Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
523d1e51 by Moritz Muehlenhoff at 2024-07-28T15:11:39+02:00
bookworm/bullseye triage
fix one dnsjava commit reference

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -844,8 +844,10 @@ CVE-2024-26020 (An arbitrary script execution 
vulnerability exists in the MPV fu
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1993
 CVE-2024-25638 (dnsjava is an implementation of DNS in Java. Records in DNS 
replies ar ...)
        - dnsjava <unfixed>
+       [bookworm] - dnsjava <no-dsa> (Minor issue)
+       [bullseye] - dnsjava <no-dsa> (Minor issue)
        NOTE: 
https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw
-       NOTE: 
https://github.com/dnsjava/dnsjava/commit/bc51df1c455e6c9fb7cbd42fcb6d62d16047818d
 (v3.6.0)
+       NOTE: 
https://github.com/dnsjava/dnsjava/commit/2073a0cdea2c560465f7ac0cc56f202e6fc39705
 (v3.6.0)
 CVE-2024-23321 (For RocketMQ versions 5.2.0 and below, under certain 
conditions, there ...)
        NOT-FOR-US: Apache RocketMQ
 CVE-2024-21552 (All versions of `SuperAGI` are vulnerable to Arbitrary Code 
Execution  ...)
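Review bot: The swapped commit reference keeps the same (v3.6.0) annotation as the line it replaces, so the one thing to verify is that 2073a0cdea2c560465f7ac0cc56f202e6fc39705 is the commit the linked GHSA-cfxw-4h78-h7fw advisory points to for CVE-2024-25638 and not the fix for a neighbouring dnsjava advisory released in the same version. The new [bookworm]/[bullseye] <no-dsa> (Minor issue) lines follow the usual format and leave the sid line as <unfixed>, which is correct until 3.6.0 is packaged.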
@@ -5775,6 +5777,8 @@ CVE-2024-32229 (FFmpeg 7.0 contains a 
heap-buffer-overflow at libavfilter/vf_til
        NOTE: 
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=a528a54ee119dcba47e7c9e30d3a56206fbad416
 CVE-2024-32228 (FFmpeg 7.0 is vulnerable to Buffer Overflow. There is a SEGV 
at libavc ...)
        - ffmpeg <unfixed>
+       [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
+       [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
        NOTE: https://trac.ffmpeg.org/ticket/10951
        NOTE: 
https://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=459648761f5412acdc3317d5bac982ceaa257584
 CVE-2024-2819 (Incorrect Default Permissions, Improper Preservation of 
Permissions vu ...)
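Review bot: The <postponed> reasons name upstream branches 5.1.x and 4.3.x, which match the ffmpeg versions the DSA list in this same commit records for bookworm (7:5.1.5) and bullseye (7:4.3.7), so the triage is internally consistent. Since an upstream fix commit (459648761f5412acdc3317d5bac982ceaa257584) is already noted, the sid line can move from <unfixed> to a fixed version as soon as that commit ships in a packaged release; nothing else is missing here.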
@@ -6192,6 +6196,8 @@ CVE-2024-38518 (BigBlueButton is an open-source virtual 
classroom designed to he
        NOT-FOR-US: BigBlueButton
 CVE-2019-25211 (parseWildcardRules in Gin-Gonic CORS middleware before 1.6.0 
mishandle ...)
        - golang-github-gin-contrib-cors <unfixed> (bug #1075962)
+       [bookworm] - golang-github-gin-contrib-cors <no-dsa> (Minor issue)
+       [bullseye] - golang-github-gin-contrib-cors <no-dsa> (Minor issue)
        NOTE: https://github.com/gin-contrib/cors/pull/57
        NOTE: https://github.com/gin-contrib/cors/pull/106
        NOTE: 
https://github.com/gin-contrib/cors/commit/27b723a473efd80d5a498fa9f5933c80204c850d
 (v1.6.0)
@@ -6852,6 +6858,8 @@ CVE-2024-21739 (Geehy APM32F103CCT6, APM32F103RCT6, 
APM32F103RCT7, and APM32F103
        NOT-FOR-US: Geehy
 CVE-2024-21520 (Versions of the package djangorestframework before 3.15.2 are 
vulnerab ...)
        - djangorestframework 3.15.2-1
+       [bookworm] - djangorestframework <no-dsa> (Minor issue)
+       [bullseye] - djangorestframework <no-dsa> (Minor issue)
        NOTE: https://github.com/encode/django-rest-framework/pull/9435
        NOTE: 
https://github.com/encode/django-rest-framework/commit/3b41f0124194430da957b119712978fa2266b642
 (3.15.2)
 CVE-2024-6308 (A vulnerability was found in itsourcecode Simple Online Hotel 
Reservat ...)
@@ -10186,6 +10194,8 @@ CVE-2024-0103 (NVIDIA Triton Inference Server for Linux 
contains a vulnerability
        NOT-FOR-US: NVIDIA
 CVE-2024-0102
        - nvidia-cuda-toolkit <unfixed> (bug #1076164)
+       [bookworm] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
+       [bullseye] - nvidia-cuda-toolkit <no-dsa> (Non-free not supported)
        NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5548
 CVE-2024-0099 (NVIDIA vGPU software for Linux contains a vulnerability in the 
Virtual ...)
        NOT-FOR-US: NVIDIA
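Review bot: The context line CVE-2024-0102 carries no parenthesised description, unlike every neighbouring entry in this file; the new <no-dsa> (Non-free not supported) lines for bookworm and bullseye are fine as triage, but the description should be filled in (or confirmed as still unpublished upstream) so the entry matches the file's format and the NOTE link to the NVIDIA advisory stands on its own.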


=====================================
data/DSA/list
=====================================
@@ -49,7 +49,7 @@
        [bullseye] - libvpx 1.9.0-1+deb11u3
        [bookworm] - libvpx 1.12.0-1+deb12u3
 [26 Jun 2024] DSA-5721-1 ffmpeg - security update
-       {CVE-2022-48434 CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 
CVE-2023-51798}
+       {CVE-2022-48434 CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 
CVE-2023-51798 CVE-2024-32230}
        [bullseye] - ffmpeg 7:4.3.7-0+deb11u1
 [25 Jun 2024] DSA-5720-1 chromium - security update
        {CVE-2024-6290 CVE-2024-6291 CVE-2024-6292 CVE-2024-6293}
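Review bot: Adding CVE-2024-32230 to the already-published DSA-5721-1 entry changes the CVE set retroactively, so the corresponding data/CVE/list entry for CVE-2024-32230 must carry the matching bullseye fixed version, 7:4.3.7-0+deb11u1, for the tracker to show the suite as fixed; this hunk only updates the DSA side.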
@@ -82,7 +82,7 @@
        [bullseye] - libndp 1.6-1+deb11u1
        [bookworm] - libndp 1.8-1+deb12u1
 [15 Jun 2024] DSA-5712-1 ffmpeg - security update
-       {CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 
CVE-2023-51798 CVE-2024-31585}
+       {CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 
CVE-2023-51798 CVE-2024-31585 CVE-2024-32230}
        [bookworm] - ffmpeg 7:5.1.5-0+deb12u1
 [15 Jun 2024] DSA-5711-1 thunderbird - security update
        {CVE-2024-5688 CVE-2024-5690 CVE-2024-5691 CVE-2024-5693 CVE-2024-5696 
CVE-2024-5700 CVE-2024-5702}
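Review bot: Same point for DSA-5712-1: with CVE-2024-32230 appended here, the data/CVE/list entry needs the bookworm fixed version 7:5.1.5-0+deb12u1 recorded against it, otherwise the DSA and CVE views of the tracker disagree on bookworm.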


=====================================
data/dsa-needed.txt
=====================================
@@ -52,6 +52,12 @@ nodejs (aron)
 nova
   Maintainer prepared updates for review
 --
+openjdk-11/oldstable (jmm)
+  version in sid needs update first
+--
+openjdk-17 (jmm)
+  version in sid needs update first
+--
 opennds/stable
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
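Review bot: The openjdk-11/oldstable entry is scoped to a single suite, while openjdk-17 (jmm) carries no suite suffix; if the openjdk-17 update is likewise intended for one suite only, add the suffix the way the neighbouring opennds/stable entry does, since an unsuffixed entry reads as covering both stable and oldstable. The "version in sid needs update first" reason is clear and consistent between the two entries.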



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/523d1e51aa6923fe8c32f12fa08368ba67673d82


