Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cb445d82 by Moritz Muehlenhoff at 2024-04-22T11:02:14+02:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -54,12 +54,15 @@ CVE-2024-32460 [Low] OutOfBound Read in 
interleaved_decompress]
        NOTE: https://www.freerdp.com/2024/04/17/2_11_6-release
 CVE-2024-32493 [SQL injection issue regarding Form IDs when cleaning up drafts]
        - znuny 6.5.8-1
+       [bookworm] - znuny <no-dsa> (Non-free not supported)
        NOTE: https://www.znuny.org/en/advisories/zsa-2024-03
 CVE-2024-32492 [Cross Site Scripting (XSS) in the Customer Portal Ticket View]
        - znuny <not-affected> (Only affects Znuny from 7.0.1 up to including 
7.0.16)
+       [bookworm] - znuny <no-dsa> (Non-free not supported)
        NOTE: https://www.znuny.org/en/advisories/zsa-2024-02
 CVE-2024-32491 [Directory Traversal via File Upload]
        - znuny 6.5.8-1
+       [bookworm] - znuny <no-dsa> (Non-free not supported)
        NOTE: https://www.znuny.org/en/advisories/zsa-2024-01
 CVE-2024-4020 (A vulnerability was found in Tenda FH1206 1.2.0.8(8155) and 
classified ...)
        NOT-FOR-US: Tenda
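Review bot: the new [bookworm] line for CVE-2024-32492 sits under an unstable entry marked <not-affected> (Only affects Znuny from 7.0.1 up to including 7.0.16); if bookworm's znuny is also outside that version range, the accurate status is <not-affected> with that same reason rather than <no-dsa> (Non-free not supported), since a no-dsa marking implies the release is affected. The other two znuny lines (CVE-2024-32493 and CVE-2024-32491) are consistent with their fixed-in-unstable entries.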
@@ -3676,9 +3679,13 @@ CVE-2024-3210 (The Paid Membership Plugin, Ecommerce, 
User Registration Form, Lo
        NOT-FOR-US: WordPress plugin
 CVE-2024-3120 (A stack-buffer overflow vulnerability exists in all versions of 
sngrep ...)
        - sngrep 1.8.1-1 (bug #1068818)
+       [bookworm] - sngrep <no-dsa> (Minor issue)
+       [bullseye] - sngrep <no-dsa> (Minor issue)
        NOTE: 
https://github.com/irontec/sngrep/commit/f3f8ed8ef38748e6d61044b39b0dabd7e37c6809
 (v1.8.1)
 CVE-2024-3119 (A buffer overflow vulnerability exists in all versions of 
sngrep since ...)
        - sngrep 1.8.1-1 (bug #1068818)
+       [bookworm] - sngrep <no-dsa> (Minor issue)
+       [bullseye] - sngrep <no-dsa> (Minor issue)
        NOTE: 
https://github.com/irontec/sngrep/commit/dd5fec92730562af6f96891291cd4e102b80bfcc
 (v1.8.1)
 CVE-2024-3020 (The plugin is vulnerable to PHP Object Injection in versions up 
to and ...)
        NOT-FOR-US: WordPress plugin
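Review bot: both sngrep entries get <no-dsa> (Minor issue) for bookworm and bullseye with no rationale recorded, although the descriptions are a stack-buffer overflow and a buffer overflow and the unstable fix is already tracked under bug #1068818; a short parenthetical saying why these are considered minor for the stable releases would spare a later triager from re-deriving the decision and would make any later change to a DSA easier to justify.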
@@ -4530,6 +4537,7 @@ CVE-2024-2201 [Native Branch History Injection]
        NOTE: https://xenbits.xen.org/xsa/advisory-456.html
 CVE-2024-31142 [x86: Incorrect logic for BTC/SRSO mitigations]
        - xen <unfixed>
+       [bookworm] - xen <postponed> (Minor issue, fix along in next DSA)
        [bullseye] - xen <end-of-life> (EOLed in Bullseye)
        [buster] - xen <end-of-life> (DSA 4677-1)
        NOTE: https://xenbits.xen.org/xsa/advisory-455.html
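Review bot: the new bookworm line marks XSA-455 <postponed> (Minor issue, fix along in next DSA) while the unstable entry stays <unfixed>; a postponed entry is only useful if it is picked up again, so it would help to name which pending xen update this is expected to ride along with, or to make sure the entry is re-checked when that DSA is prepared.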
@@ -5055,6 +5063,7 @@ CVE-2024-22328 (IBM Maximo Application Suite 8.10 and 
8.11 could allow a remote
        NOT-FOR-US: IBM
 CVE-2024-XXXX [RUSTSEC-2024-0332: Degradation of service in h2 servers with 
CONTINUATION Flood]
        - rust-h2 0.4.4-1
+       [bookworm] - rust-h2 <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0332.html
        NOTE: https://github.com/advisories/GHSA-q6cp-qfwq-4gcv
 CVE-2024-3362 (A vulnerability was found in SourceCodester Online Library 
System 1.0  ...)
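Review bot: the entry is still keyed as CVE-2024-XXXX; the added bookworm <no-dsa> line is fine, but the placeholder id should be replaced once the CVE for RUSTSEC-2024-0332 / GHSA-q6cp-qfwq-4gcv is assigned, otherwise the bookworm status will not show up in per-CVE views. The two NOTE lines already carry both references, so nothing else is missing from the entry.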
@@ -24250,6 +24259,7 @@ CVE-2020-36771 (CloudLinux CageFS 7.1.1-1 or below 
passes the authentication tok
        NOT-FOR-US: CloudLinux CageFS
 CVE-2023-46842 [x86 HVM hypercalls may trigger Xen bug check]
        - xen <unfixed>
+       [bookworm] - xen <postponed> (Minor issue, fix along in next DSA)
        [bullseye] - xen <end-of-life> (EOLed in Bullseye)
        [buster] - xen <not-affected> (Vulnerable code not present)
        NOTE: https://xenbits.xen.org/xsa/advisory-454.html
@@ -39975,6 +39985,8 @@ CVE-2023-46345 (Catdoc v0.95 was discovered to contain 
a NULL pointer dereferenc
 CVE-2023-46233 (crypto-js is a JavaScript library of crypto standards. Prior 
to versio ...)
        {DLA-3669-1}
        - cryptojs 3.1.2+dfsg-4 (bug #1055525)
+       [bookworm] - cryptojs <no-dsa> (Minor issue)
+       [bullseye] - cryptojs <no-dsa> (Minor issue)
        NOTE: 
https://github.com/brix/crypto-js/security/advisories/GHSA-xwcq-pm8m-c4vf
        NOTE: 
https://github.com/brix/crypto-js/commit/421dd538b2d34e7c24a5b72cc64dc2b9167db40a
 (4.2.0)
 CVE-2023-46232 (era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, 
a layer ...)
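Review bot: the new [bullseye] - cryptojs <no-dsa> (Minor issue) line sits directly under a {DLA-3669-1} marker, i.e. the same CVE was considered worth a DLA for the LTS release; the reason string should say why it is minor for bullseye and bookworm when it was fixed via DLA for buster, otherwise the two decisions read as contradictory. Removing cryptojs from data/dsa-needed.txt in the same commit is consistent with these markings.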


=====================================
data/dsa-needed.txt
=====================================
@@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 atril
 --
-cryptojs
---
 dav1d
 --
 dnsdist (jmm)
@@ -71,7 +69,7 @@ python-asyncssh
 --
 redmine/stable
 --
-ring
+ring/oldstable
   might make sense to rebase to current version
 --
 ruby2.7/oldstable
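Review bot: narrowing the entry from ring to ring/oldstable records that only bullseye still needs a DSA, but this commit touches no ring entry in data/CVE/list, so the bookworm status for the affected ring CVEs should already be set there (or be updated in a follow-up) to keep the two files from disagreeing; the retained line "might make sense to rebase to current version" now applies to the oldstable update only.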



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb445d829db44c592501aed8473cc3b35d1e76b7
