Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
99ac018c by Emilio Pozuelo Monfort at 2024-11-01T11:15:08+01:00
Mark CVE-2024-49761/ruby2.7 as n/a
- - - - -
e0b14e00 by Emilio Pozuelo Monfort at 2024-11-01T11:15:29+01:00
lts: add libheif
- - - - -
b204babb by Emilio Pozuelo Monfort at 2024-11-01T11:15:31+01:00
lts: Mark CVE-2024-0126 as no-dsa on bullseye
- - - - -
36e746c1 by Emilio Pozuelo Monfort at 2024-11-01T11:15:31+01:00
lts: Mark dbeacon issue as postponed
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1289,7 +1289,7 @@ CVE-2024-49761 (REXML is an XML toolkit for Ruby. The
REXML gem before 3.3.9 has
- ruby3.3 <unfixed>
- ruby3.2 <unfixed>
- ruby3.1 <unfixed>
- - ruby2.7 <removed>
+ - ruby2.7 <not-affected> (Vulnerable code introduced later)
NOTE:
https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
NOTE:
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f
(v3.3.9)
NOTE:
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/
@@ -2044,7 +2044,9 @@ CVE-2024-0126 (NVIDIA GPU Display Driver for Windows and
Linux contains a vulner
[bullseye] - nvidia-graphics-drivers <ignored> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #1085969)
- nvidia-graphics-drivers-legacy-390xx <unfixed> (bug #1085970)
+ [bullseye] - nvidia-graphics-drivers-legacy-390xx <no-dsa> (Non-free
not supported)
- nvidia-graphics-drivers-tesla-418 <unfixed> (bug #1085971)
+ [bullseye] - nvidia-graphics-drivers-tesla-418 <no-dsa> (Non-free not
supported)
- nvidia-graphics-drivers-tesla-450 450.248.02-4 (bug #1085972)
NOTE: 450.248.02-4 turned the package into a metapackage to aid
switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1085973)
@@ -2052,6 +2054,7 @@ CVE-2024-0126 (NVIDIA GPU Display Driver for Windows and
Linux contains a vulner
NOTE: 460.106.00-3 turned the package into a metapackage to aid
switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-470 <unfixed> (bug #1085974)
[bookworm] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not
supported)
+ [bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not
supported)
- nvidia-graphics-drivers-tesla 525.147.05-6 (bug #1085975)
NOTE: 525.147.05-6 turned the package into a metapackage to aid
switching to nvidia-graphics-drivers
- nvidia-open-gpu-kernel-modules <unfixed> (bug #1085976)
@@ -4091,6 +4094,7 @@ CVE-2024-10195 (A vulnerability was found in Tecno 4G
Portable WiFi TR118 V008-2
CVE-2024-XXXX [XSS Vulnerability in matrix.pl]
- dbeacon 0.4.0-3 (bug #1031542)
[bookworm] - dbeacon <no-dsa> (Minor issue)
+ [bullseye] - dbeacon <postponed> (Minor issue)
CVE-2024-49631 (Improper Neutralization of Input During Web Page Generation
(XSS or 'C ...)
NOT-FOR-US: WordPress plugin
CVE-2024-49630 (Improper Neutralization of Input During Web Page Generation
(XSS or 'C ...)
@@ -87177,7 +87181,6 @@ CVE-2023-49463 (libheif v1.17.5 was discovered to
contain a segmentation violati
CVE-2023-49462 (libheif v1.17.5 was discovered to contain a segmentation
violation via ...)
{DSA-5796-1}
- libheif 1.17.6-1 (bug #1059151)
- [bullseye] - libheif <no-dsa> (Minor issue)
[buster] - libheif <not-affected> (Vulnerable code not present)
NOTE: https://github.com/strukturag/libheif/issues/1043
NOTE:
https://github.com/strukturag/libheif/commit/730a9d80bea3434f75c79e721878cc67f3889969
(v1.17.6)
@@ -122420,7 +122423,6 @@ CVE-2023-29660
CVE-2023-29659 (A Segmentation fault caused by a floating point exception
exists in li ...)
{DSA-5796-1}
- libheif 1.16.2-1 (bug #1035607)
- [bullseye] - libheif <no-dsa> (Minor issue)
[buster] - libheif <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libheif/issues/794
NOTE:
https://github.com/strukturag/libheif/commit/e05e15b57a38ec411cb9acb38512a1c36ff62991
(v1.15.2)
@@ -132744,7 +132746,6 @@ CVE-2023-22293 (Improper access control in the
Intel(R) Thunderbolt(TM) DCH driv
NOT-FOR-US: Intel
CVE-2023-0996 (There is a vulnerability in the strided image data parsing code
in the ...)
- libheif 1.15.1-1 (bug #1032101)
- [bullseye] - libheif <no-dsa> (Minor issue)
[buster] - libheif <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libheif/pull/759
NOTE:
https://govtech-csg.github.io/security-advisories/2023/02/24/CVE-2023-0996.html
=====================================
data/dla-needed.txt
=====================================
@@ -91,6 +91,9 @@ libarchive (Adrian Bunk)
NOTE: 20241031: Added by Front-Desk (pochu)
NOTE: 20241031: look at no-dsa issues as well (pochu)
--
+libheif
+ NOTE: 20241101: Added by Front-Desk (pochu)
+--
linux (Ben Hutchings)
NOTE: 20230111: Perma-added, Linux package specifically delegated to bwh
(LTS Team)
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f093cd36b1fefe22b9b551d315aad9d917c4543c...36e746c1dbebce123821f7a61e18d9fa9576d7cd
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f093cd36b1fefe22b9b551d315aad9d917c4543c...36e746c1dbebce123821f7a61e18d9fa9576d7cd
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
