[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Jan 21 17:09:28 GMT 2025



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
45945d7d by Moritz Muehlenhoff at 2025-01-21T18:08:52+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -113,7 +113,8 @@ CVE-2024-57930 [tracing: Have process_string() also allow arrays]
 CVE-2022-4975
 	NOT-FOR-US: Red Hat Advanced Cluster Security
 CVE-2025-24014 [segmentation fault in win_line()]
-	- vim <unfixed>
+	- vim <unfixed> (unimportant)
+	NOTE: Crash in CLI tool, no security impact
 	NOTE: https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955
 	NOTE: Fixed by: https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919 (v9.1.1043)
 CVE-2025-24337 (WriteFreely through 0.15.1, when MySQL is used, allows local users to  ...)
@@ -154,6 +155,7 @@ CVE-2024-22347 (IBM DevOps Velocity 5.0.0 and IBM UrbanCode Velocity 4.0.0 throu
 	NOT-FOR-US: IBM
 CVE-2024-13176 (Issue summary: A timing side-channel which could potentially allow rec ...)
 	- openssl <unfixed>
+	[bookworm] - openssl <no-dsa> (Minor issue)
 	NOTE: https://openssl-library.org/news/secadv/20250120.txt
 	NOTE: https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f (openssl-3.4.0)
 	NOTE: https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902 (openssl-3.3.0)
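Review bot: the fix commits cited in this entry's NOTE lines are tagged openssl-3.4.0 and openssl-3.3.0, so the new `[bookworm] - openssl <no-dsa> (Minor issue)` line has no visible pointer to a fix for the upstream series bookworm ships; since <no-dsa> still leaves a fix through a point release possible, a NOTE naming the matching commit for that series (or stating that the change does not apply there) would make the later revisit cheaper.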
@@ -1717,6 +1719,7 @@ CVE-2024-11322 (A denial-of-service vulnerability exists in CyberPower PowerPane
 	NOT-FOR-US: CyberPower PowerPanel Business
 CVE-2024-11029 (A flaw was found in the FreeIPA API audit, where it sends the whole Fr ...)
 	- freeipa <unfixed> (bug #1093383)
+	[bookworm] - freeipa <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325557
 	NOTE: Fixed by: https://pagure.io/freeipa/c/3b38efe75865d0696829b4f26572575a8e74ddce (release-4-12-3)
 	NOTE: Fixed by: https://pagure.io/freeipa/c/7a5a10b6bf2e3eafd4b69362ffaece39791be2a8 (release-4-12-3)
@@ -8480,6 +8483,7 @@ CVE-2024-52046 (The ObjectSerializationDecoder in Apache MINA uses Java\u2019s n
 	[bookworm] - mina <no-dsa> (Minor issue)
 	[bullseye] - mina <postponed> (Minor issue; need specific conditions)
 	- mina2 <unfixed> (bug #1091530)
+	[bookworm] - mina2 <no-dsa> (Minor issue)
 	NOTE: https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8
 CVE-2024-47978 (Dell NativeEdge, version(s) 2.1.0.0, contain(s) an Execution with Unne ...)
 	NOT-FOR-US: Dell
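Review bot: mina carries both `[bookworm] - mina <no-dsa> (Minor issue)` and `[bullseye] - mina <postponed> (Minor issue; need specific conditions)`, but mina2 receives only the new bookworm line in this hunk; if bullseye is deliberately left for separate handling that is fine, otherwise a matching `[bullseye] - mina2 <postponed>` line with the same "need specific conditions" rationale would keep the two source packages consistent for the same CVE.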
@@ -9158,10 +9162,12 @@ CVE-2023-4617 (Incorrect authorization vulnerability in HTTP POST method in Gove
 	NOT-FOR-US: Govee Home application on Android and iOS
 CVE-2024-9102 (phpLDAPadmin since at least version 1.2.0 through the latest version 1 ...)
 	- phpldapadmin <unfixed> (bug #1090914)
+	[bookworm] - phpldapadmin <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - phpldapadmin <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/
 CVE-2024-9101 (A reflected cross-site scripting (XSS) vulnerability in the 'Entry Cho ...)
 	- phpldapadmin <unfixed> (bug #1090914)
+	[bookworm] - phpldapadmin <postponed> (Minor issue, revisit when fixed upstream)
 	[bullseye] - phpldapadmin <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/
 CVE-2024-56319 (In Matter (aka connectedhomeip or Project CHIP) through 1.4.0.0 before ...)
@@ -19241,6 +19247,7 @@ CVE-2024-36276 (Insecure inherited permissions for some Intel(R) CIP software be
 	NOT-FOR-US: Intel
 CVE-2024-36275 (NULL pointer dereference in some Intel(R) Optane(TM) PMem Management s ...)
 	- ipmctl <unfixed> (bug #1087731)
+	[bookworm] - ipmctl <no-dsa> (Minor issue)
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01189.html
 	NOTE: https://github.com/intel/ipmctl/commit/59d74ca68fcde3f1a11298a935b470fac09904aa (v03.00.00.0499)
 	NOTE: Fixed in 03.00.00.0499 and later upstream.


=====================================
data/dsa-needed.txt
=====================================
@@ -27,6 +27,8 @@ gh
 --
 git (carnil)
 --
+git-lfs (jmm)
+--
 jetty9
 --
 jpeg-xl
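Review bot: `git-lfs (jmm)` claims the package for a DSA, but this commit touches no git-lfs entry in data/CVE/list and the commit message ("bookworm triage") does not mention the claim; naming the CVE being addressed, in the commit message or in the corresponding CVE/list entry, would make the dsa-needed entry traceable.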
@@ -52,6 +54,8 @@ pagure
 --
 pam-u2f (carnil)
 --
+pdns-recursor (jmm)
+--
 php-laravel-framework
 --
 python-django
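Review bot: `pdns-recursor (jmm)` is added without an accompanying data/CVE/list change in this commit and without a mention in the "bookworm triage" commit message; a reference to the CVE this DSA will cover would let a reader connect the claim to the tracker entry it belongs to.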



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45945d7d8fea43f281e0c45f87092c8946b7a710
