Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2e88c288 by Moritz Mühlenhoff at 2023-05-28T20:21:24+02:00
bookworm/bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -458,6 +458,7 @@ CVE-2023-32409
CVE-2023-32373
- webkit2gtk <unfixed>
- wpewebkit <unfixed>
+ [bullseye] - wpewebkit <ignored> (wpewebkit not covered by security
support in Bookworm)
NOTE: https://bugs.webkit.org/show_bug.cgi?id=254840
NOTE:
https://github.com/WebKit/WebKit/commit/85fd2302d16a09a82d9a6e81eb286babb23c4b3c
CVE-2023-32350 (Versions 00.07.00 through 00.07.03 of Teltonika\u2019s RUT
router firm ...)
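Review bot: The release tag and the rationale on the added `[bullseye] - wpewebkit <ignored>` line disagree: the tag says bullseye, the parenthetical says wpewebkit is "not covered by security support in Bookworm". A reader of the tracker cannot tell which release the `<ignored>` status is meant for, so the tag and the note should name the same release (either `[bookworm]` with the current wording, or `[bullseye]` with "in Bullseye"), whichever the triage decision actually was.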
@@ -1506,6 +1507,7 @@ CVE-2023-2614 (Cross-site Scripting (XSS) - DOM in GitHub
repository pimcore/pim
NOT-FOR-US: pimcore
CVE-2023-2610 (Integer Overflow or Wraparound in GitHub repository vim/vim
prior to 9 ...)
- vim <unfixed> (bug #1035955)
+ [bookworm] - vim <no-dsa> (Minor issue)
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
NOTE: https://huntr.dev/bounties/31e67340-935b-4f6c-a923-f7246bc29c7d
@@ -6647,6 +6649,7 @@ CVE-2023-29580 (yasm 1.3.0.55.g101bc was discovered to
contain a segmentation vi
NOTE: Crash in CLI tool, no security impact
CVE-2023-29579 (yasm 1.3.0.55.g101bc was discovered to contain a stack
overflow via th ...)
- yasm <unfixed> (bug #1035951)
+ [bookworm] - yasm <no-dsa> (Minor issue)
[bullseye] - yasm <no-dsa> (Minor issue)
[buster] - yasm <no-dsa> (Minor issue)
NOTE: https://github.com/yasm/yasm/issues/214
@@ -7457,6 +7460,7 @@ CVE-2014-125094 (A vulnerability classified as
problematic was found in phpMiniA
NOT-FOR-US: phpMiniAdmin
CVE-2023-29383 (In Shadow 4.13, it is possible to inject control characters
into field ...)
- shadow <unfixed> (bug #1034482)
+ [bookworm] - shadow <no-dsa> (Minor issue)
[bullseye] - shadow <no-dsa> (Minor issue)
[buster] - shadow <no-dsa> (Minor issue)
NOTE: https://github.com/shadow-maint/shadow/pull/687
@@ -8584,6 +8588,7 @@ CVE-2023-29008 (The SvelteKit framework offers developers
an option to create si
NOT-FOR-US: SvelteKit
CVE-2023-29007 (Git is a revision control system. Prior to versions 2.30.9,
2.31.8, 2. ...)
- git 1:2.40.1-1 (bug #1034835)
+ [bookworm] - git <no-dsa> (Minor issue)
[bullseye] - git <no-dsa> (Minor issue)
[buster] - git <no-dsa> (Minor issue)
NOTE: https://lore.kernel.org/lkml/[email protected]/
@@ -9987,6 +9992,8 @@ CVE-2023-22300 (An unauthenticated remote attacker could
force all authenticated
CVE-2023-1523
RESERVED
- snapd 2.59.5-1
+ [bookworm] - snapd <no-dsa> (Minor issue)
+ [bullseye] - snapd <no-dsa> (Minor issue)
NOTE: Preparation:
https://github.com/snapcore/snapd/commit/e4681c57bd5805c8d2dec5c3ddf7d85ebf1d2c4c
(2.59.5)
NOTE: Fixed by:
https://github.com/snapcore/snapd/commit/dddcfd6ac8daa84feb80eb6fd88f852ced70629c
(2.59.5)
NOTE: Fixed by:
https://github.com/snapcore/snapd/commit/52af545f3c0d8b086500ab86f161703905638951
(2.59.5)
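Review bot: Only `[bookworm]` and `[bullseye]` `<no-dsa>` lines are added for CVE-2023-1523, whereas the other entries touched in this commit also carry a `[buster]` line; the same pattern appears below for CVE-2023-28155 (node-request). If buster is not affected or is tracked elsewhere, a short note on the entry would save the next triager from re-checking; otherwise a matching `[buster]` line looks intended.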
@@ -10602,6 +10609,7 @@ CVE-2023-28451
RESERVED
CVE-2023-28450 (An issue was discovered in Dnsmasq before 2.90. The default
maximum ED ...)
- dnsmasq <unfixed> (bug #1033165)
+ [bookworm] - dnsmasq <no-dsa> (Minor issue)
[bullseye] - dnsmasq <no-dsa> (Minor issue)
[buster] - dnsmasq <no-dsa> (Minor issue)
NOTE:
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5
@@ -11473,6 +11481,7 @@ CVE-2023-28204
- qtwebkit-opensource-src <unfixed>
- webkit2gtk <unfixed>
- wpewebkit <unfixed>
+ [bullseye] - wpewebkit <ignored> (wpewebkit not covered by security
support in Bookworm)
NOTE: https://bugs.webkit.org/show_bug.cgi?id=254930
NOTE:
https://github.com/WebKit/WebKit/commit/698c6e293734c3c46f223b77d5b4ee48b320e32c
CVE-2023-28203
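Review bot: Same tag/rationale mismatch as the CVE-2023-32373 entry earlier in this commit: the added line is tagged `[bullseye]` while its note refers to security support in Bookworm. Both wpewebkit lines should be corrected together so the two entries stay consistent.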
@@ -11650,6 +11659,8 @@ CVE-2023-28156
RESERVED
CVE-2023-28155 (The Request package through 2.88.1 for Node.js allows a bypass
of SSRF ...)
- node-request <unfixed> (bug #1033250)
+ [bookworm] - node-request <no-dsa> (Minor issue)
+ [bullseye] - node-request <no-dsa> (Minor issue)
NOTE: https://github.com/request/request/issues/3442
CVE-2023-28154 (Webpack 5 before 5.76.0 does not avoid cross-realm object
access. Impo ...)
- node-webpack 5.76.1+dfsg1+~cs17.16.16-1 (bug #1032904)
@@ -18245,6 +18256,7 @@ CVE-2023-25816 (Nextcloud is an Open Source private
cloud software. Versions 25.
- nextcloud-server <itp> (bug #941708)
CVE-2023-25815 (In Git for Windows, the Windows port of Git, no localized
messages are ...)
- git 1:2.40.1-1 (bug #1034835)
+ [bookworm] - git <no-dsa> (Minor issue)
[bullseye] - git <no-dsa> (Minor issue)
[buster] - git <no-dsa> (Minor issue)
NOTE: https://lore.kernel.org/lkml/[email protected]/
@@ -18985,6 +18997,7 @@ CVE-2023-25653 (node-jose is a JavaScript
implementation of the JSON Object Sign
NOTE:
https://github.com/cisco/node-jose/security/advisories/GHSA-5h4j-qrvg-9xhw
CVE-2023-25652 (Git is a revision control system. Prior to versions 2.30.9,
2.31.8, 2. ...)
- git 1:2.40.1-1 (bug #1034835)
+ [bookworm] - git <no-dsa> (Minor issue)
[bullseye] - git <no-dsa> (Minor issue)
[buster] - git <no-dsa> (Minor issue)
NOTE: https://lore.kernel.org/lkml/[email protected]/
@@ -55077,6 +55090,7 @@ CVE-2022-3214 (Delta Industrial Automation's DIAEnergy,
an industrial energy man
NOT-FOR-US: Delta
CVE-2022-3213 (A heap buffer overflow issue was found in ImageMagick. When an
applica ...)
- imagemagick <unfixed> (bug #1021141)
+ [bookworm] - imagemagick <no-dsa> (Minor issue)
[bullseye] - imagemagick <no-dsa> (Minor issue)
[buster] - imagemagick <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2126824
@@ -132432,6 +132446,7 @@ CVE-2021-39360 (In GNOME libzapojit through 0.0.3,
zpj-skydrive.c does not enabl
NOTE: https://gitlab.gnome.org/GNOME/libzapojit/-/issues/4
CVE-2021-39359 (In GNOME libgda through 6.0.0, gda-web-provider.c does not
enable TLS ...)
- libgda5 <unfixed> (bug #993592)
+ [bookworm] - libgda5 <no-dsa> (Minor issue)
[bullseye] - libgda5 <no-dsa> (Minor issue)
[buster] - libgda5 <no-dsa> (Minor issue)
[stretch] - libgda5 <postponed> (Minor issue, revisit when/if fixed
upstream)
=====================================
data/dsa-needed.txt
=====================================
@@ -71,6 +71,13 @@ salt
--
samba
--
+webkit2gtk
+--
+wpewebkit
+--
+wireshark
+ bookworm to 4.0.6, bullseye isolated cherrypick
+--
xrdp
needs some additional clarification, tentatively DSA worthy
maybe upgrade to 0.9.21 within bullseye?
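Review bot: The new `wpewebkit` entry in dsa-needed.txt carries no target release, while the CVE/list hunks in this same commit mark wpewebkit as `<ignored>` for one release; stating which release the DSA is for, as the wireshark entry does with "bookworm to 4.0.6, bullseye isolated cherrypick", would remove the ambiguity. The `webkit2gtk` entry would likewise benefit from a line naming what it is waiting on, given that CVE-2023-32373 and CVE-2023-28204 above still read `webkit2gtk <unfixed>`.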
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e88c288042a1046ba02778a16cb0829560eaf2d
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits