Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8e9524f3 by Moritz Muehlenhoff at 2023-08-11T23:03:29+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -252,6 +252,8 @@ CVE-2023-37625 (A stored cross-site scripting (XSS) 
vulnerability in Netbox v3.4
        - netbox <itp> (bug #1017079)
 CVE-2023-37543 (Cacti before 1.2.6 allows IDOR (Insecure Direct Object 
Reference) for  ...)
        - cacti <unfixed>
+       [bookworm] - cacti <no-dsa> (Minor issue)
+       [bullseye] - cacti <no-dsa> (Minor issue)
        NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-4x82-8w8m-w8hj
        NOTE: 
https://medium.com/%40hussainfathy99/exciting-news-my-first-cve-discovery-cve-2023-37543-idor-vulnerability-in-cacti-bbb6c386afed
        TODO: check details once GHSA-4x82-8w8m-w8hj accessible, 1.2.6 does not 
seem correct, reporter claims 1.2.25 wich is not released
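
Review bot: the two added `<no-dsa> (Minor issue)` lines for cacti fix the severity assessment while the TODO just below them still says the details are unchecked and the fixed version is in doubt ("1.2.6 does not seem correct, reporter claims 1.2.25"). With GHSA-4x82-8w8m-w8hj not yet accessible, the affected range for bookworm and bullseye is unverified, so keep the TODO as the trigger to revisit these tags, or say in the parenthesised reason that the assessment is provisional.
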
@@ -1430,6 +1432,8 @@ CVE-2023-3329 (SpiderControl SCADA Webserver versions 
2.08 and prior are vulnera
        NOT-FOR-US: SpiderControl SCADA Webserver
 CVE-2023-3180 (A flaw was found in the QEMU virtual crypto device while 
handling data ...)
        - qemu 1:8.0.4+dfsg-1
+       [bookworm] - qemu <no-dsa> (Minor issue)
+       [bullseye] - qemu <no-dsa> (Minor issue)
        NOTE: Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/04b9b37edda85964cca033a48dcc0298036782f2
 (v2.8.0-rc0)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/9d38a8434721a6479fe03fb5afb150ca793d3980
 (master)
        NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/49f1e02bac166821c712534aaa775f50e1afe17f
 (v8.0.4)
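
Review bot: the added lines cover bookworm and bullseye, but this entry has no `[buster]` line even though the "Introduced by" NOTE dates the flaw to v2.8.0-rc0. The CVE-2023-3301 entry in the next hunk carries an explicit `[buster] - qemu <not-affected>` line with its reason. If buster is triaged separately there is nothing to change here; otherwise add a status line for it so the entry is complete.
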
@@ -1722,6 +1726,8 @@ CVE-2023-3364 (An issue has been discovered in GitLab 
CE/EE affecting all versio
        - gitlab <unfixed>
 CVE-2023-3301 [net: triggerable assertion due to race condition in hot-unplug]
        - qemu 1:8.0.3+dfsg-1
+       [bookworm] - qemu <no-dsa> (Minor issue)
+       [bullseye] - qemu <no-dsa> (Minor issue)
        [buster] - qemu <not-affected> (vhost-vdpa introduced in v5.1)
        NOTE: 
https://github.com/qemu/qemu/commit/a0d7215e339b61c7d7a7b3fcf754954d80d93eb8 
(v8.1.0-rc0)
        NOTE: 
https://github.com/qemu/qemu/commit/aab37b2002811f112d5c26337473486d7d585881 
(v8.0.3)
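
Review bot: the reason on the two added lines is only "Minor issue", while the `[buster]` line directly below them gives a concrete, checkable justification (vhost-vdpa introduced in v5.1). The entry title already describes the impact as a triggerable assertion from a race in hot-unplug, so a short qualifier along those lines in the parentheses would record why this was judged minor for bookworm and bullseye.
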
@@ -3209,6 +3215,8 @@ CVE-2023-37889 (Cross-Site Request Forgery (CSRF) 
vulnerability in WPAdmin WPAdm
        NOT-FOR-US: WordPress plugin
 CVE-2023-37788 (goproxy v1.1 was discovered to contain an issue which can lead 
to a De ...)
        - golang-github-elazarl-goproxy <unfixed> (bug #1042474)
+       [bookworm] - golang-github-elazarl-goproxy <no-dsa> (Minor issue)
+       [bullseye] - golang-github-elazarl-goproxy <no-dsa> (Minor issue)
        NOTE: https://github.com/elazarl/goproxy/issues/502
 CVE-2023-37758 (D-LINK DIR-815 v1.01 was discovered to contain a buffer 
overflow via t ...)
        NOT-FOR-US: D-LINK
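
Review bot: the added `<no-dsa>` lines for golang-github-elazarl-goproxy sit under a package line that is still `<unfixed>` (bug #1042474), and the only reference is the upstream issue (goproxy/issues/502) with no fix commit noted. Since no-dsa leaves the fix to a later point release, add a NOTE with the fixing commit once upstream has one so the stable update can be prepared from this entry.
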
@@ -17013,6 +17021,7 @@ CVE-2023-29409 (Extremely large RSA keys in certificate 
chains can cause a clien
        - golang-1.20 1.20.7-1
        - golang-1.19 1.19.12-1
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, follow bullseye 
DSAs/point-releases)
        NOTE: https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI
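
Review bot: this hunk triages only bullseye's golang-1.15, but the context shows `- golang-1.19 1.19.12-1` followed directly by the golang-1.15 line, with no `[bookworm] - golang-1.19` status in between. The CVE-2023-29406 entry in the next hunk does have `[bookworm] - golang-1.19 <no-dsa> (Minor issue)`. Given the commit message says bookworm/bullseye triage, add the matching bookworm line for CVE-2023-29409 or confirm it was left open on purpose.
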
@@ -17031,6 +17040,7 @@ CVE-2023-29406 (The HTTP/1 client does not fully 
validate the contents of the Ho
        - golang-1.19 1.19.11-1
        [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        NOTE: https://groups.google.com/g/golang-announce/c/2q13H6LEEx0
@@ -27388,6 +27398,7 @@ CVE-2023-26082
 CVE-2023-26081 (In Epiphany (aka GNOME Web) through 43.0, untrusted web 
content can tr ...)
        {DLA-3423-1}
        - epiphany-browser 43.1-1 (bug #1031727)
+       [bullseye] - epiphany-browser <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275
        NOTE: 
https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd
        NOTE: 
https://gitlab.gnome.org/GNOME/epiphany/-/commit/b8f34863485095bc59b97a6c250ed5e976d39dd4
 (43.1)
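
Review bot: the added `[bullseye] - epiphany-browser <no-dsa>` line sits in an entry that already carries `{DLA-3423-1}`, so the LTS release has a published fix while bullseye is left without an advisory. The NOTE lines list the merge request and both fix commits, so it would help to state in the reason whether a point-release update for bullseye is intended, to avoid the older release being ahead of bullseye on this CVE.
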


=====================================
data/dsa-needed.txt
=====================================
@@ -19,6 +19,8 @@ cinder/oldstable
 frr (aron)
   maintainer proposed to update to 8.4.4 for bookworm, which might be a good 
idea
 --
+gst-plugins-ugly1.0 (jmm)
+--
 librsvg
 --
 linux (carnil)
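
Review bot: the new `gst-plugins-ugly1.0 (jmm)` entry has no indented note line and no release suffix, unlike `cinder/oldstable` in the hunk header and the frr entry, which says what is planned. Nothing in the data/CVE/list hunks of this commit touches gst-plugins-ugly1.0, so a one-line note naming the CVEs that prompted the DSA and the releases it targets would make the entry self-explanatory.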



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e9524f390a2359ca74dacd7faaad6bc74ec533c
