[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Oct 29 11:22:08 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3fee93e6 by Moritz Muehlenhoff at 2024-10-29T12:21:49+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -491,6 +491,7 @@ CVE-2024-9162 (The All-in-One WP Migration and Backup plugin for WordPress is vu
 CVE-2024-50624 (ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle at ...)
 	[experimental] - kmail-account-wizard 4:24.08.0-1
 	- kmail-account-wizard <unfixed> (bug #1086198)
+	[bookworm] - kmail-account-wizard <no-dsa> (Minor issue)
 	NOTE: https://bugs.kde.org/show_bug.cgi?id=487882
 	NOTE: https://invent.kde.org/pim/kmail-account-wizard/-/commit/9784f5ab41c3aff435d4a88afb25585180a62ee4 (v24.07.80)
 CVE-2024-50623 (In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom ...)
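Review bot: the `[bookworm] - kmail-account-wizard <no-dsa> (Minor issue)` line gives no rationale beyond "Minor issue" even though the CVE description says the flaw allows a man-in-the-middle; the experimental 4:24.08.0-1 entry and the v24.07.80 upstream commit show a fix is known, so a short reason why bookworm can wait (to be fixed via point release, or why exposure is limited) would make the no-dsa easier to revisit later.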
@@ -499,20 +500,25 @@ CVE-2024-50616 (Ironman PowerShell Universal 5.x before 5.0.12 allows an authent
 	NOT-FOR-US: Ironman PowerShell Universal
 CVE-2024-50615 (TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/digit,  ...)
 	- tinyxml2 <unfixed>
+	[bookworm] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/leethomason/tinyxml2/issues/997
 CVE-2024-50614 (TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/16, tha ...)
 	- tinyxml2 <unfixed>
+	[bookworm] - tinyxml2 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/leethomason/tinyxml2/issues/996
 CVE-2024-50613 (libsndfile through 1.2.2 has a reachable assertion, that may lead to a ...)
 	- libsndfile <unfixed>
+	[bookworm] - libsndfile <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/libsndfile/libsndfile/issues/1034
 CVE-2024-50612 (libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out ...)
 	- libsndfile <unfixed>
+	[bookworm] - libsndfile <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/libsndfile/libsndfile/issues/1035
 CVE-2024-50611 (CycloneDX cdxgen through 10.10.7, when run against an untrusted codeba ...)
 	NOT-FOR-US: CycloneDX cdxgen
 CVE-2024-50610 (GSL (GNU Scientific Library) through 2.8 has an integer signedness err ...)
 	- gsl 2.8+dfsg-4 (bug #1086206)
+	[bookworm] - gsl <no-dsa> (Minor issue)
 	NOTE: https://lists.gnu.org/archive/html/bug-gsl/2024-09/msg00000.html
 CVE-2024-50307 (Use of potentially dangerous function issue exists in Chatwork Desktop ...)
 	NOT-FOR-US: Chatwork Desktop Application
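Review bot: the four `<postponed> (Minor issue, revisit when fixed upstream)` lines for tinyxml2 and libsndfile are consistent with the NOTE lines, which only reference open upstream issues (tinyxml2 #996/#997, libsndfile #1034/#1035) and no fix commit, so postponed rather than no-dsa is the right marker; once a fixing commit lands upstream, the NOTE should gain the commit URL and the bookworm state be re-evaluated. For CVE-2024-50610 the gsl entry is already fixed in 2.8+dfsg-4 while bookworm is marked no-dsa, which reads fine for a signedness error, but the justification could mention that the fix is suitable for a point release.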
@@ -1181,9 +1187,11 @@ CVE-2024-0126 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner
 	[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
 	NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470
 	- nvidia-graphics-drivers-tesla-470 <unfixed> (bug #1085974)
+	[bookworm] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
 	- nvidia-graphics-drivers-tesla 525.147.05-6 (bug #1085975)
 	NOTE: 525.147.05-6 turned the package into a metapackage to aid switching to nvidia-graphics-drivers
 	- nvidia-open-gpu-kernel-modules <unfixed> (bug #1085976)
+	[bookworm] - nvidia-open-gpu-kernel-modules <no-dsa> (Contrib not supported)
 	NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5586
 CVE-2024-48936 (SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in ...)
 	- slurm-wlm <unfixed> (bug #1086003)
@@ -1408,6 +1416,7 @@ CVE-2024-10250 (The Nioland theme for WordPress is vulnerable to Reflected Cross
 	NOT-FOR-US: WordPress theme
 CVE-2024-10041 (A vulnerability was found in PAM. The secret information is stored in  ...)
 	- pam <unfixed> (bug #1086038)
+	[bookworm] - pam <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2319212
 	NOTE: https://github.com/linux-pam/linux-pam/issues/846
 	NOTE: https://github.com/linux-pam/linux-pam/pull/686
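Review bot: for CVE-2024-10041 unstable is still `<unfixed>` (bug #1086038) and three NOTE links are listed without saying which one carries the fix; marking pull/686 (or whichever applies) as the fixing change in the NOTE would let the bookworm `<no-dsa> (Minor issue)` decision be checked against what actually changes.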
@@ -4330,13 +4339,10 @@ CVE-2024-9925 (SQL injection vulnerability in TAI Smart Factory's QPLANT SF vers
 CVE-2024-9895 (The Smart Online Order for Clover plugin for WordPress is vulnerable t ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2024-9676 (A vulnerability was found in Podman, Buildah, and CRI-O. A symlink tra ...)
-	- cri-o <itp> (bug #979702)
 	- golang-github-containers-buildah <unfixed>
 	[bookworm] - golang-github-containers-buildah <no-dsa> (Minor issue)
 	- golang-github-containers-storage 1.55.1+ds1-1
 	[bookworm] - golang-github-containers-storage <no-dsa> (Minor issue)
-	- libpod <unfixed>
-	- podman <unfixed>
 	NOTE: https://github.com/advisories/GHSA-wq2p-5pc6-wpgf
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2317467
 	NOTE: https://github.com/containers/buildah/pull/5786
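Review bot: the `- cri-o <itp>`, `- libpod <unfixed>` and `- podman <unfixed>` lines are dropped from CVE-2024-9676 without a NOTE recording why, even though the CVE description names Podman explicitly; if the reasoning is that the vulnerable code lives in golang-github-containers-storage (fixed in 1.55.1+ds1-1) and podman only consumes it, a NOTE line saying so would keep the entry self-explanatory, since the remaining NOTE links (the GHSA, the Red Hat bug and buildah PR #5786) do not state it.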


=====================================
data/dsa-needed.txt
=====================================
@@ -17,6 +17,8 @@ cacti
 frr
   coordination with the maintainer ongoing
 --
+libarchive
+--
 libreswan
   Waiting on feedback from maintainer
 --
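Review bot: the new `libarchive` entry in dsa-needed.txt has no status line, unlike the neighbouring frr ("coordination with the maintainer ongoing") and libreswan ("Waiting on feedback from maintainer") entries, and this commit touches no libarchive record in data/CVE/list; adding a line naming the CVE(s) the DSA is meant to cover, or the current state, would make the queue entry actionable for whoever picks it up.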



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3fee93e6bba5a832ec42cbb481534dfbaf7a230c


