[Git][security-tracker-team/security-tracker][master] trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Apr 21 15:45:15 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c375e4be by Moritz Muehlenhoff at 2025-04-21T16:45:06+02:00
trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -14779,7 +14779,7 @@ CVE-2025-27519 (Cognita is a RAG (Retrieval Augmented Generation) Framework for
CVE-2025-27518 (Cognita is a RAG (Retrieval Augmented Generation) Framework for buildi ...)
NOT-FOR-US: Cognita
CVE-2025-27152 (axios is a promise based HTTP client for the browser and node.js. The ...)
- - node-axios <unfixed> (bug #1102223)
+ - node-axios 1.8.4+dfsg-1 (bug #1102223)
[bookworm] - node-axios <no-dsa> (Minor issue)
NOTE: https://github.com/axios/axios/security/advisories/GHSA-jr5f-v2jv-69x6
NOTE: Similar to: https://github.com/axios/axios/issues/6463 (CVE-2024-39338)
@@ -84380,7 +84380,7 @@ CVE-2024-39943 (rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UN
CVE-2024-39937 (supOS 5.0 allows api/image/download?fileName=../ directory traversal f ...)
NOT-FOR-US: supOS
CVE-2024-39936 (An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2. ...)
- - qt6-base <unfixed> (bug #1076292)
+ - qt6-base 6.8.2+dfsg-5 (bug #1076292)
[bookworm] - qt6-base <no-dsa> (Minor issue)
- qtbase-opensource-src 5.15.13+dfsg-3 (bug #1076293)
[bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
@@ -84391,6 +84391,7 @@ CVE-2024-39936 (An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x befor
[bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/571601
NOTE: https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=b1e75376cc3adfc7da5502a277dfe9711f3e0536
+ NOTE: https://github.com/qt/qtbase/commit/0fb43e4395da34d561814242a0186999e4956e28 (v6.8.0-beta3)
CVE-2024-39935 (jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certifi ...)
NOT-FOR-US: jc21 NGINX Proxy Manager
CVE-2024-39485 (In the Linux kernel, the following vulnerability has been resolved: m ...)
@@ -101906,6 +101907,7 @@ CVE-2024-28866 (GoCD is a continuous delivery server. GoCD versions from 19.4.0
NOT-FOR-US: GoCD
CVE-2024-28285 (A Fault Injection vulnerability in the SymmetricDecrypt function in cr ...)
- libcrypto++ <unfixed> (bug #1077684)
+ [trixie] - libcrypto++ <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libcrypto++ <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libcrypto++ <no-dsa> (Minor issue)
[buster] - libcrypto++ <postponed> (Minor issue; can be fixed in next update)
@@ -128756,7 +128758,7 @@ CVE-2024-0793 (A flaw was found in kube-controller-manager. This issue occurs wh
NOT-FOR-US: kube-controller-manager
CVE-2024-25580 (An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15. ...)
[experimental] - qt6-base 6.6.2+dfsg-1
- - qt6-base <unfixed> (bug #1064052)
+ - qt6-base 6.6.2+dfsg-8 (bug #1064052)
[bookworm] - qt6-base <no-dsa> (Minor issue)
- qtbase-opensource-src 5.15.10+dfsg-7 (bug #1064053)
[bookworm] - qtbase-opensource-src 5.15.8+dfsg-11+deb12u2
@@ -140659,6 +140661,7 @@ CVE-2023-6483 (The vulnerability exists in ADiTaaS (Allied Digital Integrated To
NOT-FOR-US: ADiTaaS (Allied Digital Integrated Tool-as-a-Service)
CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows atta ...)
- libcrypto++ <unfixed> (bug #1059312)
+ [trixie] - libcrypto++ <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libcrypto++ <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libcrypto++ <no-dsa> (Minor issue)
[buster] - libcrypto++ <no-dsa> (Minor issue)
@@ -140672,6 +140675,7 @@ CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attacke
NOTE: https://github.com/weidai11/cryptopp/commit/641ae35258de397774744b8b17ef6632c3fa48b3
CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel during ...)
- libcrypto++ <unfixed> (bug #1059310)
+ [trixie] - libcrypto++ <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libcrypto++ <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libcrypto++ <no-dsa> (Minor issue)
[buster] - libcrypto++ <no-dsa> (Minor issue)
@@ -144969,6 +144973,7 @@ CVE-2023-5620 (The Web Push Notifications WordPress plugin before 4.35.0 does no
NOT-FOR-US: WordPress plugin
CVE-2023-5616 (In Ubuntu, gnome-control-center did not properly reflect SSH remote lo ...)
- gnome-control-center <unfixed> (bug #1058624)
+ [trixie] - gnome-control-center <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - gnome-control-center <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - gnome-control-center <no-dsa> (Minor issue)
[buster] - gnome-control-center <no-dsa> (Minor issue)
@@ -160616,6 +160621,7 @@ CVE-2022-48571 (memcached 1.6.7 allows a Denial of Service via multi-packet uplo
NOTE: Fixed by: https://github.com/memcached/memcached/commit/6b319c8c7a29e9c353dec83dc92f01905f6c8966 (1.6.8)
CVE-2022-48570 (Crypto++ through 8.4 contains a timing side channel in ECDSA signature ...)
- libcrypto++ <unfixed> (bug #1059309)
+ [trixie] - libcrypto++ <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libcrypto++ <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libcrypto++ <no-dsa> (Minor issue)
[buster] - libcrypto++ <no-dsa> (Minor issue)
@@ -178811,6 +178817,7 @@ CVE-2023-1933
RESERVED
CVE-2023-1932 (A flaw was found in hibernate-validator's 'isValid' method in the org. ...)
- libhibernate-validator-java <unfixed> (bug #1063540)
+ [trixie] - libhibernate-validator-java <ignored> (Minor issue)
[bookworm] - libhibernate-validator-java <ignored> (Minor issue)
[bullseye] - libhibernate-validator-java <no-dsa> (Minor issue)
[buster] - libhibernate-validator-java <no-dsa> (Minor issue)
@@ -183021,12 +183028,13 @@ CVE-2023-28339 (OpenDoas through 6.8.2, when TIOCSTI is available, allows privil
- doas <removed>
[bullseye] - doas <no-dsa> (Minor issue)
- opendoas <unfixed> (bug #1034185)
+ [trixie] - opendoas <not-affected> (Addressed via Linux kernel change)
[bookworm] - opendoas <ignored> (Minor issue, will be addressed via kernel change which isn't in 6.1 yet)
NOTE: https://github.com/Duncaen/OpenDoas/issues/106
NOTE: https://www.openwall.com/lists/oss-security/2023/03/14/4
- NOTE: Restricting ioctl on the kernel side seems the better approach, patches have been
- NOTE: posted to kernel-hardening list, and can be mitigated with Linux 6.2, see option
- NOTE: CONFIG_LEGACY_TIOCSTI.
+ NOTE: Since Linux 6.4.4-1 (uploaded on 23 Jul 2023), TIOCSTI is disabled on the
+ NOTE: kernel side, marking opendoas upload as not-affected since no upload happened since
+ NOTE: then
CVE-2023-28338 (Any request send to a Netgear Nighthawk Wifi6 Router (RAX30)'s web ser ...)
NOT-FOR-US: Netgear
CVE-2023-28337 (When uploading a firmware image to a Netgear Nighthawk Wifi6 Router (R ...)
@@ -410246,6 +410254,7 @@ CVE-2020-10694
REJECTED
CVE-2020-10693 (A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in ...)
- libhibernate-validator-java <unfixed> (bug #988946)
+ [trixie] - libhibernate-validator-java <ignored> (Minor issue)
[bookworm] - libhibernate-validator-java <ignored> (Minor issue)
[bullseye] - libhibernate-validator-java <no-dsa> (Minor issue)
[buster] - libhibernate-validator-java <not-affected> (EL support added in 5.x)
@@ -465545,6 +465554,7 @@ CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to
[stretch] - linux 4.9.210-1
CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml validat ...)
- libhibernate-validator-java <unfixed> (bug #948235)
+ [trixie] - libhibernate-validator-java <ignored> (Minor issue)
[bookworm] - libhibernate-validator-java <ignored> (Minor issue)
[bullseye] - libhibernate-validator-java <no-dsa> (Minor issue)
[buster] - libhibernate-validator-java <not-affected> (Vulnerable code was introduced later)
@@ -520289,29 +520299,17 @@ CVE-2018-10113 (An issue was discovered in GEGL through 0.3.32. The process func
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=795248
NOTE: https://gitlab.gnome.org/GNOME/gegl/commit/c83b05d565a1e3392c9606a4ecaa560eb9a4ee29
CVE-2018-10112 (An issue was discovered in GEGL through 0.3.32. The gegl_tile_backend_ ...)
- - gegl <unfixed> (low; bug #1014710)
- [trixie] - gegl <ignored> (Minor issue, architectual limitation)
- [bookworm] - gegl <ignored> (Minor issue, architectual limitation)
- [bullseye] - gegl <ignored> (Minor issue, architectual limitation)
- [buster] - gegl <ignored> (Minor issue, architectual limitation)
- [stretch] - gegl <ignored> (Minor issue, architectual limitation)
- [jessie] - gegl <no-dsa> (Minor issue)
- [wheezy] - gegl <no-dsa> (Minor issue)
+ - gegl <unfixed> (unimportant; bug #1014710)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=795249
NOTE: https://gitlab.gnome.org/GNOME/gegl/issues/65
NOTE: https://github.com/xiaoqx/pocs/tree/master/gegl#4-gegl-outbound-write-2
+ NOTE: Architectual API limitation, negligible security impact
CVE-2018-10111 (An issue was discovered in GEGL through 0.3.32. The render_rectangle f ...)
- - gegl <unfixed> (low; bug #1014710)
- [trixie] - gegl <ignored> (Minor issue, architectual limitation)
- [bookworm] - gegl <ignored> (Minor issue, architectual limitation)
- [bullseye] - gegl <ignored> (Minor issue, architectual limitation)
- [buster] - gegl <ignored> (Minor issue, architectual limitation)
- [stretch] - gegl <ignored> (Minor issue, architectual limitation)
- [jessie] - gegl <no-dsa> (Minor issue)
- [wheezy] - gegl <no-dsa> (Minor issue)
+ - gegl <unfixed> (unimportant; bug #1014710)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=795249
NOTE: https://gitlab.gnome.org/GNOME/gegl/issues/65
NOTE: POC https://github.com/xiaoqx/pocs/tree/master/gegl#2-gegl-dos-1
+ NOTE: Architectual API limitation, negligible security impact
CVE-2018-10110 (D-Link DIR-615 T1 devices allow XSS via the Add User feature.)
NOT-FOR-US: D-Link
CVE-2018-10109 (Monstra CMS 3.0.4 has a stored XSS vulnerability when an attacker has ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c375e4be55db9d5be7818a36e7ad44cbee48beaf
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c375e4be55db9d5be7818a36e7ad44cbee48beaf
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250421/78a35f9a/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list