[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Sep 20 16:18:29 BST 2024 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c8af8242 by Moritz Muehlenhoff at 2024-09-20T17:18:06+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -39,6 +39,7 @@ CVE-2024-8375 (There exists a use after free vulnerability in Reverb.Reverb supp
 	NOT-FOR-US: Google Reverb
 CVE-2024-8354 (A flaw was found in QEMU. An assertion failure was present in the usb_ ...)
 	- qemu <unfixed> (bug #1082377)
+	[bookworm] - qemu <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2313497
 	NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2548
 CVE-2024-7785 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...)
@@ -83,6 +84,7 @@ CVE-2024-45806 (Envoy is a cloud-native high-performance edge/middle/service pro
 	- envoyproxy <itp> (bug #987544)
 CVE-2024-45752 (logiops through 0.3.4, in its default configuration, allows any unpriv ...)
 	- logiops <unfixed> (bug #1082378)
+	[bookworm] - logiops <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1226598
 CVE-2024-45614 (Puma is a Ruby/Rack web server built for parallelism. In affected vers ...)
 	- puma <unfixed> (bug #1082379)
@@ -104,6 +106,7 @@ CVE-2024-33109 (Directory Traversal in the web interface of the Tiptel IP 286 wi
 	NOT-FOR-US: Tiptel
 CVE-2024-31570 (libfreeimage in FreeImage 3.4.0 through 3.18.0 has a stack-based buffe ...)
 	- freeimage <unfixed> (bug #1082380)
+	[bookworm] - freeimage <no-dsa> (Minor issue#)
 	NOTE: https://sourceforge.net/p/freeimage/bugs/355/
 	NOTE: https://www.openwall.com/lists/oss-security/2024/04/11/10
 CVE-2024-25673 (Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and all earli ...)
@@ -124,6 +127,7 @@ CVE-2024-8364 (The WP Custom Fields Search plugin for WordPress is vulnerable to
 	NOT-FOR-US: WordPress plugin
 CVE-2024-7254 (Any project that parses untrusted Protocol Buffers datacontaining an a ...)
 	- protobuf <unfixed> (bug #1082381)
+	[bookworm] - protobuf <no-dsa> (Minor issue)
 	NOTE: https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
 CVE-2024-47089 (This vulnerability exists in the Apex Softcell LD Geo due to improper  ...)
 	NOT-FOR-US: Apex Softcell LD Geo
@@ -291,6 +295,7 @@ CVE-2024-45813 (find-my-way is a fast, open source HTTP router, internally using
 	NOT-FOR-US: find-my-way
 CVE-2024-45679 (Heap-based buffer overflow vulnerability in Assimp versions prior to 5 ...)
 	- assimp 5.4.0+ds-1
+	[bookworm] - assimp <no-dsa> (Minor issue)
 	NOTE: https://github.com/assimp/assimp/pull/5310
 	NOTE: https://github.com/assimp/assimp/commit/e4e2c63e0c2c449cd69fb9a3269e865eb83c241d (v5.4.0)
 CVE-2024-45601 (Mesop is a Python-based UI framework designed for rapid web apps devel ...)
@@ -400,8 +405,10 @@ CVE-2024-36981 (An out-of-bounds read vulnerability exists in the OpenPLC Runtim
 CVE-2024-36980 (An out-of-bounds read vulnerability exists in the OpenPLC Runtime Ethe ...)
 	NOT-FOR-US: OpenPLC
 CVE-2024-35515 (Insecure deserialization in sqlitedict up to v2.1.0 allows attackers t ...)
-	- sqlitedict <unfixed>
+	- sqlitedict <unfixed> (unimportant)
 	NOTE: https://wha13.github.io/2024/06/13/mfcve/
+	NOTE: https://github.com/piskvorky/sqlitedict/issues/174
+	NOTE: Not considered a security issue by upstream
 CVE-2024-34399 (**UNSUPPORTED WHEN ASSIGNED** An issue was discovered in BMC Remedy Mi ...)
 	NOT-FOR-US: BMC Remedy Mid Tier
 CVE-2024-34057 (Triangle Microworks TMW IEC 61850 Client source code libraries before  ...)
@@ -4558,6 +4565,7 @@ CVE-2024-34577 (Cross-site scripting vulnerability exists in WRC-X3000GS2-B, WRC
 	NOT-FOR-US: WRC-X3000GS2-B, WRC-X3000GS2-W, and WRC-X3000GS2A-B
 CVE-2024-2881 (Fault Injection vulnerability inwc_ed25519_sign_msg function in wolfss ...)
 	- wolfssl 5.7.0-0.3
+	[bookworm] - wolfssl <no-dsa> (Minor issue)
 	NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable
 CVE-2024-2694 (The Betheme theme for WordPress is vulnerable to PHP Object Injection  ...)
 	NOT-FOR-US: WordPress theme
@@ -5114,6 +5122,7 @@ CVE-2024-36068 (An incorrect access control vulnerability in Rubrik CDM versions
 	NOT-FOR-US: Rubrik CDM
 CVE-2024-1544 (Generating the ECDSA nonce k samples a random number r and then  trunc ...)
 	- wolfssl <unfixed> (bug #1081789)
+	[bookworm] - wolfssl <no-dsa> (Minor issue)
 	NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable
 	NOTE: https://github.com/wolfSSL/wolfssl/pull/7020
 CVE-2024-8046 (The Logo Showcase Ultimate \u2013 Logo Carousel, Logo Slider & Logo Gr ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -50,6 +50,8 @@ smarty3
 --
 smarty4
 --
+tryton-server (jmm)
+--
 twisted (jmm)
 --
 xen



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8af82420935a4d5a08b80899ab7521786de7362

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8af82420935a4d5a08b80899ab7521786de7362
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240920/038afd25/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list