[Git][security-tracker-team/security-tracker][master] 9 commits: add pgpool2
Thorsten Alteholz (@alteholz)
alteholz at debian.org
Sun Sep 15 22:47:52 BST 2024
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
243431af by Thorsten Alteholz at 2024-09-15T23:47:27+02:00
add pgpool2
- - - - -
fa0d3efc by Thorsten Alteholz at 2024-09-15T23:47:27+02:00
add php-twig
- - - - -
0d716206 by Thorsten Alteholz at 2024-09-15T23:47:27+02:00
add ruby-saml
- - - - -
be6d80f9 by Thorsten Alteholz at 2024-09-15T23:47:28+02:00
mark CVE-2024-43796 as postponed for Bullseye
- - - - -
b2d084ee by Thorsten Alteholz at 2024-09-15T23:47:30+02:00
mark CVE-2024-45296 as postponed for Bullseye
- - - - -
c3d19937 by Thorsten Alteholz at 2024-09-15T23:47:32+02:00
mark CVE-2024-43800 as postponed for Bullseye
- - - - -
2c2c6ab3 by Thorsten Alteholz at 2024-09-15T23:47:34+02:00
mark CVE-2024-45751 as postponed for Bullseye
- - - - -
9f39e1fa by Thorsten Alteholz at 2024-09-15T23:47:34+02:00
add ansible
- - - - -
8fa77897 by Thorsten Alteholz at 2024-09-15T23:47:36+02:00
mark some CVEs of wolfssl as postponed for Bullseye
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1103,6 +1103,7 @@ CVE-2024-44087 (A vulnerability has been identified in Automation License Manage
CVE-2024-43800 (serve-static serves static files. serve-static passes untrusted user i ...)
- node-serve-static <unfixed> (bug #1081482)
[bookworm] - node-serve-static <no-dsa> (Minor issue)
+ [bullseye] - node-serve-static <postponed> (Minor issue)
NOTE: https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p
NOTE: https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b (1.16.0)
NOTE: https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa (2.1.0)
@@ -1113,6 +1114,7 @@ CVE-2024-43799 (Send is a library for streaming files from the file system as a
CVE-2024-43796 (Express.js minimalist web framework for node. In express < 4.20.0, pas ...)
- node-express <unfixed> (bug #1081481)
[bookworm] - node-express <no-dsa> (Minor issue)
+ [bullseye] - node-express <postponed> (Minor issue)
NOTE: https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx
NOTE: https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553 (4.20.0)
CVE-2024-43781 (A vulnerability has been identified in SINUMERIK 828D V4 (All versions ...)
@@ -1524,6 +1526,7 @@ CVE-2024-45406 (Craft is a content management system (CMS). Craft CMS 5 stored X
CVE-2024-45296 (path-to-regexp turns path strings into a regular expressions. In certa ...)
- node-path-to-regexp 6.3.0-1 (bug #1081656)
[bookworm] - node-path-to-regexp <no-dsa> (Minor issue)
+ [bullseye] - node-path-to-regexp <postponed> (Minor issue)
NOTE: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
NOTE: https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6 (v8.0.0)
CVE-2024-45041 (External Secrets Operator is a Kubernetes operator that integrates ext ...)
@@ -1934,6 +1937,7 @@ CVE-2024-6792 (The WP ULike WordPress plugin before 4.7.2.1 does not properly s
CVE-2024-45751 (tgt (aka Linux target framework) before 1.0.93 attempts to achieve ent ...)
- tgt <unfixed> (bug #1081158)
[bookworm] - tgt <no-dsa> (Minor issue)
+ [bullseye] - tgt <postponed> (Minor issue)
NOTE: https://github.com/fujita/tgt/pull/67
NOTE: https://github.com/fujita/tgt/commit/abd8e0d987ab56013d360077202bf2aca20a42dd (v1.0.93)
NOTE: https://www.openwall.com/lists/oss-security/2024/09/07/2
@@ -3723,17 +3727,20 @@ CVE-2024-6632 (A vulnerability exists in FileCatalyst Workflow whereby a field a
CVE-2024-5991 (In function MatchDomainName(), input param str is treated as a NULL te ...)
- wolfssl <unfixed> (bug #1081788)
[bookworm] - wolfssl <no-dsa> (Minor issue)
+ [bullseye] - wolfssl <postponed> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable
NOTE: https://github.com/wolfSSL/wolfssl/pull/7604
CVE-2024-5814 (A malicious TLS1.2 server can force a TLS1.3 client with downgrade cap ...)
- wolfssl <unfixed> (bug #1081791)
[bookworm] - wolfssl <no-dsa> (Minor issue)
+ [bullseye] - wolfssl <postponed> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable
NOTE: https://github.com/wolfSSL/wolfssl/pull/7619
NOTE: https://tches.iacr.org/index.php/TCHES/article/view/11259
CVE-2024-5288 (An issue was discovered in wolfSSL before 5.7.0. A safe-error attack v ...)
- wolfssl <unfixed> (bug #1081790)
[bookworm] - wolfssl <no-dsa> (Minor issue)
+ [bullseye] - wolfssl <postponed> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable
NOTE: https://github.com/wolfSSL/wolfssl/pull/7416
CVE-2024-4872 (The product does not validate any query towards persistent data, resul ...)
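Review bot: the commit message for this hunk, "mark some CVEs of wolfssl as postponed for Bullseye", does not name the entries it touches; listing CVE-2024-5991, CVE-2024-5814 and CVE-2024-5288 in the message, as the other postponement commits in this push do for their single CVE, would make the change findable from the log without opening the diff.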
=====================================
data/dla-needed.txt
=====================================
@@ -27,6 +27,9 @@ rather than remove/replace existing ones.
activemq
NOTE: 20240913: Added by Front-Desk (ta)
--
+ansible
+ NOTE: 20240915: Added by Front-Desk (ta)
+--
asterisk (Thorsten Alteholz)
NOTE: 20240815: Added by Front-Desk (Beuc)
NOTE: 20240815: CVE-2024-42365 is privilege escalation. (Beuc/front-desk)
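Review bot: the new ansible entry carries only `NOTE: 20240915: Added by Front-Desk (ta)` and does not say which CVEs prompted it, whereas neighbouring entries such as openssl ("Follow fixes from bookworm 12.6 (CVE-2023-5678, CVE-2024-0727)") point the prospective maintainer at the work to be done; a second NOTE naming the open CVE ids would help. The same applies to the pgpool2 and php-twig entries added later in this patch.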
@@ -116,6 +119,9 @@ openssl
NOTE: 20240815: Added by Front-Desk (Beuc)
NOTE: 20240815: Follow fixes from bookworm 12.6 (CVE-2023-5678, CVE-2024-0727) (Beuc/front-desk)
--
+pgpool2
+ NOTE: 20240915: Added by Front-Desk (ta)
+--
php-horde-mime-viewer
NOTE: 20220622: Added by stable Security Team (jmm)
NOTE: 20240815: considered for EOL, sunweaver to work on an update
@@ -126,6 +132,9 @@ php-horde-turba
NOTE: 20240815: considered for EOL, sunweaver to work on an update
NOTE: 20240815: https://lists.debian.org/debian-lts/2024/08/msg00023.html (Beuc/front-desk)
--
+php-twig
+ NOTE: 20240915: Added by Front-Desk (ta)
+--
proftpd-dfsg
NOTE: 20240815: Added by Front-Desk (Beuc)
NOTE: 20240815: Follow fixes from bookworm 12.5 (2 CVEs) (Beuc/front-desk)
@@ -170,6 +179,10 @@ ruby-rails-html-sanitizer
NOTE: 20230901: Added by oldstable Security Team (jmm)
NOTE: 20240815: Follow fixes from DLA-3566-1 and DLA-3227-1 (5 CVEs) (Beuc/front-desk)
--
+ruby-saml
+ NOTE: 20240915: Added by Front-Desk (ta)
+ NOTE: 20240915: please recheck whether package is really affected
+--
smarty3
NOTE: 20240814: Added by oldstable Security Team (jmm)
--
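Review bot: `NOTE: 20240915: please recheck whether package is really affected` names neither the CVE in question nor the reason for the doubt, so whoever claims ruby-saml has to rediscover both; stating the CVE id and what suggests the bullseye version may be unaffected would let the recheck be done and its outcome recorded in one step.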
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/456c2afd0254ea1dfe706707ae275bebb2d6bc5d...8fa7789756b588b8bb5ce16d7daef0c5efb6cf67