[Git][security-tracker-team/security-tracker][master] trixie triage

Mon Apr 21 22:23:28 BST 2025


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d34b25c6 by Moritz Muehlenhoff at 2025-04-21T22:36:12+02:00
trixie triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -70860,6 +70860,7 @@ CVE-2024-6688 (The Oxygen Builder plugin for WordPress is vulnerable to unauthor
 	NOT-FOR-US: WordPress plugin
 CVE-2024-45321 (The App::cpanminus package through 1.7047 for Perl downloads code via  ...)
 	- cpanminus <unfixed> (bug #1081559)
+	[trixie] - cpanminus <postponed> (Minor issue, revisit when fixed upstream)
 	[bookworm] - cpanminus <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - cpanminus <postponed> (Minor issue)
 	NOTE: https://security.metacpan.org/2024/08/26/cpanminus-downloads-code-using-insecure-http.html
@@ -71489,6 +71490,7 @@ CVE-2024-42845 (An eval Injection vulnerability in the component invesalius/read
 	[bookworm] - invesalius <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - invesalius <postponed> (Minor issue)
 	NOTE: https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845
+	NOTE: https://github.com/invesalius/invesalius3/commit/020cd6056c30105a870cfea99939282b6ec5640b
 CVE-2024-42766 (Kashipara Bus Ticket Reservation System v1.0 0 is vulnerable to Incorr ...)
 	NOT-FOR-US: Kashipara Bus Ticket Reservation System
 CVE-2024-42765 (A SQL injection vulnerability in "/login.php" of the Kashipara Bus Tic ...)
@@ -123358,16 +123360,14 @@ CVE-2023-49986 (A cross-site scripting (XSS) vulnerability in the component /adm
 CVE-2023-47415 (Cypress Solutions CTM-200 v2.7.1.5600 and below was discovered to cont ...)
 	NOT-FOR-US: Cypress Solutions CTM-200
 CVE-2024-2236 (A timing-based side-channel flaw was found in libgcrypt's RSA implemen ...)
-	- libgcrypt20 <unfixed> (bug #1065683)
-	[bookworm] - libgcrypt20 <postponed> (Minor issue, revisit when fixed upstream)
-	[bullseye] - libgcrypt20 <no-dsa> (Minor issue)
-	[buster] - libgcrypt20 <postponed> (Minor issue; side-channel timing attack)
+	- libgcrypt20 <unfixed> (unimportant; bug #1065683)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2268268
 	NOTE: https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html
 	NOTE: https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt
 	NOTE: https://people.redhat.com/~hkario/marvin/
 	NOTE: https://dev.gnupg.org/T7136
 	NOTE: https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/17
+	NOTE: Not in scope for libgcrypt security policy, work ongoing to add support in the protocol layer
 CVE-2024-1299 (A privilege escalation vulnerability was discovered in GitLab affectin ...)
 	- gitlab 16.8.4-1
 CVE-2024-0199 (An authorization bypass vulnerability was discovered in GitLab affecti ...)
@@ -309957,6 +309957,7 @@ CVE-2021-37819 (PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite
 	[bullseye] - libitext-java <no-dsa> (Minor issue)
 	[buster] - libitext-java <no-dsa> (Minor issue)
 	- libitext1-java <unfixed> (bug #1059319)
+	[trixie] - libitext1-java <ignored> (Minor issue)
 	[bookworm] - libitext1-java <ignored> (Minor issue)
 	[bullseye] - libitext1-java <no-dsa> (Minor issue)
 	[buster] - libitext1-java <no-dsa> (Minor issue)
@@ -319633,6 +319634,7 @@ CVE-2021-33814
 CVE-2021-33813 (An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to c ...)
 	{DLA-2712-1 DLA-2696-1}
 	- libjdom2-intellij-java <unfixed> (bug #990673)
+	[trixie] - libjdom2-intellij-java <ignored> (Minor issue)
 	[bookworm] - libjdom2-intellij-java <ignored> (Minor issue)
 	[bullseye] - libjdom2-intellij-java <no-dsa> (Minor issue)
 	[buster] - libjdom2-intellij-java <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d34b25c6e5602bc0597be3a557279ba41405f9ac

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d34b25c6e5602bc0597be3a557279ba41405f9ac
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250421/42aeeb28/attachment.htm>
