[Git][security-tracker-team/security-tracker][master] 15 commits: CVE-2024-53990,async-http-client: bullseye is postponed
Markus Koschany (@apo)
apo at debian.org
Mon Jan 6 09:31:17 GMT 2025
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a9739d23 by Markus Koschany at 2025-01-06T10:30:53+01:00
CVE-2024-53990,async-http-client: bullseye is postponed
Minor issue
- - - - -
701531fc by Markus Koschany at 2025-01-06T10:30:54+01:00
CVE-2024-54662,dante: bullseye is postponed
Minor issue
- - - - -
03c95901 by Markus Koschany at 2025-01-06T10:30:54+01:00
Add fort-validator to dla-needed.txt
I believe we should fix this right away and not postpone it. Patches are
available.
- - - - -
19c96601 by Markus Koschany at 2025-01-06T10:30:56+01:00
CVE-2024-52792,ldap-account-manager: bullseye is ignored
This issue stems from manipulated configuration files which should only be
editable by administrators. Part of the solution is to move from a text format
to JSON.
- - - - -
2e6d71e2 by Markus Koschany at 2025-01-06T10:30:56+01:00
Add asterisk to dla-needed.txt
- - - - -
a3199fe3 by Markus Koschany at 2025-01-06T10:30:56+01:00
Claim sympa in dla-needed.txt
- - - - -
5739e2ec by Markus Koschany at 2025-01-06T10:30:56+01:00
Add shadow to dla-needed.txt with notes.
- - - - -
35be2fde by Markus Koschany at 2025-01-06T10:30:56+01:00
Add percona-toolkit to dla-needed.txt
- - - - -
fb95ea09 by Markus Koschany at 2025-01-06T10:30:56+01:00
Claim openjpeg2 in dla-needed.txt
- - - - -
05fa9d82 by Markus Koschany at 2025-01-06T10:30:56+01:00
Add jinja2 to dla-needed.txt
- - - - -
e1624e10 by Markus Koschany at 2025-01-06T10:30:56+01:00
Add grub2 to dla-needed.txt
- - - - -
cf2c9c09 by Markus Koschany at 2025-01-06T10:30:58+01:00
CVE-2024-47855,libjson-java: bullseye is postponed
Minor issue
- - - - -
4006fa01 by Markus Koschany at 2025-01-06T10:30:58+01:00
Add rails to dla-needed.txt
- - - - -
a319a859 by Markus Koschany at 2025-01-06T10:30:58+01:00
Add libtheora to dla-needed.txt
- - - - -
68c85eda by Markus Koschany at 2025-01-06T10:30:59+01:00
CVE-2024-53432,pcl: bullseye is postponed
Minor issue
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3828,6 +3828,7 @@ CVE-2024-53688 (Improper neutralization of special elements used in an OS comman
CVE-2024-52792 (LDAP Account Manager (LAM) is a php webfrontend for managing entries ( ...)
- ldap-account-manager <unfixed> (bug #1090934)
[bookworm] - ldap-account-manager <ignored> (Minor issue)
+ [bullseye] - ldap-account-manager <ignored> (Minor issue)
NOTE: https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6cp9-j5r7-xhcc
NOTE: Only affects mis-configurations and fix involved moving the config file format from text to JSON
CVE-2024-51175 (An issue in H3C switch h3c-S1526 allows a remote attacker to obtain se ...)
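Review bot: the new `[bullseye]` line reuses the generic "(Minor issue)" rationale, while the existing NOTE on this entry already records the concrete reason (only reachable through manipulated configuration files, and the fix moved the config format from text to JSON). Consider carrying that reason into the parenthesis, e.g. `[bullseye] - ldap-account-manager <ignored> (Minor issue; requires manipulated config file)`, so the ignored status is self-explaining when read from the tracker without the NOTE.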
@@ -3947,6 +3948,7 @@ CVE-2024-54677 (Uncontrolled Resource Consumption vulnerability in the examples
CVE-2024-54662 (Dante 1.4.0 through 1.4.3 (fixed in 1.4.4) has incorrect access contro ...)
- dante <unfixed> (bug #1090930)
[bookworm] - dante <no-dsa> (Minor issue)
+ [bullseye] - dante <postponed> (Minor issue)
NOTE: https://www.inet.no/dante/advisory-2024-12-16.txt
CVE-2024-52542 (Dell AppSync, version 4.6.0.x, contain a Symbolic Link (Symlink) Follo ...)
NOT-FOR-US: Dell
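Review bot: the description on this entry states the issue is fixed in Dante 1.4.4, but the only NOTE is the advisory URL; unlike the libjson-java entry further down, there is no "Fixed by:" reference. Since bullseye is now `<postponed>` rather than `<ignored>`, whoever picks it up later will need the upstream fix, so adding a `NOTE: Fixed by: <upstream commit or release URL>` alongside the advisory link would save that lookup. The bookworm/bullseye split (`<no-dsa>` vs `<postponed>`) is consistent with the commit message.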
@@ -8388,6 +8390,7 @@ CVE-2024-53992 (unzip-bot is a Telegram bot to extract various types of archives
CVE-2024-53990 (The AsyncHttpClient (AHC) library allows Java applications to easily e ...)
- async-http-client <unfixed> (bug #1089228)
[bookworm] - async-http-client <no-dsa> (Minor issue)
+ [bullseye] - async-http-client <postponed> (Minor issue)
NOTE: https://github.com/AsyncHttpClient/async-http-client/security/advisories/GHSA-mfj5-cf8g-g2fv
NOTE: https://github.com/AsyncHttpClient/async-http-client/issues/1964
NOTE: https://github.com/AsyncHttpClient/async-http-client/pull/2033
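Review bot: three upstream links are listed (advisory, issue, pull request) without saying which one carries the fix. If pull/2033 is the fix, prefixing that line with "Fixed by:" as the libjson-java entry in this same commit does would make the postponed entry actionable for the eventual bullseye update.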
@@ -10887,6 +10890,7 @@ CVE-2024-7016 (Improper Neutralization of Input During Web Page Generation (XSS
CVE-2024-53432 (While parsing certain malformed PLY files, PCL version 1.14.1 crashes ...)
- pcl <unfixed> (bug #1088186)
[bookworm] - pcl <no-dsa> (Minor issue)
+ [bullseye] - pcl <postponed> (Minor issue)
NOTE: https://github.com/PointCloudLibrary/pcl/issues/6162
NOTE: https://github.com/PointCloudLibrary/pcl/pull/6179
CVE-2024-53429 (Open62541 v1.4.6 is has an assertion failure in fuzz_binary_decode, wh ...)
@@ -26382,6 +26386,7 @@ CVE-2024-6442 (In ascs_cp_rsp_add in /subsys/bluetooth/audio/ascs.c, an unchecke
NOT-FOR-US: Zephyr, different from src:zephyr
CVE-2024-47855 (util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalance ...)
- libjson-java 3.1.0+dfsg-1 (bug #1084191)
+ [bullseye] - libjson-java <postponed> (Minor issue)
NOTE: Fixed by: https://github.com/kordamp/json-lib/commit/a0c4a0eae277130e22979cf307c95dec4005a78e (v3.1.0)
CVE-2024-47854 (An XSS vulnerability was discovered in Veritas Data Insight before 7.1 ...)
NOT-FOR-US: Veritas Data Insight
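Review bot: this entry gains a `[bullseye]` line but has no `[bookworm]` annotation, whereas every other entry touched in this commit records bookworm as `<no-dsa>` or `<ignored>` next to the new bullseye status. The unstable line shows the issue fixed in 3.1.0+dfsg-1, so either bookworm is unaffected and that is worth a NOTE, or a `[bookworm] - libjson-java <no-dsa> (Minor issue)` line is missing; please confirm which.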
=====================================
data/dla-needed.txt
=====================================
@@ -34,6 +34,9 @@ ansible (lee)
NOTE: 20241120: Waiting for release by Lee testsuite is ok
NOTE: 20241123: Made a partial release. only CVE-2024-11079 needed but more upstream backport work needed
--
+asterisk
+ NOTE: 20250105: Added by Front-Desk (apo)
+--
busybox (tobi)
NOTE: 20241204: Added by Front-Desk (santiago)
NOTE: 20241204: Added to address the CVEs from 2021, after a request from a sponsor
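Review bot: the new asterisk entry records only who added it; the surrounding entries (busybox directly below, shadow later in this patch) also name the CVEs or the reason for adding. A second NOTE naming the CVE id(s) that motivated the addition would let the person who claims it start from the right tracker entries.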
@@ -95,6 +98,9 @@ flatpak (Adrian Bunk)
NOTE: 20240815: Follow fixes from DSA-5749-1 (CVE-2024-42472) (Beuc/front-desk)
NOTE: 20241002: See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082927 (Beuc/front-desk)
--
+fort-validator
+ NOTE: 20250105: Added by Front-Desk (apo)
+--
freeimage
NOTE: 20240922: Added by Front-Desk (apo)
NOTE: 20240922: Many postponed CVE.
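Review bot: the commit message for this hunk says the issue should be fixed right away and that patches are available, but none of that made it into the dla-needed.txt entry, which only says "Added by Front-Desk (apo)". Please add it as a second NOTE (e.g. `NOTE: 20250105: Should not be postponed, upstream patches available (apo)`), since dla-needed.txt, not the git log, is what contributors read when picking work.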
@@ -106,16 +112,26 @@ glewlwyd (Thorsten Alteholz)
NOTE: 20240815: pu scheduled https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007884
NOTE: 20241230: testing package
--
+grub2
+ NOTE: 20250105: Added by Front-Desk (apo)
+ NOTE: 20250105: high-profile package but not enough details yet. (apo)
+--
gst-plugins-good1.0 (Adrian Bunk)
NOTE: 20241213: Added by Front-Desk (lamby)
NOTE: 20241213: See also gst-plugins-base1.0 (lamby)
--
-jetty9
+jetty9 (Markus Koschany)
NOTE: 20241110: Added by Front-Desk (apo)
--
+jinja2
+ NOTE: 20250105: Added by Front-Desk (apo)
+--
knot-resolver
NOTE: 20240924: Added by Front-Desk (lamby)
--
+libtheora
+ NOTE: 20250105: Added by Front-Desk (apo)
+--
linux (Ben Hutchings)
NOTE: 20230111: Perma-added, Linux package specifically delegated to bwh (LTS Team)
--
@@ -131,6 +147,12 @@ openafs (Abhijith PA)
NOTE: 20241207: Added by Front-Desk (santiago)
NOTE: 20250102: Looking at CVE-2024-10394
--
+openjpeg2 (Markus Koschany)
+ NOTE: 20250105: Added by Front-Desk (apo)
+--
+percona-toolkit
+ NOTE: 20250105: Added by Front-Desk (apo)
+--
python-aiohttp
NOTE: 20240523: Added by oldstable Security Team (jmm)
NOTE: 20240815: A bookworm DSA is planned (Beuc/front-desk)
@@ -148,6 +170,9 @@ qemu (santiago)
NOTE: 20241119: Bookworm PU in progress https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1086572
NOTE: 20241227: WIP
--
+rails
+ NOTE: 20250105: Added by Front-Desk (apo)
+--
ruby-sinatra
NOTE: 20241110: Added by Front-Desk (apo)
NOTE: 20241122: Was awaiting approved upstream fix; still working on package. (lamby)
@@ -159,6 +184,11 @@ ruby2.7 (rouca)
NOTE: 20241208: 6 CVEs in REXML that should all be fixed, Ruby and XML knowledge required. (bunk)
NOTE: 20250105: Fixed CVE-2024-35176, CVE-2024-41946, CVE-2024-49761, CVE-2024-43398 waiting upstream for more information for remaining (rouca)
--
+shadow
+ NOTE: 20250105: Added by Front-Desk (apo)
+ NOTE: 20250105: shadow is a high-profile package. Upstream discussion for CVE-2024-56433 is
+ NOTE: 20250105: ongoing. I'm adding it to dla-needed.txt to keep it on our radar.
+--
sogo
NOTE: 20240922: Added by Front-Desk (apo)
NOTE: 20240922: See also postponed issues.
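Review bot: the shadow entry splits one sentence across two NOTE lines that each carry the `20250105:` prefix ("... CVE-2024-56433 is" / "ongoing. I'm adding it ..."), so the second line reads as an independent note that begins mid-sentence. Keeping each sentence on a single NOTE line, or ending the first line at a sentence boundary, would match how the other entries in this file are written.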
@@ -178,6 +208,9 @@ symfony
NOTE: 20241201: Contacted David Prévot for guidance regarding tests. (dleidert)
NOTE: 20241201: During build, packages built by symfony are already installed and can lead to build/test failures. (dleidert)
--
+sympa (Markus Koschany)
+ NOTE: 20250105: Added by Front-Desk (apo)
+--
tcpdf (Adrian Bunk)
NOTE: 20241205: Added by Front-Desk (santiago)
NOTE: 20241230: https://lists.debian.org/debian-lts/2024/12/msg00057.html (bunk)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dc30aa5fa1a8c6d92258d3ea633e1af2597744fd...68c85eda5a053d9343984f28c1a25660768f42c1