[Git][security-tracker-team/security-tracker][master] 4 commits: wordpress: Triage 2024 CVE for bullseye

Markus Koschany (@apo) apo at debian.org
Wed Oct 2 20:04:36 BST 2024 


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7cc72079 by Markus Koschany at 2024-10-02T21:03:09+02:00
wordpress: Triage 2024 CVE for bullseye

Wordpress in bullseye is not affected. The vulnerable code was introduced in
later versions.

- - - - -
8ea67110 by Markus Koschany at 2024-10-02T21:03:11+02:00
CVE-2023-5692,wordpress: bullseye is ignored

Minor issue. Bullseye is affected but the worst case is the exposing of a
custom slug.

- - - - -
c8739aa1 by Markus Koschany at 2024-10-02T21:03:11+02:00
Remove wordpress from dla-needed.txt

After a closer inspection, I found that the latest security release for the
5.7.x branch only fixes a security vulnerability when Wordpress is hosted on a
Windows server. Apparently no CVE has been assigned so far. In Debian terms
this would be an "unimportant" issue anyway.

All other open CVE have been triaged individually.

There is nothing to do at the moment.

- - - - -
b484203b by Markus Koschany at 2024-10-02T21:04:09+02:00
Reclaim ffmpeg in dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -22092,6 +22092,7 @@ CVE-2024-6308 (A vulnerability was found in itsourcecode Simple Online Hotel Res
 	NOT-FOR-US: itsourcecode Simple Online Hotel Reservation System
 CVE-2024-6307 (WordPress Core is vulnerable to Stored Cross-Site Scripting via the HT ...)
 	- wordpress 6.5.5+dfsg1-1 (bug #1074486)
+	[bullseye] - wordpress <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/
 	NOTE: https://core.trac.wordpress.org/changeset/58473
 	NOTE: https://core.trac.wordpress.org/changeset/58472
@@ -22200,6 +22201,7 @@ CVE-2024-32111 (Improper Limitation of a Pathname to a Restricted Directory ('Pa
 	NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/
 CVE-2024-31111 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
 	- wordpress 6.5.5+dfsg1-1 (bug #1074486)
+	[bullseye] - wordpress <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/
 CVE-2024-28832 (Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7 ...)
 	- check-mk <removed>
@@ -47063,6 +47065,7 @@ CVE-2024-3832 (Object corruption in V8 in Google Chrome prior to 124.0.6367.60 a
 	[buster] - chromium <end-of-life> (see DSA 5046)
 CVE-2024-4439 (WordPress Core is vulnerable to Stored Cross-Site Scripting via user d ...)
 	- wordpress 6.5.2+dfsg1-1 (bug #1069091)
+	[bullseye] - wordpress <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://wpscan.com/blog/unauthenticated-stored-xss-fixed-in-wordpress-core/
 	NOTE: https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/
 	NOTE: https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=57950%40%2F&new=57950%40%2F&sfp_email=&sfph_mail=#file3
@@ -50482,6 +50485,7 @@ CVE-2023-6522 (Incorrect Use of Privileged APIs vulnerability in ExtremePacs Ext
 	NOT-FOR-US: ExtremePacs Extreme XDS
 CVE-2023-5692 (WordPress Core is vulnerable to Sensitive Information Exposure in vers ...)
 	- wordpress 6.5+dfsg1-1
+	[bullseye] - wordpress <ignored> (Minor issue)
 	NOTE: https://core.trac.wordpress.org/changeset/57645
 CVE-2023-49965 (SpaceX Starlink Wi-Fi router Gen 2 before 2023.48.0 allows XSS via the ...)
 	NOT-FOR-US: SpaceX Starlink Wi-Fi router


=====================================
data/dla-needed.txt
=====================================
@@ -82,7 +82,7 @@ exim4 (Markus Koschany)
   NOTE: 20240815: Consider fixing older postponed CVEs as well (Beuc/front-desk)
   NOTE: 20240923: Currently testing the update. (apo)
 --
-ffmpeg
+ffmpeg (Markus Koschany)
   NOTE: 20240815: Added by Front-Desk (Beuc)
   NOTE: 20240815: Upgrade to 4.3.8 (same approach as DSA-5748-1) (Beuc/front-desk)
   NOTE: 20240911: Update prepared in git and tested, waiting for CI pipeline
@@ -250,9 +250,6 @@ upx-ucl
 webkit2gtk
   NOTE: 20240926: Added by Front-Desk (lamby)
 --
-wordpress (apo)
-  NOTE: 20240922: Added by Front-Desk (apo)
---
 zabbix (tobi)
   NOTE: 20240126: Added by oldstable Security Team (jmm)
   NOTE: 20240815: sync fixes from bookworm and buster



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9e5bca2c14e9b0dd85c6394f89cc905c18af083a...b484203b63cf8b2abc3d3e7504b81cc83868d94a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9e5bca2c14e9b0dd85c6394f89cc905c18af083a...b484203b63cf8b2abc3d3e7504b81cc83868d94a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20241002/761ca5bc/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list