[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jan 13 18:55:39 GMT 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
faaaaf44 by Moritz Muehlenhoff at 2025-01-13T19:55:02+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1178,10 +1178,10 @@ CVE-2024-51737 (RediSearch is a Redis module that provides querying, secondary i
 CVE-2024-51480 (RedisTimeSeries is a time-series database (TSDB) module for Redis, by  ...)
 	NOT-FOR-US: RedisTimeSeries Redis module
 CVE-2024-51442 (Command Injection in Minidlna version v1.3.3 and before allows an atta ...)
-	- minidlna <unfixed>
-	[bullseye] - minidlna <postponed> (Minor issue, revisit when fixed upstream)
+	- minidlna <unfixed> (unimportant)
 	NOTE: https://sourceforge.net/p/minidlna/bugs/364/
 	NOTE: https://github.com/mselbrede/CVE-2024-51442
+	NOTE: Doesn't cross any security boundary, non issue
 CVE-2024-45345
 	REJECTED
 CVE-2024-45344
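Review bot: the new NOTE ("Doesn't cross any security boundary, non issue") is terse for an entry whose description reads "Command Injection in Minidlna ... allows an atta..."; record which input path or privilege level is involved so later triagers, and anyone reading the `unimportant` marker, can verify the reasoning without redoing the analysis. Dropping the `[bullseye] - minidlna <postponed>` line is consistent with marking the issue `unimportant`, which applies to all suites.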
@@ -5277,6 +5277,7 @@ CVE-2024-8950 (Improper Neutralization of Special Elements used in an SQL Comman
 	NOT-FOR-US: Arne Informatics Piramit Automation
 CVE-2024-56431 (oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0 71 ...)
 	- libtheora <unfixed> (bug #1091633)
+	[bookworm] - libtheora <no-dsa> (Minor issue)
 	NOTE: https://github.com/UnionTech-Software/libtheora-CVE-2024-56431-PoC
 	NOTE: https://github.com/advisories/GHSA-8xp8-gmmj-xc8w
 	NOTE: https://github.com/xiph/theora/issues/18
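Review bot: the new `[bookworm] - libtheora <no-dsa> (Minor issue)` line is reasonable, but the NOTEs link only the PoC, the GHSA entry and the upstream issue, not a fix; when upstream commits one, add a `NOTE: Fixed by: ...` line as the percona-toolkit entry in this patch does, so the open sid bug #1091633 and any later bookworm point update can reference it.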
@@ -5294,6 +5295,7 @@ CVE-2024-52534 (Dell ECS, version(s) prior to ECS 3.8.1.3, contain(s) an Authent
 	NOT-FOR-US: Dell
 CVE-2024-52046 (The ObjectSerializationDecoder in Apache MINA uses Java\u2019s native  ...)
 	- mina <unfixed>
+	[bookworm] - mina <no-dsa> (Minor issue)
 	- mina2 <unfixed> (bug #1091530)
 	NOTE: https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8
 CVE-2024-47978 (Dell NativeEdge, version(s) 2.1.0.0, contain(s) an Execution with Unne ...)
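Review bot: only `mina` gets the `[bookworm] - mina <no-dsa> (Minor issue)` line; `mina2` stays `<unfixed> (bug #1091530)` with no suite annotation, so if the mina2 source in bookworm is affected it still lacks a triage decision (a `[bookworm]` entry, or a dsa-needed line if a DSA is intended). Worth settling in the same pass, since both source packages are tracked under this CVE.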
@@ -6932,6 +6934,7 @@ CVE-2024-11841 (The Tithe.ly Giving Button WordPress plugin through 1.1 does not
 	NOT-FOR-US: WordPress plugin
 CVE-2024-7701 (Use of Password Hash With Insufficient Computational Effort vulnerabil ...)
 	- percona-toolkit <unfixed> (bug #1091435)
+	[bookworm] - percona-toolkit <no-dsa> (Minor issue)
 	NOTE: https://github.com/percona/percona-toolkit/pull/896
 	NOTE: Fixed by: https://github.com/percona/percona-toolkit/commit/78f20304859ce8d6b236bc2c9c18d74c0b273dd7 (v3.7.0)
 	NOTE: Fixed by: https://github.com/percona/percona-toolkit/commit/3dd1f7da83f642a4e823a098cb4c97e6dc11f478 (v3.7.0)
@@ -20507,6 +20510,7 @@ CVE-2024-7883 (When using Arm Cortex-M Security Extensions (CMSE), Secure stack
 	- llvm-toolchain-17 <unfixed>
 	- llvm-toolchain-18 <unfixed>
 	- llvm-toolchain-19 <unfixed>
+	[bookworm] - llvm-toolchain-19 <ignored> (Minor issue, doesn't affect the default build flags in Debian and no backport into release branches planned)
 	NOTE: https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2322994
 	NOTE: https://github.com/llvm/llvm-project/pull/114433
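Review bot: only `llvm-toolchain-19` receives the `[bookworm] ... <ignored>` annotation while `llvm-toolchain-17` and `llvm-toolchain-18` stay `<unfixed>` without a suite entry; if those source packages are also in bookworm the same rationale ("doesn't affect the default build flags in Debian") applies and they need matching lines, otherwise the tracker keeps listing them as open for the release. The "no backport into release branches planned" part is upstream status rather than the triage reason and would read better as a separate NOTE.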
@@ -264558,6 +264562,7 @@ CVE-2021-3857 (chaskiq is vulnerable to Improper Neutralization of Input During
 	NOT-FOR-US: chaskiq
 CVE-2021-41973 (In Apache MINA, a specifically crafted, malformed HTTP request may cau ...)
 	- mina <unfixed>
+	[bookworm] - mina <no-dsa> (Minor issue)
 	- mina2 2.1.5-1
 	NOTE: https://lists.apache.org/thread/sq0kkqvxcp7xjt8gxdyb650nj8dv6qv0
 CVE-2021-41972 (Apache Superset up to and including 1.3.1 allowed for database connect ...)
@@ -285512,18 +285517,22 @@ CVE-2021-33647 (When performing the inference shape operation of the Tile operat
 	NOT-FOR-US: Mindspore deep learning
 CVE-2021-33646 (The th_read() function doesn\u2019t free a variable t->th_buf.gnu_long ...)
 	- libtar <unfixed>
+	[bookworm] - libtar <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121295
 	NOTE: (not-upstream) patch from OpenEuler: https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch
 CVE-2021-33645 (The th_read() function doesn\u2019t free a variable t->th_buf.gnu_long ...)
 	- libtar <unfixed>
+	[bookworm] - libtar <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121295
 	NOTE: (not-upstream) patch from OpenEuler: https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch
 CVE-2021-33644 (An attacker who submits a crafted tar file with size in header struct  ...)
 	- libtar <unfixed>
+	[bookworm] - libtar <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121292
 	NOTE: (not-upstream) patch from OpenEuler: https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch
 CVE-2021-33643 (An attacker who submits a crafted tar file with size in header struct  ...)
 	- libtar <unfixed>
+	[bookworm] - libtar <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121289
 	NOTE: (not-upstream) patch from OpenEuler: https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch
 CVE-2021-33642 (When a file is processed, an infinite loop occurs in next_inline() of  ...)
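Review bot: all four libtar entries (CVE-2021-33643 through CVE-2021-33646) get `[bookworm] - libtar <no-dsa> (Minor issue)` and all four point at the same OpenEuler patch named `openEuler-CVE-2021-33645-CVE-2021-33646.patch`; the file name covers only 33645/33646, so check that it actually addresses the "size in header struct" issues of 33643/33644 (tracked separately in bugzilla 2121289 and 2121292) or link their own patch. If one patch does cover all four, a single bookworm point update closing them together would be cheap and is worth recording in the NOTE.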
@@ -460672,6 +460681,7 @@ CVE-2019-0232 (When running on Windows with enableCmdLineArguments enabled, the
 	NOTE: https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html
 CVE-2019-0231 (Handling of the close_notify SSL/TLS message does not lead to a connec ...)
 	- mina <unfixed>
+	[bookworm] - mina <no-dsa> (Minor issue)
 	- mina2 2.1.4-1
 CVE-2019-0230 (Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when eval ...)
 	- libstruts1.2-java <removed>
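Review bot: with this hunk `mina` (1.x) now carries `<unfixed>` plus a `[bookworm] <no-dsa>` line for three separate CVEs in this patch (CVE-2019-0231, CVE-2021-41973, CVE-2024-52046), while `mina2` has fixed versions for two of them; the pattern suggests the 1.x source package is not receiving fixes at all, so it would help to state in one of these entries whether mina 1.x is still maintained in Debian or should be removed, rather than repeating no-dsa per CVE.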


=====================================
data/dsa-needed.txt
=====================================
@@ -16,6 +16,9 @@ cacti
   Bastien (rouca) proposed to help out on the cacti DSA while working on the DLA for LTS
   WIP for review: https://salsa.debian.org/debian/cacti/-/tree/bookworm?ref_type=heads
 --
+fort-validator
+  probably best to bump bookworm to current upstream
+--
 frr
   coordination with the maintainer ongoing, Daniel Baumann proposing an update
 --
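Review bot: the fort-validator entry records the intended approach ("bump bookworm to current upstream") but not why a targeted backport is not an option, nor which CVE(s) drive the DSA; a short pointer, like the WIP link in the cacti entry above it, lets whoever picks it up confirm the scope and gives the DSA text its justification for shipping a new upstream version in stable.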
@@ -34,6 +37,10 @@ linux (carnil)
 mosquitto (carnil)
   Backports of patches for CVEs done, but autopkgtests fail as regression
 --
+nodejs
+--
+openjpeg2
+--
 opennds
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
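Review bot: `nodejs` and `openjpeg2` are added with no status line at all, unlike the surrounding entries (mosquitto, opennds), which each carry a one-line state; a note naming the CVE(s) or the current blocker, even just "untriaged" or "waiting for maintainer", keeps the file useful as a work queue and avoids a second round of lookups in data/CVE/list.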



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/faaaaf4470d4ee1d9e14248f6f3de3d9fe896238


