[Git][security-tracker-team/security-tracker][master] bookworm triage

Wed Oct 23 17:02:59 BST 2024


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0334f2bf by Moritz Muehlenhoff at 2024-10-23T18:02:03+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2955,6 +2955,7 @@ CVE-2024-47876 (Sakai is a Collaboration and Learning Environment. Starting in v
 	NOT-FOR-US: Sakai
 CVE-2024-47874 (Starlette is an Asynchronous Server Gateway Interface (ASGI) framework ...)
 	- starlette 0.41.0-1 (bug #1085295)
+	[bookworm] - starlette <no-dsa> (Minor issue)
 	NOTE: https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw
 	NOTE: https://github.com/encode/starlette/commit/fd038f3070c302bff17ef7d173dbb0b007617733 (0.40.0)
 CVE-2024-47824 (matrix-react-sdk is react-based software development kit for inserting ...)
@@ -5704,6 +5705,7 @@ CVE-2023-37822 (The Eufy Homebase 2 before firmware version 3.3.4.1h creates a d
 	NOT-FOR-US: Eufy HomeBase 2 model T8010X
 CVE-2024-8508 (NLnet Labs Unbound up to and including version 1.21.0 contains a vulne ...)
 	- unbound 1.21.1-1 (bug #1083282)
+	[bookworm] - unbound <no-dsa> (Minor issue)
 	NOTE: Advisory: https://nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt
 	NOTE: Patch: https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-8508.diff
 	NOTE: Fixed by: https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259 (release-1.21.1)
@@ -7592,6 +7594,7 @@ CVE-2024-46639 (A cross-site scripting (XSS) vulnerability in HelpDeskZ v2.0.2 a
 CVE-2024-46544 (Incorrect Default Permissions vulnerability in Apache Tomcat Connector ...)
 	{DLA-3919-1}
 	- libapache-mod-jk <unfixed> (bug #1082713)
+	[bookworm] - libapache-mod-jk <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2024/09/23/1
 	NOTE: Fixed by: https://github.com/apache/tomcat-connectors/commit/d55706e92b65018c2e4c7ab14014a996b0174966 (JK_1_2_50)
 CVE-2024-46241 (PHPGurukul Dairy Farm Shop Management System v1.1 is vulnerable to Cro ...)
@@ -7808,6 +7811,7 @@ CVE-2024-8612 (A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and vir
 	NOTE: https://gitlab.com/qemu-project/qemu/-/commit/637b0aa139565cb82a7b9269e62214f87082635c
 CVE-2024-45769 (A vulnerability was found in Performance Co-Pilot (PCP). This flaw all ...)
 	- pcp 6.3.1-1
+	[bookworm] - pcp <no-dsa> (Minor issue)
 	[bullseye] - pcp <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2310452
 	NOTE: https://www.openwall.com/lists/oss-security/2024/09/20/1
@@ -7815,6 +7819,7 @@ CVE-2024-45769 (A vulnerability was found in Performance Co-Pilot (PCP). This fl
 	NOTE: Fixed by: https://github.com/performancecopilot/pcp/commit/eadb79aab46175d7a58d0fa88028408743e2a93f (6.3.1)
 CVE-2024-45770 (A vulnerability was found in Performance Co-Pilot (PCP). This flaw can ...)
 	- pcp 6.3.1-1
+	[bookworm] - pcp <no-dsa> (Minor issue)
 	[bullseye] - pcp <ignored> (Minor issue, requires root access)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2310451
 	NOTE: https://www.openwall.com/lists/oss-security/2024/09/20/1
@@ -24597,6 +24602,7 @@ CVE-2024-6643
 	REJECTED
 CVE-2024-6531 (A vulnerability has been identified in Bootstrap that exposes users to ...)
 	- twitter-bootstrap4 <unfixed> (bug #1084059)
+	[bookworm] - twitter-bootstrap4 <no-dsa> (Minor issue)
 	- twitter-bootstrap3 <not-affected> (Only affects 4.x)
 	NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6531
 CVE-2024-6528 (CWE-79: Improper Neutralization of Input During Web Page Generation (' ...)
@@ -24604,10 +24610,12 @@ CVE-2024-6528 (CWE-79: Improper Neutralization of Input During Web Page Generati
 CVE-2024-6485 (A security vulnerability has been discovered in bootstrap that could e ...)
 	- twitter-bootstrap4 <not-affected> (Only affects 3.x)
 	- twitter-bootstrap3 <unfixed> (bug #1084060)
+	[bookworm] - twitter-bootstrap3 <no-dsa> (Minor issue)
 	NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6485
 CVE-2024-6484 (A vulnerability has been identified in Bootstrap that exposes users to ...)
 	- twitter-bootstrap4 <not-affected> (Only affects 3.x)
 	- twitter-bootstrap3 <unfixed> (bug #1084060)
+	[bookworm] - twitter-bootstrap3 <no-dsa> (Minor issue)
 	NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6484
 CVE-2024-6407 (CWE-200: Information Exposure vulnerability exists that could cause di ...)
 	NOT-FOR-US: Schneider Electric


=====================================
data/dsa-needed.txt
=====================================
@@ -23,7 +23,7 @@ chromium (dilinger)
 frr
   coordination with the maintainer ongoing
 --
-libheif
+libheif (jmm)
 --
 libreswan
   Waiting on feedback from maintainer
@@ -32,6 +32,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more 6.1.y versions
 --
+nss (jmm)
+--
 opennds
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0334f2bfe7152810fb2e1b42302cd78e972c6fa2

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0334f2bfe7152810fb2e1b42302cd78e972c6fa2
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20241023/c27e3313/attachment-0001.htm>
