NOTE: 20240815: sync fixes from bookworm and buster
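Review bot: removing the wordpress entry also removes the only tracker record of the finding in the commit message, namely that the latest 5.7.x security release fixes an issue that has no CVE yet and affects only Windows-hosted installations. With no CVE there is nothing in data/CVE/list to attach it to, so if a CVE is assigned later it will arrive with no prior triage context; a short dated NOTE elsewhere in the tracker, or a reminder for the front desk, would avoid repeating the inspection.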
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9e5bca2c14e9b0dd85c6394f89cc905c18af083a...b484203b63cf8b2abc3d3e7504b81cc83868d94a