[Git][security-tracker-team/security-tracker][master] Revert "Mark Bullseye as not affected by CVE-2024-50305 and CVE-2024-50306"
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Jan 1 05:24:50 GMT 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c250a7db by Salvatore Bonaccorso at 2025-01-01T06:18:58+01:00
Revert "Mark Bullseye as not affected by CVE-2024-50305 and CVE-2024-50306"
This reverts commit c18e4d4c51909cd536fce66fb58090352d4a8b2c.
Temporarily revert back the triage status. That an advisory does not
list specific older versions can have many reasons and depends on
policies upstream. For instance, if upstream does not support a
specific older version anymore, they might not consider those versions
anymore in advisories. Others do not triage when an issue was introduced
and only mention supported versions.
In fact, initgroups() (for CVE-2024-50306) is also not checked in
the 8.1.y version.
This is just a temporary revert until the situation is clarified.
- - - - -
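CVE-2024-50306 is an unchecked return value in Apache Traffic Server's privilege drop, and the commit message above points at the initgroups() call being unchecked in 8.1.y as well. The C program below is added here as an illustration and is not code from Apache Traffic Server or from the security tracker: it puts the unchecked pattern beside a checked one. The `priv_ops` table, the `sim_*` stand-ins that fail with EPERM (so the difference can be exercised without root), and the `www-data`/33/33 values are constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Illustrative example, not Apache Traffic Server code. The three
 * privilege-dropping calls are reached through this table so that the
 * sequence can be exercised without root: real_ops uses libc, eperm_ops
 * (below) is a constructed stand-in whose initgroups() fails with EPERM,
 * as the real one does for a caller without CAP_SETGID. */
struct priv_ops {
    int (*setgid_fn)(gid_t gid);
    int (*initgroups_fn)(const char *user, gid_t gid);
    int (*setuid_fn)(uid_t uid);
};

static const struct priv_ops real_ops = { setgid, initgroups, setuid };

/* Vulnerable pattern: return values are discarded. If initgroups() fails,
 * the supplementary groups stay those of the privileged parent (and if
 * setuid() failed the process would stay root), yet the caller is told
 * that everything went fine and keeps serving requests. */
int drop_privs_unchecked(const struct priv_ops *ops, const char *user,
                         uid_t uid, gid_t gid)
{
    ops->setgid_fn(gid);
    ops->initgroups_fn(user, gid);
    ops->setuid_fn(uid);
    return 0;               /* always reports success */
}

/* Hardened pattern: group ids first (they need root), then the uid, every
 * return value checked, and a failure propagated so the caller can abort
 * instead of running with retained privileges. */
int drop_privs_checked(const struct priv_ops *ops, const char *user,
                       uid_t uid, gid_t gid)
{
    if (ops->setgid_fn(gid) != 0)
        return -1;
    if (ops->initgroups_fn(user, gid) != 0)
        return -1;
    if (ops->setuid_fn(uid) != 0)
        return -1;
    return 0;
}

/* Constructed failure injection so the example runs unprivileged. */
static int sim_setgid(gid_t gid) { (void)gid; return 0; }
static int sim_initgroups(const char *user, gid_t gid)
{
    (void)user; (void)gid;
    errno = EPERM;          /* what setgroups() yields without CAP_SETGID */
    return -1;
}
static int sim_setuid(uid_t uid) { (void)uid; return 0; }

static const struct priv_ops eperm_ops = { sim_setgid, sim_initgroups, sim_setuid };

int main(int argc, char **argv)
{
    /* No argument: show the difference using the injected failure.
     * "www-data", 33, 33 are example values, not taken from the page. */
    if (argc < 2) {
        int u = drop_privs_unchecked(&eperm_ops, "www-data", 33, 33);
        int c = drop_privs_checked(&eperm_ops, "www-data", 33, 33);
        int err = errno;
        printf("unchecked: returned %d, caller believes privileges were dropped\n", u);
        printf("checked:   returned %d (%s)\n", c, strerror(err));
        return 0;
    }
    /* With a user name (run as root): drop for real through libc and verify. */
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) {
        fprintf(stderr, "unknown user %s\n", argv[1]);
        return 1;
    }
    if (drop_privs_checked(&real_ops, pw->pw_name, pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid=%u euid=%u gid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(), (unsigned)getgid());
    return 0;
}
```

Run without arguments to see the injected EPERM: the unchecked variant returns 0 while the checked one returns -1. The order matters too: if setuid() ran first, a later setgid()/initgroups() would no longer be permitted, which is why the checked version drops group ids before the uid.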
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -12476,7 +12476,6 @@ CVE-2024-10146 (The Simple File List WordPress plugin before 6.1.13 does not san
NOT-FOR-US: WordPress plugin
CVE-2024-50306 (Unchecked return value can allow Apache Traffic Server to retain privi ...)
- trafficserver <unfixed> (bug #1087531)
- [bullseye] - trafficserver <not-affected> (Only affects 9.x and 10.x)
NOTE: https://www.openwall.com/lists/oss-security/2024/11/13/1
NOTE: https://github.com/apache/trafficserver/pull/11855
NOTE: Fixed by: https://github.com/apache/trafficserver/commit/27f504883547502b1f5e4e389edd7f26e3ab246f (9.2.6-rc0)
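Review bot: dropping the `[bullseye] - trafficserver <not-affected> (Only affects 9.x and 10.x)` line leaves nothing in the CVE-2024-50306 entry recording why the not-affected claim was withdrawn; the commit message's observation that initgroups() is also unchecked in 8.1.y is exactly what a later triager needs and should go into a NOTE line under this entry (e.g. `NOTE: initgroups() return value also unchecked in 8.1.y; upstream advisory only lists supported 9.x/10.x`), so that the "Only affects 9.x and 10.x" reasoning is not reintroduced from the advisory text alone.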
@@ -12491,7 +12490,6 @@ CVE-2024-38479 (Improper Input Validation vulnerability in Apache Traffic Server
NOTE: https://github.com/apache/trafficserver/commit/b8861231702ac5df7d5de401e82440c1cf20b633 (9.2.6-rc0)
CVE-2024-50305 (Valid Host header field can cause Apache Traffic Server to crash on so ...)
- trafficserver <unfixed> (bug #1087531)
- [bullseye] - trafficserver <not-affected> (Only affects 9.x and 10.x)
NOTE: https://www.openwall.com/lists/oss-security/2024/11/13/1
NOTE: https://github.com/apache/trafficserver/issues/8461
NOTE: https://github.com/apache/trafficserver/commit/5e39658f7c0bc91613468c9513ba22ede1739d7e (9.2.6-rc0)
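Review bot: for CVE-2024-50305 the bullseye marker is removed on the same reasoning, but the commit message only gives concrete evidence (the unchecked initgroups()) for CVE-2024-50306, so this entry is left as unfixed for bullseye with no stated check of the 8.1.y code at all; the linked issue #8461 and the fixing commit 5e39658f7c0bc91613468c9513ba22ede1739d7e (9.2.6-rc0) are the references to compare against the 8.1.y Host header handling, and a NOTE saying that 8.1.y has not yet been checked would document the "temporary" status the commit message describes until that comparison is done.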
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c250a7dba72fd75392f441a27df918cf389d2817