[Git][security-tracker-team/security-tracker][master] triage of older issues

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed Oct 30 15:34:15 GMT 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6699b3e6 by Moritz Muehlenhoff at 2024-10-30T16:33:06+01:00
triage of older issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -88843,11 +88843,12 @@ CVE-2023-5620 (The Web Push Notifications WordPress plugin before 4.35.0 does no
 	NOT-FOR-US: WordPress plugin
 CVE-2023-5616 [gnome-control-center incorrectly claims remote login is off]
 	- gnome-control-center <unfixed> (bug #1058624)
-	[bookworm] - gnome-control-center <no-dsa> (Minor issue)
+	[bookworm] - gnome-control-center <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - gnome-control-center <no-dsa> (Minor issue)
 	[buster] - gnome-control-center <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/2039577
-	NOTE: https://gitlab.gnome.org/GNOME/gnome-control-center/-/merge_requests/2092
+	NOTE: https://gitlab.gnome.org/GNOME/gnome-control-center/-/merge_requests/2462
+	NOTE: https://gitlab.gnome.org/GNOME/gnome-control-center/-/merge_requests/2092 (abandoned)
 	NOTE: TODO: check, potentially same incorrect checking of service and socket status in budgie-control-center
 CVE-2023-5611 (The Seraphinite Accelerator WordPress plugin before 2.20.32 does not h ...)
 	NOT-FOR-US: WordPress plugin
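Review bot: the `NOTE: TODO: check, potentially same incorrect checking of service and socket status in budgie-control-center` line is carried over unchanged while the bookworm entry moves from `<no-dsa>` to `<postponed> (Minor issue, revisit when fixed upstream)`; if merge request 2462 is the upstream fix now being waited on, the budgie-control-center check should either be resolved in this triage pass or folded into the postponed reason, otherwise it will be forgotten once the upstream fix lands and the entry is revisited.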
@@ -103478,7 +103479,7 @@ CVE-2023-39663 (Mathjax up to v2.7.9 was discovered to contain two Regular expre
 CVE-2023-39616 (AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read mem ...)
 	[experimental] - aom 3.7.0-1~exp1
 	- aom 3.7.0-1
-	[bookworm] - aom <no-dsa> (Minor issue)
+	[bookworm] - aom <ignored> (Minor issue)
 	[bullseye] - aom <not-affected> (Vulnerable code introduced later)
 	[buster] - aom <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=3372#c3
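Review bot: `[bookworm] - aom <ignored>` keeps the old `(Minor issue)` justification, which explained why no DSA was issued but not why the fix will now not be shipped in bookworm at all; record the actual reason for ignoring (the nextcloud-desktop line in this same commit does this with `too intrusive to backport`) so the decision can be audited without re-reading the linked aomedia issue.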
@@ -109467,17 +109468,15 @@ CVE-2023-37849 (A DLL hijacking vulnerability in Panda Security VPN for Windows
 CVE-2023-37839 (An arbitrary file upload vulnerability in /dede/file_manage_control.ph ...)
 	NOT-FOR-US: Dede CMS
 CVE-2023-37837 (libjpeg commit db33a6e was discovered to contain a heap buffer overflo ...)
-	- libjpeg <unfixed> (bug #1041103)
-	[bookworm] - libjpeg <no-dsa> (Minor issue)
-	[bullseye] - libjpeg <no-dsa> (Minor issue)
+	- libjpeg <unfixed> (bug #1041103; unimportant)
 	NOTE: https://github.com/thorfdbg/libjpeg/issues/87#BUG0
 	NOTE: Fixed by: https://github.com/thorfdbg/libjpeg/commit/9e0cea29d7ba7a2c1e763865391bc94b336da25e
+	NOTE: Crash in CLI tool, no security impact
 CVE-2023-37836 (libjpeg commit db33a6e was discovered to contain a reachable assertion ...)
-	- libjpeg <unfixed> (bug #1041103)
-	[bookworm] - libjpeg <no-dsa> (Minor issue)
-	[bullseye] - libjpeg <no-dsa> (Minor issue)
+	- libjpeg <unfixed> (bug #1041103; unimportant)
 	NOTE: https://github.com/thorfdbg/libjpeg/issues/87#BUG1
 	NOTE: Fixed by: https://github.com/thorfdbg/libjpeg/commit/9e0cea29d7ba7a2c1e763865391bc94b336da25e
+	NOTE: Crash in CLI tool, no security impact
 CVE-2023-37723 (Tenda F1202 V1.0BR_V1.2.0.20(408), FH1202_V1.2.0.19_EN were discovered ...)
 	NOT-FOR-US: Tenda
 CVE-2023-37722 (Tenda F1202 V1.0BR_V1.2.0.20(408), FH1202_V1.2.0.19_EN were discovered ...)
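Review bot: CVE-2023-37837 is described as a heap buffer overflow, yet the new `NOTE: Crash in CLI tool, no security impact` is the only justification for dropping the per-release `<no-dsa>` lines and marking the entry `unimportant`; a downgrade of a heap overflow should name the tool and the code path involved, or point at the comment in thorfdbg/libjpeg issue 87 that establishes the bug is confined to the command-line utility, so a later triager can verify it. With the release lines gone, the `Fixed by:` commit and the still-open bug #1041103 are the only record that a fix exists; a short note on whether that upstream commit applies to the Debian package would complete the entry.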
@@ -124403,7 +124402,7 @@ CVE-2023-29000 (The Nextcloud Desktop Client is a tool to synchronize files from
 	NOTE: https://hackerone.com/reports/1679267
 CVE-2023-28999 (Nextcloud is an open-source productivity platform. In Nextcloud Deskto ...)
 	- nextcloud-desktop 3.9.0-1 (bug #1034184)
-	[bookworm] - nextcloud-desktop <no-dsa> (Minor issue)
+	[bookworm] - nextcloud-desktop <ignored> (Minor issue, too intrusive to backport)
 	[bullseye] - nextcloud-desktop <no-dsa> (Minor issue)
 	[buster] - nextcloud-desktop <no-dsa> (Minor issue)
 	NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8875-wxww-3rr8
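Review bot: bookworm is moved to `<ignored> (Minor issue, too intrusive to backport)` while the bullseye and buster lines keep `<no-dsa> (Minor issue)`; a fix that is too intrusive for bookworm (3.9.0-1 in unstable) is unlikely to be backported to the older releases either, so they probably want the same tag and reason for consistency rather than remaining as deferred-but-open.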
@@ -253733,15 +253732,15 @@ CVE-2021-37819 (PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite
 	[buster] - pdftk-java <no-dsa> (Minor issue)
 	- pdftk 2.02-5
 	- libitext-java 2.1.7-16 (bug #1059318)
-	[bookworm] - libitext-java <no-dsa> (Minor issue)
+	[bookworm] - libitext-java <ignored> (Minor issue)
 	[bullseye] - libitext-java <no-dsa> (Minor issue)
 	[buster] - libitext-java <no-dsa> (Minor issue)
 	- libitext1-java <unfixed> (bug #1059319)
-	[bookworm] - libitext1-java <no-dsa> (Minor issue)
+	[bookworm] - libitext1-java <ignored> (Minor issue)
 	[bullseye] - libitext1-java <no-dsa> (Minor issue)
 	[buster] - libitext1-java <no-dsa> (Minor issue)
 	- libitext5-java 5.5.13.3-4 (bug #1059320)
-	[bookworm] - libitext5-java <no-dsa> (Minor issue)
+	[bookworm] - libitext5-java <ignored> (Minor issue)
 	[bullseye] - libitext5-java <no-dsa> (Minor issue)
 	[buster] - libitext5-java <no-dsa> (Minor issue)
 	NOTE: https://gitlab.com/pdftk-java/pdftk/-/merge_requests/21
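Review bot: all three libitext bookworm lines (libitext-java, libitext1-java, libitext5-java) switch to `<ignored>` but carry over `(Minor issue)` as the reason; `ignored` means the issue will not be fixed in that release, so the entry should state why (no usable upstream fix, not backportable, or not worth a point-release update, whichever applies) instead of only the severity, following the `too intrusive to backport` wording used for nextcloud-desktop in this commit.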
@@ -275268,8 +275267,8 @@ CVE-2021-29463 (Exiv2 is a command-line utility and C++ library for reading, wri
 	NOTE: https://github.com/Exiv2/exiv2/commit/783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b
 CVE-2021-29462 (The Portable SDK for UPnP Devices is an SDK for development of UPnP de ...)
 	- pupnp <not-affected> (Fixed before initial upload to Debian after source package rename)
-	- pupnp-1.8 <unfixed> (bug #987326)
-	[bookworm] - pupnp-1.8 <no-dsa> (Minor issue)
+	- pupnp-1.8 <removed> (bug #987326)
+	[bookworm] - pupnp-1.8 <ignored> (Minor issue)
 	[bullseye] - pupnp-1.8 <no-dsa> (Minor issue)
 	[buster] - pupnp-1.8 <no-dsa> (Minor issue)
 	- libupnp <removed>
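Review bot: `pupnp-1.8 <removed>` is the right state if the source package has left unstable, and keeping the bullseye and buster `<no-dsa>` lines is correct as long as it still ships there, but the bookworm line that becomes `<ignored>` still reads `(Minor issue)`; since the package is now gone from unstable, stating that as the reason would make the ignored state self-explanatory and distinguish it from the unchanged bullseye/buster entries.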
@@ -278156,7 +278155,7 @@ CVE-2021-28303
 	RESERVED
 CVE-2021-28302 (A stack overflow in pupnp before version 1.14.5 can cause the denial o ...)
 	- pupnp <not-affected> (Fixed before initial upload to Debian after source package rename)
-	- pupnp-1.8 <unfixed> (bug #986833)
+	- pupnp-1.8 <removed> (bug #986833)
 	[bookworm] - pupnp-1.8 <no-dsa> (Minor issue)
 	[bullseye] - pupnp-1.8 <no-dsa> (Minor issue)
 	[buster] - pupnp-1.8 <no-dsa> (Minor issue)
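Review bot: CVE-2021-28302 receives the same `<unfixed>` to `<removed>` change for pupnp-1.8 as CVE-2021-29462, CVE-2020-13848 and CVE-2020-12695 elsewhere in this commit, but its `[bookworm] - pupnp-1.8 <no-dsa> (Minor issue)` line is left untouched while the other three switch bookworm to `<ignored>`; this looks like an oversight, and the four entries should be aligned one way or the other.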
@@ -344163,8 +344162,8 @@ CVE-2020-13849 (The MQTT protocol 3.1.1 requires a server to set a timeout value
 CVE-2020-13848 (Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attac ...)
 	{DLA-2585-1 DLA-2238-1}
 	- pupnp <not-affected> (Fixed before initial upload to Debian after source package rename)
-	- pupnp-1.8 <unfixed> (bug #962282)
-	[bookworm] - pupnp-1.8 <no-dsa> (Minor issue)
+	- pupnp-1.8 <removed> (bug #962282)
+	[bookworm] - pupnp-1.8 <ignored> (Minor issue)
 	[bullseye] - pupnp-1.8 <no-dsa> (Minor issue)
 	[buster] - pupnp-1.8 <no-dsa> (Minor issue)
 	- libupnp <removed>
@@ -347171,8 +347170,8 @@ CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 2020-
 	[buster] - gupnp 1.0.5-0+deb10u1
 	- minidlna 1.2.1+dfsg-3 (bug #976594)
 	- pupnp <not-affected> (Fixed before initial upload to Debian after source package rename)
-	- pupnp-1.8 <unfixed> (bug #983206)
-	[bookworm] - pupnp-1.8 <no-dsa> (Minor issue)
+	- pupnp-1.8 <removed> (bug #983206)
+	[bookworm] - pupnp-1.8 <ignored> (Minor issue)
 	[bullseye] - pupnp-1.8 <no-dsa> (Minor issue)
 	[buster] - pupnp-1.8 <no-dsa> (Minor issue)
 	- libupnp <removed>



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6699b3e6a8d7353177c9746acf36583a73022195
