[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed Oct 23 17:02:59 BST 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0334f2bf by Moritz Muehlenhoff at 2024-10-23T18:02:03+02:00
bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2955,6 +2955,7 @@ CVE-2024-47876 (Sakai is a Collaboration and Learning Environment. Starting in v
NOT-FOR-US: Sakai
CVE-2024-47874 (Starlette is an Asynchronous Server Gateway Interface (ASGI) framework ...)
- starlette 0.41.0-1 (bug #1085295)
+ [bookworm] - starlette <no-dsa> (Minor issue)
NOTE: https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw
NOTE: https://github.com/encode/starlette/commit/fd038f3070c302bff17ef7d173dbb0b007617733 (0.40.0)
CVE-2024-47824 (matrix-react-sdk is react-based software development kit for inserting ...)
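Review bot: The fix for this CVE is already recorded as landing upstream in 0.40.0 (see the commit NOTE), so the bare `(Minor issue)` rationale on the new `[bookworm] - starlette <no-dsa>` line leaves open whether a bookworm point update is intended or the issue is simply not worth backporting; a few more words there, e.g. `(Minor issue; can be fixed via point release)`, would make the decision self-explanatory. Placement of the bookworm line directly after the unstable entry and before the NOTE lines matches the surrounding entries.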
@@ -5704,6 +5705,7 @@ CVE-2023-37822 (The Eufy Homebase 2 before firmware version 3.3.4.1h creates a d
NOT-FOR-US: Eufy HomeBase 2 model T8010X
CVE-2024-8508 (NLnet Labs Unbound up to and including version 1.21.0 contains a vulne ...)
- unbound 1.21.1-1 (bug #1083282)
+ [bookworm] - unbound <no-dsa> (Minor issue)
NOTE: Advisory: https://nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt
NOTE: Patch: https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-8508.diff
NOTE: Fixed by: https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259 (release-1.21.1)
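Review bot: Unbound has a standalone upstream patch (`patch_CVE-2024-8508.diff`) and a tagged fix (release-1.21.1) linked right below the new `[bookworm] - unbound <no-dsa> (Minor issue)` line, so backporting cost is not the obstacle here; the rationale should say whether the patch is queued for a point release or deliberately skipped, otherwise a later reader cannot tell why an issue with a ready-made patch got no update.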
@@ -7592,6 +7594,7 @@ CVE-2024-46639 (A cross-site scripting (XSS) vulnerability in HelpDeskZ v2.0.2 a
CVE-2024-46544 (Incorrect Default Permissions vulnerability in Apache Tomcat Connector ...)
{DLA-3919-1}
- libapache-mod-jk <unfixed> (bug #1082713)
+ [bookworm] - libapache-mod-jk <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/09/23/1
NOTE: Fixed by: https://github.com/apache/tomcat-connectors/commit/d55706e92b65018c2e4c7ab14014a996b0174966 (JK_1_2_50)
CVE-2024-46241 (PHPGurukul Dairy Farm Shop Management System v1.1 is vulnerable to Cro ...)
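Review bot: The `{DLA-3919-1}` context line shows bullseye LTS already shipped an advisory for this CVE, while this hunk marks bookworm `<no-dsa> (Minor issue)` and unstable remains `<unfixed>` (bug #1082713). Treating releases differently is legitimate, but the bookworm rationale should state the reason so the asymmetry does not read as an oversight, and the `<unfixed>` unstable entry needs revisiting once the JK_1_2_50 fix reaches the package.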
@@ -7808,6 +7811,7 @@ CVE-2024-8612 (A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and vir
NOTE: https://gitlab.com/qemu-project/qemu/-/commit/637b0aa139565cb82a7b9269e62214f87082635c
CVE-2024-45769 (A vulnerability was found in Performance Co-Pilot (PCP). This flaw all ...)
- pcp 6.3.1-1
+ [bookworm] - pcp <no-dsa> (Minor issue)
[bullseye] - pcp <not-affected> (The vulnerable code was introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2310452
NOTE: https://www.openwall.com/lists/oss-security/2024/09/20/1
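Review bot: For CVE-2024-45769 the bullseye line gives a concrete reason (`The vulnerable code was introduced later`) but the new `[bookworm] - pcp <no-dsa>` line only says `Minor issue`; stating what makes it minor for bookworm (the same style of reason used on the sibling pcp entry's bullseye line) would let the next triager verify the call without re-reading the Red Hat bug.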
@@ -7815,6 +7819,7 @@ CVE-2024-45769 (A vulnerability was found in Performance Co-Pilot (PCP). This fl
NOTE: Fixed by: https://github.com/performancecopilot/pcp/commit/eadb79aab46175d7a58d0fa88028408743e2a93f (6.3.1)
CVE-2024-45770 (A vulnerability was found in Performance Co-Pilot (PCP). This flaw can ...)
- pcp 6.3.1-1
+ [bookworm] - pcp <no-dsa> (Minor issue)
[bullseye] - pcp <ignored> (Minor issue, requires root access)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2310451
NOTE: https://www.openwall.com/lists/oss-security/2024/09/20/1
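Review bot: The bullseye entry for CVE-2024-45770 carries `(Minor issue, requires root access)` while the added bookworm line carries only `(Minor issue)`; if the root-access precondition is what justifies skipping a DSA for bookworm as well, copy it onto the bookworm line so both releases document the same reasoning.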
@@ -24597,6 +24602,7 @@ CVE-2024-6643
REJECTED
CVE-2024-6531 (A vulnerability has been identified in Bootstrap that exposes users to ...)
- twitter-bootstrap4 <unfixed> (bug #1084059)
+ [bookworm] - twitter-bootstrap4 <no-dsa> (Minor issue)
- twitter-bootstrap3 <not-affected> (Only affects 4.x)
NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6531
CVE-2024-6528 (CWE-79: Improper Neutralization of Input During Web Page Generation (' ...)
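Review bot: The new `[bookworm] - twitter-bootstrap4 <no-dsa>` line is correctly placed between the `twitter-bootstrap4` and `twitter-bootstrap3` package lines, since it qualifies the bootstrap4 entry only. Unstable is still `<unfixed>` (bug #1084059), so this bookworm decision is taken before any fixed version exists; that is fine for an issue triaged as minor, but the entry should be rechecked once a fixed upload lands.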
@@ -24604,10 +24610,12 @@ CVE-2024-6528 (CWE-79: Improper Neutralization of Input During Web Page Generati
CVE-2024-6485 (A security vulnerability has been discovered in bootstrap that could e ...)
- twitter-bootstrap4 <not-affected> (Only affects 3.x)
- twitter-bootstrap3 <unfixed> (bug #1084060)
+ [bookworm] - twitter-bootstrap3 <no-dsa> (Minor issue)
NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6485
CVE-2024-6484 (A vulnerability has been identified in Bootstrap that exposes users to ...)
- twitter-bootstrap4 <not-affected> (Only affects 3.x)
- twitter-bootstrap3 <unfixed> (bug #1084060)
+ [bookworm] - twitter-bootstrap3 <no-dsa> (Minor issue)
NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6484
CVE-2024-6407 (CWE-200: Information Exposure vulnerability exists that could cause di ...)
NOT-FOR-US: Schneider Electric
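Review bot: CVE-2024-6485 and CVE-2024-6484 receive identical triage (bug #1084060, `[bookworm] - twitter-bootstrap3 <no-dsa> (Minor issue)`), which is consistent with the two entries sharing one bug; a short NOTE saying the two CVEs are being tracked together would spare the next triager from re-deriving that. Both inserted lines follow the formatting of the surrounding entries.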
=====================================
data/dsa-needed.txt
=====================================
@@ -23,7 +23,7 @@ chromium (dilinger)
frr
coordination with the maintainer ongoing
--
-libheif
+libheif (jmm)
--
libreswan
Waiting on feedback from maintainer
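Review bot: `libheif (jmm)` assigns the entry but, unlike the neighbouring `frr` and `libreswan` entries, carries no status line beneath it; a short line such as `update in preparation` would tell other team members whether they can help or should wait.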
@@ -32,6 +32,8 @@ linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more 6.1.y versions
--
+nss (jmm)
+--
opennds
pinged maintainer, but no reply yet. should most probably be bumped to 10.x
--
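Review bot: The new `nss (jmm)` entry keeps the file's alphabetical order (between `linux` and `opennds`) and uses its own `--` separator like the other entries, but has no status or note line; naming the CVE(s) the DSA is meant to cover would let team members cross-reference data/CVE/list without asking.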
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0334f2bfe7152810fb2e1b42302cd78e972c6fa2