Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
53964b73 by Markus Koschany at 2023-09-24T23:27:33+02:00
CVE-2023-39663,mathjax: Buster is no-dsa

Minor issue

- - - - -
25f4985c by Markus Koschany at 2023-09-24T23:27:33+02:00
Add jetty9 dla-needed.txt and claim it.

- - - - -
206d32b2 by Markus Koschany at 2023-09-24T23:27:34+02:00
CVE-2023-38285,modsecurity: Buster is no-dsa

Minor issue

- - - - -
3706666d by Markus Koschany at 2023-09-24T23:27:36+02:00
CVE-2023-42467,qemu: Buster is no-dsa

Minor issue

- - - - -
a6eb22cb by Markus Koschany at 2023-09-24T23:27:37+02:00
Triage rust-users temp CVE as no-dsa for Buster

Minor issue

- - - - -
2a965da5 by Markus Koschany at 2023-09-24T23:27:37+02:00
Add vim to dla-needed.txt

- - - - -
0808083e by Markus Koschany at 2023-09-24T23:27:37+02:00
Add zabbix to dla-needed.txt

- - - - -
42617eeb by Markus Koschany at 2023-09-24T23:27:37+02:00
Add netatalk to dla-needed.txt and claim it.

- - - - -
7cf8eab5 by Markus Koschany at 2023-09-24T23:27:37+02:00
Add qemu to dla-needed.txt

- - - - -
ab7ffa4d by Markus Koschany at 2023-09-24T23:27:37+02:00
Add mosquitto to dla-needed.txt

- - - - -
2e1ec1a5 by Markus Koschany at 2023-09-24T23:27:37+02:00
Add axis to dla-needed.txt

- - - - -
74659477 by Markus Koschany at 2023-09-24T23:27:37+02:00
Add freerdp2 to dla-needed.txt

- - - - -
5ea70a64 by Markus Koschany at 2023-09-24T23:27:39+02:00
CVE-2023-4759,jgit: Buster is no-dsa

Minor issue, only case-insensitive filesystems are affected.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1109,6 +1109,7 @@ CVE-2023-4913 (Cross-site Scripting (XSS) - Reflected in 
GitHub repository cecil
        NOT-FOR-US: cecil.app
 CVE-2023-4759 (Arbitrary File Overwrite in Eclipse JGit <= 6.6.0  In Eclipse 
JGit, al ...)
        - jgit <unfixed>
+       [buster] - jgit <no-dsa> (Minor issue. Only case-insensitive 
filesystems are affected)
        NOTE: 
https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1
 (v6.6.1.202309021850-r)
        NOTE: 
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11
 CVE-2023-4501 (User authentication with username and password credentials is 
ineffect ...)
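Review bot: the new `[buster] - jgit <no-dsa>` line for CVE-2023-4759 sits directly under `- jgit <unfixed>` with no `[bookworm]` or `[bullseye]` line, while every other CVE touched in this commit already carries both; either the stable and oldstable status of jgit is still open, or those lines are missing. If the same reasoning about case-insensitive filesystems applies there, suggest adding the two lines (e.g. `[bookworm] - jgit <no-dsa> (Minor issue)`) in the same change so the entry reads consistently across suites.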
@@ -1326,6 +1327,7 @@ CVE-2023-XXXX [RUSTSEC-2023-0059: Unaligned read of 
*const *const c_char pointer
        - rust-users <unfixed> (bug #1051808)
        [bookworm] - rust-users <no-dsa> (Minor issue)
        [bullseye] - rust-users <no-dsa> (Minor issue)
+       [buster] - rust-users <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0059.html
        NOTE: https://github.com/ogham/rust-users/issues/55
        NOTE: Proposed patch: 
https://github.com/dhruvkb/rust-users/commit/e6ba8a88e0127f0d17ddd99f80f85d2c1722b227
@@ -1585,6 +1587,7 @@ CVE-2023-42467 (QEMU through 8.0.0 could trigger a 
division by zero in scsi_disk
        - qemu <unfixed> (bug #1051899)
        [bookworm] - qemu <no-dsa> (Minor issue)
        [bullseye] - qemu <no-dsa> (Minor issue)
+       [buster] - qemu <no-dsa> (Minor issue)
        NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1813
 CVE-2023-40040 (An issue was discovered in the MyCrops HiGrade "THC Testing & 
Cannabi" ...)
        NOT-FOR-US: MyCrops HiGrade "THC Testing & Cannabi" application
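Review bot: this marks CVE-2023-42467 as `<no-dsa> (Minor issue)` for buster, yet the same push adds qemu to data/dla-needed.txt with the note "Consider fixing postponed issues as well." If a buster DLA for qemu is being prepared anyway, tagging this one `<postponed>` rather than `<no-dsa>` would let it ride along with that update; if it genuinely should not be fixed, the dla-needed note could say so to spare the LTS worker a second triage.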
@@ -3242,6 +3245,7 @@ CVE-2023-39663 (Mathjax up to v2.7.9 was discovered to 
contain two Regular expre
        - mathjax <unfixed>
        [bookworm] - mathjax <no-dsa> (Minor issue)
        [bullseye] - mathjax <no-dsa> (Minor issue)
+       [buster] - mathjax <no-dsa> (Minor issue)
        NOTE: https://github.com/mathjax/MathJax/issues/3074
 CVE-2023-39616 (AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid 
read mem ...)
        [experimental] - aom 3.7.0-1~exp1
@@ -7727,6 +7731,7 @@ CVE-2023-38285 (Trustwave ModSecurity 3.x before 3.0.10 
has Inefficient Algorith
        - modsecurity 3.0.10-1 (bug #1042475)
        [bookworm] - modsecurity <no-dsa> (Minor issue)
        [bullseye] - modsecurity <no-dsa> (Minor issue)
+       [buster] - modsecurity <no-dsa> (Minor issue)
        NOTE: 
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
 CVE-2023-38261 (The issue was addressed with improved memory handling. This 
issue is f ...)
        NOT-FOR-US: Apple


=====================================
data/dla-needed.txt
=====================================
@@ -29,6 +29,9 @@ audiofile
   NOTE: 20230918: Added by Front-Desk (apo)
   NOTE: 20230919: unfixed upstream (apo)
 --
+axis
+  NOTE: 20230924: Added by Front-Desk (apo)
+--
 bind9 (Thorsten Alteholz)
   NOTE: 20230921: Added by Front-Desk (apo)
 --
@@ -79,6 +82,10 @@ freeimage (gladk)
   NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should 
roll
   NOTE: 20230826: out the DLA/ELA now. (utkarsh)
 --
+freerdp2
+  NOTE: 20230924: Added by Front-Desk (apo)
+  NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo)
+--
 gerbv (Adrian Bunk)
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230918: DLA coming soon. (bunk)
@@ -101,6 +108,9 @@ imagemagick
   NOTE: 20230622: Added by Front-Desk (Beuc)
   NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs 
(Beuc/front-desk)
 --
+jetty9 (Markus Koschany)
+  NOTE: 20230924: Added by Front-Desk (apo)
+--
 libreswan
   NOTE: 20230817: Added by Front-Desk (ta)
   NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to
@@ -112,6 +122,9 @@ libreswan
 linux (Ben Hutchings)
   NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
 --
+mosquitto (Markus Koschany)
+  NOTE: 20230924: Added by Front-Desk (apo)
+--
 nasm (tobi)
   NOTE: 20230907: Added by Front-Desk (lamby)
   NOTE: 20230907: Added due to CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686,
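Review bot: the entry is added as `mosquitto (Markus Koschany)`, i.e. already claimed, while the corresponding commit message says only "Add mosquitto to dla-needed.txt"; the jetty9 and netatalk commits in the same push spell out "and claim it." Suggest either dropping the claimant here or wording the message like the other two so the log reflects who took the package.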
@@ -120,6 +133,9 @@ nasm (tobi)
 ncurses
   NOTE: 20230921: Added by Front-Desk (apo)
 --
+netatalk (Markus Koschany)
+  NOTE: 20230924: Added by Front-Desk (apo)
+--
 nova
   NOTE: 20230302: Re-add, request by maintainer (Beuc)
   NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific 
CVE-2022-47951 backport that introduces regression
@@ -164,6 +180,10 @@ python-os-brick
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
+qemu
+  NOTE: 20230924: Added by Front-Desk (apo)
+  NOTE: 20230924: Consider fixing postponed issues as well. (apo)
+--
 qt4-x11
   NOTE: 20230822: Re-added for one remaining open CVE (roberto)
   NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, 
fix or remove entry from this file (roberto)
@@ -221,3 +241,9 @@ trafficserver (Adrian Bunk)
   NOTE: 20230826: I have the answer here. (utkarsh)
   NOTE: 20230918: Needs first fixing in bullseye. (bunk)
 --
+vim
+  NOTE: 20230924: Added by Front-Desk (apo)
+--
+zabbix
+  NOTE: 20230924: Added by Front-Desk (apo)
+--



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9e5b18520bbb8df59044db4eb682f1b301268c75...5ea70a64a6a25a3cd1abe61b6894f25c018f10d9



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
