Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f35d7aa3 by Moritz Muehlenhoff at 2023-10-04T14:21:50+02:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -248,6 +248,8 @@ CVE-2023-5345 (A use-after-free vulnerability in the Linux 
kernel's fs/smb/clien
        NOTE: https://kernel.dance/#e6e43b8aa7cd3c3af686caf0c2e11819a886d705
 CVE-2023-5344 (Heap-based Buffer Overflow in GitHub repository vim/vim prior 
to 9.0.1 ...)
        - vim <unfixed>
+       [bookworm] - vim <no-dsa> (Minor issue)
+       [bullseye] - vim <no-dsa> (Minor issue)
        NOTE: 
https://github.com/vim/vim/commit/3bd7fa12e146c6051490d048a4acbfba974eeb04
        NOTE: https://huntr.dev/bounties/530cb762-899e-48d7-b50e-dad09eb775bf
 CVE-2023-5334 (The WP Responsive header image slider plugin for WordPress is 
vulnerab ...)
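Review bot: the unstable entry `- vim <unfixed>` still carries no bug reference, while the other `<unfixed>` entries triaged in this commit (node-postcss, node-get-func-name, nuget) record one as `(bug #NNNNNN)`; if a Debian bug has been filed for the vim heap overflow, add it here so the new `[bookworm]`/`[bullseye] - vim <no-dsa> (Minor issue)` markings can be tracked against it. The two no-dsa lines themselves follow the file's existing format.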
@@ -457,8 +459,9 @@ CVE-2023-5112 (Os Commerce is currently susceptible to a 
Cross-Site Scripting (X
 CVE-2023-5111 (Os Commerce is currently susceptible to a Cross-Site Scripting 
(XSS) v ...)
        NOT-FOR-US: Os Commerce
 CVE-2023-43907 (OptiPNG v0.7.7 was discovered to contain a global buffer 
overflow via  ...)
-       - optipng <unfixed>
+       - optipng <unfixed> (unimportant)
        NOTE: 
https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/optipng-global-buffer-overflow1/optipng-global-buffer-overflow1.md
+       NOTE: Crash in CLI tool, no security impact
 CVE-2023-43735 (Os Commerce is currently susceptible to a Cross-Site Scripting 
(XSS) v ...)
        NOT-FOR-US: Os Commerce
 CVE-2023-43734 (Os Commerce is currently susceptible to a Cross-Site Scripting 
(XSS) v ...)
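Review bot: the added `NOTE: Crash in CLI tool, no security impact` is the only justification for the new `(unimportant)` tag, and a global buffer overflow reached through a crafted input file is not free of impact merely because the program is a command-line tool; state what makes this a crash only (for instance an out-of-bounds read rather than a write, or input that is not attacker-controlled in the usual deployment) so the downgrade can be rechecked later against the linked writeup.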
@@ -561,6 +564,8 @@ CVE-2023-5201 (The OpenHook plugin for WordPress is 
vulnerable to Remote Code Ex
        NOT-FOR-US: OpenHook plugin for WordPress
 CVE-2023-44270 (An issue was discovered in PostCSS before 8.4.31. It affects 
linters u ...)
        - node-postcss <unfixed> (bug #1053282)
+       [bookworm] - node-postcss <no-dsa> (Minor issue)
+       [bullseye] - node-postcss <no-dsa> (Minor issue)
        NOTE: 
https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5
 (8.4.31)
 CVE-2023-43711 (Os Commerce is currently susceptible to a Cross-Site Scripting 
(XSS) v ...)
        NOT-FOR-US: Os Commerce
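Review bot: `[bookworm]`/`[bullseye] - node-postcss <no-dsa> (Minor issue)` records that no update is planned for either stable release, whereas the xen entries in this same commit switch from `<no-dsa>` to `<postponed>` with "fix along in future DSA or point release"; if the upstream fix already linked in the NOTE (the 8.4.31 commit) is meant to reach a point release, `<postponed>` would express that, and if no stable update is intended the entry is consistent as written.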
@@ -1475,6 +1480,8 @@ CVE-2023-43775 (Denial-of-service vulnerability in the 
web server of the Eaton S
        NOT-FOR-US: Eaton
 CVE-2023-43646 (get-func-name is a module to retrieve a function's name 
securely and c ...)
        - node-get-func-name <unfixed> (bug #1053262)
+       [bookworm] - node-get-func-name <no-dsa> (Minor issue)
+       [bullseye] - node-get-func-name <no-dsa> (Minor issue)
        NOTE: 
https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5
        NOTE: 
https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69
 (v2.0.1)
 CVE-2023-43614 (Cross-site scripting vulnerability in Order Data Edit page of 
Welcart  ...)
@@ -4042,8 +4049,8 @@ CVE-2023-40743 (** UNSUPPORTED WHEN ASSIGNED ** When 
integrating Apache Axis 1.x
        NOTE: 
https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
 CVE-2023-34322 [top-level shadow reference dropped too early for 64-bit PV 
guests]
        - xen <unfixed>
-       [bookworm] - xen <no-dsa> (Minor issue, fix along in future DSA or 
point release)
-       [bullseye] - xen <no-dsa> (Minor issue, fix along in future DSA or 
point release)
+       [bookworm] - xen <postponed> (Minor issue, fix along in future DSA or 
point release)
+       [bullseye] - xen <postponed> (Minor issue, fix along in future DSA or 
point release)
        [buster] - xen <end-of-life> (DSA 4677-1)
        NOTE: https://xenbits.xen.org/xsa/advisory-438.html
 CVE-2023-34321 [arm32: The cache may not be properly cleaned/invalidated]
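Review bot: the change from `<no-dsa>` to `<postponed>` for bookworm and bullseye now matches the justification that was already there, "Minor issue, fix along in future DSA or point release": `<postponed>` records that a fix is intended later, while `<no-dsa>` reads as no stable update planned, so the old tag and its own comment contradicted each other. The same correction is applied to CVE-2023-20588 further down, which keeps the two xen entries consistent.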
@@ -24821,6 +24828,8 @@ CVE-2023-29338 (Visual Studio Code Information 
Disclosure Vulnerability)
        NOT-FOR-US: Microsoft
 CVE-2023-29337 (NuGet Client Remote Code Execution Vulnerability)
        - nuget <unfixed> (bug #1050835)
+       [bookworm] - nuget <no-dsa> (Minor issue)
+       [bullseye] - nuget <no-dsa> (Minor issue)
        [buster] - nuget <postponed> (Can wait for next update)
        NOTE: 
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337
 CVE-2023-29336 (Win32k Elevation of Privilege Vulnerability)
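Review bot: the new `[bookworm]`/`[bullseye] - nuget <no-dsa> (Minor issue)` lines sit directly above the existing `[buster] - nuget <postponed> (Can wait for next update)`, so the three suites now carry different states for the same issue: buster records that a fix is expected with the next update, bookworm and bullseye record no update at all. If that difference is deliberate (e.g. buster being handled separately), it is fine; otherwise `<postponed>` for the two newer suites would match the approach taken for xen in this commit.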
@@ -62647,6 +62656,8 @@ CVE-2023-20588 (A division-by-zero error on some AMD 
processors can potentially
        {DSA-5492-1 DSA-5480-1}
        - linux 6.4.13-1
        - xen <unfixed>
+       [bookworm] - xen <postponed> (Minor issue, fix along in future DSA or 
point release)
+       [bullseye] - xen <postponed> (Minor issue, fix along in future DSA or 
point release)
        [buster] - xen <end-of-life> (DSA 4677-1)
        NOTE: 
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7007.html
        NOTE: 
https://git.kernel.org/linus/77245f1c3c6495521f6a3af082696ee2f8ce3921
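Review bot: the bookworm/bullseye `<postponed>` lines for xen here repeat verbatim the justification used for CVE-2023-34322 earlier in this commit, so both entries will need to be updated together when the planned xen DSA or point-release update ships. The `{DSA-5492-1 DSA-5480-1}` line above must refer to the linux fix (6.4.13-1), since xen remains `<unfixed>`, which is consistent with the new postponed markings.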


=====================================
data/dsa-needed.txt
=====================================
@@ -17,6 +17,8 @@ audiofile
 --
 cacti
 --
+chromium (jmm)
+--
 cinder/oldstable
 --
 gpac/oldstable (jmm)
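Review bot: `chromium (jmm)` is added without a suite qualifier, so it follows the form of the unqualified entries (audiofile, cacti) rather than the `/oldstable` form used for cinder and gpac, i.e. a DSA for stable. This commit touches no chromium entry in data/CVE/list, so the CVE(s) the DSA is meant to cover are not visible from the change alone; a pointer to them (in the commit message or as a comment on this line, as the file's existing `(jmm)` claim convention allows) would help anyone picking up the entry.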



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f35d7aa3d93c21a88de45c605f4456a417d54bd5
