bookworm triage

Moritz Muehlenhoff (@jmm) Wed, 28 Jun 2023 03:27:18 -0700


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker



Commits:
8ab4d6fb by Moritz Muehlenhoff at 2023-06-28T12:26:48+02:00
bullseye/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -241,6 +241,8 @@ CVE-2023-2992 (An unauthenticated denial of service 
vulnerability exists in the
        NOT-FOR-US: Lenovo
 CVE-2023-36675 (An issue was discovered in MediaWiki before 1.35.11, 1.36.x 
through 1. ...)
        - mediawiki <unfixed>
+       [bookworm] - mediawiki <postponed> (Fix in next security release)
+       [bullseye] - mediawiki <postponed> (Fix in next security release)
        NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/921452
        NOTE: https://phabricator.wikimedia.org/T332889
 CVE-2023-36666 (INEX IXP-Manager before 6.3.1 allows XSS. 
list-preamble.foil.php, page ...)
@@ -1356,6 +1358,8 @@ CVE-2023-31671 (PrestaShop postfinance <= 17.1.13 is 
vulnerable to SQL Injection
        NOT-FOR-US: PrestaShop postfinance
 CVE-2023-2976 (Use of Java's default temporary directory for file creation in 
`FileBa ...)
        - guava-libraries 32.0.1-1 (bug #1038979)
+       [bookworm] - guava-libraries <no-dsa> (Minor issue)
+       [bullseye] - guava-libraries <no-dsa> (Minor issue)
        NOTE: https://github.com/google/guava/releases/tag/v32.0.0
        NOTE: https://github.com/google/guava/issues/2575
 CVE-2023-35149 (A missing permission check in Jenkins Digital.ai App 
Management Publis ...)
@@ -2343,6 +2347,8 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with 
use of yajl_tree_parse
        [bookworm] - r-cran-jsonlite <no-dsa> (Minor issue)
        [bullseye] - r-cran-jsonlite <no-dsa> (Minor issue)
        - ruby-yajl <unfixed>
+       [bookworm] - ruby-yajl <no-dsa> (Minor issue)
+       [bullseye] - ruby-yajl <no-dsa> (Minor issue)
 CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in 
URIParser::parse , ...)
        NOT-FOR-US: Sogou Workflow
 CVE-2023-33381 (A command injection vulnerability was found in the ping 
functionality  ...)
@@ -2552,6 +2558,8 @@ CVE-2023-34410 (An issue was discovered in Qt before 
5.15.15, 6.x before 6.2.9,
        - qt6-base 6.4.2+dfsg-11 (bug #1037209)
        [bookworm] - qt6-base <no-dsa> (Minor issue)
        - qtbase-opensource-src 5.15.8+dfsg-12 (bug #1037210)
+       [bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
+       [bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
        [buster] - qtbase-opensource-src <no-dsa> (Minor issue)
        - qtbase-opensource-src-gles <unfixed>
        [bookworm] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
@@ -3879,6 +3887,7 @@ CVE-2023-33285 (An issue was discovered in Qt 5.x before 
5.15.14, 6.x before 6.2
        - qt6-base 6.4.2+dfsg-10 (bug #1036848)
        [bookworm] - qt6-base <no-dsa> (Minor issue)
        - qtbase-opensource-src 5.15.8+dfsg-11
+       [bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
        [buster] - qtbase-opensource-src <no-dsa> (Minor issue)
        - qtbase-opensource-src-gles <unfixed>
        [bookworm] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
@@ -4042,6 +4051,7 @@ CVE-2019-25137 (Umbraco CMS 4.11.8 through 7.15.10, and 
7.12.4, allows Remote Co
 CVE-2023-32763 (An issue was discovered in Qt before 5.15.15, 6.x before 
6.2.9, and 6. ...)
        - qt6-base 6.4.2+dfsg-8
        - qtbase-opensource-src 5.15.8+dfsg-10
+       [bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
        [buster] - qtbase-opensource-src <no-dsa> (Minor issue)
        - qtbase-opensource-src-gles 5.15.8+dfsg-3 (bug #1036702)
        [bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
@@ -4054,6 +4064,7 @@ CVE-2023-32763 (An issue was discovered in Qt before 
5.15.15, 6.x before 6.2.9,
 CVE-2023-32762 (An issue was discovered in Qt before 5.15.14, 6.x before 
6.2.9, and 6. ...)
        - qt6-base 6.4.2+dfsg-9
        - qtbase-opensource-src 5.15.8+dfsg-10
+       [bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
        [buster] - qtbase-opensource-src <postponed> (Can wait for next upload)
        - qtbase-opensource-src-gles <not-affected> (Not built in GLES variant)
        NOTE: 
https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
@@ -24400,6 +24411,7 @@ CVE-2023-24999 (HashiCorp Vault and Vault 
Enterprise\u2019s approle auth method
 CVE-2023-24998 (Apache Commons FileUpload before 1.5 does not limit the number 
of requ ...)
        - tomcat10 10.1.5-1
        - tomcat9 9.0.70-2
+       [bullseye] - tomcat9 <postponed> (Minor issue, fix along with future 
update)
        [buster] - tomcat9 <no-dsa> (Minor issue)
        - libcommons-fileupload-java 1.4-2 (bug #1031733)
        [bullseye] - libcommons-fileupload-java <no-dsa> (Minor issue)
@@ -58600,6 +58612,7 @@ CVE-2022-40717 (This vulnerability allows 
network-adjacent attackers to execute
        NOT-FOR-US: D-Link
 CVE-2022-40716 (HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, 
and 1.13. ...)
        - consul <unfixed> (bug #1027161)
+       [bullseye] - consul <no-dsa> (Minor issue)
        [buster] - consul <not-affected> (Vulnerable Code not present)
        NOTE: 
https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628
        NOTE: 
https://github.com/hashicorp/consul/commit/ae822d752ad36007e353249691a0ef318cf55d08
 (v1.11.9)
@@ -64897,6 +64910,7 @@ CVE-2022-2880 (Requests forwarded by ReverseProxy 
include the raw query paramete
        - golang-1.18 1.18.7-1
        - golang-1.17 <unfixed>
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, follow bullseye 
DSAs/point-releases)
        NOTE: https://go.dev/issue/54663
@@ -64907,6 +64921,7 @@ CVE-2022-2879 (Reader.Read does not set a limit on the 
maximum size of file head
        - golang-1.18 1.18.7-1
        - golang-1.17 <unfixed>
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, follow bullseye 
DSAs/point-releases)
        NOTE: https://go.dev/issue/54853
@@ -244559,6 +244574,8 @@ CVE-2020-8909
        RESERVED
 CVE-2020-8908 (A temp directory creation vulnerability exists in all versions 
of Guav ...)
        - guava-libraries 32.0.1-1 (bug #1038979)
+       [bookworm] - guava-libraries <no-dsa> (Minor issue)
+       [bullseye] - guava-libraries <no-dsa> (Minor issue)
        NOTE: https://github.com/google/guava/issues/4011
        NOTE: 
https://github.com/google/guava/commit/fec0dbc4634006a6162cfd4d0d09c962073ddf40
        NOTE: Issue incompletely fixed:



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ab4d6fba2521504196476b7fbcfe05efdc17261

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ab4d6fba2521504196476b7fbcfe05efdc17261
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

Reply via email to