Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0fd31e5c by Moritz Mühlenhoff at 2023-05-23T21:11:20+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -916,6 +916,7 @@ CVE-2023-2641 (A vulnerability was found in SourceCodester 
Online Internship Man
        NOT-FOR-US: SourceCodester Online Internship Management System
 CVE-2023-32076 (in-toto is a framework to protect supply chain integrity. The 
in-toto  ...)
        - in-toto <unfixed> (bug #1035934)
+       [bookworm] - in-toto <no-dsa> (Minor issue)
        [bullseye] - in-toto <no-dsa> (Minor issue)
        NOTE: 
https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf
        NOTE: 
https://github.com/in-toto/in-toto/commit/f88138c90861953c77a1384ea2fcc58126e6fe59
 (v2.0.0)
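Review bot: the new [bookworm] line sits ahead of the existing [bullseye] line with the same "Minor issue" justification, matching the newest-release-first ordering used elsewhere in this file. Since the second NOTE already pins the fixing commit and the upstream release that carries it (v2.0.0), the in-toto <unfixed> entry for unstable can be switched to the fixed Debian version as soon as an upload with that commit lands, which is also what closes bug #1035934.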
@@ -5983,6 +5984,7 @@ CVE-2023-29660
        RESERVED
 CVE-2023-29659 (A Segmentation fault caused by a floating point exception 
exists in li ...)
        - libheif <unfixed> (bug #1035607)
+       [bookworm] - libheif <no-dsa> (Minor issue)
        [bullseye] - libheif <no-dsa> (Minor issue)
        [buster] - libheif <no-dsa> (Minor issue)
        NOTE: https://github.com/strukturag/libheif/issues/794
@@ -9968,6 +9970,7 @@ CVE-2023-1437
        RESERVED
 CVE-2023-1436 (An infinite recursion is triggered in Jettison when 
constructing a JSO ...)
        - libjettison-java <unfixed> (bug #1033846)
+       [bookworm] - libjettison-java <no-dsa> (Minor issue)
        [bullseye] - libjettison-java <no-dsa> (Minor issue)
        [buster] - libjettison-java <postponed> (Minor issue, DoS)
        NOTE: 
https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/
@@ -10180,6 +10183,7 @@ CVE-2023-28429 (Pimcore is an open source data and 
experience management platfor
        NOT-FOR-US: Pimcore
 CVE-2023-28428 (PDFio is a C library for reading and writing PDF files. In 
versions 1. ...)
        - ippsample <unfixed> (bug #1034155)
+       [bookworm] - ippsample <no-dsa> (Minor issue)
        NOTE: 
https://github.com/michaelrsweet/pdfio/commit/97d4955666779dc5b0665e15dd951a5c12426a31
 (v1.1.1)
        NOTE: 
https://github.com/michaelrsweet/pdfio/security/advisories/GHSA-68x8-9phf-j7jf
 CVE-2023-28427 (matrix-js-sdk is a Matrix messaging protocol Client-Server SDK 
for Jav ...)
@@ -14347,12 +14351,14 @@ CVE-2023-27104
        RESERVED
 CVE-2023-27103 (Libde265 v1.0.11 was discovered to contain a heap buffer 
overflow via  ...)
        - libde265 <unfixed> (bug #1033257)
+       [bookworm] - libde265 <no-dsa> (Minor issue)
        [bullseye] - libde265 <no-dsa> (Minor issue)
        [buster] - libde265 <no-dsa> (Minor issue)
        NOTE: https://github.com/strukturag/libde265/issues/394
        NOTE: 
https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995
 CVE-2023-27102 (Libde265 v1.0.11 was discovered to contain a segmentation 
violation vi ...)
        - libde265 <unfixed> (bug #1033257)
+       [bookworm] - libde265 <no-dsa> (Minor issue)
        [bullseye] - libde265 <no-dsa> (Minor issue)
        [buster] - libde265 <no-dsa> (Minor issue)
        NOTE: https://github.com/strukturag/libde265/issues/393
@@ -16806,6 +16812,8 @@ CVE-2023-26126 (All versions of the package m.static 
are vulnerable to Directory
        NOT-FOR-US: m.static
 CVE-2023-26125 (Versions of the package github.com/gin-gonic/gin before 1.9.0 
are vuln ...)
        - golang-github-gin-gonic-gin <unfixed> (bug #1035498)
+       [bookworm] - golang-github-gin-gonic-gin <no-dsa> (Minor issue)
+       [bullseye] - golang-github-gin-gonic-gin <no-dsa> (Minor issue)
        NOTE: https://github.com/gin-gonic/gin/pull/3500
        NOTE: https://github.com/gin-gonic/gin/pull/3503
        NOTE: 
https://github.com/gin-gonic/gin/commit/81ac7d55a09e34013225db0aeac6e70c1ae68928
 (v1.9.0)
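Review bot: the commit message says "bookworm triage", but for CVE-2023-26125 a [bullseye] annotation is introduced here that did not exist before (the entry previously had only the unstable line), so the bullseye decision is not visible in the history under that message; mention bullseye in the commit message or split the bullseye triage into its own commit.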
@@ -21921,6 +21929,8 @@ CVE-2023-0476 (A LDAP injection vulnerability exists in 
Tenable.sc due to improp
        NOT-FOR-US: Tenable
 CVE-2023-0475 (HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to 
decompressi ...)
        - golang-github-hashicorp-go-getter <unfixed> (bug #1032100)
+       [bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+       [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        [buster] - golang-github-hashicorp-go-getter <postponed> (Limited 
support, minor issue, follow bullseye DSAs/point-releases)
        NOTE: 
https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125
 CVE-2023-0474 (Use after free in GuestView in Google Chrome prior to 
109.0.5414.119 a ...)
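Review bot: with bullseye now <no-dsa>, the existing [buster] line "follow bullseye DSAs/point-releases" points at an update that is not currently planned; if the intent is that buster only moves when a bullseye point-release fix materialises, that is fine, otherwise <no-dsa> (Minor issue) on buster would read more consistently with the two lines above it. The [bullseye] line here is also new, beyond the "bookworm triage" scope stated in the commit message.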
@@ -26294,10 +26304,9 @@ CVE-2023-0198 (NVIDIA GPU Display Driver for Linux 
contains a vulnerability in t
 CVE-2023-0197 (NVIDIA vGPU software contains a vulnerability in the Virtual 
GPU Manag ...)
        NOT-FOR-US: NVIDIA vGPU software
 CVE-2023-0196 (NVIDIA CUDA Toolkit SDK contains a bug in cuobjdump, where a 
local use ...)
-       - nvidia-cuda-toolkit <unfixed> (bug #1032668)
-       [bullseye] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
-       [buster] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+       - nvidia-cuda-toolkit <unfixed> (unimportant; bug #1032668)
        NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5446
+       NOTE: Crash in CLI tool, no security impact
 CVE-2023-0195 (NVIDIA GPU Display Driver for Windows contains a vulnerability 
in the  ...)
        - nvidia-open-gpu-kernel-modules 525.105.17-1 (bug #1033783)
        - nvidia-graphics-drivers-tesla 525.105.17-1 (bug #1033782)
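Review bot: downgrading CVE-2023-0196 to "unimportant" and dropping the [bullseye]/[buster] <no-dsa> lines is consistent, since unimportant issues carry no per-release annotations, and the added NOTE records the reasoning. Naming the tool in that NOTE, e.g. "NOTE: Crash in the cuobjdump CLI tool, no security impact", would let a reader check the justification against the CVE description (which names cuobjdump) without opening the NVIDIA link.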
@@ -26341,10 +26350,9 @@ CVE-2023-0194 (NVIDIA GPU Display Driver for Windows 
and Linux contains a vulner
        [buster] - nvidia-graphics-drivers <ignored> (Non-free not supported, 
no updates provided by Nvidia anymore)
        NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5452
 CVE-2023-0193 (NVIDIA CUDA Toolkit SDK contains a vulnerability in cuobjdump, 
where a ...)
-       - nvidia-cuda-toolkit <unfixed> (bug #1032668)
-       [bullseye] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
-       [buster] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+       - nvidia-cuda-toolkit <unfixed> (unimportant; bug #1032668)
        NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5446
+       NOTE: Crash in CLI tool, no security impact
 CVE-2023-0192 (NVIDIA GPU Display Driver for Windows contains a vulnerability 
in the  ...)
        NOT-FOR-US: NVIDIA GPU Display Driver for Windows
 CVE-2023-0191 (NVIDIA GPU Display Driver for Windows and Linux contains a 
vulnerabili ...)
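Review bot: same change and same justification as for CVE-2023-0196 above, and both entries share bug #1032668; if the NOTE wording is adjusted in one entry (for instance to name cuobjdump), keep the other identical so a later reader can see the two were triaged together.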
@@ -27617,6 +27625,7 @@ CVE-2014-125042
        REJECTED
 CVE-2023-22665 (There is insufficient checking of user queries in Apache Jena 
versions ...)
        - apache-jena <unfixed> (bug #1035952)
+       [bookworm] - apache-jena <no-dsa> (Minor issue)
        NOTE: https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s
 CVE-2023-22652
        RESERVED
@@ -68002,6 +68011,7 @@ CVE-2022-31471 (untangle is a python library to convert 
XML data to python objec
        NOTE: https://github.com/stchris/untangle/pull/94
 CVE-2022-2393 (A flaw was found in pki-core, which could allow a user to get a 
certif ...)
        - dogtag-pki <unfixed> (bug #1034802)
+       [bookworm] - dogtag-pki <no-dsa> (Minor issue)
        [bullseye] - dogtag-pki <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2101046
 CVE-2022-2392 (The Lana Downloads Manager WordPress plugin before 1.8.0 is 
affected b ...)
@@ -83144,6 +83154,7 @@ CVE-2022-30324 (HashiCorp Nomad and Nomad Enterprise 
version 0.2.0 up to 1.3.0 w
        - nomad <not-affected> (In Debian Nomad doesn't bundle go-getter, but 
build depends a shared deb)
 CVE-2022-30323 (go-getter up to 1.5.11 and 2.0.2 panicked when processing 
password-pro ...)
        - golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+       [bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        [buster] - golang-github-hashicorp-go-getter <postponed> (Limited 
support, minor issue, follow bullseye DSAs/point-releases)
        NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
@@ -83151,6 +83162,7 @@ CVE-2022-30323 (go-getter up to 1.5.11 and 2.0.2 
panicked when processing passwo
        NOTE: 
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
 (v1.6.0)
 CVE-2022-30322 (go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource 
exhaustio ...)
        - golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+       [bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        [buster] - golang-github-hashicorp-go-getter <postponed> (Limited 
support, minor issue, follow bullseye DSAs/point-releases)
        NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
@@ -83158,6 +83170,7 @@ CVE-2022-30322 (go-getter up to 1.5.11 and 2.0.2 
allowed asymmetric resource exh
        NOTE: 
https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45
 (v1.6.0)
 CVE-2022-30321 (go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access 
via go- ...)
        - golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+       [bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        [buster] - golang-github-hashicorp-go-getter <postponed> (Limited 
support, minor issue, follow bullseye DSAs/point-releases)
        NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
@@ -93246,6 +93259,7 @@ CVE-2022-26946
        RESERVED
 CVE-2022-26945 (go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, 
endless r ...)
        - golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
+       [bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
        [buster] - golang-github-hashicorp-go-getter <postponed> (Limited 
support, minor issue, follow bullseye DSAs/point-releases)
        NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
@@ -121652,6 +121666,7 @@ CVE-2021-42837 (An issue was discovered in Talend 
Data Catalog before 7.3-202109
 CVE-2021-42836 (GJSON before 1.9.3 allows a ReDoS (regular expression denial 
of servic ...)
        [experimental] - golang-github-tidwall-gjson 1.14.4-1
        - golang-github-tidwall-gjson <unfixed> (bug #1000225)
+       [bookworm] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
        [bullseye] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
        [buster] - golang-github-tidwall-gjson <postponed> (Limited support, 
minor issue, follow bullseye DSAs/point-releases)
        NOTE: 
https://github.com/tidwall/gjson/commit/590010fdac311cc8990ef5c97448d4fec8f29944
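Review bot: the [experimental] line already records 1.14.4-1 as a fixed version, so the <unfixed> unstable line becomes stale as soon as that version is uploaded to unstable; nothing to change in this hunk, but bug #1000225 should be closed by that upload rather than by a later tracker edit, and the same applies to the CVE-2021-42248 entry further down, which tracks the identical versions.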
@@ -124481,6 +124496,7 @@ CVE-2021-42249
 CVE-2021-42248 (GJSON <= 1.9.2 allows attackers to cause a redos via crafted 
JSON inpu ...)
        [experimental] - golang-github-tidwall-gjson 1.14.4-1
        - golang-github-tidwall-gjson <unfixed> (bug #1011616)
+       [bookworm] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
        [bullseye] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
        [buster] - golang-github-tidwall-gjson <postponed> (Limited support, 
minor issue, follow bullseye DSAs/point-releases)
        NOTE: https://github.com/tidwall/gjson/issues/237
@@ -260180,6 +260196,7 @@ CVE-2020-1697 (It was found in all keycloak versions 
before 9.0.0 that links to
        NOT-FOR-US: Keycloak
 CVE-2020-1696 (A flaw was found in the all pki-core 10.x.x versions, where 
Token Proc ...)
        - dogtag-pki <unfixed> (bug #1014854)
+       [bookworm] - dogtag-pki <no-dsa> (Minor issue)
        [bullseye] - dogtag-pki <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1780707
 CVE-2020-1695 (A flaw was found in all resteasy 3.x.x versions prior to 
3.12.0.Final  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fd31e5c0d922eca7e74459721102d59d8e542d4



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
