Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
0ebcf4e1 by Moritz Muehlenhoff at 2024-06-27T17:43:28+02:00
bookworm/bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -105,9 +105,13 @@ CVE-2024-39241 (Cross Site Scripting (XSS) vulnerability
in skycaiji 2.8 allows
NOT-FOR-US: skycaiji
CVE-2024-38950 (Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows
attacker ...)
- libde265 <unfixed>
+ [bookworm] - libde265 <no-dsa> (Minor issue)
+ [bullseye] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/460
CVE-2024-38949 (Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows
attacker ...)
- libde265 <unfixed>
+ [bookworm] - libde265 <no-dsa> (Minor issue)
+ [bullseye] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/460
CVE-2024-38527 (ZenUML is JavaScript-based diagramming tool that requires no
server, u ...)
NOT-FOR-US: ZenUML
@@ -276,6 +280,8 @@ CVE-2024-6299 (Lack of consideration of key expiry when
validating signatures in
NOT-FOR-US: Conduit
CVE-2024-6257 (HashiCorp\u2019s go-getter library can be coerced into
executing Git u ...)
- golang-github-hashicorp-go-getter <unfixed>
+ [bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+ [bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
NOTE:
https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081
CVE-2024-6238 (pgAdmin <= 8.8 has an installation Directory permission
issue.Because ...)
- pgadmin4 <itp> (bug #834129)
@@ -640,6 +646,8 @@ CVE-2024-6160 (SQL Injection vulnerability in MegaBIP
software allows attacker t
NOT-FOR-US: MegaBIP
CVE-2024-6104 (go-retryablehttp prior to 0.7.7 did not sanitize urls when
writing the ...)
- golang-github-hashicorp-go-retryablehttp <unfixed>
+ [bookworm] - golang-github-hashicorp-go-retryablehttp <no-dsa> (Minor
issue)
+ [bullseye] - golang-github-hashicorp-go-retryablehttp <no-dsa> (Minor
issue)
CVE-2024-5862 (Improper Restriction of Excessive Authentication Attempts
vulnerabilit ...)
NOT-FOR-US: Mia Technology Inc. Mia-Med Health Aplication
CVE-2024-5683 (Improper Control of Generation of Code ('Code Injection')
vulnerabilit ...)
@@ -15656,9 +15664,13 @@ CVE-2024-30268 (Cacti provides an operational
monitoring and fault management fr
NOTE:
https://github.com/Cacti/cacti/commit/a38b9046e9772612fda847b46308f9391a49891e
CVE-2024-30259 (FastDDS is a C++ implementation of the DDS (Data Distribution
Service) ...)
- fastdds 2.14.1+ds-1
+ [bookworm] - fastdds <no-dsa> (Minor issue)
+ [bullseye] - fastdds <no-dsa> (Minor issue)
NOTE:
https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-qcj9-939p-p662
CVE-2024-30258 (FastDDS is a C++ implementation of the DDS (Data Distribution
Service) ...)
- fastdds 2.14.1+ds-1
+ [bookworm] - fastdds <no-dsa> (Minor issue)
+ [bullseye] - fastdds <no-dsa> (Minor issue)
NOTE:
https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-53xw-465j-rxfh
NOTE:
https://github.com/eProsima/Fast-DDS/commit/65236f93e9c4ea3ff9a49fba4dfd9e43eb94037b
CVE-2024-29895 (Cacti provides an operational monitoring and fault management
framewor ...)
@@ -66821,6 +66833,8 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of
service (server resource
- jetty9 9.4.53-1
- netty 1:4.1.48-8 (bug #1054234)
- dnsdist 1.8.2-2
+ [bookworm] - dnsdist <no-dsa> (Minor issue)
+ [bullseye] - dnsdist <no-dsa> (Minor issue)
[buster] - dnsdist <not-affected> (HTTP/2 support was added later)
- varnish <unfixed> (bug #1056156)
[bookworm] - varnish <ignored> (Minor issue, too intrusive to backport)
=====================================
data/dsa-needed.txt
=====================================
@@ -14,11 +14,6 @@ If needed, specify the release by adding a slash after the
name of the source pa
--
cacti
--
-composer/oldstable (jmm)
- Regression update for #1073931
---
-dnsdist (jmm)
---
dnsmasq
--
frr
@@ -32,8 +27,8 @@ gpac/oldstable
--
h2o (jmm)
--
-libreswan (jmm)
- Maintainer prepared bookworm-security update, but needs work on
bullseye-security backports
+libreswan
+ Waiting on feedback from maintainer, proposal to EOL Bullseye
--
linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
@@ -45,6 +40,7 @@ nbconvert/oldstable
nodejs (aron)
--
opennds/stable
+ pinged maintainer, but no reply yet. should most probably be bumped to 10.x
--
php-cas/oldstable
--
@@ -61,11 +57,9 @@ python-aiohttp
--
python-asyncssh
--
-ring/oldstable
- might make sense to rebase to current version
+ring
--
ruby2.7/oldstable
- Utkarsh Gupta offered help in preparing updates
--
ruby-nokogiri/oldstable
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ebcf4e1fac473a2b3644d2510dd9f813c925583
--
This project does not include diff previews in email notifications.
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ebcf4e1fac473a2b3644d2510dd9f813c925583
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
