[Git][security-tracker-team/security-tracker][master] 22 commits: CVE-2024-45769,CVE-2024-45770,pcp: triage bullseye

Markus Koschany (@apo) apo at debian.org
Mon Sep 23 04:32:22 BST 2024



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1fa50d0f by Markus Koschany at 2024-09-23T00:22:33+02:00
CVE-2024-45769,CVE-2024-45770,pcp: triage bullseye

CVE-2024-45769: bullseye is not affected, the vulnerable code was introduced
later

CVE-2024-45770: bullseye is ignored: Minor issue, requires root access to be
exploited

- - - - -
96fd6d44 by Markus Koschany at 2024-09-23T02:58:01+02:00
CVE-2024-45679,assimp: bullseye is postponed

Minor issue

- - - - -
c0414713 by Markus Koschany at 2024-09-23T02:58:28+02:00
CVE-2024-41436,clickhouse: bullseye is postponed

Minor issue

- - - - -
36315cb1 by Markus Koschany at 2024-09-23T03:04:10+02:00
Add freeimage to dla-needed.txt

- - - - -
5618ff07 by Markus Koschany at 2024-09-23T03:07:25+02:00
CVE-2024-43799,node-send: bullseye is postponed

Minor issue

- - - - -
5035ebc7 by Markus Koschany at 2024-09-23T03:08:18+02:00
CVE-2024-7254,protobuf: bullseye is postponed

Minor issue

- - - - -
c071016e by Markus Koschany at 2024-09-23T03:10:54+02:00
rust-lexical-core: bullseye is postponed

Minor issues

- - - - -
224dded3 by Markus Koschany at 2024-09-23T03:15:42+02:00
weechat: bullseye is postponed

Minor issues

Vulnerable code is in src/core/wee-string.c etc.

- - - - -
155d8175 by Markus Koschany at 2024-09-23T03:38:12+02:00
CVE-2024-1544,wolfssl: bullseye is postponed

Minor issue

- - - - -
20aef863 by Markus Koschany at 2024-09-23T03:38:54+02:00
CVE-2024-2881,wolfssl: bullseye is postponed

Minor issue

- - - - -
72811193 by Markus Koschany at 2024-09-23T03:41:49+02:00
Add intel-mediasdk to dla-needed.txt

- - - - -
08f5d710 by Markus Koschany at 2024-09-23T03:52:45+02:00
Claim wordpress in dla-needed.txt

- - - - -
3909b9be by Markus Koschany at 2024-09-23T03:54:09+02:00
Add 389-ds-base to dla-needed.txt

- - - - -
596359ee by Markus Koschany at 2024-09-23T03:57:16+02:00
Add booth to dla-needed.txt

- - - - -
8e6b3da3 by Markus Koschany at 2024-09-23T04:15:24+02:00
CVE-2024-41110,docker.io: link to fixing commits

for 20.10 branch

- - - - -
0d1c787d by Markus Koschany at 2024-09-23T04:16:29+02:00
Add docker.io to dla-needed.txt

- - - - -
fe3b6d62 by Markus Koschany at 2024-09-23T04:18:36+02:00
Add nghttp2 to dla-needed.txt

- - - - -
c83f46e5 by Markus Koschany at 2024-09-23T04:35:19+02:00
Add puma to dla-needed.txt

- - - - -
467d4d24 by Markus Koschany at 2024-09-23T04:37:10+02:00
Add pure-data to dla-needed.txt

- - - - -
c9e78433 by Markus Koschany at 2024-09-23T04:39:09+02:00
Add sogo to dla-needed.txt

- - - - -
d06ba488 by Markus Koschany at 2024-09-23T05:29:05+02:00
CVE-2024-8517,spip: link to possible fixing link

- - - - -
9d58458a by Markus Koschany at 2024-09-23T05:31:36+02:00
Add spip to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -125,12 +125,14 @@ CVE-2024-8612 (A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and vir
 	NOTE: https://gitlab.com/qemu-project/qemu/-/commit/637b0aa139565cb82a7b9269e62214f87082635c
 CVE-2024-45769 (A vulnerability was found in Performance Co-Pilot (PCP). This flaw all ...)
 	- pcp 6.3.1-1
+	[bullseye] - pcp <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2310452
 	NOTE: https://www.openwall.com/lists/oss-security/2024/09/20/1
 	NOTE: Fixed by: https://github.com/performancecopilot/pcp/commit/3fc59861174ac0bbb08f5fa98cadb0d206f5cc60 (6.3.1)
 	NOTE: Fixed by: https://github.com/performancecopilot/pcp/commit/eadb79aab46175d7a58d0fa88028408743e2a93f (6.3.1)
 CVE-2024-45770 (A vulnerability was found in Performance Co-Pilot (PCP). This flaw can ...)
 	- pcp 6.3.1-1
+	[bullseye] - pcp <ignored> (Minor issue, requires root access)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2310451
 	NOTE: https://www.openwall.com/lists/oss-security/2024/09/20/1
 	NOTE: Fixed by: https://github.com/performancecopilot/pcp/commit/22505f9a43c212217d4d53200dcf2f0e94febc8f (6.3.1)
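Review bot: the bullseye `<not-affected>` entry for CVE-2024-45769 gives "The vulnerable code was introduced later" as its rationale, but no NOTE in this block records which upstream change or version introduced the code, so a later triager cannot re-verify the conclusion without redoing the analysis; consider adding a NOTE with the introducing commit or the first affected upstream version next to the two "Fixed by" notes. The `<ignored>` rationale for CVE-2024-45770 ("Minor issue, requires root access") is clear as written.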
@@ -253,6 +255,7 @@ CVE-2024-8364 (The WP Custom Fields Search plugin for WordPress is vulnerable to
 CVE-2024-7254 (Any project that parses untrusted Protocol Buffers datacontaining an a ...)
 	- protobuf <unfixed> (bug #1082381)
 	[bookworm] - protobuf <no-dsa> (Minor issue)
+	[bullseye] - protobuf <postponed> (Minor issue)
 	NOTE: https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
 CVE-2024-47089 (This vulnerability exists in the Apex Softcell LD Geo due to improper  ...)
 	NOT-FOR-US: Apex Softcell LD Geo
@@ -421,6 +424,7 @@ CVE-2024-45813 (find-my-way is a fast, open source HTTP router, internally using
 CVE-2024-45679 (Heap-based buffer overflow vulnerability in Assimp versions prior to 5 ...)
 	- assimp 5.4.0+ds-1
 	[bookworm] - assimp <no-dsa> (Minor issue)
+	[bullseye] - assimp <postponed> (Minor issue)
 	NOTE: https://github.com/assimp/assimp/pull/5310
 	NOTE: https://github.com/assimp/assimp/commit/e4e2c63e0c2c449cd69fb9a3269e865eb83c241d (v5.4.0)
 CVE-2024-45601 (Mesop is a Python-based UI framework designed for rapid web apps devel ...)
@@ -1081,6 +1085,7 @@ CVE-2024-8421
 CVE-2024-XXXX [RUSTSEC-2023-0086]
 	- rust-lexical-core <unfixed> (bug #1082053)
 	[bookworm] - rust-lexical-core <no-dsa> (Minor issue)
+	[bullseye] - rust-lexical-core <postponed> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0086.html
 	NOTE: https://github.com/Alexhuszagh/rust-lexical/issues/102
 	NOTE: https://github.com/Alexhuszagh/rust-lexical/issues/101
@@ -1401,6 +1406,7 @@ CVE-2023-41833 (A race condition in UEFI firmware for some Intel(R) processors m
 CVE-2024-XXXX [Integer Overflow to Buffer Overflow vulnerability in "string_free_split" functions]
 	- weechat <unfixed> (bug #1081942)
 	[bookworm] - weechat <no-dsa> (Minor issue)
+	[bullseye] - weechat <postponed> (Minor issue)
 	NOTE: https://weechat.org/doc/weechat/security/WSA-2024-1/
 	NOTE: https://github.com/weechat/weechat/issues/2178
 	NOTE: https://github.com/weechat/weechat/commit/315f769ab25643cf501a4bf8deb8025d92654303
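Review bot: the new `[bullseye] - weechat <postponed> (Minor issue)` line drops the detail the commit message records ("Vulnerable code is in src/core/wee-string.c etc."); since the tracker asks that history be kept in the data files, consider carrying that location into a NOTE line under this entry so the postponement rationale is visible in data/CVE/list rather than only in the git log.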
@@ -2567,6 +2573,7 @@ CVE-2024-43800 (serve-static serves static files. serve-static passes untrusted
 CVE-2024-43799 (Send is a library for streaming files from the file system as a http r ...)
 	- node-send <unfixed> (bug #1081483)
 	[bookworm] - node-send <no-dsa> (Minor issue)
+	[bullseye] - node-send <postponed> (Minor issue)
 	NOTE: https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg
 	NOTE: https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35 (0.19.0)
 CVE-2024-43796 (Express.js minimalist web framework for node. In express < 4.20.0, pas ...)
@@ -3218,6 +3225,8 @@ CVE-2024-8517 (SPIP before 4.3.2, 4.2.16, and  4.1.18 is vulnerable to a command
 	- spip 4.3.2+dfsg-1
 	NOTE: https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html?lang=fr
 	NOTE: https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/
+	NOTE: https://git.spip.net/spip/spip/-/commit/091eba6a7969b502dbe53c58a509b4c2a650f802
+	NOTE: Fixing link points to only changes between 4.1.17 and 4.1.18
 CVE-2024-8509 (A vulnerability was found in Forklift Controller. There is no verifica ...)
 	NOT-FOR-US: Forklift Controller
 CVE-2024-8428 (The ForumWP \u2013 Forum & Discussion Board Plugin plugin for WordPres ...)
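Review bot: the added note "Fixing link points to only changes between 4.1.17 and 4.1.18" reads ambiguously; the commit message calls it a "possible fixing link" and the dla-needed.txt entry in this push says the commit was found by diffing the 4.1.x releases. Suggest stating that directly, e.g. `NOTE: Commit above is the full 4.1.17 -> 4.1.18 diff found by comparing releases; the CVE-2024-8517 fix is not isolated and may include unrelated changes`, so whoever prepares the bullseye update knows the fix still has to be extracted.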
@@ -4191,6 +4200,7 @@ CVE-2024-41718
 CVE-2024-41436 (ClickHouse v24.3.3.102 was discovered to contain a buffer overflow via ...)
 	- clickhouse <unfixed> (bug #1082054)
 	[bookworm] - clickhouse <no-dsa> (Minor issue)
+	[bullseye] - clickhouse <postponed> (Minor issue)
 	NOTE: https://github.com/ClickHouse/ClickHouse/issues/65520
 	NOTE: https://github.com/ClickHouse/ClickHouse/pull/66912
 CVE-2024-41435 (YugabyteDB v2.21.1.0 was discovered to contain a buffer overflow via t ...)
@@ -4692,6 +4702,7 @@ CVE-2024-34577 (Cross-site scripting vulnerability exists in WRC-X3000GS2-B, WRC
 CVE-2024-2881 (Fault Injection vulnerability inwc_ed25519_sign_msg function in wolfss ...)
 	- wolfssl 5.7.0-0.3
 	[bookworm] - wolfssl <no-dsa> (Minor issue)
+	[bullseye] - wolfssl <postponed> (Minor issue)
 	NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable
 CVE-2024-2694 (The Betheme theme for WordPress is vulnerable to PHP Object Injection  ...)
 	NOT-FOR-US: WordPress theme
@@ -5249,6 +5260,7 @@ CVE-2024-36068 (An incorrect access control vulnerability in Rubrik CDM versions
 CVE-2024-1544 (Generating the ECDSA nonce k samples a random number r and then  trunc ...)
 	- wolfssl <unfixed> (bug #1081789)
 	[bookworm] - wolfssl <no-dsa> (Minor issue)
+	[bullseye] - wolfssl <postponed> (Minor issue)
 	NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable
 	NOTE: https://github.com/wolfSSL/wolfssl/pull/7020
 CVE-2024-8046 (The Logo Showcase Ultimate \u2013 Logo Carousel, Logo Slider & Logo Gr ...)
@@ -13720,6 +13732,8 @@ CVE-2024-41110 (Moby is an open-source project created by Docker for software co
 	- docker.io 26.1.5+dfsg1-2
 	NOTE: https://github.com/moby/moby/security/advisories/GHSA-v23v-6jw2-98fq
 	NOTE: https://www.docker.com/blog/docker-security-advisory-docker-engine-authz-plugin/
+	NOTE: 20.10 branch: fixed by https://github.com/moby/moby/commit/88c4b7690840044ce15489699294ec7c5dadf5dd
+	NOTE: follow-up: https://github.com/moby/moby/commit/7ff423cc1c991d8dc0a7b5d1d93e1cf3efaac169
 CVE-2024-40575 (An issue in Huawei Technologies opengauss (openGauss 5.0.0 build) v.7. ...)
 	NOT-FOR-US: Huawei Technologies opengauss
 CVE-2024-40495 (A vulnerability was discovered in Linksys Router E2500 with firmware 2 ...)
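Review bot: the two new notes for CVE-2024-41110 label the second commit only as "follow-up" without saying whether it is required for the 20.10 fix to be complete or is merely related; since docker.io is added to dla-needed.txt in the same push, a word on that in the NOTE (for example "follow-up, needed for complete fix" or "follow-up, cosmetic") would save the DLA preparer a trip through upstream history.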


=====================================
data/dla-needed.txt
=====================================
@@ -23,6 +23,9 @@ https://lts-team.pages.debian.net/wiki/Development.html#triage-new-security-issu
 To make it easier to see the entire history of an update, please append notes
 rather than remove/replace existing ones.
 
+--
+389-ds-base
+  NOTE: 20240922: Added by Front-Desk (apo)
 --
 activemq
   NOTE: 20240913: Added by Front-Desk (ta)
@@ -43,6 +46,9 @@ bind9
   NOTE: 20240815: https://lists.debian.org/debian-security/2024/07/msg00009.html
   NOTE: 20240815: pu request not in the BTS yet, coordinate with maintainer (Beuc/front-desk)
 --
+booth
+  NOTE: 20240922: Added by Front-Desk (apo)
+--
 dnsmasq
   NOTE: 20240313: Added by oldstable Security Team (jmm)
   NOTE: 20240802: CVE-2023-28450 is trivial to fix, however CVE-2023-50387 and CVE-2023-50868
@@ -50,6 +56,9 @@ dnsmasq
   NOTE: 20240802: action. (lee)
   NOTE: 20240815: A bookworm DSA is planned (Beuc/front-desk)
 --
+docker.io
+  NOTE: 20240922: Added by Front-Desk (apo)
+--
 edk2
   NOTE: 20240815: Added by Front-Desk (Beuc)
   NOTE: 20240815: bullseye did not get most of DSA 5624-1 security fixes,
@@ -74,6 +83,10 @@ flatpak (Adrian Bunk)
   NOTE: 20240814: Added by oldstable Security Team (carnil)
   NOTE: 20240815: Follow fixes from DSA-5749-1 (CVE-2024-42472) (Beuc/front-desk)
 --
+freeimage
+  NOTE: 20240922: Added by Front-Desk (apo)
+  NOTE: 20240922: Many postponed CVE.
+--
 frr
   NOTE: 20240906: Added by Front-Desk (lamby)
   NOTE: 20240906: NB. There was a recent update, DLA-3865, @ Tue Sep 3 06:55:29 2024 +0200 (lamby)
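Review bot: "Many postponed CVE." should read "CVEs", and on its own it does not tell whoever picks up freeimage whether the postponed issues are meant to be bundled into this DLA or left postponed; a short pointer such as "see the postponed bullseye entries in data/CVE/list; include them in the update" would make the intent explicit.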
@@ -93,6 +106,9 @@ glewlwyd
   NOTE: 20240815: pu scheduled https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007884
   NOTE: 20240815: maintainer (babelouest) plans to do a LTS upload as well (Beuc/front-desk)
 --
+intel-mediasdk
+  NOTE: 20240922: Added by Front-Desk (apo)
+--
 libreoffice (rouca)
   NOTE: 20240920: Added by Front-Desk (apo)
   NOTE: 20240920: Bastien took care of previous releases.
@@ -109,6 +125,10 @@ netatalk
   NOTE: 20240815: pu in progress but looking stuck https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774
   NOTE: 20240815: coordinate bullseye DLA with uploader (Beuc/front-desk)
 --
+nghttp2
+  NOTE: 20240922: Added by Front-Desk (apo)
+  NOTE: 20240922: Already fixed in buster.
+--
 nss (arturo)
   NOTE: 20240825: Added by Front-Desk (ta)
 --
@@ -137,6 +157,12 @@ proftpd-dfsg
   NOTE: 20240815: Added by Front-Desk (Beuc)
   NOTE: 20240815: Follow fixes from bookworm 12.5 (2 CVEs) (Beuc/front-desk)
 --
+puma
+  NOTE: 20240922: Added by Front-Desk (apo)
+--
+pure-data
+  NOTE: 20240922: Added by Front-Desk (apo)
+--
 python-aiohttp
   NOTE: 20240523: Added by oldstable Security Team (jmm)
   NOTE: 20240815: A bookworm DSA is planned (Beuc/front-desk)
@@ -178,6 +204,15 @@ ruby-saml
 smarty3
   NOTE: 20240814: Added by oldstable Security Team (jmm)
 --
+sogo
+  NOTE: 20240922: Added by Front-Desk (apo)
+  NOTE: 20240922: See also postponed issues.
+--
+spip
+  NOTE: 20240922: Added by Front-Desk (apo)
+  NOTE: 20240922: Knowing French may be useful. Determined fixing commit by
+  NOTE: 20240922: diffing the releases on the 4.1.x branch. 3.x is already EOL. (apo)
+--
 squid (roberto)
   NOTE: 20240308: Added by oldstable Security Team (apo)
   NOTE: 20240308: Readd squid to dsa-needed.txt
@@ -212,6 +247,9 @@ wireshark (Adrian Bunk)
   NOTE: 20240815: Added by Front-Desk (Beuc)
   NOTE: 20240815: bullseye currently lags behind lacking fixes present in both buster and bookworm (Beuc/front-desk)
 --
+wordpress (apo)
+  NOTE: 20240922: Added by Front-Desk (apo)
+--
 zabbix (tobi)
   NOTE: 20240126: Added by oldstable Security Team (jmm)
   NOTE: 20240815: sync fixes from bookworm and buster



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f1f2739dc395d104c7c81fde377eba8628474558...9d58458ad4434d682b668733fab04b20ebc78b2c
