Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
03264623 by Moritz Muehlenhoff at 2024-02-17T15:03:17+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1377,6 +1377,8 @@ CVE-2024-21624 (nonebot2 is a cross-platform Python 
asynchronous chatbot framewo
        NOT-FOR-US: nonebot2
 CVE-2024-21490 (This affects versions of the package angular from 1.3.0. A 
regular exp ...)
        - angular.js <unfixed>
+       [bookworm] - angular.js <no-dsa> (Minor issue)
+       [bullseye] - angular.js <no-dsa> (Minor issue)
        [buster] - angular.js <postponed> (Fix along with the next DLA)
        NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113
 CVE-2024-1406 (A vulnerability was found in Linksys WRT54GL 4.30.18. It has 
been decl ...)
@@ -1654,6 +1656,8 @@ CVE-2024-25190 (l8w8jwt 2.2.1 uses memcmp (which is not 
constant time) to verify
        NOT-FOR-US: l8w8jwt
 CVE-2024-25189 (libjwt 1.15.3 uses strcmp (which is not constant time) to 
verify authe ...)
        - libjwt <unfixed> (bug #1063534)
+       [bookworm] - libjwt <no-dsa> (Minor issue)
+       [bullseye] - libjwt <no-dsa> (Minor issue)
        NOTE: 
https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md
        NOTE: 
https://github.com/benmcollins/libjwt/commit/f73bac57c5bece16ac24f1a70022aa34355fc1bf
 (v1.17.0)
        NOTE: 
https://github.com/benmcollins/libjwt/commit/a5d61ef4f1b383876e0a78534383f38159471fd6
 (v1.17.0)
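Review bot: The `(Minor issue)` reason on the two added libjwt lines gives no rationale, although the summary above describes a non-constant-time strcmp used during verification. A more specific reason, such as `[bookworm] - libjwt <no-dsa> (Minor issue; timing side channel)`, would record why no DSA is planned. The NOTE lines already reference two upstream commits tagged v1.17.0 while the unstable entry is still `<unfixed>`, so it is worth stating whether those commits are candidates for a point-release update.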
@@ -2773,6 +2777,8 @@ CVE-2024-23824 (mailcow is a dockerized email package, 
with multiple containers
        NOT-FOR-US: mailcow
 CVE-2024-23635 (AntiSamy is a library for performing fast, configurable 
cleansing of H ...)
        - libowasp-antisamy-java <unfixed> (bug #1062846)
+       [bookworm] - libowasp-antisamy-java <no-dsa> (Minor issue)
+       [bullseye] - libowasp-antisamy-java <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nahsra/antisamy/security/advisories/GHSA-2mrq-w8pv-5pvq
 CVE-2024-22851 (Directory Traversal Vulnerability in LiveConfig before v.2.5.2 
allows  ...)
        NOT-FOR-US: LiveConfig
@@ -3545,6 +3551,8 @@ CVE-2024-1030 (A vulnerability was found in Cogites 
eReserv 7.7.58. It has been
        NOT-FOR-US: Cogites eReserv
 CVE-2024-1019 (ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a 
WAF bypa ...)
        - modsecurity 3.0.12-1
+       [bookworm] - modsecurity <no-dsa> (Minor issue)
+       [bullseye] - modsecurity <no-dsa> (Minor issue)
        NOTE: 
https://owasp.org/www-project-modsecurity/tab_cves#cve-2024-1019-2024-01-30
 CVE-2024-0676 (Weak password requirement vulnerability   in Lamassu Bitcoin 
ATM Douro ...)
        NOT-FOR-US: Lamassu Bitcoin ATM Douro machines
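Review bot: The two added modsecurity lines tag a WAF bypass as `(Minor issue)` without saying what limits its impact. The package is itself a security control and the fix is already recorded as 3.0.12-1, so the reason should name the limiting condition or say that the fix can go in via a point release, which helps whoever revisits this entry.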
@@ -9947,6 +9955,8 @@ CVE-2023-51775 (The jose4j component before 0.9.4 for 
Java allows attackers to c
        NOTE: https://bitbucket.org/b_c/jose4j/commits/1afaa1e174b3
 CVE-2023-51774 (The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes 
allows bypa ...)
        - ruby-json-jwt <unfixed>
+       [bookworm] - ruby-json-jwt <postponed> (Revisit when addressed upstream)
+       [bullseye] - ruby-json-jwt <postponed> (Revisit when addressed upstream)
        NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/novjson-jwt.md
        NOTE: https://github.com/nov/json-jwt/issues/113
 CVE-2023-51773 (BACnet Stack before 1.3.2 has a decode function APDU buffer 
over-read  ...)
@@ -30375,6 +30385,7 @@ CVE-2023-38802 (FRRouting FRR 7.5.1 through 9.0 and 
Pica8 PICOS 4.3.3.2 allow a
        NOTE: 
https://github.com/FRRouting/frr/commit/46817adab03802355c3cce7b753c7a735bdcc5ae
 CVE-2023-38283 (In OpenBGPD before 8.1, incorrect handling of BGP update data 
(length  ...)
        - openbgpd 8.1-1
+       [bookworm] - openbgpd <no-dsa> (Minor issue)
        NOTE: 
https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig
 CVE-2023-34039 (Aria Operations for Networks contains an Authentication Bypass 
vulnera ...)
        NOT-FOR-US: VMware
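Review bot: Only a `[bookworm]` line is added for openbgpd, whereas every other CVE entry touched in this commit gets both a bookworm and a bullseye line and the commit message says bookworm/bullseye triage. If bullseye does not ship the package, nothing more is needed; otherwise add the matching `[bullseye]` line.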


=====================================
data/dsa-needed.txt
=====================================
@@ -30,6 +30,8 @@ gtkwave
 --
 h2o (jmm)
 --
+imagemagick (jmm)
+--
 iwd (carnil)
 --
 libreswan (jmm)
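Review bot: `imagemagick (jmm)` is added to dsa-needed with no indication of which issues triggered it, and no imagemagick entry changes in data/CVE/list in this commit. The entry also has no suite qualifier, unlike `opennds/stable` or `php-cas/oldstable` further down, so it reads as covering both suites. A short note line under the entry naming the CVEs or the intended suites would make the claim easier to follow.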
@@ -48,7 +50,7 @@ opennds/stable
 --
 openvswitch
 --
-pdns-recursor
+pdns-recursor (jmm)
 --
 php-cas/oldstable
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03264623db87c09c7203a74eb9b04447ac3a756c
