Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
420bed9d by Moritz Muehlenhoff at 2023-12-15T16:53:00+01:00
bookworm/bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -222,6 +222,8 @@ CVE-2023-47261 (Dokmee ECM 7.4.6 allows remote code
execution because the respon
NOT-FOR-US: Dokmee ECM
CVE-2023-46750 (URL Redirection to Untrusted Site ('Open Redirect')
vulnerability when ...)
- shiro <unfixed>
+ [bookworm] - shiro <no-dsa> (Minor issue)
+ [bullseye] - shiro <no-dsa> (Minor issue)
NOTE: https://lists.apache.org/thread/hoc9zdyzmmrfj1zhctsvvtx844tcq6w9
CVE-2023-46348 (SQL njection vulnerability in SunnyToo sturls before version
1.1.13, a ...)
NOT-FOR-US: PrestaShop module
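Review bot: the two new no-dsa lines for shiro carry only "Minor issue" as rationale, and the NOTE line links just the upstream announcement thread; record the upstream version that fixes CVE-2023-46750 (and, if the open redirect only applies under a particular configuration, say so) so the no-dsa decision can be re-evaluated at point-release time and the sid `<unfixed>` entry can later be closed against a concrete version.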
@@ -298,32 +300,43 @@ CVE-2023-6680
CVE-2023-6564
- gitlab <not-affected> (Specific to EE)
CVE-2023-49347 (Temporary data passed between application components by Budgie
Extras ...)
- - budgie-extras 1.7.1-1
+ - budgie-extras 1.7.1-1 (unimportant)
NOTE: https://bugs.launchpad.net/bugs/2044373
NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1
NOTE:
https://github.com/UbuntuBudgie/budgie-extras/commit/588cbe6ffa72df904213d77728a3fd5bfae7195e
(v1.7.1)
+ NOTE: Neutralised by kernel hardening
CVE-2023-49346 (Temporary data passed between application components by Budgie
Extras ...)
- budgie-extras 1.7.1-1
+ [bookworm] - budgie-extras <no-dsa> (Minor issue)
+ [bullseye] - budgie-extras <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/bugs/2044373
NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1
NOTE:
https://github.com/UbuntuBudgie/budgie-extras/commit/0092025ef25b48c287a75946c0ee797d3c142760
(v1.7.1)
CVE-2023-49345 (Temporary data passed between application components by Budgie
Extras ...)
- budgie-extras 1.7.1-1
+ [bookworm] - budgie-extras <no-dsa> (Minor issue)
+ [bullseye] - budgie-extras <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/bugs/2044373
NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1
NOTE:
https://github.com/UbuntuBudgie/budgie-extras/commit/588cbe6ffa72df904213d77728a3fd5bfae7195e
(v1.7.1)
CVE-2023-49344 (Temporary data passed between application components by Budgie
Extras ...)
- budgie-extras 1.7.1-1
+ [bookworm] - budgie-extras <no-dsa> (Minor issue)
+ [bullseye] - budgie-extras <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/bugs/2044373
NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1
NOTE:
https://github.com/UbuntuBudgie/budgie-extras/commit/11b02011ad2f6d46485b292713af09f7314843a5
(v1.7.1)
CVE-2023-49343 (Temporary data passed between application components by Budgie
Extras ...)
- budgie-extras 1.7.1-1
+ [bookworm] - budgie-extras <no-dsa> (Minor issue)
+ [bullseye] - budgie-extras <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/bugs/2044373
NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1
NOTE:
https://github.com/UbuntuBudgie/budgie-extras/commit/e75c94af249191bdbd33eebf7a62d4234a0d8be5
(v1.7.1)
CVE-2023-49342 (Temporary data passed between application components by Budgie
Extras ...)
- budgie-extras 1.7.1-1
+ [bookworm] - budgie-extras <no-dsa> (Minor issue)
+ [bullseye] - budgie-extras <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/bugs/2044373
NOTE: https://www.openwall.com/lists/oss-security/2023/12/14/1
NOTE:
https://github.com/UbuntuBudgie/budgie-extras/commit/d03083732569126d2f21c8810d5a69554ccc5900
(v1.7.1)
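Review bot: CVE-2023-49347 and CVE-2023-49345 both point at the same fix commit 588cbe6ffa72df904213d77728a3fd5bfae7195e while each of the other four Budgie Extras entries references a distinct commit, so one of those two NOTE lines is probably mis-pasted; check the upstream v1.7.1 history and correct it. For the new "Neutralised by kernel hardening" NOTE on CVE-2023-49347, name the specific protection relied on and state that the Debian kernel enables it by default, since the "unimportant" rating rests entirely on that claim and a bare reference is hard to verify later. The bookworm/bullseye no-dsa lines for the remaining five CVEs are consistent with the shared Launchpad and oss-security references.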
@@ -349,6 +362,9 @@ CVE-2023-50439 (ZED containers produced by PRIMX ZED! for
Windows before Q.2020.
NOT-FOR-US: PRIMX
CVE-2023-50268 (jq is a command-line JSON processor. Version 1.7 is vulnerable
to stac ...)
- jq <unfixed>
+ [bookworm] - jq <not-affected> (Introduced in 1.7)
+ [bullseye] - jq <not-affected> (Introduced in 1.7)
+ [buster] - jq <not-affected> (Introduced in 1.7)
NOTE:
https://github.com/jqlang/jq/security/advisories/GHSA-7hmr-442f-qc8j
NOTE: https://github.com/jqlang/jq/pull/2804
NOTE: Fixed by:
https://github.com/jqlang/jq/commit/c9a51565214eece8f1053089739aea73145bfd6b
(jq-1.7.1)
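Review bot: the three `<not-affected> (Introduced in 1.7)` lines rest on the advisory text ("Version 1.7 is vulnerable"), but the NOTE lines reference only the fix (PR 2804 and commit c9a51565) and not the change that introduced the stack issue; add the introducing commit, in the tracker's usual "Vulnerable code introduced in" wording, so a later reviewer can confirm that the older jq in the stable releases really lacks it rather than re-deriving this from the advisory.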
@@ -361,6 +377,9 @@ CVE-2023-50248 (CKAN is an open-source data management
system for powering data
NOT-FOR-US: CKAN
CVE-2023-50246 (jq is a command-line JSON processor. Version 1.7 is vulnerable
to heap ...)
- jq <unfixed>
+ [bookworm] - jq <not-affected> (Introduced in 1.7)
+ [bullseye] - jq <not-affected> (Introduced in 1.7)
+ [buster] - jq <not-affected> (Introduced in 1.7)
NOTE:
https://github.com/jqlang/jq/security/advisories/GHSA-686w-5m7m-54vc
NOTE: Fixed by:
https://github.com/jqlang/jq/commit/71c2ab509a8628dbbad4bc7b3f98a64aa90d3297
(jq-1.7.1)
CVE-2023-49878 (IBM System Storage Virtualization Engine TS7700 3957-VEC,
3948-VED and ...)
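Review bot: unlike the CVE-2023-50268 entry, this one lists the advisory and fix commit 71c2ab50 but neither the pull request nor the introducing change; the `<not-affected> (Introduced in 1.7)` claim for the three releases should likewise be backed by a reference to where the heap issue was introduced, and linking the PR that carried the fix would keep the two jq entries consistent.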
@@ -849,6 +868,8 @@ CVE-2023-6193 (quiche v. 0.15.0 through 0.19.0 was
discovered to be vulnerable t
NOT-FOR-US: Cloudflare quiche
CVE-2023-50495 (NCurse v6.4-20230418 was discovered to contain a segmentation
fault vi ...)
- ncurses 6.4+20230625-1
+ [bookworm] - ncurses <no-dsa> (Minor issue)
+ [bullseye] - ncurses <no-dsa> (Minor issue)
NOTE:
https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00020.html
NOTE:
https://lists.gnu.org/archive/html/bug-ncurses/2023-04/msg00029.html
NOTE: Fixed in ncurses-6.4-20230424 patchlevel
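Review bot: the no-dsa lines for bookworm and bullseye imply both ship the affected code, but the description only says the crash was found in 6.4-20230418 and the NOTE says it was fixed in the 20230424 patchlevel; if the faulty code was introduced in a patchlevel newer than the ncurses versions in bullseye and bookworm, `<not-affected>` is the right tag rather than no-dsa. Record which upstream change introduced the fault (the bug-ncurses threads linked in the NOTEs should identify it) so the rating is justified either way.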
@@ -4267,6 +4288,7 @@ CVE-2023-6134 (A flaw was found in Keycloak that prevents
certain schemes in red
NOT-FOR-US: Keycloak
CVE-2023-5764 (A template injection flaw was found in Ansible where a user's
controll ...)
- ansible-core <unfixed> (bug #1057427)
+ [bookworm] - ansible-core <no-dsa> (Minor issue)
- ansible 5.4.0-1
[bullseye] - ansible <no-dsa> (Minor issue)
NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in
experimental/5.4.0-1 in sid
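Review bot: the new bookworm no-dsa for ansible-core gives only "Minor issue" for a template injection flaw, and no NOTE explains why the impact is considered limited (for instance what control an attacker needs beforehand); add that reasoning next to the existing split-off NOTE so the decision can be revisited, and keep in mind that the sid entry still reads `<unfixed>` against bug #1057427, so the bookworm marking does not close the issue.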
@@ -11688,6 +11710,7 @@ CVE-2023-34324 [linux/xen: Possible deadlock in Linux
kernel event handling]
NOTE:
https://git.kernel.org/linus/87797fad6cce28ec9be3c13f031776ff4f104cfc (6.6-rc6)
CVE-2023-46837 [arm32: The cache may not be properly cleaned/invalidated (take
two)]
- xen <unfixed>
+ [bookworm] - xen <postponed> (Minor issue, fix along in next DSA)
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://xenbits.xen.org/xsa/advisory-447.html
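Review bot: the new `[bookworm] - xen <postponed> (Minor issue, fix along in next DSA)` line should state why the issue is minor; the entry title says it is arm32-specific, so recording that, together with whether the bookworm xen package is built for any arm32 architecture at all, makes the postponement self-explanatory. Since the NOTE so far only links XSA-447, also add the reference to the patch that is meant to ride along in the next DSA once it is identified.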
@@ -16651,6 +16674,7 @@ CVE-2023-39510 (Cacti is an open source operational
monitoring and fault managem
CVE-2023-39366 (Cacti is an open source operational monitoring and fault
management fr ...)
- cacti 1.2.25+ds1-1
[bookworm] - cacti 1.2.24+ds1-1+deb12u1
+ [bullseye] - cacti <no-dsa> (Minor issue)
NOTE:
https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv
NOTE:
https://github.com/Cacti/cacti/commit/c67daa614d91c8592b8792298da8e3aa017c4009
CVE-2023-39365 (Cacti is an open source operational monitoring and fault
management fr ...)
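Review bot: bookworm is fixed via 1.2.24+ds1-1+deb12u1 while bullseye gets `<no-dsa> (Minor issue)` with no fix version; since the NOTE already links upstream commit c67daa61, record whether it applies to bullseye's cacti so it can be grouped with the neighbouring cacti issues in this list (CVE-2023-39510, CVE-2023-39365) for a bullseye point release, and give the reason it counts as minor there when it warranted a bookworm update.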
=====================================
data/dsa-needed.txt
=====================================
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
If needed, specify the release by adding a slash after the name of the source
package.
+--
+asterisk
--
bluez (carnil)
--
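Review bot: `asterisk` is added to dsa-needed.txt with no uid and no indication of which CVEs the DSA should cover; the file header says to pick an issue by adding your uid, and the `bluez (carnil)` entry shows the assigned form, so at minimum list the CVE ids or a one-line scope so whoever takes it knows what to prepare.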
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/420bed9d3494e66231d49fd26371edf5222611aa
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits