[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Oct 23 10:02:05 BST 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5816881c by Moritz Muehlenhoff at 2024-10-23T11:01:45+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1783,6 +1783,7 @@ CVE-2024-10195 (A vulnerability was found in Tecno 4G Portable WiFi TR118 V008-2
 	NOT-FOR-US: Tecno 4G Portable WiFi TR118
 CVE-2024-XXXX [XSS Vulnerability in matrix.pl]
 	- dbeacon 0.4.0-3 (bug #1031542)
+	[bookworm] - dbeacon <no-dsa> (Minor issue)
 CVE-2024-49631 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-49630 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
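Review bot: the entry being tagged here still carries the placeholder ID `CVE-2024-XXXX [XSS Vulnerability in matrix.pl]`; the added `[bookworm] - dbeacon <no-dsa> (Minor issue)` line is consistent with the sid fix in 0.4.0-3, but the placeholder should be replaced with the assigned CVE once it exists so the bookworm triage state is attached to an entry that advisories and users can actually match.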
@@ -2489,16 +2490,19 @@ CVE-2024-47637 (: Relative Path Traversal vulnerability in LiteSpeed Technologie
 	NOT-FOR-US: WordPress plugin
 CVE-2024-47522 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...)
 	- suricata 1:7.0.7-1
+	[bookworm] - suricata <no-dsa> (Minor issue)
 	NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-w5xv-6586-jpm7
 	NOTE: https://redmine.openinfosecfoundation.org/issues/7267
 CVE-2024-47351 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-47188 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...)
 	- suricata 1:7.0.7-1
+	[bookworm] - suricata <no-dsa> (Minor issue)
 	NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-qq5v-qcjx-f872
 	NOTE: https://redmine.openinfosecfoundation.org/issues/7289
 CVE-2024-47187 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...)
 	- suricata 1:7.0.7-1
+	[bookworm] - suricata <no-dsa> (Minor issue)
 	NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-64ww-4f6x-863p
 	NOTE: https://redmine.openinfosecfoundation.org/issues/7209
 CVE-2024-47139 (A stored cross-site scripting (XSS) vulnerability exists in an undiscl ...)
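Review bot: the three Suricata entries (CVE-2024-47522, CVE-2024-47188, CVE-2024-47187) each get an identical `[bookworm] - suricata <no-dsa> (Minor issue)` with no note on whether the bookworm build shares the affected code; each entry links a GHSA advisory and a Redmine issue, so a one-word pointer to the affected version range in those advisories (or `<not-affected>` with a reason, if bookworm's branch predates the code) would make the "Minor issue" rationale verifiable rather than assumed.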
@@ -2511,14 +2515,17 @@ CVE-2024-45844 (BIG-IP monitor functionality may allow an attacker to bypass acc
 	NOT-FOR-US: BIG-IP
 CVE-2024-45797 (LibHTP is a security-aware parser for the HTTP protocol and the relate ...)
 	- libhtp 1:0.5.49-1
+	[bookworm] - libhtp <no-dsa> (Minor issue)
 	NOTE: https://github.com/OISF/libhtp/security/advisories/GHSA-rqqp-24ch-248f
 	NOTE: https://redmine.openinfosecfoundation.org/issues/7191
 CVE-2024-45796 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...)
 	- suricata 1:7.0.7-1
+	[bookworm] - suricata <no-dsa> (Minor issue)
 	NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-mf6r-3xp2-v7xg
 	NOTE: https://redmine.openinfosecfoundation.org/issues/7067
 CVE-2024-45795 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...)
 	- suricata 1:7.0.7-1
+	[bookworm] - suricata <no-dsa> (Minor issue)
 	NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-6r8w-fpw6-cp9g
 	NOTE: https://redmine.openinfosecfoundation.org/issues/7195
 CVE-2024-45072 (IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML E ...)
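Review bot: CVE-2024-45797 (libhtp) and CVE-2024-45796/CVE-2024-45795 (suricata) are triaged in the same hunk with the same `<no-dsa> (Minor issue)` tag; since LibHTP is the HTTP parser Suricata uses (as the CVE-2024-45797 description states), a future bookworm point update for suricata should be planned together with libhtp, and it would help to record that coupling in a NOTE on one of the two entries so the updates are not shipped independently.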
@@ -2885,7 +2892,9 @@ CVE-2024-9895 (The Smart Online Order for Clover plugin for WordPress is vulnera
 CVE-2024-9676 (A vulnerability was found in Podman, Buildah, and CRI-O. A symlink tra ...)
 	- cri-o <itp> (bug #979702)
 	- golang-github-containers-buildah <unfixed>
+	[bookworm] - golang-github-containers-buildah <no-dsa> (Minor issue)
 	- golang-github-containers-storage 1.55.1+ds1-1
+	[bookworm] - golang-github-containers-storage <no-dsa> (Minor issue)
 	- libpod <unfixed>
 	- podman <unfixed>
 	NOTE: https://github.com/advisories/GHSA-wq2p-5pc6-wpgf
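Review bot: for CVE-2024-9676 only `golang-github-containers-buildah` and `golang-github-containers-storage` receive a `[bookworm] ... <no-dsa> (Minor issue)` line, while `libpod <unfixed>` and `podman <unfixed>` get no bookworm tag at all, so those two still show as open for bookworm after this commit; either add matching `[bookworm]` lines for libpod and podman or note why their triage differs (cri-o is `<itp>` and needs nothing).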
@@ -2913,6 +2922,7 @@ CVE-2024-49195 (Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun
 	NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-10-1/
 CVE-2024-48948 (The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementatio ...)
 	- node-elliptic <unfixed> (bug #1085298)
+	[bookworm] - node-elliptic <no-dsa> (Minor issue)
 	NOTE: https://github.com/indutny/elliptic/issues/321
 	NOTE: https://github.com/indutny/elliptic/pull/322
 CVE-2024-48915 (Agent Dart is an agent library built for Internet Computer for Dart an ...)
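Review bot: CVE-2024-48948 is tagged `<no-dsa> (Minor issue)` for bookworm while sid is still `<unfixed>` (bug #1085298) and the NOTE lines point only at issue 321 and pull request 322; no fixed upstream version or merged fix commit is recorded, so add that once it exists, both to close the sid entry and so a bookworm point update has something concrete to cherry-pick for an ECDSA verification bug.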
@@ -2971,6 +2981,7 @@ CVE-2024-45271 (An unauthenticated local attacker can gain admin privileges by d
 	NOT-FOR-US: MB connect line GmbH
 CVE-2024-44337 (The package `github.com/gomarkdown/markdown` is a Go library for parsi ...)
 	- golang-github-gomarkdown-markdown <unfixed> (bug #1085377)
+	[bookworm] - golang-github-gomarkdown-markdown <no-dsa> (Minor issue)
 	NOTE: https://github.com/Brinmon/CVE-2024-44337
 	NOTE: https://github.com/gomarkdown/markdown/commit/a2a9c4f76ef5a5c32108e36f7c47f8d310322252
 CVE-2024-41344 (A Cross-Site Request Forgery (CSRF) in Codeigniter 3.1.13 allows attac ...)
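Review bot: the CVE-2024-44337 entry records the upstream fix commit a2a9c4f76ef5a5c32108e36f7c47f8d310322252 but not the release that contains it; annotating the commit with the tagged version, as the libarchive entries in this file do with `(v3.7.5)`, would let the bookworm `<no-dsa>` decision be revisited against a concrete version rather than a bare commit hash. The first NOTE also links a third-party PoC repository; if that is the only reference that describes the bug, say so, otherwise the upstream issue is the better primary reference.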
@@ -4087,11 +4098,13 @@ CVE-2024-6747 (Information leakage in mknotifyd in Checkmk before 2.3.0p18, 2.2.
 	- check-mk <removed>
 CVE-2024-48958 (execute_filter_delta in archive_read_support_format_rar.c in libarchiv ...)
 	- libarchive <unfixed> (bug #1084978)
+	[bookworm] - libarchive <no-dsa> (Minor issue)
 	[bullseye] - libarchive <not-affected> (RAR filter support introduced in 3.6.0)
 	NOTE: https://github.com/libarchive/libarchive/pull/2148
 	NOTE: https://github.com/libarchive/libarchive/commit/a1cb648d52f5b6d3f31184d9b6a7cbca628459b7 (v3.7.5)
 CVE-2024-48957 (execute_filter_audio in archive_read_support_format_rar.c in libarchiv ...)
 	- libarchive <unfixed> (bug #1084978)
+	[bookworm] - libarchive <no-dsa> (Minor issue)
 	[bullseye] - libarchive <not-affected> (RAR filter support introduced in 3.6.0)
 	NOTE: https://github.com/libarchive/libarchive/pull/2149
 	NOTE: https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b (v3.7.5)
@@ -5617,6 +5630,7 @@ CVE-2024-47561 (Schema parsing in the Java SDK of Apache Avro 1.11.3 and previou
 	NOT-FOR-US: Apache Avro
 CVE-2024-47554 (Uncontrolled Resource Consumption vulnerability in Apache Commons IO.  ...)
 	- commons-io 2.16.0-1
+	[bookworm] - commons-io <no-dsa> (Minor issue)
 	NOTE: https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1
 CVE-2024-45872 (Bandisoft BandiView 7.05 is vulnerable to Buffer Overflow via sub_0x41 ...)
 	NOT-FOR-US: Bandisoft BandiView
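Review bot: CVE-2024-47554 lists the sid fix as commons-io 2.16.0-1 but the only NOTE is an apache.org mailing-list thread; no fixed upstream version or fix commit is recorded, so a bookworm backport for this `<no-dsa>` entry would have to rediscover the patch. Add the upstream release or commit reference from the advisory thread to the NOTE.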
@@ -21629,6 +21643,7 @@ CVE-2024-41110 (Moby is an open-source project created by Docker for software co
 	{DLA-3918-1}
 	[experimental] - docker.io 26.1.5+dfsg1-1
 	- docker.io 26.1.5+dfsg1-2
+	[bookworm] - docker.io <no-dsa> (Minor issue, will be fixed via spu)
 	NOTE: https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq
 	NOTE: https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/
 	NOTE: 20.10 branch: fixed by https://github.com/moby/moby/commit/88c4b7690840044ce15489699294ec7c5dadf5dd
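Review bot: CVE-2024-41110 already has a DLA (`{DLA-3918-1}`) for bullseye, yet bookworm is tagged `<no-dsa> (Minor issue, will be fixed via spu)`; an authz-plugin bypass that warranted a DLA for the older release reads inconsistently as "Minor issue" for the newer one. Either drop "Minor issue" and keep only "will be fixed via spu", or add a NOTE explaining why bookworm's docker.io is considered less exposed, so the two release decisions do not appear to contradict each other.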


=====================================
data/dsa-needed.txt
=====================================
@@ -16,6 +16,8 @@ activemq
   Santiago started to work on an update for bookworm
   https://lists.debian.org/debian-lts/2024/10/msg00014.html
 --
+cacti
+--
 chromium (dilinger)
 --
 frr
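Review bot: the new `cacti` entry in dsa-needed.txt is bare, with no assignee and no status note, unlike neighbouring entries such as activemq which record who is working on it and a reference; add at least a pointer to the CVE entries that triggered the DSA-needed decision so whoever picks it up knows the scope.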
@@ -33,7 +35,7 @@ linux (carnil)
 opennds
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
-python-aiohttp
+python-aiohttp (jmm)
 --
 ring
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5816881c5292722a2d5ee4defb176c03a11a2cbe
