[Git][security-tracker-team/security-tracker][master] 5 commits: Triage CVE-2024-47554 in commons-io for bullseye LTS.

Chris Lamb (@lamby) lamby at debian.org
Wed Oct 23 18:03:56 BST 2024 


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6aec8999 by Chris Lamb at 2024-10-23T10:02:10-07:00
Triage CVE-2024-47554 in commons-io for bullseye LTS.

- - - - -
0df8498a by Chris Lamb at 2024-10-23T10:02:26-07:00
Triage CVE-2024-48948 in node-elliptic for bullseye LTS.

- - - - -
2484a8ba by Chris Lamb at 2024-10-23T10:02:50-07:00
Triage CVE-2024-47874 in starlette for bullseye LTS.

- - - - -
a9bcbc99 by Chris Lamb at 2024-10-23T10:03:14-07:00
Triage CVE-2024-6484 & CVE-2024-6485 in twitter-bootstrap3 for bullseye LTS.

- - - - -
cf64bf1f by Chris Lamb at 2024-10-23T10:03:36-07:00
Triage CVE-2024-6531 in twitter-bootstrap4 for bullseye LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2921,6 +2921,7 @@ CVE-2024-49195 (Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun
 CVE-2024-48948 (The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementatio ...)
 	- node-elliptic <unfixed> (bug #1085298)
 	[bookworm] - node-elliptic <no-dsa> (Minor issue)
+	[bullseye] - node-elliptic <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/indutny/elliptic/issues/321
 	NOTE: https://github.com/indutny/elliptic/pull/322
 CVE-2024-48915 (Agent Dart is an agent library built for Internet Computer for Dart an ...)
@@ -2956,6 +2957,7 @@ CVE-2024-47876 (Sakai is a Collaboration and Learning Environment. Starting in v
 CVE-2024-47874 (Starlette is an Asynchronous Server Gateway Interface (ASGI) framework ...)
 	- starlette 0.41.0-1 (bug #1085295)
 	[bookworm] - starlette <no-dsa> (Minor issue)
+	[bullseye] - starlette <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw
 	NOTE: https://github.com/encode/starlette/commit/fd038f3070c302bff17ef7d173dbb0b007617733 (0.40.0)
 CVE-2024-47824 (matrix-react-sdk is react-based software development kit for inserting ...)
@@ -5630,6 +5632,7 @@ CVE-2024-47561 (Schema parsing in the Java SDK of Apache Avro 1.11.3 and previou
 CVE-2024-47554 (Uncontrolled Resource Consumption vulnerability in Apache Commons IO.  ...)
 	- commons-io 2.16.0-1
 	[bookworm] - commons-io <no-dsa> (Minor issue)
+	[bullseye] - commons-io <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1
 CVE-2024-45872 (Bandisoft BandiView 7.05 is vulnerable to Buffer Overflow via sub_0x41 ...)
 	NOT-FOR-US: Bandisoft BandiView
@@ -24603,6 +24606,7 @@ CVE-2024-6643
 CVE-2024-6531 (A vulnerability has been identified in Bootstrap that exposes users to ...)
 	- twitter-bootstrap4 <unfixed> (bug #1084059)
 	[bookworm] - twitter-bootstrap4 <no-dsa> (Minor issue)
+	[bullseye] - twitter-bootstrap4 <postponed> (Minor issue; can be fixed in next update)
 	- twitter-bootstrap3 <not-affected> (Only affects 4.x)
 	NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6531
 CVE-2024-6528 (CWE-79: Improper Neutralization of Input During Web Page Generation (' ...)
@@ -24611,11 +24615,13 @@ CVE-2024-6485 (A security vulnerability has been discovered in bootstrap that co
 	- twitter-bootstrap4 <not-affected> (Only affects 3.x)
 	- twitter-bootstrap3 <unfixed> (bug #1084060)
 	[bookworm] - twitter-bootstrap3 <no-dsa> (Minor issue)
+	[bullseye] - twitter-bootstrap3 <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6485
 CVE-2024-6484 (A vulnerability has been identified in Bootstrap that exposes users to ...)
 	- twitter-bootstrap4 <not-affected> (Only affects 3.x)
 	- twitter-bootstrap3 <unfixed> (bug #1084060)
 	[bookworm] - twitter-bootstrap3 <no-dsa> (Minor issue)
+	[bullseye] - twitter-bootstrap3 <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6484
 CVE-2024-6407 (CWE-200: Information Exposure vulnerability exists that could cause di ...)
 	NOT-FOR-US: Schneider Electric



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b4c9ecf77c1c61a7846f3df5e3f9b9d72dd5e3a8...cf64bf1f915796d13419c037e0fbef48b92c587e

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b4c9ecf77c1c61a7846f3df5e3f9b9d72dd5e3a8...cf64bf1f915796d13419c037e0fbef48b92c587e
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20241023/9825eb36/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list