[Git][security-tracker-team/security-tracker][master] 2 commits: Merge changes for updates with CVEs via bookworm 12.9
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Jan 11 09:40:44 GMT 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
09a44675 by Salvatore Bonaccorso at 2025-01-10T21:21:31+01:00
Merge changes for updates with CVEs via bookworm 12.9
- - - - -
4700e960 by Salvatore Bonaccorso at 2025-01-11T09:40:39+00:00
Merge branch 'bookworm-12.9' into 'master'
Merge changes accepted for bookworm 12.9 release
See merge request security-tracker-team/security-tracker!199
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -7965,7 +7965,7 @@ CVE-2024-47543 (GStreamer is a library for constructing graphs of media-handling
CVE-2024-47542 (GStreamer is a library for constructing graphs of media-handling compo ...)
{DLA-3999-1}
- gst-plugins-base1.0 1.24.10-1
- [bookworm] - gst-plugins-base1.0 <no-dsa> (Minor issue)
+ [bookworm] - gst-plugins-base1.0 1.22.0-3+deb12u4
- gst-plugins-base0.10 <removed>
NOTE: https://securitylab.github.com/advisories/GHSL-2024-235_Gstreamer/
NOTE: https://gstreamer.freedesktop.org/security/sa-2024-0008.html
@@ -12818,7 +12818,7 @@ CVE-2024-52814 (Argo Helm is a collection of community maintained charts for `ar
CVE-2024-52804 (Tornado is a Python web framework and asynchronous networking library. ...)
{DLA-4007-1}
- python-tornado 6.4.2-1 (bug #1088112)
- [bookworm] - python-tornado <no-dsa> (will be fixed via point release)
+ [bookworm] - python-tornado 6.2.0-3+deb12u1
NOTE: https://github.com/tornadoweb/tornado/security/advisories/GHSA-8w49-h785-mj3c
NOTE: Fixed by: https://github.com/tornadoweb/tornado/commit/d5ba4a1695fbf7c6a3e54313262639b198291533 (v6.4.2)
CVE-2024-52802 (RIOT is an operating system for internet of things (IoT) devices. In v ...)
@@ -14703,13 +14703,13 @@ CVE-2024-5030 (The CM Table Of Contents WordPress plugin before 1.2.3 does not
CVE-2024-52947 (A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.2 ...)
{DLA-3979-1}
- lemonldap-ng 2.20.1+ds-1
- [bookworm] - lemonldap-ng <no-dsa> (Minor issue, will be fixed via spu)
+ [bookworm] - lemonldap-ng 2.16.1+ds-deb12u4
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3257
NOTE: Fixed by: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/600ba2c0b3d4bb0a4dd2eb9d8b612edcca8805dc (v2.20.1)
CVE-2024-52946 (An issue was discovered in LemonLDAP::NG before 2.20.1. An Improper Ch ...)
{DLA-3979-1}
- lemonldap-ng 2.20.1+ds-1
- [bookworm] - lemonldap-ng <no-dsa> (Minor issue, will be fixed via spu)
+ [bookworm] - lemonldap-ng 2.16.1+ds-deb12u4
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3255
NOTE: Fixed by: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/63a045e4a4ad579559cfe04e644b0cefe2f1137b (v2.20.1)
NOTE: Fixed by: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/065b71ba4e97d7f8dbfe61900e9d4d587109f11b (v2.20.1)
@@ -15805,7 +15805,7 @@ CVE-2024-23919 (Improper buffer restrictions in some Intel(R) Graphics software
CVE-2024-23918 (Improper conditions check in some Intel(R) Xeon(R) processor memory co ...)
{DLA-4002-1}
- intel-microcode 3.20241112.1 (bug #1087532)
- [bookworm] - intel-microcode <no-dsa> (Minor issue)
+ [bookworm] - intel-microcode 3.20241112.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01079.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112
CVE-2024-23312 (Uncontrolled search path for some Intel(R) Binary Configuration Tool s ...)
@@ -15826,7 +15826,7 @@ CVE-2024-22185 (Time-of-check Time-of-use Race Condition in some Intel(R) proces
CVE-2024-21853 (Improper finite state machines (FSMs) in the hardware logic in some 4t ...)
{DLA-4002-1}
- intel-microcode 3.20241112.1 (bug #1087532)
- [bookworm] - intel-microcode <no-dsa> (Minor issue)
+ [bookworm] - intel-microcode 3.20241112.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01101.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112
CVE-2024-21850 (Sensitive information in resource not removed before reuse in some Int ...)
@@ -15834,7 +15834,7 @@ CVE-2024-21850 (Sensitive information in resource not removed before reuse in so
CVE-2024-21820 (Incorrect default permissions in some Intel(R) Xeon(R) processor memor ...)
{DLA-4002-1}
- intel-microcode 3.20241112.1 (bug #1087532)
- [bookworm] - intel-microcode <no-dsa> (Minor issue)
+ [bookworm] - intel-microcode 3.20241112.1~deb12u1
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01079.html
NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112
CVE-2024-21808 (Improper buffer restrictions in some Intel(R) VPL software before vers ...)
@@ -16134,7 +16134,7 @@ CVE-2024-11168 (The urllib.parse.urlsplit() and urlparse() functions improperly
{DLA-3980-1}
- python3.12 <not-affected> (Fixed with first upload to Debian unstable)
- python3.11 3.11.4-1
- [bookworm] - python3.11 <no-dsa> (Minor issue)
+ [bookworm] - python3.11 3.11.2-6+deb12u5
- python3.9 <removed>
NOTE: https://github.com/python/cpython/issues/103848
NOTE: https://github.com/python/cpython/pull/103849
@@ -16817,7 +16817,7 @@ CVE-2023-32736 (A vulnerability has been identified in SIMATIC S7-PLCSIM V16 (Al
CVE-2024-49369 (Icinga is a monitoring system which checks the availability of network ...)
{DLA-3953-1}
- icinga2 2.14.3-1 (bug #1087384)
- [bookworm] - icinga2 <no-dsa> (Will be fixed via point release; Only affects deployments with access to Icinga API via client certificates)
+ [bookworm] - icinga2 2.13.6-2+deb12u2
NOTE: https://github.com/Icinga/icinga2/security/advisories/GHSA-j7wq-r9mg-9wpv
NOTE: https://icinga.com/blog/2024/11/12/critical-icinga-2-security-releases-2-14-3/
NOTE: Fixed by: https://github.com/Icinga/icinga2/commit/2febc5e18ae0c93d989e64ebc2a9fd90e7205ad8 (v2.14.3)
@@ -16849,7 +16849,7 @@ CVE-2024-8881 (A post-authentication command injection vulnerability in the CGI
CVE-2024-52533 (gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one erro ...)
{DLA-3962-1}
- glib2.0 2.82.1-1 (bug #1087419)
- [bookworm] - glib2.0 <no-dsa> (Minor issue)
+ [bookworm] - glib2.0 2.74.6-2+deb12u5
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/3461
NOTE: https://gitlab.gnome.org/GNOME/glib/-/commit/25833cefda24c60af913d6f2d532b5afd608b821 (main)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/commit/ec0b708b981af77fef8e4bbb603cde4de4cd2e29 (2.82.1)
@@ -16858,7 +16858,7 @@ CVE-2024-52532 (GNOME libsoup before 3.6.1 has an infinite loop, and memory cons
- libsoup3 3.6.0-4 (bug #1087416)
[bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 2.74.3-8.1 (bug #1089238)
- [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
+ [bookworm] - libsoup2.4 2.74.3-1+deb12u1
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/391
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/410
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/6adc0e3eb74c257ed4e2a23eb4b2774fdb0d67be (master)
@@ -16869,7 +16869,7 @@ CVE-2024-52531 (GNOME libsoup before 3.6.1 allows a buffer overflow in applicati
- libsoup3 3.6.0-4 (bug #1087417)
[bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 2.74.3-8.1 (bug #1089240)
- [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
+ [bookworm] - libsoup2.4 2.74.3-1+deb12u1
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/commit/3c54033634ae537b52582900a7ba432c52ae8174
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283
@@ -16878,7 +16878,7 @@ CVE-2024-52530 (GNOME libsoup before 3.6.0 allows HTTP request smuggling in some
- libsoup3 3.5.2-1
[bookworm] - libsoup3 <no-dsa> (Minor issue)
- libsoup2.4 2.74.3-8.1 (bug #1088812)
- [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
+ [bookworm] - libsoup2.4 2.74.3-1+deb12u1
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b (3.5.2)
CVE-2024-52288 (libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised D ...)
@@ -17117,7 +17117,7 @@ CVE-2024-49393 (In neomutt and mutt, the To and Cc email headers are not validat
NOTE: Protected headers introduced in mutt 1.12
CVE-2024-11079 (A flaw was found in Ansible-Core. This vulnerability allows attackers ...)
- ansible-core 2.18.0-2 (bug #1088106)
- [bookworm] - ansible-core <no-dsa> (Minor issue)
+ [bookworm] - ansible-core 2.14.18-0+deb12u1
- ansible 5.4.0-1
NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325171
@@ -17933,7 +17933,7 @@ CVE-2024-48010 (Dell PowerProtect DD, versions prior to 8.1.0.0, 7.13.1.10, 7.10
CVE-2024-47072 (XStream is a simple library to serialize objects to XML and back again ...)
{DLA-4001-1}
- libxstream-java 1.4.21-1 (bug #1087274)
- [bookworm] - libxstream-java <no-dsa> (Minor issue)
+ [bookworm] - libxstream-java 1.4.20-1+deb12u1
NOTE: https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
NOTE: https://x-stream.github.io/CVE-2024-47072.html
NOTE: Fixed by: https://github.com/x-stream/xstream/commit/fdd9f7d3de0d7ccf2f9979bcd09fbf3e6a0c881a (XSTREAM_1_4_21)
@@ -18505,7 +18505,7 @@ CVE-2024-10027 (The WP Booking Calendar WordPress plugin before 10.6.3 does not
CVE-2024-9902 (A flaw was found in Ansible. The ansible-core `user` module can allow ...)
{DLA-3963-1}
- ansible-core 2.18.0-1 (bug #1086883)
- [bookworm] - ansible-core <no-dsa> (Minor issue)
+ [bookworm] - ansible-core 2.14.18-0+deb12u1
- ansible 5.4.0-1
NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2318271
@@ -21703,7 +21703,7 @@ CVE-2024-8036 (ABB is aware of privately reported vulnerabilities in the product
CVE-2024-49767 (Werkzeug is a Web Server Gateway Interface web application library. Ap ...)
[experimental] - python-werkzeug 3.1.3-1
- python-werkzeug 3.1.3-2 (bug #1086062)
- [bookworm] - python-werkzeug <no-dsa> (Minor issue; can be fixed via point release)
+ [bookworm] - python-werkzeug 2.2.2-3+deb12u1
[bullseye] - python-werkzeug <not-affected> (Vulnerable code introduced later)
- quart 0.19.9-1 (bug #1086063)
[bookworm] - quart <no-dsa> (Minor issue)
@@ -22184,7 +22184,7 @@ CVE-2023-50355 (HCL Sametime is impacted by the error messages containing sensit
NOT-FOR-US: HCL
CVE-2024-0126 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...)
- nvidia-graphics-drivers 535.216.01-1 (bug #1085968)
- [bookworm] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bookworm] - nvidia-graphics-drivers 535.216.01-1~deb12u1
[bullseye] - nvidia-graphics-drivers <ignored> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1085969)
- nvidia-graphics-drivers-legacy-390xx <unfixed> (bug #1085970)
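Review bot: the `+` line records a fixed bookworm version `535.216.01-1~deb12u1`, so the `Non-free not supported` rationale on the removed `-` line no longer holds for bookworm, while the unchanged context line directly below still reads `[bullseye] - nvidia-graphics-drivers <ignored> (Non-free not supported)`; the two entries now give opposite outcomes for the same stated reason, so either revisit the bullseye status in a follow-up or note why it stays ignored.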
@@ -22202,7 +22202,7 @@ CVE-2024-0126 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner
- nvidia-graphics-drivers-tesla 525.147.05-6 (bug #1085975)
NOTE: 525.147.05-6 turned the package into a metapackage to aid switching to nvidia-graphics-drivers
- nvidia-open-gpu-kernel-modules 535.216.01-1 (bug #1085976)
- [bookworm] - nvidia-open-gpu-kernel-modules <no-dsa> (Contrib not supported)
+ [bookworm] - nvidia-open-gpu-kernel-modules 535.216.01-1~deb12u1
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5586
CVE-2024-48936 (SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in ...)
- slurm-wlm 24.05.4-1 (bug #1086003)
@@ -22535,11 +22535,11 @@ CVE-2024-9287 (A vulnerability has been found in the CPython `venv` module and C
- python3.13 3.13.1-1
- python3.12 3.12.8-1
- python3.11 <removed>
- [bookworm] - python3.11 <no-dsa> (Minor issue)
+ [bookworm] - python3.11 3.11.2-6+deb12u5
- python3.9 <removed>
- python2.7 <not-affected> (Vulnerable code not present)
- pypy3 7.3.17+dfsg-3 (bug #1089117)
- [bookworm] - pypy3 <no-dsa> (Minor issue)
+ [bookworm] - pypy3 7.3.11+dfsg-2+deb12u3
NOTE: https://mail.python.org/archives/list/security-announce@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
NOTE: https://github.com/python/cpython/issues/124651
NOTE: https://github.com/python/cpython/pull/124712
@@ -27817,7 +27817,7 @@ CVE-2024-33049 (Transient DOS while parsing noninheritance IE of Extension eleme
NOT-FOR-US: Qualcomm
CVE-2024-31449 (Redis is an open source, in-memory database that persists on disk. An ...)
- redis 5:7.0.15-2 (bug #1084805)
- [bookworm] - redis <no-dsa> (Minor issue)
+ [bookworm] - redis 5:7.0.15-1~deb12u2
[bullseye] - redis <ignored> (lua-bitop-dev is used instead)
- redict 7.3.1+ds-1
- valkey 8.0.1+dfsg1-1
@@ -27830,7 +27830,7 @@ CVE-2024-31449 (Redis is an open source, in-memory database that persists on dis
CVE-2024-31228 (Redis is an open source, in-memory database that persists on disk. Aut ...)
{DLA-3973-1}
- redis 5:7.0.15-2 (bug #1084805)
- [bookworm] - redis <no-dsa> (Minor issue)
+ [bookworm] - redis 5:7.0.15-1~deb12u2
- redict 7.3.1+ds-1
- valkey 8.0.1+dfsg1-1
NOTE: https://github.com/redis/redis/security/advisories/GHSA-66gq-c942-6976
@@ -27840,7 +27840,7 @@ CVE-2024-31228 (Redis is an open source, in-memory database that persists on dis
NOTE: https://github.com/valkey-io/valkey/commit/4fbab5740bfef66918d6c2950dd2b3b4e07815a2 (8.0.1)
CVE-2024-31227 (Redis is an open source, in-memory database that persists on disk. An ...)
- redis 5:7.0.15-2 (bug #1084805)
- [bookworm] - redis <no-dsa> (Minor issue)
+ [bookworm] - redis 5:7.0.15-1~deb12u2
[bullseye] - redis <not-affected> (Vulnerable code not present)
- redict 7.3.1+ds-1
- valkey 8.0.1+dfsg1-1
@@ -32164,7 +32164,7 @@ CVE-2024-8797 (The WP Booking System \u2013 Booking Calendar plugin for WordPres
CVE-2024-8775 (A flaw was found in Ansible, where sensitive information stored in Ans ...)
{DLA-3963-1}
- ansible-core 2.17.5-5 (bug #1082851)
- [bookworm] - ansible-core <no-dsa> (Minor issue)
+ [bookworm] - ansible-core 2.14.18-0+deb12u1
- ansible 5.4.0-1
NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2312119
@@ -33910,7 +33910,7 @@ CVE-2024-44838 (RapidCMS v1.3.1 was discovered to contain a SQL injection vulner
CVE-2024-8443 (A heap-based buffer overflow vulnerability was found in the libopensc ...)
{DLA-4004-1}
- opensc 0.25.1-2.1 (bug #1082853)
- [bookworm] - opensc <no-dsa> (Minor issue)
+ [bookworm] - opensc 0.23.0-0.3+deb12u2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2310494
NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2024-8443
NOTE: Fixed by https://github.com/OpenSC/OpenSC/commit/02e847458369c08421fd2d5e9a16a5f272c2de9e (0.26.0-rc1)
@@ -35014,38 +35014,38 @@ CVE-2024-37136 (Dell Path to PowerProtect, versions 1.1, 1.2, contains an Exposu
CVE-2024-45620 (A vulnerability was found in the pkcs15-init tool in OpenSC. An attack ...)
{DLA-4004-1}
- opensc 0.25.1-2.1 (bug #1082864)
- [bookworm] - opensc <no-dsa> (Minor issue)
+ [bookworm] - opensc 0.23.0-0.3+deb12u2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309289
NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2024-45620
CVE-2024-45619 (A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, min ...)
{DLA-4004-1}
- opensc 0.25.1-2.1 (bug #1082863)
- [bookworm] - opensc <no-dsa> (Minor issue)
+ [bookworm] - opensc 0.23.0-0.3+deb12u2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309288
NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2024-45619
CVE-2024-45618 (A vulnerability was found in pkcs15-init in OpenSC. An attacker could ...)
{DLA-4004-1}
- opensc 0.25.1-2.1 (bug #1082862)
- [bookworm] - opensc <no-dsa> (Minor issue)
+ [bookworm] - opensc 0.23.0-0.3+deb12u2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309287
NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2024-45618
CVE-2024-45617 (A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, min ...)
{DLA-4004-1}
- opensc 0.25.1-2.1 (bug #1082861)
- [bookworm] - opensc <no-dsa> (Minor issue)
+ [bookworm] - opensc 0.23.0-0.3+deb12u2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309286
NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2024-45617
CVE-2024-45616 (A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, min ...)
{DLA-4004-1}
- opensc 0.25.1-2.1 (bug #1082860)
- [bookworm] - opensc <no-dsa> (Minor issue)
+ [bookworm] - opensc 0.23.0-0.3+deb12u2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309290
NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2024-45616
NOTE: https://github.com/OpenSC/OpenSC/security/advisories/GHSA-h5f7-rjr5-vx54
CVE-2024-45615 (A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, min ...)
{DLA-4004-1}
- opensc 0.25.1-2.1 (bug #1082859)
- [bookworm] - opensc <no-dsa> (Minor issue)
+ [bookworm] - opensc 0.23.0-0.3+deb12u2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309285
NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2024-45615
NOTE: https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
@@ -38039,7 +38039,7 @@ CVE-2024-7592 (There is a LOW severity vulnerability affecting CPython, specific
- python3.13 3.13.0~rc2-1
- python3.12 3.12.6-1
- python3.11 <removed>
- [bookworm] - python3.11 <postponed> (Minor issue, wait until merged into 3.11 branch)
+ [bookworm] - python3.11 3.11.2-6+deb12u5
- python3.9 <removed>
NOTE: https://github.com/python/cpython/pull/123075
NOTE: https://github.com/python/cpython/issues/123067
@@ -41758,7 +41758,7 @@ CVE-2024-7537 (oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-24-1077/
CVE-2024-7006 (A null pointer dereference flaw was found in Libtiff via `tif_dirinfo. ...)
- tiff 4.5.1+git230720-5 (bug #1078648)
- [bookworm] - tiff <no-dsa> (Minor issue)
+ [bookworm] - tiff 4.5.0-6+deb12u2
[bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/559
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/624
@@ -41986,7 +41986,7 @@ CVE-2024-6331 (stitionai/devika main branch as of commit cdfb782b0e634b773b10963
NOT-FOR-US: stitionai/devika
CVE-2024-7409 (A flaw was found in the QEMU NBD Server. This vulnerability allows a d ...)
- qemu 1:9.0.2+ds-3
- [bookworm] - qemu <no-dsa> (Minor issue)
+ [bookworm] - qemu 1:7.2+dfsg-7+deb12u8
[bullseye] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2302487
NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/c8a76dbd90c2f48df89b75bef74917f90a59b623 (v9.1.0-rc2)
@@ -42330,7 +42330,7 @@ CVE-2024-6923 (There is a MEDIUM severity vulnerability affecting CPython. The
- python3.13 3.13.0~rc2-1
- python3.12 3.12.5-1
- python3.11 <removed>
- [bookworm] - python3.11 <postponed> (Minor issue, wait until merged into 3.11 branch)
+ [bookworm] - python3.11 3.11.2-6+deb12u5
- python3.9 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
@@ -46814,7 +46814,7 @@ CVE-2024-6540 (Improper filtering of fields when using the export function in th
CVE-2024-6345 (A vulnerability in the package_index module of pypa/setuptools version ...)
{DLA-3876-1}
- setuptools 70.3.0-2
- [bookworm] - setuptools <no-dsa> (Minor issue)
+ [bookworm] - setuptools 66.1.1-1+deb12u1
NOTE: https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
NOTE: Fixed by merge: https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0 (v70.0.0)
CVE-2024-6289 (The WPS Hide Login WordPress plugin before 1.9.16.4 does not prevent r ...)
@@ -54025,7 +54025,7 @@ CVE-2024-37891 (urllib3 is a user-friendly HTTP client library for Python. When
{DLA-3998-1}
[experimental] - python-urllib3 2.2.3-1
- python-urllib3 2.2.3-3 (bug #1074149)
- [bookworm] - python-urllib3 <no-dsa> (Minor issue)
+ [bookworm] - python-urllib3 1.26.12-1+deb12u1
NOTE: https://github.com/urllib3/urllib3/security/advisories/GHSA-34jh-p97f-mpxf
NOTE: https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e (2.2.2)
CVE-2024-37890 (ws is an open source WebSocket client and server for Node.js. A reques ...)
@@ -68855,7 +68855,7 @@ CVE-2024-34078 (html-sanitizer is an allowlist-based HTML cleaner. If using `kee
NOTE: https://github.com/matthiask/html-sanitizer/commit/48db42fc5143d0140c32d929c46b802f96913550 (2.4.2)
CVE-2024-34069 (Werkzeug is a comprehensive WSGI web application library. The debugger ...)
- python-werkzeug 3.0.3-1 (bug #1070711)
- [bookworm] - python-werkzeug <no-dsa> (Minor issue)
+ [bookworm] - python-werkzeug 2.2.2-3+deb12u1
[bullseye] - python-werkzeug <postponed> (Minor issue)
[buster] - python-werkzeug <postponed> (Minor issue)
NOTE: https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985
@@ -68864,7 +68864,7 @@ CVE-2024-34069 (Werkzeug is a comprehensive WSGI web application library. The de
CVE-2024-34064 (Jinja is an extensible templating engine. The `xmlattr` filter in affe ...)
{DLA-3988-1}
- jinja2 3.1.3-1.1 (bug #1070712)
- [bookworm] - jinja2 <no-dsa> (Minor issue)
+ [bookworm] - jinja2 3.1.2-1+deb12u1
[buster] - jinja2 <postponed> (Minor issue)
NOTE: https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj
NOTE: Fixed by: https://github.com/pallets/jinja/commit/d655030770081e2dfe46f90e27620472a502289d (3.1.4)
@@ -72368,7 +72368,7 @@ CVE-2023-52647 (In the Linux kernel, the following vulnerability has been resolv
CVE-2024-4340 (Passing a heavily nested list to sqlparse.parse() leads to a Denial of ...)
{DLA-4000-1}
- sqlparse 0.5.0-1 (bug #1070148)
- [bookworm] - sqlparse <no-dsa> (Minor issue)
+ [bookworm] - sqlparse 0.4.2-1+deb12u1
[buster] - sqlparse <postponed> (Minor issue)
NOTE: Fixed by: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03 (0.5.0)
NOTE: https://github.com/advisories/GHSA-2m57-hf25-phgg
@@ -76585,7 +76585,7 @@ CVE-2024-1183 (An SSRF (Server-Side Request Forgery) vulnerability exists in the
CVE-2024-1135 (Gunicorn fails to properly validate Transfer-Encoding headers, leading ...)
{DLA-3996-1 DLA-3851-1}
- gunicorn 22.0.0-1 (bug #1069126)
- [bookworm] - gunicorn <no-dsa> (Minor issue)
+ [bookworm] - gunicorn 20.1.0-6+deb12u1
[buster] - gunicorn <postponed> (Minor issue)
NOTE: https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1
NOTE: https://github.com/benoitc/gunicorn/commit/ac29c9b0a758d21f1e0fb3b3457239e523fa9f1d
@@ -86589,7 +86589,7 @@ CVE-2024-28752 (A SSRF vulnerability using the Aegis DataBinding in versions of
NOT-FOR-US: Apache CXF
CVE-2024-23944 (Information disclosure in persistent watchers handling in Apache ZooKe ...)
- zookeeper 3.9.2-1 (bug #1066947)
- [bookworm] - zookeeper <no-dsa> (Minor issue)
+ [bookworm] - zookeeper 3.8.0-11+deb12u2
[bullseye] - zookeeper <ignored> (Minor issue; hard to backport)
NOTE: https://www.openwall.com/lists/oss-security/2024/03/14/2
NOTE: https://issues.apache.org/jira/browse/ZOOKEEPER-4799
@@ -93040,7 +93040,7 @@ CVE-2024-25274 (An arbitrary file upload vulnerability in the component /sysFile
CVE-2024-25262 (texlive-bin commit c515e was discovered to contain heap buffer overflo ...)
{DLA-3941-1}
- texlive-bin 2023.20230311.66589-9 (bug #1064517)
- [bookworm] - texlive-bin <no-dsa> (Minor issue)
+ [bookworm] - texlive-bin 2022.20220321.62855-5.1+deb12u2
[buster] - texlive-bin <no-dsa> (Minor issue)
NOTE: https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/ChangeLog?revision=69605&view=co
NOTE: https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912
@@ -93557,7 +93557,7 @@ CVE-2024-1633 (During the secure boot, bl2 (the second stage of the bootloader)
CVE-2024-1597 (pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if u ...)
{DLA-3995-1 DLA-3812-1}
- libpgjava 42.7.2-1
- [bookworm] - libpgjava <no-dsa> (Minor issue)
+ [bookworm] - libpgjava 42.5.5-0+deb12u1
NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
NOTE: https://github.com/pgjdbc/pgjdbc/commit/93b0fcb2711d9c1e3a2a03134369738a02a58b40 (REL42.7.2)
NOTE: https://github.com/pgjdbc/pgjdbc/commit/06abfb78a627277a580d4df825f210e96a4e14ee (REL42.7.2)
@@ -94806,7 +94806,7 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4
{DSA-5633-1 DSA-5626-1 DSA-5621-1 DSA-5620-1 DLA-3974-1 DLA-3859-1 DLA-3816-1 DLA-3736-1}
- bind9 1:9.19.21-1
- dnsmasq 2.90-1
- [bookworm] - dnsmasq <no-dsa> (Update proposed for next point release)
+ [bookworm] - dnsmasq 2.90-4~deb12u1
- knot-resolver 5.7.1-1
[bullseye] - knot-resolver <ignored> (Too intrusive to backport, if DNSSEC is used Bookworm can be used)
[buster] - knot-resolver <ignored> (Too intrusive to backport)
@@ -94855,7 +94855,7 @@ CVE-2023-50868 (The Closest Encloser Proof aspect of the DNS protocol (in RFC 51
{DSA-5633-1 DSA-5626-1 DSA-5621-1 DSA-5620-1 DLA-3974-1 DLA-3859-1 DLA-3816-1 DLA-3736-1}
- bind9 1:9.19.21-1
- dnsmasq 2.90-1
- [bookworm] - dnsmasq <no-dsa> (Update proposed for next point release)
+ [bookworm] - dnsmasq 2.90-4~deb12u1
- knot-resolver 5.7.1-1
[bullseye] - knot-resolver <ignored> (Too intrusive to backport, if DNSSEC is used Bookworm can be used)
[buster] - knot-resolver <ignored> (Too intrusive to backport, if DNSSEC is used Bookworm can be used)
@@ -95111,7 +95111,7 @@ CVE-2024-1459 (A path traversal vulnerability was found in Undertow. This issue
CVE-2024-1454 (The use-after-free vulnerability was found in the AuthentIC driver in ...)
{DLA-4004-1}
- opensc 0.25.0~rc1-1
- [bookworm] - opensc <no-dsa> (Minor issue)
+ [bookworm] - opensc 0.23.0-0.3+deb12u2
[buster] - opensc <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2263929
NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2024-1454
@@ -97447,7 +97447,7 @@ CVE-2024-1062 (A heap overflow flaw was found in 389-ds-base. This issue leads t
CVE-2023-5992 (A vulnerability was found in OpenSC where PKCS#1 encryption padding re ...)
{DLA-4004-1}
- opensc 0.25.0~rc1-1 (bug #1064189)
- [bookworm] - opensc <no-dsa> (Minor issue)
+ [bookworm] - opensc 0.23.0-0.3+deb12u2
[buster] - opensc <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2248685
NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2023-5992
@@ -97969,7 +97969,7 @@ CVE-2023-6470
CVE-2023-52389 (UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer overflow a ...)
[experimental] - poco 1.13.0-1
- poco 1.13.0-6
- [bookworm] - poco <no-dsa> (Minor issue)
+ [bookworm] - poco 1.11.0-3+deb12u1
[bullseye] - poco <no-dsa> (Minor issue)
[buster] - poco <no-dsa> (Minor issue)
NOTE: https://pocoproject.org/blog/?p=1226
@@ -98401,7 +98401,7 @@ CVE-2023-5675 (A flaw was found in Quarkus. When a Quarkus RestEasy Classic or R
CVE-2023-52356 (A segment fault (SEGV) flaw was found in libtiff that could be trigger ...)
{DLA-3758-1}
- tiff 4.5.1+git230720-4 (bug #1061524)
- [bookworm] - tiff <no-dsa> (Minor issue)
+ [bookworm] - tiff 4.5.0-6+deb12u2
[bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/622
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/546
@@ -100991,7 +100991,7 @@ CVE-2023-6040 (An out-of-bounds access vulnerability involving netfilter was rep
NOTE: https://git.kernel.org/linus/f1082dd31fe461d482d69da2a8eccfeb7bf07ac2 (5.18-rc1)
CVE-2023-52339 (In libebml before 1.4.5, an integer overflow in MemIOCallback.cpp can ...)
- libebml 1.4.5-1
- [bookworm] - libebml <no-dsa> (Minor issue)
+ [bookworm] - libebml 1.4.4-1+deb12u1
[bullseye] - libebml <no-dsa> (Minor issue)
[buster] - libebml <no-dsa> (Minor issue)
NOTE: https://github.com/Matroska-Org/libebml/issues/147
@@ -101256,7 +101256,7 @@ CVE-2022-4958 (A vulnerability classified as problematic has been found in qkmc-
CVE-2024-22195 (Jinja is an extensible templating engine. Special placeholders in the ...)
{DLA-3988-1 DLA-3715-1}
- jinja2 3.1.3-1 (bug #1060748)
- [bookworm] - jinja2 <no-dsa> (Minor issue)
+ [bookworm] - jinja2 3.1.2-1+deb12u1
NOTE: https://github.com/pallets/jinja/security/advisories/GHSA-h5c8-rqwp-cp95
NOTE: Fixed by: https://github.com/pallets/jinja/commit/7dd3680e6eea0d77fde024763657aa4d884ddb23 (3.1.3)
CVE-2024-22194 (cdo-local-uuid project provides a specialized UUID-generating function ...)
@@ -110259,7 +110259,7 @@ CVE-2023-6251 (Cross-site Request Forgery (CSRF) in Checkmk < 2.2.0p15, < 2.1.0p
CVE-2023-49298 (OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios i ...)
{DLA-3766-1}
- zfs-linux 2.1.14-1 (bug #1056752)
- [bookworm] - zfs-linux <no-dsa> (contrib not supported)
+ [bookworm] - zfs-linux 2.1.11-1+deb12u1
[bullseye] - zfs-linux <no-dsa> (contrib not supported)
NOTE: https://github.com/openzfs/zfs/issues/15526
NOTE: https://github.com/openzfs/zfs/pull/15571
@@ -112275,7 +112275,7 @@ CVE-2023-47117 (Label Studio is an open source data labeling tool. In all curren
CVE-2023-46446 (An issue in AsyncSSH before 2.14.1 allows attackers to control the rem ...)
{DLA-3899-1}
- python-asyncssh 2.15.0-1 (bug #1055999)
- [bookworm] - python-asyncssh <no-dsa> (Minor issue)
+ [bookworm] - python-asyncssh 2.10.1-2+deb12u2
[buster] - python-asyncssh <no-dsa> (Minor issue)
NOTE: https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm
NOTE: https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e (v2.14.1)
@@ -112283,7 +112283,7 @@ CVE-2023-46446 (An issue in AsyncSSH before 2.14.1 allows attackers to control t
CVE-2023-46445 (An issue in AsyncSSH before 2.14.1 allows attackers to control the ext ...)
{DLA-3899-1}
- python-asyncssh 2.15.0-1 (bug #1056000)
- [bookworm] - python-asyncssh <no-dsa> (Minor issue)
+ [bookworm] - python-asyncssh 2.10.1-2+deb12u2
[buster] - python-asyncssh <no-dsa> (Minor issue)
NOTE: https://github.com/ronf/asyncssh/security/advisories/GHSA-cfc2-wr2v-gxm5
NOTE: https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e (v2.14.1)
@@ -115352,7 +115352,7 @@ CVE-2023-46158 (IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0
CVE-2023-46136 (Werkzeug is a comprehensive WSGI web application library. If an upload ...)
[experimental] - python-werkzeug 3.0.1-1
- python-werkzeug 3.0.1-2 (bug #1054553)
- [bookworm] - python-werkzeug <no-dsa> (Minor issue)
+ [bookworm] - python-werkzeug 2.2.2-3+deb12u1
[bullseye] - python-werkzeug <not-affected> (Vulnerable code introduced later)
[buster] - python-werkzeug <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
@@ -116781,7 +116781,7 @@ CVE-2023-45901 (Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Reques
CVE-2023-45803 (urllib3 is a user-friendly HTTP client library for Python. urllib3 pre ...)
{DLA-3998-1 DLA-3649-1}
- python-urllib3 1.26.18-1 (bug #1054226)
- [bookworm] - python-urllib3 <no-dsa> (Minor issue)
+ [bookworm] - python-urllib3 1.26.12-1+deb12u1
NOTE: https://github.com/urllib3/urllib3/security/advisories/GHSA-g4mx-q9vg-27p4
NOTE: https://github.com/urllib3/urllib3/commit/b594c5ceaca38e1ac215f916538fb128e3526a36 (1.26.18)
CVE-2023-45010 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Alex ...)
@@ -119075,7 +119075,7 @@ CVE-2023-3430 (A vulnerability was found in OpenImageIO, where a heap buffer ove
CVE-2023-38473 (A vulnerability was found in Avahi. A reachable assertion exists in th ...)
{DLA-3990-1}
- avahi 0.8-14 (bug #1054880)
- [bookworm] - avahi <no-dsa> (Minor issue)
+ [bookworm] - avahi 0.8-10+deb12u1
[buster] - avahi <postponed> (Minor issue; re-evaluate when fixed upstream)
NOTE: https://github.com/avahi/avahi/issues/451
NOTE: https://github.com/avahi/avahi/pull/486
@@ -119084,7 +119084,7 @@ CVE-2023-38473 (A vulnerability was found in Avahi. A reachable assertion exists
CVE-2023-38472 (A vulnerability was found in Avahi. A reachable assertion exists in th ...)
{DLA-3990-1}
- avahi 0.8-14 (bug #1054879)
- [bookworm] - avahi <no-dsa> (Minor issue)
+ [bookworm] - avahi 0.8-10+deb12u1
[buster] - avahi <postponed> (Minor issue; re-evaluate when fixed upstream)
NOTE: https://github.com/avahi/avahi/issues/452
NOTE: https://github.com/avahi/avahi/pull/490
@@ -119093,7 +119093,7 @@ CVE-2023-38472 (A vulnerability was found in Avahi. A reachable assertion exists
CVE-2023-38471 (A vulnerability was found in Avahi. A reachable assertion exists in th ...)
{DLA-3990-1}
- avahi 0.8-14 (bug #1054878)
- [bookworm] - avahi <no-dsa> (Minor issue)
+ [bookworm] - avahi 0.8-10+deb12u1
[buster] - avahi <postponed> (Minor issue; re-evaluate when fixed upstream)
NOTE: https://github.com/avahi/avahi/issues/453
NOTE: https://github.com/avahi/avahi/pull/494
@@ -119102,7 +119102,7 @@ CVE-2023-38471 (A vulnerability was found in Avahi. A reachable assertion exists
CVE-2023-38470 (A vulnerability was found in Avahi. A reachable assertion exists in th ...)
{DLA-3990-1}
- avahi 0.8-14 (bug #1054877)
- [bookworm] - avahi <no-dsa> (Minor issue)
+ [bookworm] - avahi 0.8-10+deb12u1
[buster] - avahi <postponed> (Minor issue; re-evaluate when fixed upstream)
NOTE: https://github.com/avahi/avahi/issues/454
NOTE: https://github.com/avahi/avahi/pull/457
@@ -119111,7 +119111,7 @@ CVE-2023-38470 (A vulnerability was found in Avahi. A reachable assertion exists
CVE-2023-38469 (A vulnerability was found in Avahi, where a reachable assertion exists ...)
{DLA-3990-1}
- avahi 0.8-14 (bug #1054876)
- [bookworm] - avahi <no-dsa> (Minor issue; can be mitigated by setting disable-user-service-publishing to yes)
+ [bookworm] - avahi 0.8-10+deb12u1
[buster] - avahi <postponed> (Minor issue; can be mitigated by setting disable-user-service-publishing to yes)
NOTE: https://github.com/avahi/avahi/issues/455
NOTE: https://github.com/avahi/avahi/pull/500
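Review bot: the replaced bookworm line for CVE-2023-38469 carried a workaround (`disable-user-service-publishing` set to `yes`) that the buster `<postponed>` line directly below still carries; dropping it from the bookworm status is right now that 0.8-10+deb12u1 ships the fix, but if the workaround is still useful for bookworm hosts that cannot update immediately, a NOTE line is the place to keep it rather than the status line. All five avahi reachable-assertion entries in the preceding hunks (CVE-2023-38469 through CVE-2023-38473) get the same 0.8-10+deb12u1, which matches the five avahi lines removed from data/next-point-update.txt in this commit, so the set is consistent.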
@@ -119180,7 +119180,7 @@ CVE-2023-43838 (An arbitrary file upload vulnerability in Personal Management Sy
CVE-2023-43804 (urllib3 is a user-friendly HTTP client library for Python. urllib3 doe ...)
{DLA-3998-1 DLA-3610-1}
- python-urllib3 1.26.17-1 (bug #1053626)
- [bookworm] - python-urllib3 <no-dsa> (Minor issue)
+ [bookworm] - python-urllib3 1.26.12-1+deb12u1
NOTE: https://github.com/urllib3/urllib3/security/advisories/GHSA-v845-jxx5-vc9f
NOTE: https://github.com/urllib3/urllib3/commit/01220354d389cd05474713f8c982d05c9b17aafb (1.26.17)
CVE-2023-43261 (An information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 b ...)
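Review bot: the bookworm version 1.26.12-1+deb12u1 on CVE-2023-43804 (and on CVE-2023-45803 earlier in this diff) is lower than the upstream releases named in the NOTE lines (1.26.17 and 1.26.18), so this is a patch backport onto the bookworm 1.26.12 package rather than a version bump; that is the usual stable-update pattern and the NOTEs are fine as upstream references. data/next-point-update.txt additionally lists CVE-2024-37891 at the same urllib3 version, and that entry is not among the hunks shown here, so confirm it received the matching bookworm line.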
@@ -131097,7 +131097,7 @@ CVE-2023-37942 (Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 an
CVE-2023-3618 (A flaw was found in libtiff. A specially crafted tiff file can lead to ...)
{DLA-3513-1}
- tiff 4.5.1~rc3-1 (bug #1040945)
- [bookworm] - tiff <no-dsa> (Minor issue)
+ [bookworm] - tiff 4.5.0-6+deb12u2
[bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/529
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e03333ac16b5cfb11acaaeaa493334f8 (v4.5.1rc1)
@@ -134006,7 +134006,7 @@ CVE-2023-31410 (A remote unprivileged attacker can intercept the communication v
CVE-2023-2908 (A null pointer dereference issue was found in Libtiff's tif_dir.c file ...)
{DLA-3513-1}
- tiff 4.5.1~rc3-1
- [bookworm] - tiff <no-dsa> (Minor issue)
+ [bookworm] - tiff 4.5.0-6+deb12u2
[bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/479
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/9bd48f0dbd64fb94dc2b5b05238fde0bfdd4ff3f (v4.5.1rc1)
@@ -134915,7 +134915,7 @@ CVE-2023-34246 (Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Pri
{DLA-3989-1 DLA-3494-1}
[experimental] - ruby-doorkeeper 5.6.6-1
- ruby-doorkeeper 5.6.6-2 (bug #1038950)
- [bookworm] - ruby-doorkeeper <no-dsa> (Minor issue)
+ [bookworm] - ruby-doorkeeper 5.5.0-2+deb12u1
NOTE: https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w
NOTE: https://github.com/doorkeeper-gem/doorkeeper/issues/1589
NOTE: https://github.com/doorkeeper-gem/doorkeeper/pull/1646
@@ -135266,7 +135266,7 @@ CVE-2020-36705 (The Adning Advertising plugin for WordPress is vulnerable to arb
CVE-2023-33865 (RenderDoc before 1.27 allows local privilege escalation via a symlink ...)
{DLA-3987-1 DLA-3501-1}
- renderdoc 1.27+dfsg-1 (bug #1037208)
- [bookworm] - renderdoc <no-dsa> (Minor issue)
+ [bookworm] - renderdoc 1.24+dfsg-1+deb12u1
NOTE: https://www.openwall.com/lists/oss-security/2023/06/06/3
NOTE: https://github.com/baldurk/renderdoc/commit/601ed56111ce3803d8476d438ade1c92d6092856 (v1.27)
NOTE: https://github.com/baldurk/renderdoc/commit/e0464fea4f9a7f149c4ee1d84e5ac57839a4a862 (v1.27)
@@ -135276,7 +135276,7 @@ CVE-2023-33865 (RenderDoc before 1.27 allows local privilege escalation via a sy
CVE-2023-33864 (StreamReader::ReadFromExternal in RenderDoc before 1.27 allows an Inte ...)
{DLA-3987-1 DLA-3501-1}
- renderdoc 1.27+dfsg-1 (bug #1037208)
- [bookworm] - renderdoc <no-dsa> (Minor issue)
+ [bookworm] - renderdoc 1.24+dfsg-1+deb12u1
NOTE: https://www.openwall.com/lists/oss-security/2023/06/06/3
NOTE: https://github.com/baldurk/renderdoc/commit/601ed56111ce3803d8476d438ade1c92d6092856 (v1.27)
NOTE: https://github.com/baldurk/renderdoc/commit/e0464fea4f9a7f149c4ee1d84e5ac57839a4a862 (v1.27)
@@ -135286,7 +135286,7 @@ CVE-2023-33864 (StreamReader::ReadFromExternal in RenderDoc before 1.27 allows a
CVE-2023-33863 (SerialiseValue in RenderDoc before 1.27 allows an Integer Overflow wit ...)
{DLA-3987-1 DLA-3501-1}
- renderdoc 1.27+dfsg-1 (bug #1037208)
- [bookworm] - renderdoc <no-dsa> (Minor issue)
+ [bookworm] - renderdoc 1.24+dfsg-1+deb12u1
NOTE: https://www.openwall.com/lists/oss-security/2023/06/06/3
NOTE: https://github.com/baldurk/renderdoc/commit/601ed56111ce3803d8476d438ade1c92d6092856 (v1.27)
NOTE: https://github.com/baldurk/renderdoc/commit/e0464fea4f9a7f149c4ee1d84e5ac57839a4a862 (v1.27)
@@ -136797,7 +136797,7 @@ CVE-2023-2480 (Missing access permissions checks in M-Files Client before 23.5.1
CVE-2023-28370 (Open redirect vulnerability in Tornado versions 6.3.1 and earlier allo ...)
{DLA-4007-1}
- python-tornado 6.3.2-1 (bug #1036875)
- [bookworm] - python-tornado <no-dsa> (Minor issue)
+ [bookworm] - python-tornado 6.2.0-3+deb12u1
[buster] - python-tornado <no-dsa> (Minor issue)
- salt <removed> (bug #1059297)
[buster] - salt <end-of-life> (EOL in buster LTS)
@@ -140839,7 +140839,7 @@ CVE-2023-30609 (matrix-react-sdk is a react-based SDK for inserting a Matrix cha
CVE-2023-30608 (sqlparse is a non-validating SQL parser module for Python. In affected ...)
{DLA-4000-1 DLA-3425-1}
- sqlparse 0.4.4-1 (bug #1034615)
- [bookworm] - sqlparse <no-dsa> (Minor issue)
+ [bookworm] - sqlparse 0.4.2-1+deb12u1
NOTE: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
NOTE: Introduced by: https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a (0.1.15)
NOTE: Fixed by: https://github.com/andialbrecht/sqlparse/commit/c457abd5f097dd13fb21543381e7cfafe7d31cfb (0.4.4)
@@ -147693,7 +147693,7 @@ CVE-2023-28451 (An issue was discovered in Technitium 11.0.2. There is a vulnera
CVE-2023-28450 (An issue was discovered in Dnsmasq before 2.90. The default maximum ED ...)
{DLA-3974-1}
- dnsmasq 2.90-1 (bug #1033165)
- [bookworm] - dnsmasq <no-dsa> (Minor issue)
+ [bookworm] - dnsmasq 2.90-4~deb12u1
[buster] - dnsmasq <no-dsa> (Minor issue)
NOTE: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5
CVE-2023-1424 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ...)
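Review bot: the `~deb12u1` suffix on 2.90-4~deb12u1 indicates bookworm is receiving a rebuild of the 2.90 package rather than a patch on its previous version, which lines up with the unstable entry already at 2.90-1 and with the single upstream commit in the NOTE. data/next-point-update.txt removes CVE-2023-50387 and CVE-2023-50868 at this same dnsmasq version, and neither entry appears in this hunk, so verify they were updated together with CVE-2023-28450. The buster `<no-dsa>` line is correctly untouched.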
@@ -152177,7 +152177,7 @@ CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-m
{DLA-3980-1 DLA-3966-1}
- python3.12 3.12.6-1 (bug #1059299)
- python3.11 <removed> (bug #1059298)
- [bookworm] - python3.11 <postponed> (Minor issue, wait until upstream has decided whether to backport to older branches)
+ [bookworm] - python3.11 3.11.2-6+deb12u5
- python3.10 <removed>
- python3.9 <removed>
- python3.7 <removed>
@@ -152186,7 +152186,7 @@ CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-m
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
[buster] - python2.7 <postponed> (Minor issue)
- pypy3 7.3.17+dfsg-3 (bug #1072179)
- [bookworm] - pypy3 <postponed> (Minor issue, wait until upstream has decided whether to backport to older branches)
+ [bookworm] - pypy3 7.3.11+dfsg-2+deb12u3
[buster] - pypy3 <postponed> (Minor issue)
NOTE: https://github.com/python/cpython/issues/102988
NOTE: https://github.com/python/cpython/commit/15068242bd4405475f70a81805a8895ca309a310 (v3.12.6)
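Review bot: the rationale on the two replaced `<postponed>` lines ("wait until upstream has decided whether to backport to older branches") is already answered by the upstream fix cited in the NOTE (v3.12.6), so moving bookworm to 3.11.2-6+deb12u5 for python3.11 and 7.3.11+dfsg-2+deb12u3 for pypy3 is the right resolution; buster pypy3 keeps its own `<postponed>` marker and the unstable python3.11 line stays `<removed>`, neither of which this point update affects. data/next-point-update.txt lists the same python3.11 version for four more CVEs (CVE-2024-6923, CVE-2024-7592, CVE-2024-9287, CVE-2024-11168) and the same pypy3 version for CVE-2024-9287, none of which are in the hunks shown here, so those entries should carry the same bookworm lines.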
@@ -152350,7 +152350,7 @@ CVE-2023-26967
CVE-2023-26966 (libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() when lib ...)
{DLA-3513-1}
- tiff 4.5.1~rc3-1
- [bookworm] - tiff <no-dsa> (Minor issue)
+ [bookworm] - tiff 4.5.0-6+deb12u2
[bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/530
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/473
@@ -152358,7 +152358,7 @@ CVE-2023-26966 (libtiff 4.5.0 is vulnerable to Buffer Overflow in uv_encode() wh
CVE-2023-26965 (loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-ba ...)
{DLA-3513-1}
- tiff 4.5.1~rc3-1
- [bookworm] - tiff <no-dsa> (Minor issue)
+ [bookworm] - tiff 4.5.0-6+deb12u2
[bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/472
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf (v4.5.1rc1)
@@ -157102,7 +157102,7 @@ CVE-2023-25434 (libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContig
CVE-2023-25433 (libtiff 4.5.0 is vulnerable to Buffer Overflow via /libtiff/tools/tiff ...)
{DLA-3513-1}
- tiff 4.5.1~rc3-1
- [bookworm] - tiff <no-dsa> (Minor issue)
+ [bookworm] - tiff 4.5.0-6+deb12u2
[bullseye] - tiff <no-dsa> (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/520
NOTE: https://gitlab.com/libtiff/libtiff/-/commit/9c22495e5eeeae9e00a1596720c969656bb8d678 (v4.5.1rc1)
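Review bot: every tiff hunk in this diff (CVE-2023-3618, CVE-2023-2908, CVE-2023-26966, CVE-2023-26965, CVE-2023-25433) moves bookworm to 4.5.0-6+deb12u2 while bullseye stays at `<no-dsa> (Minor issue)`; data/next-point-update.txt also drops CVE-2023-52356 and CVE-2024-7006 at that same tiff version, and neither entry is in the hunks shown, so check those two received the same bookworm line. The NOTE references to v4.5.1rc1 commits are left as they are, which is appropriate since the bookworm fix is a backport onto 4.5.0.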
@@ -239159,6 +239159,7 @@ CVE-2022-24600 (Luocms v2.0 is affected by SQL Injection through /admin/login.ph
CVE-2022-24599 (In autofile Audio File Library 0.3.6, there exists one memory leak vul ...)
{DLA-3650-1}
- audiofile 0.3.6-6 (bug #1008017; unimportant)
+ [bookworm] - audiofile 0.3.6-5+deb12u1
NOTE: https://github.com/mpruett/audiofile/issues/60
NOTE: Memory leak in CLI tool, no security impact
CVE-2022-24598
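Review bot: this is the only hunk in the diff that inserts a `[bookworm]` line instead of replacing an existing `<no-dsa>` or `<postponed>` one (hence the +1 shift in the offsets of the hunks that follow), and it does so on an entry whose unstable line is tagged `unimportant` and whose NOTE reads "Memory leak in CLI tool, no security impact". Recording 0.3.6-5+deb12u1 is harmless and matches the removal of CVE-2022-24599 from data/next-point-update.txt, but it is worth confirming this was intentional rather than a side effect of the CVE-2019-13147 upload further down, which uses the same audiofile version.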
@@ -294510,7 +294511,7 @@ CVE-2021-30185 (CERN Indico before 2.3.4 can use an attacker-supplied Host heade
NOT-FOR-US: CERN Indico
CVE-2021-30184 (GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted ...)
- gnuchess 6.2.9-0.1 (bug #986801)
- [bookworm] - gnuchess <no-dsa> (Minor issue)
+ [bookworm] - gnuchess 6.2.7-1+deb12u1
[bullseye] - gnuchess <no-dsa> (Minor issue)
[buster] - gnuchess <no-dsa> (Minor issue)
[stretch] - gnuchess <postponed> (Minor issue in a game; can be fixed in next update)
@@ -302129,7 +302130,7 @@ CVE-2013-20001 (An issue was discovered in OpenZFS through 2.0.3. When an NFS sh
{DLA-3766-1}
[experimental] - zfs-linux 2.2.0-1~exp1
- zfs-linux 2.2.2-1 (bug #1059322)
- [bookworm] - zfs-linux <no-dsa> (contrib not supported)
+ [bookworm] - zfs-linux 2.1.11-1+deb12u1
[bullseye] - zfs-linux <no-dsa> (contrib not supported)
NOTE: https://github.com/openzfs/zfs/commit/6cb5e1e7591da20af3a15793e022345a73e40fb7 (zfs-2.2.0-rc1)
CVE-2021-3411 (A flaw was found in the Linux kernel in versions prior to 5.10. A viol ...)
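Review bot: the removed bookworm line justified `<no-dsa>` with "contrib not supported", and the bullseye line keeps that exact rationale, yet bookworm now gets 2.1.11-1+deb12u1 through the point release; the two are not contradictory (the fix goes in via the point update rather than a DSA), but the bullseye line now reads inconsistently next to it, so confirm that bullseye is deliberately left without the fix. The NOTE points at the upstream fix in zfs-2.2.0-rc1 while bookworm stays on 2.1.11, so this is a backport. data/next-point-update.txt also drops CVE-2023-49298 at the same zfs-linux version, and that entry is not among the hunks shown here.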
@@ -322063,7 +322064,7 @@ CVE-2020-35359 (Pure-FTPd 1.0.48 allows remote attackers to prevent legitimate s
CVE-2020-35357 (A buffer overflow can occur when calculating the quantile value using ...)
{DLA-3985-1 DLA-3576-1}
- gsl 2.7.1+dfsg-6 (bug #1052655)
- [bookworm] - gsl <no-dsa> (Minor issue)
+ [bookworm] - gsl 2.7.1+dfsg-5+deb12u1
NOTE: https://savannah.gnu.org/bugs/?59624
NOTE: https://git.savannah.gnu.org/cgit/gsl.git/commit/?id=989a193268b963aa1047814f7f1402084fb7d859
CVE-2020-35356
@@ -422485,7 +422486,7 @@ CVE-2019-13148 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2
CVE-2019-13147 (In Audio File Library (aka audiofile) 0.3.6, there exists one NULL poi ...)
{DLA-3650-1}
- audiofile 0.3.6-6 (low; bug #931343)
- [bookworm] - audiofile <no-dsa> (Minor issue)
+ [bookworm] - audiofile 0.3.6-5+deb12u1
[bullseye] - audiofile <ignored> (Minor issue)
[stretch] - audiofile <no-dsa> (Minor issue)
[jessie] - audiofile <postponed> (Minor issue, local DoS)
=====================================
data/next-point-update.txt
=====================================
@@ -1,168 +1,3 @@
-CVE-2024-23944
- [bookworm] - zookeeper 3.8.0-11+deb12u2
-CVE-2023-28450
- [bookworm] - dnsmasq 2.90-4~deb12u1
-CVE-2023-50387
- [bookworm] - dnsmasq 2.90-4~deb12u1
-CVE-2023-50868
- [bookworm] - dnsmasq 2.90-4~deb12u1
-CVE-2024-25262
- [bookworm] - texlive-bin 2022.20220321.62855-5.1+deb12u2
-CVE-2024-7409
- [bookworm] - qemu 1:7.2+dfsg-7+deb12u8
-CVE-2023-49298
- [bookworm] - zfs-linux 2.1.11-1+deb12u1
-CVE-2013-20001
- [bookworm] - zfs-linux 2.1.11-1+deb12u1
-CVE-2024-49369
- [bookworm] - icinga2 2.13.6-2+deb12u2
-CVE-2024-0126
- [bookworm] - nvidia-open-gpu-kernel-modules 535.216.01-1~deb12u1
- [bookworm] - nvidia-graphics-drivers 535.216.01-1~deb12u1
-CVE-2024-52533
- [bookworm] - glib2.0 2.74.6-2+deb12u5
-CVE-2024-52947
- [bookworm] - lemonldap-ng 2.16.1+ds-deb12u4
-CVE-2024-52946
- [bookworm] - lemonldap-ng 2.16.1+ds-deb12u4
-CVE-2024-31227
- [bookworm] - redis 5:7.0.15-1~deb12u2
-CVE-2024-31228
- [bookworm] - redis 5:7.0.15-1~deb12u2
-CVE-2024-31449
- [bookworm] - redis 5:7.0.15-1~deb12u2
-CVE-2023-46136
- [bookworm] - python-werkzeug 2.2.2-3+deb12u1
-CVE-2024-34069
- [bookworm] - python-werkzeug 2.2.2-3+deb12u1
-CVE-2024-49767
- [bookworm] - python-werkzeug 2.2.2-3+deb12u1
-CVE-2024-11079
- [bookworm] - ansible-core 2.14.18-0+deb12u1
-CVE-2024-8775
- [bookworm] - ansible-core 2.14.18-0+deb12u1
-CVE-2024-9902
- [bookworm] - ansible-core 2.14.18-0+deb12u1
-CVE-2023-27043
- [bookworm] - python3.11 3.11.2-6+deb12u5
-CVE-2024-6923
- [bookworm] - python3.11 3.11.2-6+deb12u5
-CVE-2024-7592
- [bookworm] - python3.11 3.11.2-6+deb12u5
-CVE-2024-9287
- [bookworm] - python3.11 3.11.2-6+deb12u5
-CVE-2024-11168
- [bookworm] - python3.11 3.11.2-6+deb12u5
-CVE-2020-35357
- [bookworm] - gsl 2.7.1+dfsg-5+deb12u1
-CVE-2024-23918
- [bookworm] - intel-microcode 3.20241112.1~deb12u1
-CVE-2024-21853
- [bookworm] - intel-microcode 3.20241112.1~deb12u1
-CVE-2024-21820
- [bookworm] - intel-microcode 3.20241112.1~deb12u1
-CVE-2024-22195
- [bookworm] - jinja2 3.1.2-1+deb12u1
-CVE-2024-34064
- [bookworm] - jinja2 3.1.2-1+deb12u1
-CVE-2023-34246
- [bookworm] - ruby-doorkeeper 5.5.0-2+deb12u1
-CVE-2023-33863
- [bookworm] - renderdoc 1.24+dfsg-1+deb12u1
-CVE-2023-33864
- [bookworm] - renderdoc 1.24+dfsg-1+deb12u1
-CVE-2023-33865
- [bookworm] - renderdoc 1.24+dfsg-1+deb12u1
-CVE-2024-52530
- [bookworm] - libsoup2.4 2.74.3-1+deb12u1
-CVE-2024-52531
- [bookworm] - libsoup2.4 2.74.3-1+deb12u1
-CVE-2024-52532
- [bookworm] - libsoup2.4 2.74.3-1+deb12u1
-CVE-2024-1597
- [bookworm] - libpgjava 42.5.5-0+deb12u1
-CVE-2023-38472
- [bookworm] - avahi 0.8-10+deb12u1
-CVE-2023-38469
- [bookworm] - avahi 0.8-10+deb12u1
-CVE-2023-38470
- [bookworm] - avahi 0.8-10+deb12u1
-CVE-2023-38471
- [bookworm] - avahi 0.8-10+deb12u1
-CVE-2023-38473
- [bookworm] - avahi 0.8-10+deb12u1
-CVE-2024-1135
- [bookworm] - gunicorn 20.1.0-6+deb12u1
-CVE-2024-47072
- [bookworm] - libxstream-java 1.4.20-1+deb12u1
-CVE-2023-43804
- [bookworm] - python-urllib3 1.26.12-1+deb12u1
-CVE-2023-45803
- [bookworm] - python-urllib3 1.26.12-1+deb12u1
-CVE-2024-37891
- [bookworm] - python-urllib3 1.26.12-1+deb12u1
-CVE-2023-5992
- [bookworm] - opensc 0.23.0-0.3+deb12u2
-CVE-2024-1454
- [bookworm] - opensc 0.23.0-0.3+deb12u2
-CVE-2024-8443
- [bookworm] - opensc 0.23.0-0.3+deb12u2
-CVE-2024-45615
- [bookworm] - opensc 0.23.0-0.3+deb12u2
-CVE-2024-45616
- [bookworm] - opensc 0.23.0-0.3+deb12u2
-CVE-2024-45617
- [bookworm] - opensc 0.23.0-0.3+deb12u2
-CVE-2024-45618
- [bookworm] - opensc 0.23.0-0.3+deb12u2
-CVE-2024-45619
- [bookworm] - opensc 0.23.0-0.3+deb12u2
-CVE-2024-45620
- [bookworm] - opensc 0.23.0-0.3+deb12u2
-CVE-2023-27043
- [bookworm] - pypy3 7.3.11+dfsg-2+deb12u3
-CVE-2024-9287
- [bookworm] - pypy3 7.3.11+dfsg-2+deb12u3
-CVE-2023-30608
- [bookworm] - sqlparse 0.4.2-1+deb12u1
-CVE-2024-4340
- [bookworm] - sqlparse 0.4.2-1+deb12u1
-CVE-2024-47542
- [bookworm] - gst-plugins-base1.0 1.22.0-3+deb12u4
-CVE-2023-52389
- [bookworm] - poco 1.11.0-3+deb12u1
-CVE-2024-6345
- [bookworm] - setuptools 66.1.1-1+deb12u1
-CVE-2024-52804
- [bookworm] - python-tornado 6.2.0-3+deb12u1
-CVE-2023-28370
- [bookworm] - python-tornado 6.2.0-3+deb12u1
-CVE-2023-46445
- [bookworm] - python-asyncssh 2.10.1-2+deb12u2
-CVE-2023-46446
- [bookworm] - python-asyncssh 2.10.1-2+deb12u2
-CVE-2021-30184
- [bookworm] - gnuchess 6.2.7-1+deb12u1
-CVE-2022-24599
- [bookworm] - audiofile 0.3.6-5+deb12u1
-CVE-2019-13147
- [bookworm] - audiofile 0.3.6-5+deb12u1
-CVE-2023-2908
- [bookworm] - tiff 4.5.0-6+deb12u2
-CVE-2023-3618
- [bookworm] - tiff 4.5.0-6+deb12u2
-CVE-2023-25433
- [bookworm] - tiff 4.5.0-6+deb12u2
-CVE-2023-26965
- [bookworm] - tiff 4.5.0-6+deb12u2
-CVE-2023-26966
- [bookworm] - tiff 4.5.0-6+deb12u2
-CVE-2023-52356
- [bookworm] - tiff 4.5.0-6+deb12u2
-CVE-2024-7006
- [bookworm] - tiff 4.5.0-6+deb12u2
-CVE-2023-52339
- [bookworm] - libebml 1.4.4-1+deb12u1
CVE-2024-9681
[bookworm] - curl 7.88.1-10+deb12u9
CVE-2024-46901
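Review bot: the 165 lines removed here should correspond one-to-one with `[bookworm]` fixed-version changes in data/CVE/list. For the hunks visible in this diff the version strings do match (avahi, tiff, renderdoc, python-urllib3, python-tornado, sqlparse, dnsmasq, gsl, zfs-linux, gnuchess, audiofile, python-asyncssh, python-werkzeug, ruby-doorkeeper, python3.11, pypy3), but many removed entries (zookeeper, texlive-bin, qemu, icinga2, nvidia-open-gpu-kernel-modules and nvidia-graphics-drivers, glib2.0, lemonldap-ng, redis, ansible-core, intel-microcode, jinja2, libsoup2.4, libpgjava, gunicorn, libxstream-java, opensc, poco, setuptools, libebml, plus the second and later CVEs for several of the packages above) have no hunk in this section of the diff, so each should be spot-checked against the full commit. CVE-2023-27043 appearing twice is expected, since the file carries one line per CVE and package (python3.11 and pypy3). The entries that survive the hunk (CVE-2024-9681 for curl and CVE-2024-46901) remain queued for a later point update.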
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/83784f9f486863126ae12e6cf78c97bca4af102a...4700e9600f7dde6ec1f96dd7ad38e31b922b37ed