Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
67c2f495 by Moritz Muehlenhoff at 2023-05-30T13:06:05+02:00
bookworm triage

- - - - -
6d0e779d by Moritz Muehlenhoff at 2023-05-30T13:06:09+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -9856,13 +9856,14 @@ CVE-2023-28709 (The fix for CVE-2023-24998 was 
incomplete for Apache Tomcat 11.0
 CVE-2023-28708 (When using the RemoteIpFilter with requests received from a    
reverse ...)
        {DSA-5381-1 DLA-3384-1}
        - tomcat10 10.1.6-1
-       - tomcat9 <unfixed> (bug #1033475)
+       - tomcat9 9.0.70-2
        - tomcat8 <removed>
        NOTE: https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
        NOTE: https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
        NOTE: 
https://github.com/apache/tomcat/commit/f509bbf31fc00abe3d9f25ebfabca5e05173da5b
 (10.1.6)
        NOTE: 
https://github.com/apache/tomcat/commit/3b51230764da595bb19e8d0962dd8c69ab40dfab
 (9.0.72)
        NOTE: 
https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510
 (8.5.86)
+       NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, 
using that as the fixed version
 CVE-2023-28707 (Improper Input Validation vulnerability in Apache Software 
Foundation  ...)
        NOT-FOR-US: Apache Airflow Drill Provider
 CVE-2023-28706 (Improper Control of Generation of Code ('Code Injection') 
vulnerabilit ...)
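Review bot: the replaced tomcat9 line drops the `(bug #1033475)` reference together with `<unfixed>`; the tracker format allows a bug reference on a fixed-version line, so `- tomcat9 9.0.70-2 (bug #1033475)` would keep the Debian bug linked and flag it for closing. Note also that 9.0.70-2 is older than the upstream fix commit recorded as `(9.0.72)` a few lines below; the new NOTE at the end of the entry is the only thing explaining that, so it should stay with this entry rather than being trimmed later.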
@@ -17275,6 +17276,7 @@ CVE-2023-0927 (Use after free in Web Payments API in 
Google Chrome on Android pr
        [buster] - chromium <end-of-life> (see DSA 5046)
 CVE-2022-48340 (In Gluster GlusterFS 11.0, there is an 
xlators/cluster/dht/src/dht-com ...)
        - glusterfs <unfixed> (bug #1031796)
+       [bookworm] - glusterfs <no-dsa> (Minor issue)
        [bullseye] - glusterfs <no-dsa> (Minor issue)
        [buster] - glusterfs <no-dsa> (Minor issue)
        NOTE: https://github.com/gluster/glusterfs/issues/3732
@@ -20983,7 +20985,7 @@ CVE-2023-24999 (HashiCorp Vault and Vault 
Enterprise\u2019s approle auth method
        NOT-FOR-US: Vault
 CVE-2023-24998 (Apache Commons FileUpload before 1.5 does not limit the number 
of requ ...)
        - tomcat10 10.1.5-1
-       - tomcat9 <unfixed>
+       - tomcat9 9.0.70-2
        - libcommons-fileupload-java 1.4-2 (bug #1031733)
        [bullseye] - libcommons-fileupload-java <no-dsa> (Minor issue)
        [buster] - libcommons-fileupload-java <no-dsa> (Minor issue)
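Review bot: `- tomcat9 9.0.70-2` here again predates the upstream fix commit recorded as `(9.0.71)` for this CVE, and the rationale (tomcat9 no longer shipping the server stack) only appears as a NOTE in the next hunk of the same entry. CVE-2023-28709, visible in the first hunk's header context as the incomplete-fix follow-up to this CVE, concerns the same code; if its tomcat9 line still reads `<unfixed>`, it should receive the same fixed version and NOTE for consistency.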
@@ -20993,6 +20995,7 @@ CVE-2023-24998 (Apache Commons FileUpload before 1.5 
does not limit the number o
        NOTE: 
https://github.com/apache/tomcat/commit/8a2285f13affa961cc65595aad999db5efae45ce
 (10.1.5)
        NOTE: 
https://github.com/apache/tomcat/commit/cf77cc545de0488fb89e24294151504a7432df74
 (9.0.71)
        NOTE: When fixing the issue make sure to apply complete fixes to not 
open  CVE-2023-28709
+       NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, 
using that as the fixed version
 CVE-2023-24996 (A vulnerability has been identified in Tecnomatix Plant 
Simulation (Al ...)
        NOT-FOR-US: Siemens
 CVE-2023-24995 (A vulnerability has been identified in Tecnomatix Plant 
Simulation (Al ...)
@@ -39015,6 +39018,7 @@ CVE-2022-4056
        RESERVED
 CVE-2022-4055 (When xdg-mail is configured to use thunderbird for mailto URLs, 
improp ...)
        - xdg-utils <unfixed> (bug #1027160)
+       [bookworm] - xdg-utils <no-dsa> (Minor issue)
        [bullseye] - xdg-utils <no-dsa> (Minor issue)
        [buster] - xdg-utils <no-dsa> (Minor issue)
        NOTE: 
https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205#note_1494267
@@ -58844,6 +58848,7 @@ CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a 
CommonMark parsing and re
        [buster] - python-cmarkgfm <no-dsa> (Minor issue)
        - ghostwriter 2.1.6+ds-1 (unimportant)
        - ruby-commonmarker <unfixed> (bug #1034888)
+       [bookworm] - ruby-commonmarker <no-dsa> (Minor issue)
        [bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
        [buster] - ruby-commonmarker <no-dsa> (Minor issue)
        - r-cran-commonmark 1.8.1-1
@@ -61291,6 +61296,8 @@ CVE-2022-37343
        RESERVED
 CVE-2022-36788 (A heap-based buffer overflow vulnerability exists in the 
TriangleMesh  ...)
        - slic3r <unfixed> (bug #1034848)
+       [bookworm] - slic3r <no-dsa> (Minor issue)
+       [bullseye] - slic3r <no-dsa> (Minor issue)
        [buster] - slic3r <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1593
 CVE-2022-36420
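Review bot: the added `[bullseye] - slic3r <no-dsa> (Minor issue)` line is outside the scope stated by both commit messages ("bookworm triage"); it is reasonable if bullseye was simply missing its triage line next to the existing buster one, but the commit message should say so.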
@@ -193965,6 +193972,7 @@ CVE-2020-27749 (A flaw was found in grub2 in versions 
prior to 2.06. Variable na
        [stretch] - grub2 <ignored> (No SecureBoot support in stretch)
 CVE-2020-27748 (A flaw was found in the xdg-email component of 
xdg-utils-1.1.0-rc1 and ...)
        - xdg-utils <unfixed> (bug #975370)
+       [bookworm] - xdg-utils <postponed> (Minor issue; regression potential; 
revisit when fixed upstream)
        [bullseye] - xdg-utils <postponed> (Minor issue; regression potential; 
revisit when fixed upstream)
        [buster] - xdg-utils <postponed> (Minor issue; regression potential; 
revisit when fixed upstream)
        [stretch] - xdg-utils <postponed> (Minor issue; regression potential; 
revisit when fixed upstream)
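Review bot: the new `[bookworm] - xdg-utils <postponed>` line repeats "revisit when fixed upstream" on a fourth release, yet no upstream tracking reference is visible in this hunk's context, unlike the CVE-2022-4055 xdg-utils entry earlier in this diff, which carries a gitlab.freedesktop.org issue NOTE. If CVE-2020-27748 has no such NOTE, add one so the postponed entries can actually be revisited.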



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cb34a539ec2aaf81c68269fe48c6f28b0bc4fbec...6d0e779d8440edfb1a65e478363571b20ea0366f


_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits