[Git][security-tracker-team/security-tracker][master] trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Apr 21 16:46:15 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0520556c by Moritz Muehlenhoff at 2025-04-21T17:46:06+02:00
trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3265,6 +3265,8 @@ CVE-2025-32754 (In jenkins/ssh-agent Docker images 6.11.1 and earlier, SSH host
NOT-FOR-US: Jenkins (core or plugin)
CVE-2025-32743 (In ConnMan through 1.44, the lookup string in ns_resolv in dnsproxy.c ...)
- connman <unfixed> (bug #1103530)
+ [trixie] - connman <no-dsa> (Minor issue)
+ [bookworm] - connman <no-dsa> (Minor issue)
NOTE: https://lapis-sawfish-be3.notion.site/0-click-Vulnerability-in-Comman-1-43_v3-1cadc00d01d080b0b3b9c46a6da584cc
CVE-2025-32687 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
NOT-FOR-US: WordPress plugin
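Review bot: The reason "(Minor issue)" on the two added connman lines for CVE-2025-32743 is terse next to the NOTE URL directly below them, whose title reads "0-click-Vulnerability-in-Comman". Suggest extending the parenthetical with why the issue is judged minor for trixie and bookworm, so the classification can be checked without opening the external page.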
@@ -5091,6 +5093,8 @@ CVE-2025-32369 (Kentico Xperience before 13.0.181 allows authenticated users to
NOT-FOR-US: Kentico Xperience
CVE-2025-32366 (In ConnMan through 1.44, parse_rr in dnsproxy.c has a memcpy length th ...)
- connman <unfixed> (bug #1102193)
+ [trixie] - connman <no-dsa> (Minor issue)
+ [bookworm] - connman <no-dsa> (Minor issue)
CVE-2025-32365 (Poppler before 25.04.0 allows crafted input files to trigger out-of-bo ...)
- poppler 25.03.0-3 (bug #1102191)
[bookworm] - poppler <no-dsa> (Minor issue; can be fixed in point release)
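Review bot: The CVE-2025-32366 entry receives the same two <no-dsa> lines but, unlike CVE-2025-32743 in the previous hunk, has no NOTE line with an upstream reference; only bug #1102193 is recorded. Consider adding a NOTE that points to the upstream report for the parse_rr memcpy length problem, so the entry can be re-evaluated while the package stays <unfixed>.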
@@ -12790,11 +12794,13 @@ CVE-2025-2339 (A vulnerability was found in otale Tale Blog 2.0.5. It has been c
NOT-FOR-US: Tale Blog
CVE-2025-2338 (A vulnerability, which was classified as critical, was found in tbeu m ...)
- libmatio <unfixed> (bug #1100992)
+ [trixie] - libmatio <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libmatio <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libmatio <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/tbeu/matio/issues/269
CVE-2025-2337 (A vulnerability, which was classified as critical, has been found in t ...)
- libmatio <unfixed> (bug #1100992)
+ [trixie] - libmatio <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - libmatio <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libmatio <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://github.com/tbeu/matio/issues/267
@@ -40368,12 +40374,14 @@ CVE-2024-48943
NOTE: https://github.com/NICMx/FORT-validator/commit/4ee88d1c3fa7df763dd52312134cd93c1ce50870 (1.6.4)
CVE-2024-56170 (A validation integrity issue was discovered in Fort through 1.6.4 befo ...)
- fort-validator <unfixed> (bug #1090916)
- [bookworm] - fort-validator <no-dsa> (Minor issue)
+ [trixie] - fort-validator <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - fort-validator <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - fort-validator <postponed> (Minor issue, wait until it's fixed upstream)
NOTE: https://github.com/NICMx/FORT-validator/issues/82
CVE-2024-56169 (A validation integrity issue was discovered in Fort through 1.6.4 befo ...)
- fort-validator <unfixed> (bug #1090916)
- [bookworm] - fort-validator <no-dsa> (Minor issue)
+ [trixie] - fort-validator <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - fort-validator <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - fort-validator <postponed> (Minor issue, wait until it's fixed upstream)
NOTE: https://github.com/NICMx/FORT-validator/issues/82
CVE-2024-56142 (pghoard is a PostgreSQL backup daemon and restore tooling that stores ...)
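Review bot: The added trixie and bookworm lines for CVE-2024-56170 and CVE-2024-56169 say "revisit when fixed upstream", while the unchanged bullseye line right below each says "wait until it's fixed upstream". One wording across suites would keep the entries consistent and easier to search; since the bookworm lines are rewritten here anyway, the bullseye lines could be aligned in the same commit.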
@@ -61904,6 +61912,7 @@ CVE-2024-46304 (A NULL pointer dereference in libcoap v4.3.5-rc2 and below allow
[bullseye] - libcoap2 <postponed> (Minor issue; can be fixed in next update)
- libcoap <removed>
NOTE: https://github.com/obgm/libcoap/issues/1509
+ NOTE: Fixed in 4.3.5 (but exact fixing commits unknown)
CVE-2024-46292 (A buffer overflow in modsecurity v3.0.12 allows attackers to cause a D ...)
NOTE: Bogus report on modsecurity
NOTE: https://modsecurity.org/20241011/about-cve-2024-46292-2024-october/
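Review bot: The added NOTE for CVE-2024-46304 states "Fixed in 4.3.5" without saying how that was established, and the only reference in the entry is upstream issue 1509. Suggest naming the source of the version claim on the same line (release notes or the issue thread), so the note can later be replaced by a "Fixed by:" commit reference once the fixing commits are identified.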
@@ -110064,7 +110073,7 @@ CVE-2024-31031 (An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to ca
- libcoap3 <unfixed> (bug #1070362)
[bookworm] - libcoap3 <ignored> (Minor issue, no reverse deps in Bookworm)
NOTE: https://github.com/obgm/libcoap/issues/1351
- NOTE: https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928 (develop)
+ NOTE: https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928 (v4.3.5-rc1)
NOTE: Introduced by: https://github.com/obgm/libcoap/commit/7033555d2978b8d4d5e16d43cfbfe1b1781c418f (v4.3.0-rc1)
NOTE: Introduced by: https://github.com/obgm/libcoap/commit/47a83549a80dad9a83f84cdfaba54c54defb5444 (v4.3.2-rc1)
CVE-2024-30990 (SQL Injection vulnerability in the "Invoices" page in phpgurukul Clien ...)
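Review bot: The changed NOTE for CVE-2024-31031 still has no "Fixed by:" prefix, while the two lines after it use "Introduced by:" and the CVE-2024-0962 entry in this commit uses "Fixed by:" for its commit. Since the line is being touched to replace (develop) with (v4.3.5-rc1), prefix it with "Fixed by:" so the role of the linked commit is explicit.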
@@ -132793,7 +132802,7 @@ CVE-2024-0962 (A vulnerability was found in obgm libcoap 4.3.4. It has been rate
NOTE: https://github.com/obgm/libcoap/issues/1310#issue-2099860835
NOTE: https://github.com/obgm/libcoap/pull/1311
NOTE: Introduced by: https://github.com/obgm/libcoap/commit/dac6bd3b603fc8a37fe80f8a459d82c79feebad0 (v4.3.2-rc1)
- NOTE: Fixed by: https://github.com/obgm/libcoap/commit/2b28d8b0e9607e71a145345b4fe49517e052b7d9
+ NOTE: Fixed by: https://github.com/obgm/libcoap/commit/2b28d8b0e9607e71a145345b4fe49517e052b7d9 (v4.3.5-rc1)
CVE-2024-0960 (A vulnerability was found in flink-extended ai-flow 0.3.1. It has been ...)
NOT-FOR-US: flink-extended ai-flow
CVE-2024-0959 (A vulnerability was found in StanfordVL GibsonEnv 0.3.1. It has been c ...)
@@ -136132,6 +136141,7 @@ CVE-2023-51748 (ScaleFusion 10.5.2 does not properly limit users to the Edge app
NOT-FOR-US: ScaleFusion
CVE-2023-50671 (In exiftags 1.01, nikon_prop1 in nikon.c has a heap-based buffer overf ...)
- exiftags <unfixed> (bug #1060753)
+ [trixie] - exiftags <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - exiftags <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - exiftags <no-dsa> (Minor issue)
[buster] - exiftags <no-dsa> (Minor issue)
@@ -148140,7 +148150,8 @@ CVE-2023-47004 (Buffer Overflow vulnerability in Redis RedisGraph v.2.x through
NOT-FOR-US: RedisGraph
CVE-2023-46998 (Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through ...)
- libjs-bootbox <unfixed> (bug #1055612)
- [bookworm] - libjs-bootbox <no-dsa> (Minor issue)
+ [trixie] - libjs-bootbox <postponed> (Minor issue, revisit when fixed upstream)
+ [bookworm] - libjs-bootbox <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - libjs-bootbox <no-dsa> (Minor issue)
[buster] - libjs-bootbox <postponed> (Minor issue, reflected XSS)
NOTE: https://github.com/bootboxjs/bootbox/issues/661
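Review bot: The bookworm line for CVE-2023-46998 changes from <no-dsa> to <postponed>, here and in the fort-validator entries, which is more than the "trixie triage" subject announces. Mention the bookworm reclassification in the commit message so the status change can be found from the log.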
@@ -299727,19 +299738,13 @@ CVE-2021-41739 (A OS Command Injection vulnerability was discovered in Artica Pr
CVE-2021-41738 (ZeroShell 3.9.5 has a command injection vulnerability in /cgi-bin/kerb ...)
NOT-FOR-US: ZeroShell
CVE-2021-41737 (In Faust 2.23.1, an input file with the lines "// r visualisation tCst ...)
- - faust <unfixed> (bug #1014783)
- [bookworm] - faust <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - faust <no-dsa> (Minor issue)
- [buster] - faust <no-dsa> (Minor issue)
- [stretch] - faust <postponed> (Minor issue, no patch/acknowledgment yet)
+ - faust <unfixed> (unimportant; bug #1014783)
NOTE: https://github.com/grame-cncm/faust/issues/653
+ NOTE: Negligible security impact
CVE-2021-41736 (Faust v2.35.0 was discovered to contain a heap-buffer overflow in the ...)
- - faust <unfixed> (bug #1014783)
- [bookworm] - faust <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - faust <no-dsa> (Minor issue)
- [buster] - faust <no-dsa> (Minor issue)
- [stretch] - faust <postponed> (Minor issue, no patch/acknowledgment yet)
+ - faust <unfixed> (unimportant; bug #1014783)
NOTE: https://github.com/grame-cncm/faust/issues/653
+ NOTE: Negligible security impact
CVE-2021-41735
RESERVED
CVE-2021-41734
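Review bot: The new "Negligible security impact" NOTE on CVE-2021-41737 and CVE-2021-41736 gives no reason, although the CVE-2021-41736 description mentions a heap-buffer overflow and the per-suite lines are dropped in favour of "unimportant". Suggest adding the rationale to the NOTE, the way the libjgroups-java entry in this commit does with "only used as a build dependency".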
@@ -323640,12 +323645,9 @@ CVE-2021-32296
CVE-2021-32295
RESERVED
CVE-2021-32294 (An issue was discovered in libgig through 20200507. A heap-buffer-over ...)
- - libgig <unfixed> (bug #1014777)
- [bookworm] - libgig <ignored> (Minor issue)
- [bullseye] - libgig <ignored> (Minor issue)
- [buster] - libgig <ignored> (Minor issue)
- [stretch] - libgig <postponed> (Minor issue, revisit when/if fixed upstream)
+ - libgig <unfixed> (unimportant; bug #1014777)
NOTE: https://github.com/drbye78/libgig/issues/1
+ NOTE: Negligible security impact
CVE-2021-32293
RESERVED
CVE-2021-32292 (An issue was discovered in json-c from 20200420 (post 0.14 unreleased ...)
@@ -464288,6 +464290,7 @@ CVE-2019-10736
RESERVED
CVE-2019-10735 (In Claws Mail 3.14.1, an attacker in possession of S/MIME or PGP encry ...)
- claws-mail <unfixed> (low; bug #926705)
+ [trixie] - claws-mail <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - claws-mail <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - claws-mail <no-dsa> (Minor issue)
[buster] - claws-mail <postponed> (Revisit when fixed upstream)
@@ -624299,13 +624302,8 @@ CVE-2016-2143 (The fork implementation in the Linux kernel before 4.5 on s390 pl
CVE-2016-2142 (Red Hat OpenShift Enterprise 3.1 uses world-readable permissions on th ...)
NOT-FOR-US: OpenShift
CVE-2016-2141 (It was found that JGroups did not require necessary headers for encryp ...)
- - libjgroups-java <unfixed> (low; bug #867493)
- [bookworm] - libjgroups-java <ignored> (Minor issue, only used as build dep)
- [bullseye] - libjgroups-java <ignored> (Minor issue, only used as build dep)
- [buster] - libjgroups-java <ignored> (Minor issue, only used as build dep)
- [stretch] - libjgroups-java <ignored> (Minor issue, only used as build dep)
- [jessie] - libjgroups-java <no-dsa> (Minor issue)
- [wheezy] - libjgroups-java <no-dsa> (Minor issue, only used as build dependency)
+ - libjgroups-java <unfixed> (unimportant; bug #867493)
+ NOTE: Negligible security impact, only used as a build dependency
CVE-2016-2140 (The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) ...)
- nova 2:13.0.0-1
[jessie] - nova <no-dsa> (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0520556c9f8dcb9d19fc1d5e7d8059170400987f