[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Sep 13 20:41:59 BST 2024



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c2b7b239 by Moritz Muehlenhoff at 2024-09-13T21:41:43+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -851,6 +851,7 @@ CVE-2024-44087 (A vulnerability has been identified in Automation License Manage
 	NOT-FOR-US: Siemens
 CVE-2024-43800 (serve-static serves static files. serve-static passes untrusted user i ...)
 	- node-serve-static <unfixed> (bug #1081482)
+	[bookworm] - node-serve-static <no-dsa> (Minor issue)
 	NOTE: https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p
 	NOTE: https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b (1.16.0)
 	NOTE: https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa (2.1.0)
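Review bot: the [bookworm] <no-dsa> parenthetical says only "Minor issue" while the unstable entry directly above is still <unfixed> (bug #1081482); since the NOTE lines already record the upstream fixes in 1.16.0 and 2.1.0, it would help later stable triage to state in the parenthetical whether the bookworm package is expected to pick the fix up through a point update (the usual `(Minor issue; can be fixed via point update)` wording) or whether no stable fix is planned at all.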
@@ -860,6 +861,7 @@ CVE-2024-43799 (Send is a library for streaming files from the file system as a
 	NOTE: https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35 (0.19.0)
 CVE-2024-43796 (Express.js minimalist web framework for node. In express < 4.20.0, pas ...)
 	- node-express <unfixed> (bug #1081481)
+	[bookworm] - node-express <no-dsa> (Minor issue)
 	NOTE: https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx
 	NOTE: https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553 (4.20.0)
 CVE-2024-43781 (A vulnerability has been identified in SINUMERIK 828D V4 (All versions ...)
@@ -1265,6 +1267,7 @@ CVE-2024-45406 (Craft is a content management system (CMS). Craft CMS 5 stored X
 	NOT-FOR-US: Craft CMS
 CVE-2024-45296 (path-to-regexp turns path strings into a regular expressions. In certa ...)
 	- node-path-to-regexp <unfixed> (bug #1081656)
+	[bookworm] - node-path-to-regexp <no-dsa> (Minor issue)
 	NOTE: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
 	NOTE: https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6 (v8.0.0)
 CVE-2024-45041 (External Secrets Operator is a Kubernetes operator that integrates ext ...)
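Review bot: the only upstream fix recorded in the NOTE line for CVE-2024-45296 is in v8.0.0, a major release, so a bookworm update cannot simply follow the upstream version; it is worth recording next to the <no-dsa> tag whether a targeted backport of commit 60f2121e9b66b7b622cc01080df0aabda9eedee6 is intended for a point update, or whether "Minor issue" here means the issue will not be addressed in bookworm.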
@@ -2480,6 +2483,7 @@ CVE-2024-6232 (There is a MEDIUM severity vulnerability affecting CPython.
 	- python3.13 3.13.0~rc2-1
 	- python3.12 3.12.6-1
 	- python3.11 <removed>
+	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.9 <removed>
 	- python2.7 <removed>
 	[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
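Review bot: python3.11 is marked <removed> in unstable on the line directly above the new [bookworm] entry, so unlike the other packages triaged in this commit there is no fixed-in-sid version for a bookworm update to track; the <no-dsa> parenthetical should say whether the fix is meant to reach bookworm via a point release (the usual `can be fixed via point update` wording) so the entry does not read as won't-fix for the only suite that still ships this package.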
@@ -3450,6 +3454,7 @@ CVE-2024-6632 (A vulnerability exists in FileCatalyst Workflow whereby a field a
 	NOT-FOR-US: FileCatalyst Workflow
 CVE-2024-5991 (In function MatchDomainName(), input param str is treated as a NULL te ...)
 	- wolfssl <unfixed>
+	[bookworm] - wolfssl <no-dsa> (Minor issue)
 	NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable
 	NOTE: https://github.com/wolfSSL/wolfssl/pull/7604
 CVE-2024-5814 (A malicious TLS1.2 server can force a TLS1.3 client with downgrade cap ...)
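Review bot: the unstable entry `- wolfssl <unfixed>` carries no bug reference, whereas the three node-* entries given the same <no-dsa> treatment in this commit each record a bug number; with bookworm now deferred, the pending sid fix is tracked only by the two upstream NOTE links, so a bug should be filed and `(bug #NNNNNN)` added to the <unfixed> line so the open state is not lost.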
@@ -48076,7 +48081,8 @@ CVE-2024-3221 (A vulnerability classified as critical was found in SourceCodeste
 CVE-2024-3218 (A vulnerability classified as critical has been found in Shibang Commu ...)
 	NOT-FOR-US: Shibang Communications IP Network Intercom Broadcasting System
 CVE-2024-3209 (A vulnerability was found in UPX up to 4.2.2. It has been rated as cri ...)
-	- upx-ucl 4.2.4-1
+	- upx-ucl 4.2.4-1 (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://github.com/upx/upx/issues/841
 CVE-2024-3207 (A vulnerability was found in ermig1979 Simd up to 6.0.134. It has been ...)
 	NOT-FOR-US: ermig1979 Simd


=====================================
data/dsa-needed.txt
=====================================
@@ -49,5 +49,7 @@ smarty4
 --
 twisted (jmm)
 --
+xen
+--
 zabbix
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2b7b23945a0aa1e9b9f134831e3c0c33eb5878e
