Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
119aca37 by Moritz Muehlenhoff at 2023-07-16T21:14:44+02:00
bullseye/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -322,6 +322,8 @@ CVE-2023-3319 (Improper Neutralization of Input During Web
Page Generation ('Cro
NOT-FOR-US: PlatPlay DSr
CVE-2023-38199 (coreruleset (aka OWASP ModSecurity Core Rule Set) through
3.3.4 does n ...)
- modsecurity-crs <unfixed> (bug #1041109)
+ [bookworm] - modsecurity-crs <no-dsa> (Minor issue)
+ [bullseye] - modsecurity-crs <no-dsa> (Minor issue)
NOTE: https://github.com/coreruleset/coreruleset/issues/3191
NOTE: https://github.com/coreruleset/coreruleset/pull/3237
CVE-2023-38198 (acme.sh before 3.0.6 runs arbitrary commands from a remote
server via ...)
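Review bot: the two new [bookworm]/[bullseye] no-dsa lines leave the unfixed unstable entry and its bug #1041109 reference intact, which is right, but the NOTE pointing at pull request 3237 does not record which upstream release it landed in, as other NOTE lines in this file do (e.g. `(v1.0.5)` after the fdkaac commit link). Appending the fixed upstream version to that NOTE once it is known gives whoever closes the `<unfixed>` entry later the version to check against.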
@@ -3840,13 +3842,15 @@ CVE-2023-34867 (Jerryscript 3.0 (commit 05dbbd1) was
discovered to contain an As
CVE-2023-34865 (Directory traversal vulnerability in ujcms 6.0.2 allows
attackers to m ...)
NOT-FOR-US: ujcms
CVE-2023-34824 (fdkaac before 1.0.5 was discovered to contain a heap buffer
overflow i ...)
- - fdkaac <unfixed> (bug #1038951)
+ - fdkaac <unfixed> (unimportant; bug #1038951)
NOTE: https://github.com/nu774/fdkaac/issues/55
NOTE:
https://github.com/nu774/fdkaac/commit/22dbf72491541aa854835fdf2a9a0d92532728d8
(v1.0.5)
+ NOTE: Crash in CLI tool, no security impact
CVE-2023-34823 (fdkaac before 1.0.5 was discovered to contain a stack overflow
in read ...)
- - fdkaac <unfixed> (bug #1038951)
+ - fdkaac <unfixed> (unimportant; bug #1038951)
NOTE: https://github.com/nu774/fdkaac/issues/55
NOTE:
https://github.com/nu774/fdkaac/commit/22dbf72491541aa854835fdf2a9a0d92532728d8
(v1.0.5)
+ NOTE: Crash in CLI tool, no security impact
CVE-2023-34756 (bloofox v0.5.2.1 was discovered to contain a SQL injection
vulnerabili ...)
NOT-FOR-US: bloofox
CVE-2023-34755 (bloofox v0.5.2.1 was discovered to contain a SQL injection
vulnerabili ...)
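Review bot: the added `NOTE: Crash in CLI tool, no security impact` justifies the new `unimportant` tag on both fdkaac entries, but for CVE-2023-34824 the description says heap buffer overflow, and an overflow in a tool that reads externally supplied input files is only a plain crash if the out-of-bounds access is a read. Stating read vs. write in the NOTE (or pointing at the relevant hunk of the linked 22dbf724 fix commit) would make the triage reproducible for the next person who revisits the entry.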
@@ -4916,8 +4920,11 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with
use of yajl_tree_parse
NOTE: Introduced with:
https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb
(2.0.0)
NOTE: The original fix uploaded as 2.1.0-3.1 was incomplete.
- burp <unfixed>
+ [bookworm] - burp <no-dsa> (Minor issue)
+ [bullseye] - burp <no-dsa> (Minor issue)
[buster] - burp <postponed> (Minor issue; fix only after newer releases
got a fix)
- epics-base <unfixed>
+ [bookworm] - epics-base <no-dsa> (Minor issue)
[buster] - epics-base <postponed> (Minor issue; fix only after newer
releases got a fix)
- r-cran-jsonlite <unfixed>
[bookworm] - r-cran-jsonlite <no-dsa> (Minor issue)
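Review bot: burp gets both a [bookworm] and a [bullseye] no-dsa line here, but epics-base only a [bookworm] one, so bullseye stays unannotated for epics-base; the same asymmetry recurs in the CVE-2022-24795 and CVE-2017-16516 hunks below. If epics-base is not shipped in bullseye that is fine, otherwise a `[bullseye] - epics-base <no-dsa> (Minor issue)` line is missing. The `- burp <unfixed>` and `- epics-base <unfixed>` lines in this hunk also lack the bug references the same packages carry in the later yajl hunks (`bug #1040146`, `bug #1040159`); adding them keeps the three yajl entries in step.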
@@ -6628,6 +6635,8 @@ CVE-2023-33203 (The Linux kernel before 6.2.9 has a race
condition and resultant
NOTE:
https://git.kernel.org/linus/6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 (6.3-rc4)
CVE-2023-33201 (Bouncy Castle For Java before 1.74 is affected by an LDAP
injection vu ...)
- bouncycastle <unfixed> (bug #1040050)
+ [bookworm] - bouncycastle <no-dsa> (Minor issue)
+ [bullseye] - bouncycastle <no-dsa> (Minor issue)
NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33201
CVE-2023-31729 (TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command
Injection.)
NOT-FOR-US: TOTOLINK
@@ -13339,6 +13348,7 @@ CVE-2023-29407
CVE-2023-29406 (The HTTP/1 client does not fully validate the contents of the
Host hea ...)
- golang-1.20 1.20.6-1
- golang-1.19 1.19.11-1
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
- golang-1.11 <removed>
NOTE: https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
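Review bot: only a [bookworm] no-dsa line is added for golang-1.19. The `<removed>` markers on golang-1.15 and golang-1.11 record that those source packages are gone from unstable, not that the older suites are unaffected, so if bullseye or buster still ship one of them a matching `[bullseye]`/`[buster]` annotation (no-dsa, postponed or ignored) would be expected here, as was done for the other packages in this commit.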
@@ -106475,7 +106485,10 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL
JSON parsing and generation
[bookworm] - yajl <no-dsa> (Minor issue)
[bullseye] - yajl <no-dsa> (Minor issue)
- burp <unfixed> (bug #1040146)
+ [bookworm] - burp <no-dsa> (Minor issue)
+ [bullseye] - burp <no-dsa> (Minor issue)
- epics-base <unfixed> (bug #1040159)
+ [bookworm] - epics-base <no-dsa> (Minor issue)
- r-cran-jsonlite <unfixed> (bug #1040161)
[bookworm] - r-cran-jsonlite <no-dsa> (Minor issue)
[bullseye] - r-cran-jsonlite <no-dsa> (Minor issue)
@@ -152746,6 +152759,7 @@ CVE-2021-33797 (Buffer-overflow in jsdtoa.c in
Artifex MuJS in versions 1.0.1 to
NOTE:
https://github.com/ccxvii/mujs/commit/833b6f1672b4f2991a63c4d05318f0b84ef4d550
(1.1.2)
CVE-2021-33796 (In MuJS before version 1.1.2, a use-after-free flaw in the
regexp sour ...)
- mujs 1.1.3-2
+ [bullseye] - mujs <no-dsa> (Minor issue)
NOTE:
https://github.com/ccxvii/mujs/commit/7ef066a3bb95bf83e7c5be50d859e62e58fe8515
(1.1.2)
CVE-2021-3573 (A use-after-free in function hci_sock_bound_ioctl() of the
Linux kerne ...)
{DLA-2690-1 DLA-2689-1}
@@ -384237,7 +384251,10 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby,
when a crafted JSON file is
[bookworm] - yajl <no-dsa> (Minor issue)
[bullseye] - yajl <no-dsa> (Minor issue)
- burp <unfixed> (bug #1040146)
+ [bookworm] - burp <no-dsa> (Minor issue)
+ [bullseye] - burp <no-dsa> (Minor issue)
- epics-base <unfixed> (bug #1040159)
+ [bookworm] - epics-base <no-dsa> (Minor issue)
- r-cran-jsonlite <unfixed> (bug #1040161)
[bookworm] - r-cran-jsonlite <no-dsa> (Minor issue)
[bullseye] - r-cran-jsonlite <no-dsa> (Minor issue)
=====================================
data/dsa-needed.txt
=====================================
@@ -36,6 +36,8 @@ netatalk/oldstable
open regression with MacOS, tentative patch not yet merged upstream
See discussion on team mailing list.
--
+nodejs
+--
nova/oldstable
--
openjdk-11/oldstable (jmm)
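Review bot: the new `nodejs` entry carries no suite suffix, no assignee and no note, whereas the neighbouring entries read `netatalk/oldstable`, `nova/oldstable` and `openjdk-11/oldstable (jmm)` with a free-text line where needed. Adding the suite (or leaving it bare only if both stable and oldstable need a DSA) and a one-line note naming the CVE(s) the update is for would make the entry actionable for whoever picks it up.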
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/119aca372b3486a3903206d2da472e591c17391a
--
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits