[Git][security-tracker-team/security-tracker][master] triage for older issues
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Oct 29 20:01:40 GMT 2024
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
97f58a9a by Moritz Muehlenhoff at 2024-10-29T20:59:49+01:00
triage for older issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -74,7 +74,7 @@ CVE-2024-10458
CVE-2024-9632
- xorg-server <unfixed> (bug #1086244)
- xwayland <unfixed> (bug #1086245)
- [bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
+ [bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/85b776571487f52e756f68a069c768757369bfe3
NOTE: https://lists.freedesktop.org/archives/xorg-announce/2024-October/003545.html
CVE-2024-45477
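Review bot: the `[bookworm] - xwayland <ignored>` line leaves xorg-server without any bookworm tag, so xorg-server stays open for a DSA in bookworm while xwayland will never be fixed there; that matches the root-privilege rationale but is worth confirming, because both packages are still `<unfixed>` in sid with open bugs #1086244 and #1086245, and `<ignored>` only covers the release line, not those bugs.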
@@ -47473,12 +47473,10 @@ CVE-2024-4492 (A vulnerability, which was classified as critical, has been found
CVE-2024-4491 (A vulnerability classified as critical was found in Tenda i21 1.0.0.14 ...)
NOT-FOR-US: Tenda
CVE-2024-34490 (In Maxima through 5.47.0 before 51704c, the plotting facilities make u ...)
- - maxima 5.47.0-1 (bug #1071630)
- [bookworm] - maxima <no-dsa> (Minor issue)
- [bullseye] - maxima <no-dsa> (Minor issue)
- [buster] - maxima <postponed> (Minor issue)
+ - maxima 5.47.0-1 (bug #1071630; unimportant)
NOTE: https://sourceforge.net/p/maxima/bugs/3755/
NOTE: https://sourceforge.net/p/maxima/code/ci/51704ccb090f6f971b641e4e0b7c1c22c4828bf7/
+ NOTE: Neutralised by kernel hardening
CVE-2024-34489 (OFPHello in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause ...)
NOT-FOR-US: Faucet SDN Ryu
CVE-2024-34488 (OFPMultipartReply in parser.py in Faucet SDN Ryu 4.34 allows attackers ...)
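Review bot: the added `NOTE: Neutralised by kernel hardening` does not say which hardening setting is relied on, so a later triager cannot check whether the assumption still holds on a given kernel or container configuration; suggest naming the specific setting. Since `- maxima 5.47.0-1 (bug #1071630; unimportant)` also drops the three per-release tags, the severity now rests entirely on that unnamed mitigation.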
@@ -47947,7 +47945,7 @@ CVE-2024-31673 (Kliqqi-CMS 2.0.2 is vulnerable to SQL Injection in load_data.php
NOT-FOR-US: Kliqqi-CMS
CVE-2024-31636 (An issue in LIEF v.0.14.1 allows a local attacker to obtain sensitive ...)
- lief <unfixed> (bug #1071743)
- [bookworm] - lief <no-dsa> (Minor issue)
+ [bookworm] - lief <ignored> (Minor issue)
[bullseye] - lief <no-dsa> (Minor issue)
[buster] - lief <postponed> (Minor issue)
NOTE: https://github.com/lief-project/LIEF/issues/1038
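Review bot: after this hunk CVE-2024-31636 carries three different tags for the same `Minor issue` rationale (bookworm `<ignored>`, bullseye `<no-dsa>`, buster `<postponed>`); if bullseye and buster are intentionally left to the LTS team that is fine, but the bookworm parenthetical should say why the issue will not be fixed there rather than only that it is minor, since `<ignored>` is a stronger statement than `<no-dsa>`.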
@@ -58065,18 +58063,15 @@ CVE-2024-3347 (A vulnerability was found in SourceCodester Airline Ticket Reserv
CVE-2024-3346 (A vulnerability was found in Byzoro Smart S80 up to 20240328. It has b ...)
NOT-FOR-US: Byzro Smart S80
CVE-2024-31852 (LLVM before 18.1.3 generates code in which the LR register can be over ...)
- - llvm-toolchain-14 <unfixed> (bug #1070384)
- [bookworm] - llvm-toolchain-14 <no-dsa> (Minor issue)
- - llvm-toolchain-15 <removed> (bug #1070383)
- [bookworm] - llvm-toolchain-15 <no-dsa> (Minor issue)
- - llvm-toolchain-16 <unfixed> (bug #1070382)
- [bookworm] - llvm-toolchain-16 <no-dsa> (Minor issue)
- [bullseye] - llvm-toolchain-16 <no-dsa> (Minor issue)
- - llvm-toolchain-17 <unfixed> (bug #1070381)
- - llvm-toolchain-18 1:18.1.3-1 (bug #1070380)
+ - llvm-toolchain-14 <unfixed> (bug #1070384; unimportant)
+ - llvm-toolchain-15 <removed> (bug #1070383; unimportant)
+ - llvm-toolchain-16 <unfixed> (bug #1070382; unimportant)
+ - llvm-toolchain-17 <unfixed> (bug #1070381; unimportant)
+ - llvm-toolchain-18 1:18.1.3-1 (bug #1070380; unimportant)
NOTE: https://github.com/llvm/llvm-project/issues/80287
NOTE: https://bugs.chromium.org/p/llvm/issues/detail?id=69
NOTE: https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2
+ NOTE: Negligible security impact
CVE-2024-31851 (A path traversal vulnerability exists in the Java version of CData Syn ...)
NOT-FOR-US: CData
CVE-2024-31850 (A path traversal vulnerability exists in the Java version of CData Arc ...)
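Review bot: the added `NOTE: Negligible security impact` restates the `unimportant` tag without giving the reason; a one-line justification (what conditions the generated code has to meet) would let later triagers verify it instead of re-deriving it from issue 80287. The rewrite also drops `[bullseye] - llvm-toolchain-16 <no-dsa> (Minor issue)` together with the bookworm lines, which is the expected effect of a global `unimportant` but is not visible from the commit message "triage for older issues"; worth a mention there.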
@@ -59431,7 +59426,7 @@ CVE-2024-31083 (A use-after-free vulnerability was found in the ProcRenderAddGly
{DSA-5657-1 DLA-3787-1}
- xorg-server 2:21.1.11-3
- xwayland 2:23.2.6-1
- [bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
+ [bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bdca6c3d1f5057eeb31609b1280fc93237b00c77
NOTE: https://lists.x.org/archives/xorg-announce/2024-April/003497.html
NOTE: Followup to fix regression: https://gitlab.freedesktop.org/xorg/xserver/-/commit/337d8d48b618d4fc0168a7b978be4c3447650b04
@@ -59446,14 +59441,14 @@ CVE-2024-31081 (A heap-based buffer over-read vulnerability was found in the X.o
{DSA-5657-1 DLA-3787-1}
- xorg-server 2:21.1.11-3
- xwayland 2:23.2.6-1
- [bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
+ [bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/3e77295f888c67fc7645db5d0c00926a29ffecee
NOTE: https://lists.x.org/archives/xorg-announce/2024-April/003497.html
CVE-2024-31080 (A heap-based buffer over-read vulnerability was found in the X.org ser ...)
{DSA-5657-1 DLA-3787-1}
- xorg-server 2:21.1.11-3
- xwayland 2:23.2.6-1
- [bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
+ [bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/96798fc1967491c80a4d0c8d9e0a80586cb2152b
NOTE: https://lists.x.org/archives/xorg-announce/2024-April/003497.html
CVE-2024-27983 (An attacker can make the Node.js HTTP/2 server completely unavailable ...)
@@ -78713,21 +78708,21 @@ CVE-2024-0408 (A flaw was found in the X.Org server. The GLX PBuffer code does n
{DSA-5603-1 DLA-3721-1}
- xorg-server 2:21.1.11-1
- xwayland 2:23.2.4-1
- [bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
+ [bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/e5e8586a12a3ec915673edffa10dc8fe5e15dac3
CVE-2024-0409 (A flaw was found in the X.Org server. The cursor code in both Xephyr a ...)
{DSA-5603-1 DLA-3721-1}
- xorg-server 2:21.1.11-1
- xwayland 2:23.2.4-1
- [bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
+ [bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7
CVE-2024-21886 (A heap buffer overflow flaw was found in the DisableDevice function in ...)
{DSA-5603-1 DLA-3721-1}
- xorg-server 2:21.1.11-1
- xwayland 2:23.2.4-1
- [bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
+ [bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8
@@ -78736,14 +78731,14 @@ CVE-2024-21885 (A flaw was found in X.Org server. In the XISendDeviceHierarchyEv
{DSA-5603-1 DLA-3721-1}
- xorg-server 2:21.1.11-1
- xwayland 2:23.2.4-1
- [bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
+ [bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1
CVE-2024-0229 (An out-of-bounds memory access flaw was found in the X.Org server. Thi ...)
{DSA-5603-1 DLA-3721-1}
- xorg-server 2:21.1.11-1
- xwayland 2:23.2.4-1
- [bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
+ [bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/219c54b8a3337456ce5270ded6a67bcde53553d5
@@ -78752,7 +78747,7 @@ CVE-2023-6816 (A flaw was found in X.Org server. Both DeviceFocusEvent and the X
{DSA-5603-1 DLA-3721-1}
- xorg-server 2:21.1.11-1
- xwayland 2:23.2.4-1
- [bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
+ [bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3
CVE-2024-22428 (Dell iDRAC Service Module, versions 5.2.0.0 and prior, contain an Inco ...)
@@ -93787,14 +93782,14 @@ CVE-2023-6478 (A flaw was found in xorg-server. A specially crafted request to R
{DSA-5576-1 DLA-3686-1}
- xorg-server 2:21.1.10-1
- xwayland 2:23.2.3-1
- [bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
+ [bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg-announce/2023-December/003435.html
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/14f480010a93ff962fef66a16412fafff81ad632
CVE-2023-6377 (A flaw was found in xorg-server. Querying or changing XKB button actio ...)
{DSA-5576-2 DSA-5576-1 DLA-3686-2 DLA-3686-1}
- xorg-server 2:21.1.10-1
- xwayland 2:23.2.3-1
- [bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
+ [bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg-announce/2023-December/003435.html
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
CVE-2023-5574 (A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue oc ...)
@@ -93813,7 +93808,7 @@ CVE-2023-5367 (A out-of-bounds write flaw was found in the xorg-x11-server. This
{DSA-5534-1 DLA-3631-1}
- xorg-server 2:21.1.9-1
- xwayland 2:23.2.2-1
- [bookworm] - xwayland <no-dsa> (Minor issue; Xwayland shouldn't be running as root)
+ [bookworm] - xwayland <ignored> (Minor issue; Xwayland shouldn't be running as root)
NOTE: https://lists.x.org/archives/xorg-announce/2023-October/003430.html
NOTE: Fixed by: https://gitlab.freedesktop.org/xorg/xserver/-/commit/541ab2ecd41d4d8689e71855d93e492bc554719a
CVE-2023-5472 (Use after free in Profiles in Google Chrome prior to 118.0.5993.117 al ...)
@@ -112850,7 +112845,7 @@ CVE-2023-34624 (An issue was discovered htmlcleaner thru = 2.28 allows attackers
NOTE: https://github.com/amplafi/htmlcleaner/issues/13
CVE-2023-34623 (An issue was discovered jtidy thru r938 allows attackers to cause a de ...)
- jtidy <unfixed> (bug #1038663)
- [bookworm] - jtidy <no-dsa> (Minor issue)
+ [bookworm] - jtidy <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - jtidy <no-dsa> (Minor issue)
[buster] - jtidy <postponed> (Minor issue, DoS)
NOTE: https://github.com/trajano/jtidy/issues/4
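Review bot: bookworm moves to `<postponed> (Minor issue, revisit when fixed upstream)` while bullseye keeps `<no-dsa> (Minor issue)` and buster keeps `<postponed> (Minor issue, DoS)`, so one unfixed issue now has three wordings across releases; suggest aligning the rationale text (the buster line already records `DoS`, which the bookworm line could carry too) so the revisit trigger, the upstream issue trajano/jtidy#4, reads the same for every release.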
@@ -124917,7 +124912,7 @@ CVE-2023-28756 (A ReDoS issue was discovered in the Time component through 0.2.1
- ruby2.5 <removed>
[experimental] - jruby 9.4.3.0+ds-1~exp1
- jruby 9.4.5.0+ds-1 (bug #1036283)
- [bookworm] - jruby <no-dsa> (Minor issue)
+ [bookworm] - jruby <ignored> (Minor issue)
NOTE: Fixed by: https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e (v3_1_4)
NOTE: Fixed by: https://github.com/ruby/time/commit/b57db51f577875d3e896dcd2ef1dcaf97f23e943 (v0.2.2)
NOTE: Fixed by: https://github.com/ruby/time/commit/3dce6f73d14f5fad6d9b302393fd02df48797b11 (v0.2.2)
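Review bot: the bookworm tag for jruby changes from `<no-dsa>` to `<ignored>` but the parenthetical stays `(Minor issue)`, which was the justification for no-dsa; `<ignored>` means the fix in 9.4.5.0+ds-1 will not be brought to bookworm at all, so the line should state the reason the backport is not planned rather than keep the weaker rationale. The same applies to the CVE-2023-28755 hunk below.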
@@ -124934,7 +124929,7 @@ CVE-2023-28755 (A ReDoS issue was discovered in the URI component through 0.12.0
- ruby2.5 <removed>
[experimental] - jruby 9.4.3.0+ds-1~exp1
- jruby 9.4.5.0+ds-1 (bug #1036283)
- [bookworm] - jruby <no-dsa> (Minor issue)
+ [bookworm] - jruby <ignored> (Minor issue)
NOTE: Fixed by: https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300 (v3_1_4)
NOTE: Fixed by: https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d0b58ea9dc38892d175 (v0.12.1)
NOTE: https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97f58a9a7d0df0fd03707c6bc0c43cbf8997357d