Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: a5e371d0 by Moritz Muehlenhoff at 2024-05-22T16:57:21+02:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -2335,6 +2335,8 @@ CVE-2024-3155 (The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post NOT-FOR-US: WordPress plugin CVE-2024-35195 (Requests is a HTTP library. Prior to 2.32.0, when making requests thro ...) - requests <unfixed> (bug #1071593) + [bookworm] - requests <no-dsa> (Minor issue) + [bullseye] - requests <no-dsa> (Minor issue) NOTE: https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56 NOTE: https://github.com/psf/requests/pull/6655 NOTE: https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356 (v2.32.0) @@ -4493,6 +4495,8 @@ CVE-2023-47282 (Out-of-bounds write in Intel(R) Media SDK all versions and some NOT-FOR-US: Intel CVE-2023-47210 (Improper input validation for some Intel(R) PROSet/Wireless WiFi softw ...) - firmware-nonfree <unfixed> + [bookworm] - firmware-nonfree <no-dsa> (Minor issue) + [bullseye] - firmware-nonfree <no-dsa> (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html TODO: check, likely fixed in 20240513 tag update CVE-2023-47169 (Improper buffer restrictions in Intel(R) Media SDK software all versio ...) @@ -4577,6 +4581,8 @@ CVE-2023-38420 (Improper conditions check in Intel(R) Power Gadget software for NOT-FOR-US: Intel CVE-2023-38417 (Improper input validation for some Intel(R) PROSet/Wireless WiFi softw ...) - firmware-nonfree <unfixed> + [bookworm] - firmware-nonfree <no-dsa> (Minor issue) + [bullseye] - firmware-nonfree <no-dsa> (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html TODO: check, likely fixed in 20240513 tag update CVE-2023-38399 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) 
@@ -4865,6 +4871,7 @@ CVE-2024-35183 (wolfictl is a command line tool for working with Wolfi. A git au CVE-2024-35176 (REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a den ...) - ruby3.2 <unfixed> - ruby3.1 <unfixed> + [bookworm] - ruby3.1 <no-dsa> (Minor issue) - ruby2.7 <removed> - ruby2.5 <removed> NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh 
@@ -5743,22 +5750,24 @@ CVE-2024-4764 (Multiple WebRTC threads could have claimed a newly connected audi - firefox 126.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4764 CVE-2024-4855 (Use after free issue in editcap could cause denial of service via craf ...) - - wireshark 4.2.5-1 - [buster] - wireshark <postponed> (can be piggyback'd with the next update) + - wireshark 4.2.5-1 (unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://www.wireshark.org/security/wnpa-sec-2024-09.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19782 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19783 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19784 CVE-2024-4854 (MONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4. ...) - wireshark 4.2.5-1 + [bookworm] - wireshark <no-dsa> (Minor issue) + [bullseye] - wireshark <no-dsa> (Minor issue) [buster] - wireshark <postponed> (can be piggyback'd with the next update) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-07.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19726 NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15047 NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15499 CVE-2024-4853 (Memory handling issue in editcap could cause denial of service via cra ...) - - wireshark 4.2.5-1 - [buster] - wireshark <postponed> (can be piggyback'd with the next update) + - wireshark 4.2.5-1 (unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://www.wireshark.org/security/wnpa-sec-2024-08.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19724 CVE-2024-4840 (An flaw was found in the OpenStack Platform (RHOSP) director, a toolse ...) 
@@ -6081,7 +6090,10 @@ CVE-2024-28866 (GoCD is a continuous delivery server. GoCD versions from 19.4.0 NOT-FOR-US: GoCD CVE-2024-28285 (A Fault Injection vulnerability in the SymmetricDecrypt function in cr ...) - libcrypto++ <unfixed> - TODO: check details + [bookworm] - libcrypto++ <no-dsa> (Minor issue) + [bullseye] - libcrypto++ <no-dsa> (Minor issue) + NOTE: https://groups.google.com/g/cryptopp-users/c/UkVcH2IWR2M?pli=1 + NOTE: https://github.com/weidai11/cryptopp/issues/1262 CVE-2024-28279 (Code-projects Computer Book Store 1.0 is vulnerable to SQL Injection v ...) NOT-FOR-US: Code-projects Computer Book Store CVE-2024-28277 (In Sourcecodester School Task Manager v1.0, a vulnerability was identi ...) @@ -6175,6 +6187,8 @@ CVE-2024-29212 (Due to an unsafe de-serialization method used by the Veeam Serv NOT-FOR-US: Veeam CVE-2024-26306 (iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server wi ...) - iperf3 <unfixed> + [bookworm] - iperf3 <no-dsa> (Minor issue) + [bullseye] - iperf3 <no-dsa> (Minor issue) CVE-2023-5052 (vulnerability in Uniform Server Zero, version 10.2.5, consisting of an ...) NOT-FOR-US: Uniform Zero Server CVE-2024-4799 (A vulnerability, which was classified as critical, was found in Kaship ...) 
@@ -8315,11 +8329,15 @@ CVE-2024-34404 (A vulnerability was discovered in the Alta Recovery Vault featur NOT-FOR-US: Veritas NetBackup CVE-2024-34403 (An issue was discovered in uriparser through 0.9.7. ComposeQueryMalloc ...) - uriparser <unfixed> (bug #1070376) + [bookworm] - uriparser <no-dsa> (Minor issue) + [bullseye] - uriparser <no-dsa> (Minor issue) [buster] - uriparser <postponed> (Minor issue) NOTE: https://github.com/uriparser/uriparser/issues/183 NOTE: https://github.com/uriparser/uriparser/pull/186 CVE-2024-34402 (An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine ...) - uriparser <unfixed> (bug #1070376) + [bookworm] - uriparser <no-dsa> (Minor issue) + [bullseye] - uriparser <no-dsa> (Minor issue) [buster] - uriparser <postponed> (Minor issue) NOTE: https://github.com/uriparser/uriparser/pull/185 NOTE: https://github.com/uriparser/uriparser/issues/183 @@ -11400,9 +11418,13 @@ CVE-2024-29040 NOTE: https://github.com/tpm2-software/tpm2-tss/commit/710cd0b6adf3a063f34a8e92da46df7a107d9a99 (4.1.0) CVE-2024-29039 - tpm2-tools 5.7-1 (bug #1070139) + [bookworm] - tpm2-tools <no-dsa> (Minor issue) + [bullseye] - tpm2-tools <no-dsa> (Minor issue) NOTE: https://github.com/tpm2-software/tpm2-tools/commit/98599df9392a346216c5a059b8d35271286100bb (5.7) CVE-2024-29038 - tpm2-tools 5.7-1 (bug #1070139) + [bookworm] - tpm2-tools <no-dsa> (Minor issue) + [bullseye] - tpm2-tools <no-dsa> (Minor issue) NOTE: https://github.com/tpm2-software/tpm2-tools/commit/66d922d6547b7b4fe4f274fb2ec10b376e0e259c (5.7) CVE-2024-4327 (A vulnerability was found in Apryse WebViewer up to 10.8.0. It has bee ...) NOT-FOR-US: Apryse WebViewer 
@@ -13840,6 +13862,8 @@ CVE-2024-3825 (Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a NOT-FOR-US: Jenkins plugin CVE-2024-3817 (HashiCorp\u2019s go-getter library is vulnerable to argument injection ...) - golang-github-hashicorp-go-getter <unfixed> + [bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue) + [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue) [buster] - golang-github-hashicorp-go-getter <not-affected> (Vulnerable code not present) NOTE: https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040 CVE-2024-3333 (The Essential Addons for Elementor plugin for WordPress is vulnerable ...) @@ -55293,6 +55317,8 @@ CVE-2023-38552 (When the Node.js policy feature checks the integrity of a resour NOTE: https://github.com/nodejs/node/commit/1c538938ccadfd35fbc699d8e85102736cd5945c CVE-2023-36321 (Connected Vehicle Systems Alliance (COVESA) up to v2.18.8 was discover ...) - dlt-daemon 2.18.9-1 + [bookworm] - dlt-daemon <no-dsa> (Minor issue) + [bullseye] - dlt-daemon <no-dsa> (Minor issue) NOTE: https://github.com/COVESA/dlt-daemon/issues/436 NOTE: https://github.com/COVESA/dlt-daemon/commit/8ac9a080bee25e67e49bd138d81c992ce7b6d899 (v2.18.9-alpha) CVE-2023-35084 (Unsafe Deserialization of User Input could lead to Execution of Unauth ...) @@ -92753,6 +92779,8 @@ CVE-2023-26258 (Arcserve UDP through 9.0.6034 allows authentication bypass. The NOT-FOR-US: Arcserve CVE-2023-26257 (An issue was discovered in the Connected Vehicle Systems Alliance (COV ...) - dlt-daemon 2.18.9-1 + [bookworm] - dlt-daemon <no-dsa> (Minor issue) + [bullseye] - dlt-daemon <no-dsa> (Minor issue) NOTE: https://github.com/COVESA/dlt-daemon/issues/440 NOTE: https://github.com/COVESA/dlt-daemon/commit/b6149e203f919c899fefc702a17fbb78bdec3700 (v2.18.9-alpha) CVE-2023-26256 (An unauthenticated path traversal vulnerability affects the "STAGIL Na ...) 
@@ -133639,9 +133667,13 @@ CVE-2022-39838 (Systematic FIX Adapter (ALFAFX) 2.4.0.25 13/09/2017 allows remot NOT-FOR-US: Systematic FIX Adapter (ALFAFX) CVE-2022-39837 (An issue was discovered in Connected Vehicle Systems Alliance (COVESA) ...) - dlt-daemon 2.18.9-1 + [bookworm] - dlt-daemon <no-dsa> (Minor issue) + [bullseye] - dlt-daemon <no-dsa> (Minor issue) NOTE: https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272 (v2.18.9-alpha) CVE-2022-39836 (An issue was discovered in Connected Vehicle Systems Alliance (COVESA) ...) - dlt-daemon 2.18.9-1 + [bookworm] - dlt-daemon <no-dsa> (Minor issue) + [bullseye] - dlt-daemon <no-dsa> (Minor issue) NOTE: https://github.com/COVESA/dlt-daemon/commit/855e0017a980d2990c16f7dbf3b4983b48fac272 (v2.18.9-alpha) CVE-2022-39835 (An issue was discovered in Gajim through 1.4.7. The vulnerability allo ...) - gajim 1.5.0-1 @@ -169661,6 +169693,7 @@ CVE-2022-0997 (Improper file permissions in the CommandPost, Collector, and Sens CVE-2022-0996 (A vulnerability was found in the 389 Directory Server that allows expi ...) {DLA-3399-1} - 389-ds-base 2.0.15-1 + [bullseye] - 389-ds-base <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2064769 NOTE: https://github.com/389ds/389-ds-base/issues/5221 NOTE: https://github.com/389ds/389-ds-base/commit/b7fd028e5e67686afea617beb1791e9f3e7a4cb9 (389-ds-base-2.1.1) @@ -170780,6 +170813,7 @@ CVE-2022-0919 (The Salon booking system Free and pro WordPress plugins before 7. CVE-2022-0918 (A vulnerability was discovered in the 389 Directory Server that allows ...) {DLA-3399-1} - 389-ds-base 2.0.15-1.1 (bug #1016445) + [bullseye] - 389-ds-base <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2055815 NOTE: https://github.com/389ds/389-ds-base/issues/5242 NOTE: https://github.com/389ds/389-ds-base/commit/caad47ab207d7c5d61521ec4d33091db559c315a (master) 
@@ -190970,6 +191004,7 @@ CVE-2021-4092 (yetiforcecrm is vulnerable to Cross-Site Request Forgery (CSRF)) CVE-2021-4091 (A double-free was found in the way 389-ds-base handles virtual attribu ...) {DLA-3399-1} - 389-ds-base 2.0.15-1 + [bullseye] - 389-ds-base <no-dsa> (Minor issue) [stretch] - 389-ds-base <not-affected> (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2030307 NOTE: Introduced by: https://github.com/389ds/389-ds-base/commit/74c666b83e3e1789c2ef3f7935c327bd7555193e (389-ds-base-1.3.6.4) ===================================== data/dsa-needed.txt ===================================== @@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. +-- +cacti -- chromium (dilinger) -- @@ -21,6 +23,8 @@ dnsmasq frr Tobias Frost (tobi) proposed to work on preparing an update -- +git +-- gpac/oldstable -- h2o (jmm) @@ -53,6 +57,8 @@ pymatgen/stable -- python-asyncssh -- +python-pymysql +-- redmine/stable -- ring/oldstable @@ -63,7 +69,7 @@ ruby2.7/oldstable -- ruby-nokogiri/oldstable -- -ruby-rack +ruby-rack (jmm) Adrian Bunk proposed debdiffs for review -- ruby-rails-html-sanitizer View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5e371d0501503e50bbc46e8c864230bc8b5bdb2 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5e371d0501503e50bbc46e8c864230bc8b5bdb2 You're receiving this email because of your account on salsa.debian.org.
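Review bot: in the requests hunk (CVE-2024-35195), "Minor issue" is the same reason string used for every <no-dsa> tag in this commit; for an issue whose linked GHSA concerns certificate verification being skipped on a Session, the reason should state the precondition that makes it minor, so the severity call can be checked later without re-reading the advisory, e.g. "[bookworm] - requests <no-dsa> (Minor issue; only affects sessions that already made a request with verification disabled)".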
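Review bot: both firmware-nonfree hunks (CVE-2023-47210 and CVE-2023-38417) leave "TODO: check, likely fixed in 20240513 tag update" in place while adding <no-dsa> for bookworm and bullseye, so the unstable line still reads <unfixed> against an unresolved TODO. Either resolve the TODO in the same change (move the unstable entry to the fixed version if the 20240513 update carries the fix and drop the TODO line) or say in the no-dsa reason that the fix is expected to arrive with the next firmware-nonfree point-release update, otherwise the entry looks triaged but is still open.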
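Review bot: the REXML hunk (CVE-2024-35176) adds only "[bookworm] - ruby3.1 <no-dsa> (Minor issue)", whereas every other hunk in this commit tags both bookworm and bullseye; the "ruby2.7 <removed>" line (bullseye's ruby) is left without a [bullseye] annotation, so bullseye's status for this CVE stays undecided. Add "[bullseye] - ruby2.7 <no-dsa> (Minor issue)" if the same reasoning applies, or record why bullseye is handled differently here.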
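Review bot: in the wireshark hunk, the justification added for CVE-2024-4855 and CVE-2024-4853, "Crash in CLI tool, no security impact", describes a plain crash, but the CVE-2024-4855 text in the same hunk calls it a use-after-free, which is a memory-safety defect; the unimportant rating actually rests on editcap not being run on untrusted captures, so the NOTE should say that, e.g. "NOTE: Use-after-free in editcap, a CLI tool not exposed to untrusted input; no security impact". Dropping the two "[buster] - wireshark <postponed>" lines follows from the unimportant rating, so that part is consistent.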
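Review bot: the libcrypto++ hunk (CVE-2024-28285) replaces "TODO: check details" with no-dsa tags and two upstream NOTE links, but the unstable line stays "libcrypto++ <unfixed>" without a "(bug #...)" reference, unlike the other <unfixed> entries touched here (requests, uriparser). File or reference the Debian bug so the unfixed state in unstable is tracked, since the no-dsa tags only cover the stable releases.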
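Review bot: the iperf3 entry (CVE-2024-26306) gains two no-dsa tags but has no NOTE line at all, whereas the neighbouring entries in this commit cite the upstream advisory or fix commit; add a NOTE with the upstream reference for the 3.17 fix so the "Minor issue" call and a later point-release fix can be checked against it.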
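Review bot: the three 389-ds-base hunks (CVE-2022-0996, CVE-2022-0918, CVE-2021-4091) all carry {DLA-3399-1}, i.e. buster got a fix through LTS, while bullseye is now tagged "<no-dsa> (Minor issue)"; fixed in oldoldstable but deliberately left open in oldstable reads as inconsistent unless the plan is a bullseye point release. Record that in the reason field, e.g. "[bullseye] - 389-ds-base <no-dsa> (Minor issue, can be fixed via point release)", or state why bullseye stays unfixed where buster was fixed.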
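Review bot: in the dsa-needed.txt hunks, the new entries cacti, git and python-pymysql are added without a release suffix, which by the file's own header ("specify the release by adding a slash after the name of the source package") means both stable and oldstable need an update; if any of them is only needed for one release, add "/stable" or "/oldstable" as done for "gpac/oldstable" and "redmine/stable". The "ruby-rack (jmm)" claim with the "Adrian Bunk proposed debdiffs for review" line follows the existing convention (compare the frr entry) and is fine.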
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits