[Git][security-tracker-team/security-tracker][master] trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sun Apr 20 23:49:42 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fa5c9d27 by Moritz Muehlenhoff at 2025-04-21T00:48:30+02:00
trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -4841,6 +4841,7 @@ CVE-2024-43046 (There may be information disclosure during memory re-allocation
NOT-FOR-US: Qualcomm
CVE-2024-38797 (EDK2 contains a vulnerability in the HashPeImageByType(). A user may c ...)
- edk2 <unfixed> (bug #1102519)
+ [trixie] - edk2 <no-dsa> (Minor issue)
[bookworm] - edk2 <no-dsa> (Minor issue)
NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-4wjw-6xmf-44xf
CVE-2024-33058 (Memory corruption while assigning memory from the source DDR memory(HL ...)
@@ -63093,6 +63094,7 @@ CVE-2024-47854 (An XSS vulnerability was discovered in Veritas Data Insight befo
NOT-FOR-US: Veritas Data Insight
CVE-2024-47850 (CUPS cups-browsed before 2.5b1 will send an HTTP POST request to an ar ...)
- cups-filters <unfixed> (bug #1088992)
+ [trixie] - cups-filters <ignored> (Mitigated with fixes around CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176)
[bookworm] - cups-filters <ignored> (Mitigated with fixes around CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176)
[bullseye] - cups-filters <ignored> (Mitigated with fixes around CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176)
NOTE: https://www.akamai.com/blog/security-research/october-cups-ddos-threat
@@ -64620,6 +64622,7 @@ CVE-2023-46175 (IBM Cloud Pak for Multicloud Management 2.3 through 2.3 FP8 stor
NOT-FOR-US: IBM
CVE-2024-47177 (CUPS is a standards-based, open-source printing system, and cups-filte ...)
- cups-filters <unfixed> (bug #1082822)
+ [trixie] - cups-filters <ignored> (Mitigated with fixes around CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176)
[bookworm] - cups-filters <ignored> (Mitigated with fixes around CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176)
[bullseye] - cups-filters <ignored> (Mitigated with fixes around CVE-2024-47076, CVE-2024-47175 and CVE-2024-47176)
NOTE: https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47
@@ -68317,11 +68320,13 @@ CVE-2024-8601 (This vulnerability exists in TechExcel Back Office Software versi
NOT-FOR-US: TechExcel Back Office Software
CVE-2024-8373 (Improper sanitization of the value of the [srcset] attribute in <sourc ...)
- angular.js <unfixed> (bug #1088805)
+ [trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - angular.js <postponed> (Minor issue)
NOTE: https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b
CVE-2024-8372 (Improper sanitization of the value of the '[srcset]' attribute in Angu ...)
- angular.js <unfixed> (bug #1088804)
+ [trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - angular.js <postponed> (Minor issue)
NOTE: https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017
@@ -130120,6 +130125,7 @@ CVE-2024-21624 (nonebot2 is a cross-platform Python asynchronous chatbot framewo
NOT-FOR-US: nonebot2
CVE-2024-21490 (This affects versions of the package angular from 1.3.0. A regular exp ...)
- angular.js <unfixed> (bug #1088803)
+ [trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - angular.js <no-dsa> (Minor issue)
[buster] - angular.js <postponed> (Fix along with the next DLA)
@@ -144814,6 +144820,7 @@ CVE-2023-46349 (In the module "Product Catalog (CSV, Excel) Export/Update" (upda
NOT-FOR-US: PrestaShop module
CVE-2023-42366 (A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_ ...)
- busybox <unfixed> (bug #1059053)
+ [trixie] - busybox <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - busybox <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - busybox <postponed> (Minor issue)
[buster] - busybox <postponed> (Minor issue)
@@ -189427,18 +189434,21 @@ CVE-2023-26119 (Versions of the package net.sourceforge.htmlunit:htmlunit from 0
NOT-FOR-US: net.sourceforge.htmlunit:htmlunit
CVE-2023-26118 (Versions of the package angular from 1.4.9 are vulnerable to Regular E ...)
- angular.js <unfixed> (bug #1036694)
+ [trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - angular.js <no-dsa> (Minor issue)
[buster] - angular.js <no-dsa> (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046
CVE-2023-26117 (Versions of the package angular from 1.0.0 are vulnerable to Regular E ...)
- angular.js <unfixed> (bug #1036694)
+ [trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - angular.js <no-dsa> (Minor issue)
[buster] - angular.js <no-dsa> (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045
CVE-2023-26116 (Versions of the package angular from 1.2.21 are vulnerable to Regular ...)
- angular.js <unfixed> (bug #1036694)
+ [trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - angular.js <no-dsa> (Minor issue)
[buster] - angular.js <no-dsa> (Minor issue)
@@ -269770,6 +269780,7 @@ CVE-2022-25871 (All versions of package querymen are vulnerable to Prototype Pol
NOT-FOR-US: Node querymen
CVE-2022-25869 (All versions of package angular are vulnerable to Cross-site Scripting ...)
- angular.js <unfixed> (bug #1036694)
+ [trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - angular.js <no-dsa> (Minor issue)
[buster] - angular.js <no-dsa> (Minor issue)
@@ -269829,6 +269840,7 @@ CVE-2022-25845 (The package com.alibaba:fastjson before 1.2.83 are vulnerable to
NOT-FOR-US: com.alibaba:fastjson
CVE-2022-25844 (The package angular after 1.7.0 are vulnerable to Regular Expression D ...)
- angular.js <unfixed> (bug #1014779)
+ [trixie] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - angular.js <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - angular.js <no-dsa> (Minor issue)
[buster] - angular.js <no-dsa> (Minor issue, probably even not-affected)
@@ -498801,13 +498813,9 @@ CVE-2018-18065 (_set_key in agent/helpers/table_container.c in Net-SNMP before 5
NOTE: https://dumpco.re/blog/net-snmp-5.7.3-remote-dos
NOTE: https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d/
CVE-2018-18064 (cairo through 1.15.14 has an out-of-bounds stack-memory write during p ...)
- - cairo <unfixed> (low; bug #916083)
- [bookworm] - cairo <ignored> (Minor issue)
- [bullseye] - cairo <ignored> (Minor issue)
- [buster] - cairo <ignored> (Minor issue)
- [stretch] - cairo <no-dsa> (Minor issue)
- [jessie] - cairo <no-dsa> (Minor issue)
+ - cairo <unfixed> (unimportant; bug #916083)
NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/341
+ NOTE: Negligible security impact
CVE-2018-18063
RESERVED
CVE-2018-18062 (An issue was discovered in dialog.php in tecrail Responsive FileManage ...)
@@ -622541,7 +622549,7 @@ CVE-2016-2569 (Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly ap
NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch
NOTE: Upstream confirmed it does not affect squid 2.7.x
CVE-2016-2568 (pkexec, when used with --user nonpriv, allows local users to escape to ...)
- - policykit-1 <unfixed> (low; bug #816062; bug #812512)
+ - policykit-1 123-1 (low; bug #816062; bug #812512)
[bookworm] - policykit-1 <ignored> (Minor issue)
[bullseye] - policykit-1 <ignored> (Minor issue)
[buster] - policykit-1 <ignored> (Minor issue)
@@ -622550,6 +622558,9 @@ CVE-2016-2568 (pkexec, when used with --user nonpriv, allows local users to esca
[wheezy] - policykit-1 <ignored> (Minor issue)
NOTE: Restricting ioctl on the kernel side seems the better approach
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1300746
+ NOTE: Since Linux 6.4.4-1 (uploaded on 23 Jul 2023), TIOCSTI is disabled on the
+ NOTE: kernel side, marking the first polkit upload after that date (123-1) as the
+ NOTE: fixed version
CVE-2016-2558 (The Escape interface in the Kernel Mode Driver layer in the NVIDIA GPU ...)
NOT-FOR-US: NVIDIA Windows drivers
CVE-2016-2557 (The Escape interface in the Kernel Mode Driver layer in the NVIDIA GPU ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa5c9d2791aa060384e2de76356f277193a40259
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa5c9d2791aa060384e2de76356f277193a40259
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250420/10b8cc0e/attachment.htm>
More information about the debian-security-tracker-commits
mailing list