[Git][security-tracker-team/security-tracker][master] 8 commits: Triage CVE-2024-25622 & CVE-2024-45397 in h2o for bullseye LTS.

Chris Lamb (@lamby) lamby at debian.org
Mon Oct 21 20:20:23 BST 2024



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
910b7977 by Chris Lamb at 2024-10-21T12:20:01-07:00
Triage CVE-2024-25622 & CVE-2024-45397 in h2o for bullseye LTS.

- - - - -
cd835b00 by Chris Lamb at 2024-10-21T12:20:03-07:00
Triage CVE-2024-44082 & CVE-2024-47211 in ironic for bullseye LTS.

- - - - -
d8b99926 by Chris Lamb at 2024-10-21T12:20:04-07:00
Triage CVE-2024-48933 in lemonldap-ng for bullseye LTS.

- - - - -
11fd056c by Chris Lamb at 2024-10-21T12:20:06-07:00
Triage CVE-2023-51847 & CVE-2024-46304 in libcoap2 for bullseye LTS.

- - - - -
8fb66ed2 by Chris Lamb at 2024-10-21T12:20:07-07:00
Triage CVE-2023-32190 in mlocate for bullseye LTS.

- - - - -
964a56a6 by Chris Lamb at 2024-10-21T12:20:07-07:00
data/dla-needed.txt: Triage dmitry for bullseye LTS (CVE-2017-7938, CVE-2020-14931 & CVE-2024-31837)

- - - - -
d2390b26 by Chris Lamb at 2024-10-21T12:20:07-07:00
data/dla-needed.txt: Triage ghostscript for bullseye LTS (CVE-2024-29508)

- - - - -
8de47f8e by Chris Lamb at 2024-10-21T12:20:09-07:00
Triage CVE-2023-4806 in glibc for bullseye LTS.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1734,6 +1734,7 @@ CVE-2023-32191 (When RKE provisions a cluster, it stores the cluster state in a
 	NOT-FOR-US: SuSE RKE
 CVE-2023-32190 (mlocate's %post script allows RUN_UPDATEDB_AS user to make arbitrary f ...)
 	- mlocate <removed>
+	[bullseye] - mlocate <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1218896
 CVE-2023-32189 (Insecure handling of ssh keys used to bootstrap clients allows local a ...)
 	NOT-FOR-US: SuSE Manager
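Review bot: the CVE description in the context line is about mlocate's `%post` script, which is an RPM scriptlet, so the `[bullseye] - mlocate <postponed>` line may be claiming more than the Debian package actually exposes. Before postponing, check whether the Debian mlocate maintainer scripts carry the same RUN_UPDATEDB_AS behaviour and record the result as a NOTE on the entry (a not-affected finding would make the bullseye line unnecessary; a confirmed one justifies keeping it as is).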
@@ -2775,6 +2776,7 @@ CVE-2024-45402 (Picotls is a TLS protocol library that allows users select diffe
 CVE-2024-45397 (h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Wh ...)
 	- h2o <unfixed> (bug #1084984)
 	[bookworm] - h2o <no-dsa> (Minor issue)
+	[bullseye] - h2o <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c
 	NOTE: https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a
 CVE-2024-45396 (Quicly is an IETF QUIC protocol implementation. Quicly up to commtit d ...)
@@ -2822,6 +2824,7 @@ CVE-2024-33578 (A DLL hijack vulnerability was reported in Lenovo Leyun that cou
 CVE-2024-25622 (h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Th ...)
 	- h2o <unfixed> (bug #1084984)
 	[bookworm] - h2o <no-dsa> (Minor issue)
+	[bullseye] - h2o <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-5m7v-cj65-h6pj
 	NOTE: https://github.com/h2o/h2o/issues/3332
 	NOTE: https://github.com/h2o/h2o/commit/123f5e2b65dcdba8f7ef659a00d24bd1249141be
@@ -3244,6 +3247,7 @@ CVE-2024-48941 (The Syracom Secure Login (2FA) plugin for Jira, Confluence, and
 CVE-2024-48933 (A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.1 ...)
 	- lemonldap-ng 2.20.0+ds-1 (bug #1084979)
 	[bookworm] - lemonldap-ng <no-dsa> (Minor issue)
+	[bullseye] - lemonldap-ng <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3232
 CVE-2024-9680 (An attacker was able to achieve code execution in the content process  ...)
 	{DSA-5789-1 DSA-5788-1 DLA-3916-1 DLA-3914-1}
@@ -3464,6 +3468,7 @@ CVE-2024-46304 (A NULL pointer dereference in libcoap v4.3.5-rc2 and below allow
 	- libcoap3 <unfixed> (bug #1084981)
 	[bookworm] - libcoap3 <no-dsa> (Minor issue)
 	- libcoap2 <removed>
+	[bullseye] - libcoap2 <postponed> (Minor issue; can be fixed in next update)
 	- libcoap <removed>
 	NOTE: https://github.com/obgm/libcoap/issues/1509
 CVE-2024-46292 (A buffer overflow in modsecurity v3.0.12 allows attackers to cause a D ...)
@@ -4586,6 +4591,7 @@ CVE-2024-47651 (This vulnerability exists in Shilpi Client Dashboard due to impr
 CVE-2024-47211 (In OpenStack Ironic before 21.4.4, 22.x and 23.x before 23.0.3, 23.x a ...)
 	- ironic 1:26.1.0-1
 	[bookworm] - ironic <no-dsa> (Minor issue)
+	[bullseye] - ironic <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://security.openstack.org/ossa/OSSA-2024-004.html
 CVE-2024-47183 (Parse Server is an open source backend that can be deployed to any inf ...)
 	NOT-FOR-US: Parse Server
@@ -10994,6 +11000,7 @@ CVE-2024-20439 (A vulnerability in Cisco Smart Licensing Utility could allow an
 CVE-2024-44082 (In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13. ...)
 	- ironic 1:26.1.0-1
 	[bookworm] - ironic <no-dsa> (Minor issue)
+	[bullseye] - ironic <postponed> (Minor issue; can be fixed in next update)
 	- ironic-python-agent 9.14.0-1
 	NOTE: https://www.openwall.com/lists/oss-security/2024/09/04/4
 	NOTE: https://bugs.launchpad.net/ironic/+bug/2071740
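Review bot: the `[bullseye]` annotation is added only for `ironic`, although the same entry lists `ironic-python-agent 9.14.0-1` as a second affected source package. If ironic-python-agent is shipped in bullseye it needs its own `[bullseye] - ironic-python-agent ...` line (or a NOTE saying why none is needed); otherwise the tracker derives its bullseye status for that package from the version comparison alone and the triage is only half recorded.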
@@ -33083,6 +33090,7 @@ CVE-2023-51847 (An issue in obgm and Libcoap v.a3ed466 allows a remote attacker
 	- libcoap3 <unfixed> (bug #1084981)
 	[bookworm] - libcoap3 <no-dsa> (Minor issue)
 	- libcoap2 <removed>
+	[bullseye] - libcoap2 <postponed> (Minor issue; can be fixed in next update)
 	- libcoap <removed>
 	NOTE: https://github.com/obgm/libcoap/issues/1302
 	NOTE: https://github.com/obgm/libcoap/pull/1303
@@ -98295,7 +98303,7 @@ CVE-2023-4813 (A flaw was found in glibc. In an uncommon situation, the gaih_ine
 CVE-2023-4806 (A flaw was found in glibc. In an extremely rare situation, the getaddr ...)
 	- glibc 2.37-10
 	[bookworm] - glibc 2.36-9+deb12u3
-	[bullseye] - glibc <no-dsa> (Minor issue)
+	[bullseye] - glibc <ignored> (Minor issue)
 	[buster] - glibc <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30843
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=973fe93a5675c42798b2161c6f29c01b0e243994
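Review bot: the bullseye tag moves from `<no-dsa>` to `<ignored>` but keeps the identical `(Minor issue)` rationale. `<ignored>` is the stronger statement (the issue will not be fixed in that release at all), so the parenthesised reason should say why it is not worth fixing there rather than reuse the no-dsa wording, for example that the "extremely rare situation" from the description is not considered reachable in the bullseye glibc or that the fix is too intrusive for LTS; the commit message only says "Triage", so the reasoning has to live in the entry itself.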


=====================================
data/dla-needed.txt
=====================================
@@ -45,6 +45,10 @@ ckeditor
   NOTE: 20241002: Added by Front-Desk (Beuc)
   NOTE: 20241002: Multiple CVEs have been piling up (Beuc/front-desk)
 --
+dmitry
+  NOTE: 20241021: Added by Front-Desk (lamby)
+  NOTE: 20241021: Sync with stable (lamby)
+--
 dnsmasq
   NOTE: 20240313: Added by oldstable Security Team (jmm)
   NOTE: 20240802: CVE-2023-28450 is trivial to fix, however CVE-2023-50387 and CVE-2023-50868
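Review bot: the new `dmitry` entry records only "Sync with stable" although the commit message names the three CVEs involved (CVE-2017-7938, CVE-2020-14931 and CVE-2024-31837). Listing them in the NOTE saves whoever claims the entry a search through data/CVE/list, e.g. `NOTE: 20241021: Sync with stable: CVE-2017-7938, CVE-2020-14931, CVE-2024-31837 (lamby)`.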
@@ -85,6 +89,10 @@ freeimage (santiago)
   NOTE: 20240922: Added by Front-Desk (apo)
   NOTE: 20240922: Many postponed CVE.
 --
+ghostscript
+  NOTE: 20241021: Added by Front-Desk (lamby)
+  NOTE: 20241021: Sync with stable (lamby)
+--
 glewlwyd
   NOTE: 20240815: Added by Front-Desk (Beuc)
   NOTE: 20240815: A couple minor issues could be sync'd from bookworm, and a few postponed, but this can wait.
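Review bot: same point as for dmitry: the `ghostscript` entry says only "Sync with stable" while the commit message identifies the CVE to be synced (CVE-2024-29508); put the id in the NOTE so the entry is self-describing, e.g. `NOTE: 20241021: Sync with stable: CVE-2024-29508 (lamby)`.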



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/397a84d5b50daaca44e8bef0a5c3dd6744c8eefb...8de47f8e70530d9a9ac4e15ce618e4f8dec05c04


