[Git][security-tracker-team/security-tracker][master] bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Jan 23 11:33:25 GMT 2025 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1179caca by Moritz Muehlenhoff at 2025-01-23T12:33:06+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -271,6 +271,7 @@ CVE-2025-20156 (A vulnerability in the REST API of Cisco Meeting Management coul
 	NOT-FOR-US: Cisco
 CVE-2025-20128 (A vulnerability in the Object Linking and Embedding 2 (OLE2) decryptio ...)
 	- clamav <unfixed>
+	[bookworm] - clamav <no-dsa> (clamav is being updated via -updates)
 	NOTE: https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html
 CVE-2025-0651 (Improper Privilege Management vulnerability in Cloudflare WARP on Wind ...)
 	NOT-FOR-US: Cloudflare
@@ -286,6 +287,7 @@ CVE-2025-0604 (A flaw was found in Keycloak. When an Active Directory user reset
 	NOT-FOR-US: Keycloak
 CVE-2025-0395 (When the assert() function in the GNU C Library versions 2.13 to 2.40  ...)
 	- glibc 2.40-6
+	[bookworm] - glibc <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=32582
 	NOTE: https://www.openwall.com/lists/oss-security/2025/01/22/4
 	NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c (2.40-branch)
@@ -873,6 +875,7 @@ CVE-2025-22262 (Improper Neutralization of Input During Web Page Generation ('Cr
 CVE-2025-22150 (Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to v ...)
 	[experimental] - node-undici 7.2.3+dfsg1+~cs24.12.11-1
 	- node-undici <unfixed>
+	[bookworm] - node-undici <no-dsa> (Minor issue)
 	NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
 	NOTE: Fixed by: https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0 (v5.28.5)
 	NOTE: Fixed by: https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385 (v6.21.1)
@@ -10095,10 +10098,12 @@ CVE-2024-37962 (Improper Neutralization of Input During Web Page Generation ('Cr
 	NOT-FOR-US: Agency Dominion Fusion
 CVE-2024-12801 (Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logba ...)
 	- logback <unfixed> (bug #1091320)
+	[bookworm] - logback <no-dsa> (Minor issue)
 	NOTE: https://logback.qos.ch/news.html#1.5.13
 	NOTE: Fixed by: https://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d (v_1.5.13)
 CVE-2024-12798 (ACE vulnerability in JaninoEventEvaluator  by QOS.CH logback-core      ...)
 	- logback <unfixed> (bug #1091319)
+	[bookworm] - logback <no-dsa> (Minor issue)
 	NOTE: https://logback.qos.ch/news.html#1.5.13
 	NOTE: Fixed by: https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183 (v_1.5.13)
 CVE-2024-12794 (A vulnerability, which was classified as critical, was found in Codezi ...)
@@ -10194,6 +10199,7 @@ CVE-2024-4229 (Incorrect Default Permissions vulnerability in Edgecross Basic So
 	NOT-FOR-US: Edgecross Basic Software for Windows
 CVE-2024-45338 (An attacker can craft an input to the Parse functions that would be pr ...)
 	- golang-golang-x-net <unfixed> (bug #1091168)
+	[bookworm] - golang-golang-x-net <no-dsa> (Minor issue)
 	[bullseye] - golang-golang-x-net <postponed> (minor issue; DoS)
 	NOTE: https://go-review.googlesource.com/c/net/+/637536
 	NOTE: https://github.com/golang/go/issues/70906


=====================================
data/dsa-needed.txt
=====================================
@@ -47,6 +47,8 @@ mosquitto (carnil)
 --
 nodejs
 --
+openjdk-17 (jmm)
+--
 openjpeg2
 --
 opennds



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1179caca34b536788b47db21b132ea2b87ee3e0c

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1179caca34b536788b47db21b132ea2b87ee3e0c
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250123/d7891adf/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list