[Git][security-tracker-team/security-tracker][master] 2 commits: mark CVEs affecting libbson-xs-perl
Roberto C. Sánchez (@roberto)
roberto at debian.org
Sat May 3 21:42:13 BST 2025
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8ce0103a by Roberto C. Sánchez at 2025-05-03T16:41:30-04:00
mark CVEs affecting libbson-xs-perl
- - - - -
5bfe0488 by Roberto C. Sánchez at 2025-05-03T16:41:43-04:00
LTS: update notes on libbson-xs-perl
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -16454,6 +16454,7 @@ CVE-2024-21760 (An improper control of generation of code ('Code Injection') vul
CVE-2023-47539 (An improper access control vulnerability in FortiMail version 7.4.0 co ...)
NOT-FOR-US: Fortinet
CVE-2025-0755 (The various bson_appendfunctions in the MongoDB C driver library may b ...)
+ - libbson-xs-perl <removed>
- mongo-c-driver 1.27.5-1
[bookworm] - mongo-c-driver <no-dsa> (Minor issue; can be fixed via point-release)
NOTE: https://jira.mongodb.org/browse/SERVER-94461
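Review bot: The added `- libbson-xs-perl <removed>` line under CVE-2025-0755 carries no per-release annotation, while the mongo-c-driver entry beside it has `[bookworm] - mongo-c-driver <no-dsa> (Minor issue; can be fixed via point-release)`. data/dla-needed.txt in this same push says patches were backported for bookworm and bullseye, so consider adding matching `[bookworm]` and `[bullseye]` lines for libbson-xs-perl once the fixed versions are known, so the entry records the state of the releases the backports target.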
@@ -88653,6 +88654,7 @@ CVE-2024-6463
CVE-2024-6461
REJECTED
CVE-2024-6383 (The bson_string_append function in MongoDB C Driver may be vulnerable ...)
+ - libbson-xs-perl <removed>
- mongo-c-driver 1.27.1-1
[bookworm] - mongo-c-driver <no-dsa> (Minor issue)
[bullseye] - mongo-c-driver <no-dsa> (Minor issue)
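Review bot: Nothing in the CVE-2024-6383 entry explains why a Perl package is listed under a MongoDB C Driver issue. The reason (libbson-xs-perl embeds libbson, which mongo-c-driver provides) is recorded only in data/dla-needed.txt. A short NOTE saying so next to the new `- libbson-xs-perl <removed>` line would keep the rationale with the CVE rather than in a work-tracking file. The same applies to the other entries touched in this file.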
@@ -88895,6 +88897,7 @@ CVE-2024-6438 (A vulnerability has been found in Hitout Carsale 1.0 and classifi
CVE-2024-6382 (Incorrect handling of certain string inputs may result in MongoDB Rust ...)
NOT-FOR-US: MongoDB rust driver
CVE-2024-6381 (The bson_strfreev function in the MongoDB C driver library may be susc ...)
+ - libbson-xs-perl <removed>
- mongo-c-driver 1.26.2-1
[bookworm] - mongo-c-driver <no-dsa> (Minor issue)
[bullseye] - mongo-c-driver <no-dsa> (Minor issue)
@@ -199339,6 +199342,7 @@ CVE-2023-0439 (The NEX-Forms WordPress plugin before 8.4.4 does not escape its f
CVE-2023-0438 (Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa ...)
NOT-FOR-US: Modoboa
CVE-2023-0437 (When calling bson_utf8_validateon some inputs a loop with an exit cond ...)
+ - libbson-xs-perl <removed>
- mongo-c-driver 1.25.0-1
[bookworm] - mongo-c-driver <no-dsa> (Minor issue)
[bullseye] - mongo-c-driver <no-dsa> (Minor issue)
@@ -506481,6 +506485,7 @@ CVE-2018-16791 (In SolarWinds SFTP/SCP Server through 2018-09-10, the configurat
CVE-2018-16790 (_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in ...)
- libbson <removed> (bug #913896)
[stretch] - libbson <no-dsa> (Minor issue)
+ - libbson-xs-perl <removed>
- mongo-c-driver 1.13.0-1 (bug #913963)
NOTE: https://jira.mongodb.org/browse/CDRIVER-2819
NOTE: https://github.com/mongodb/mongo-c-driver/commit/0d9a4d98bfdf4acd2c0138d4aaeb4e2e0934bd84
@@ -562601,6 +562606,7 @@ CVE-2017-14228 (In Netwide Assembler (NASM) 2.14rc0, there is an illegal address
CVE-2017-14227 (In MongoDB libbson 1.7.0, the bson_iter_codewscope function in bson-it ...)
- libbson 1.8.0-1 (bug #874754)
[stretch] - libbson <no-dsa> (Minor issue)
+ - libbson-xs-perl <removed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1489355
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1489356
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1489362
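Review bot: The CVE-2017-14227 description names libbson 1.7.0 and the libbson line gives 1.8.0-1 as fixed, but the new `- libbson-xs-perl <removed>` line does not say which libbson version the package embeds, so the entry gives no way to confirm the embedded copy falls in the affected range. Suggest a NOTE recording the embedded libbson version that was checked, here and for CVE-2018-16790 in the previous hunk.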
=====================================
data/dla-needed.txt
=====================================
@@ -153,6 +153,8 @@ krb5
libbson-xs-perl (roberto)
NOTE: 20250331: Added by Front-Desk (Beuc)
NOTE: 20250331: Cf. mongo-c-driver (provides libbson which libbson-xs-perl embeds) (Beuc/front-desk)
+ NOTE: 20250503: Backported patches for bookworm and bullseye to fix all open CVEs. (roberto)
+ NOTE: 20250503: Contacted maintainer on whether changes should go in team repo or not. (roberto)
--
libeconf (Chris Lamb)
NOTE: 20250430: Added by Front-Desk (lamby)
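Review bot: The first added NOTE says the backports "fix all open CVEs" without naming them or saying where the patches are, which makes the claim hard to verify for whoever picks this entry up next. Suggest listing the CVE ids (the ones marked for libbson-xs-perl in data/CVE/list in this push) and the location of the patched sources. The note also mentions bookworm in a file that tracks DLA work, so a word on how the bookworm fix is meant to be released would help.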
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/82d379152b3414c93153abaac1aa0fabccd2f1d8...5bfe04881ef922599d8f8ee0f7f4c1608015f23e