[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-57520 resolved and harmless
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun Apr 20 20:08:16 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6730b8cc by Moritz Muehlenhoff at 2025-04-20T20:54:33+02:00
CVE-2024-57520 resolved and harmless
- - - - -
31a052fc by Moritz Muehlenhoff at 2025-04-20T21:07:46+02:00
trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2778,11 +2778,13 @@ CVE-2025-3550 (A vulnerability has been found in wowjoy \u6d59\u6c5f\u6e56\u5dde
NOT-FOR-US: wowjoy Internet Doctor Workstation System
CVE-2025-3549 (A vulnerability, which was classified as critical, was found in Open A ...)
- assimp <unfixed> (bug #1103444)
+ [trixie] - assimp <no-dsa> (Minor issue)
[bookworm] - assimp <no-dsa> (Minor issue)
[bullseye] - assimp <postponed> (Minor issue)
NOTE: https://github.com/assimp/assimp/issues/6070
CVE-2025-3548 (A vulnerability, which was classified as critical, has been found in O ...)
- assimp <unfixed> (bug #1103443)
+ [trixie] - assimp <no-dsa> (Minor issue)
[bookworm] - assimp <no-dsa> (Minor issue)
[bullseye] - assimp <postponed> (Minor issue)
NOTE: https://github.com/assimp/assimp/issues/6068
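Review bot: the new `[trixie] - assimp <no-dsa> (Minor issue)` lines for CVE-2025-3549 and CVE-2025-3548 state no trigger for re-evaluation, while unstable stays `<unfixed>` (bug #1103444 / #1103443) and the only references are the upstream issue tickets (#6070, #6068); compare CVE-2025-3160 later in this file, which records a `Fixed by:` commit, and the bullseye line for CVE-2025-3196, which says `no upstream patch`. Suggest carrying the upstream status into the trixie tag, e.g. `[trixie] - assimp <no-dsa> (Minor issue, no upstream patch)`, or a `revisit when fixed upstream` hint, so the trixie line documents why it is no-dsa rather than postponed and when it should be looked at again.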
@@ -5503,6 +5505,7 @@ CVE-2025-3197 (Versions of the package expand-object from 0.0.0 are vulnerable t
NOT-FOR-US: expand-object Nodejs module
CVE-2025-3196 (A vulnerability, which was classified as critical, was found in Open A ...)
- assimp <unfixed> (bug #1102207)
+ [trixie] - assimp <no-dsa> (Minor issue)
[bookworm] - assimp <no-dsa> (Minor issue)
[bullseye] - assimp <postponed> (Minor issue, no upstream patch)
NOTE: https://github.com/assimp/assimp/issues/6069
@@ -5651,6 +5654,7 @@ CVE-2025-3160 (A vulnerability has been found in Open Asset Import Library Assim
NOTE: Fixed by: https://github.com/assimp/assimp/commit/4b8f55cc0008af43a8a50b91f0134e2f4e80142e
CVE-2025-3159 (A vulnerability, which was classified as critical, was found in Open A ...)
- assimp <unfixed> (bug #1102205)
+ [trixie] - assimp <no-dsa> (Minor issue)
[bookworm] - assimp <no-dsa> (Minor issue)
[bullseye] - assimp <postponed> (Minor issue, OOB read)
NOTE: https://github.com/assimp/assimp/issues/6024
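Review bot: the classification that justifies "Minor issue" here is only on the bullseye line (`OOB read`); the new trixie line and the bookworm line repeat "Minor issue" without it. Since the classification is a property of the CVE rather than of one suite, move it to a NOTE (or repeat it on the trixie line) so every release tag inherits the reasoning and a later triager does not have to re-read the upstream issue to see why this is not DSA-worthy.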
@@ -25297,10 +25301,9 @@ CVE-2025-24892 (OpenProject is open-source, web-based project management softwar
CVE-2025-24200 (An authorization issue was addressed with improved state management. T ...)
NOT-FOR-US: Apple
CVE-2025-24031 (PAM-PKCS#11 is a Linux-PAM login module that allows a X.509 certificat ...)
- - pam-pkcs11 <unfixed>
- [bookworm] - pam-pkcs11 <postponed> (Reevaluate once issue fixed upstream)
- [bullseye] - pam-pkcs11 <postponed> (Reevaluate once issue fixed upstream)
+ - pam-pkcs11 <unfixed> (unimportant)
NOTE: https://github.com/OpenSC/pam_pkcs11/security/advisories/GHSA-wvr3-c9x3-9mff
+ NOTE: Negligible security impact
CVE-2025-24016 (Wazuh is a free and open source platform used for threat prevention, d ...)
NOT-FOR-US: Wazuh
CVE-2025-1193 (Improper host validation in the certificate validation component in De ...)
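Review bot: the downgrade to `(unimportant)` with `NOTE: Negligible security impact` records a conclusion but no reason, whereas the removed bookworm/bullseye lines at least had a concrete trigger ("Reevaluate once issue fixed upstream"); the only remaining reference is the GHSA-wvr3-c9x3-9mff advisory. Add one line to the NOTE naming the precondition that makes the impact negligible, so the next person does not have to re-derive the assessment from the advisory, and confirm that dropping the two per-suite postponed lines is intentional (it is consistent with `unimportant` applying to all suites, but the commit message does not mention this entry).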
@@ -25958,9 +25961,11 @@ CVE-2024-57699 (A security issue was found in Netplex Json-smart 2.5.0 through 2
CVE-2024-57598 (A floating point exception (divide-by-zero) vulnerability was discover ...)
NOT-FOR-US: Bento4
CVE-2024-57520 (Insecure Permissions vulnerability in asterisk v22 allows a remote att ...)
- - asterisk <undetermined>
+ - asterisk 1:22.3.0~dfsg+~cs6.15.60671435-1 (unimportant)
NOTE: https://gist.github.com/hyp164D1/ae76ab25acfbe263b2ed7b24b6e5c621
- TODO: check upstream awareness and position
+ NOTE: https://github.com/asterisk/asterisk/issues/1122
+ NOTE: https://github.com/asterisk/asterisk/commit/d184ae428df0740da02bf7ba7d9e7a7fcb7502fd (22.3.0-rc1)
+ NOTE: Negligible security impact
CVE-2024-57086 (A prototype pollution in the function fieldsToJson of node-opcua-alarm ...)
NOT-FOR-US: Node node-opcua-alarm-condition
CVE-2024-57085 (A prototype pollution in the function deepMerge of @stryker-mutator/ut ...)
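Review bot: the entry now pairs a fixed version (1:22.3.0~dfsg+~cs6.15.60671435-1, consistent with the upstream commit noted as 22.3.0-rc1) with `(unimportant)` and `NOTE: Negligible security impact`, but the CVE text describes an "Insecure Permissions" issue usable by a remote attacker and the removed TODO asked for upstream's position; the new NOTE links upstream issue #1122 without saying what was concluded there. Record the one-line reason the impact is negligible (what upstream said, or which precondition defuses the remote angle) next to the issue link rather than only the verdict. Also note that the version string alone implies the fix is present only from 22.3.0 onward; with `unimportant` no per-suite lines are required, but a NOTE saying so would make the "resolved and harmless" commit message self-explanatory for readers of older suites.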
@@ -52750,6 +52755,7 @@ CVE-2024-10964 (A vulnerability classified as critical has been found in emqx ne
NOT-FOR-US: emqx neuron
CVE-2024-10963 (A flaw was found in pam_access, where certain rules in its configurati ...)
- pam <unfixed> (bug #1087019)
+ [trixie] - pam <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - pam <not-affected> (The vulnerable code was introduced in 1.5.3)
[bullseye] - pam <not-affected> (The vulnerable code was introduced in 1.5.3)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2324291
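Review bot: the new `[trixie] - pam <postponed> (Minor issue, revisit when fixed upstream)` line has no checkable trigger: the only reference is the Red Hat bugzilla, and the bookworm/bullseye lines establish that the vulnerable code arrived in 1.5.3, so trixie (following unstable's `<unfixed>`, bug #1087019) is the only suite this applies to. Add an upstream linux-pam issue or commit reference, or a NOTE stating that no upstream fix is known as of this triage, so "revisit when fixed upstream" can actually be acted on.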
@@ -141636,14 +141642,16 @@ CVE-2023-50782 (A flaw was found in the python-cryptography package. This issue
NOTE: The fix relies on OpenSSL 3.2, marking the first 42.x upload to unstable as fixed,
NOTE: openssl 3.2 was uploaded to unstable shortly after
CVE-2023-50781 (A flaw was found in m2crypto. This issue may allow a remote attacker t ...)
- - m2crypto <unfixed> (bug #1059292)
- [bookworm] - m2crypto <postponed> (Minor issue, revisit when fixed upstream)
+ - m2crypto 0.40.1-3 (bug #1059292)
+ [bookworm] - m2crypto <postponed> (Minor issue, requires OpenSSL 3.2 which isn't in Bookworm)
[bullseye] - m2crypto <no-dsa> (Minor issue)
[buster] - m2crypto <no-dsa> (Minor issue; it's an incomplete fix of CVE-2020-25657)
NOTE: https://todo.sr.ht/~mcepl/m2crypto/342
NOTE: https://people.redhat.com/~hkario/marvin/
NOTE: https://github.com/openssl/openssl/pull/13817
NOTE: CVE is for incomplete fix of CVE-2020-25657
+ NOTE: openssl 3.2 landed in Debian unstable at 04 Apr 2024, marking the first upload
+ NOTE: of m2crypto following it as the fixed version (0.40.1-3)
CVE-2023-49934 (An issue was discovered in SchedMD Slurm 23.11.x. There is SQL Injecti ...)
- slurm-wlm <not-affected> (Vulnerable code introduced in 23.11 series)
- slurm-llnl <not-affected> (Vulnerable code introduced in 23.11 series)
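Review bot: the fixed version 0.40.1-3 is justified by upload order relative to openssl 3.2 in unstable (the new NOTE), not by an m2crypto code change, and the upstream ticket https://todo.sr.ht/~mcepl/m2crypto/342 is still listed with no status; the bookworm line itself says the fix "requires OpenSSL 3.2", i.e. the protection comes from the OpenSSL runtime. As with the python-cryptography entry directly above, which this NOTE mirrors, state explicitly whether m2crypto itself needs any change or whether OpenSSL 3.2 alone provides the fix, so the fixed-version marker is understood as an OpenSSL dependency rather than an m2crypto patch. Minor wording in the added NOTE: "landed in Debian unstable on 04 Apr 2024" rather than "at".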
@@ -209128,6 +209136,7 @@ CVE-2022-46304 (ChangingTec ServiSign component has insufficient filtering for s
NOT-FOR-US: ChangingTec ServiSign
CVE-2022-46295 (Multiple out-of-bounds write vulnerabilities exist in the translationV ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
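Review bot: this `[trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)` line is the first of fourteen identical additions in this commit for the openbabel batch, all sharing bug #1059277 and upstream issue #2650; the rationale is copied verbatim from the bookworm line, and buster says "no upstream patch yet". Consider recording the upstream status once, in a NOTE on one of these entries or in bug #1059277, so that when issue #2650 is resolved all fourteen trixie and bookworm lines can be updated from a single reference instead of being re-checked one by one.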
@@ -209135,6 +209144,7 @@ CVE-2022-46295 (Multiple out-of-bounds write vulnerabilities exist in the transl
NOTE: https://github.com/openbabel/openbabel/issues/2650
CVE-2022-46294 (Multiple out-of-bounds write vulnerabilities exist in the translationV ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
@@ -209142,6 +209152,7 @@ CVE-2022-46294 (Multiple out-of-bounds write vulnerabilities exist in the transl
NOTE: https://github.com/openbabel/openbabel/issues/2650
CVE-2022-46293 (Multiple out-of-bounds write vulnerabilities exist in the translationV ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
@@ -209149,6 +209160,7 @@ CVE-2022-46293 (Multiple out-of-bounds write vulnerabilities exist in the transl
NOTE: https://github.com/openbabel/openbabel/issues/2650
CVE-2022-46292 (Multiple out-of-bounds write vulnerabilities exist in the translationV ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
@@ -209156,6 +209168,7 @@ CVE-2022-46292 (Multiple out-of-bounds write vulnerabilities exist in the transl
NOTE: https://github.com/openbabel/openbabel/issues/2650
CVE-2022-46291 (Multiple out-of-bounds write vulnerabilities exist in the translationV ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
@@ -209163,6 +209176,7 @@ CVE-2022-46291 (Multiple out-of-bounds write vulnerabilities exist in the transl
NOTE: https://github.com/openbabel/openbabel/issues/2650
CVE-2022-46290 (Multiple out-of-bounds write vulnerabilities exist in the ORCA format ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
@@ -209170,6 +209184,7 @@ CVE-2022-46290 (Multiple out-of-bounds write vulnerabilities exist in the ORCA f
NOTE: https://github.com/openbabel/openbabel/issues/2650
CVE-2022-46289 (Multiple out-of-bounds write vulnerabilities exist in the ORCA format ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
@@ -209177,6 +209192,7 @@ CVE-2022-46289 (Multiple out-of-bounds write vulnerabilities exist in the ORCA f
NOTE: https://github.com/openbabel/openbabel/issues/2650
CVE-2022-46280 (A use of uninitialized pointer vulnerability exists in the PQS format ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
@@ -209220,6 +209236,7 @@ CVE-2022-44453
RESERVED
CVE-2022-44451 (A use of uninitialized pointer vulnerability exists in the MSI format ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
@@ -209233,6 +209250,7 @@ CVE-2022-43503
REJECTED
CVE-2022-43467 (An out-of-bounds write vulnerability exists in the PQS format coord_fi ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
@@ -209240,6 +209258,7 @@ CVE-2022-43467 (An out-of-bounds write vulnerability exists in the PQS format co
NOTE: https://github.com/openbabel/openbabel/issues/2650
CVE-2022-42885 (A use of uninitialized pointer vulnerability exists in the GRO format ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
@@ -209327,6 +209346,7 @@ CVE-2022-41795
RESERVED
CVE-2022-41793 (An out-of-bounds write vulnerability exists in the CSR format title fu ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
@@ -209371,6 +209391,7 @@ CVE-2022-40973
RESERVED
CVE-2022-37331 (An out-of-bounds write vulnerability exists in the Gaussian format ori ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
@@ -219628,6 +219649,7 @@ CVE-2022-3649 (A vulnerability was found in Linux Kernel. It has been classified
NOTE: https://git.kernel.org/linus/d325dc6eb763c10f591c239550b8c7e5466a5d09
CVE-2022-43607 (An out-of-bounds write vulnerability exists in the MOL2 format attribu ...)
- openbabel <unfixed> (bug #1059277)
+ [trixie] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - openbabel <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - openbabel <no-dsa> (Minor issue)
[buster] - openbabel <postponed> (Minor issue, no upstream patch yet)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b6aeea5c179f936b5b0d2442456710c89aa1b1c8...31a052fcff959d7bbe192fb98de3407329fba0f1