Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 6bf6ebf2 by Moritz Muehlenhoff at 2024-11-05T17:31:24+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -406,6 +406,7 @@ CVE-2024-10310 (The Element Pack Elementor Addons (Header Footer, Template Libra NOT-FOR-US: WordPress plugin CVE-2024-51774 (qBittorrent before 5.0.1 proceeds with use of https URLs even after ce ...) - qbittorrent 5.0.1-1 + [bookworm] - qbittorrent <no-dsa> (Minor issue) NOTE: https://sharpsec.run/rce-vulnerability-in-qbittorrent/ CVE-2024-7456 (A SQL injection vulnerability exists in the `/api/v1/external-users` r ...) NOT-FOR-US: lunary-ai/lunary @@ -903,8 +904,11 @@ CVE-2024-8185 (Vault Community and Vault Enterprise (\u201cVault\u201d) clusters NOT-FOR-US: HashiCorp Vault CVE-2024-7883 (When using Arm Cortex-M Security Extensions (CMSE), Secure stack cont ...) - llvm-toolchain-14 <unfixed> + [bookworm] - llvm-toolchain-14 <ignored> (Minor issue) - llvm-toolchain-15 <removed> + [bookworm] - llvm-toolchain-15 <ignored> (Minor issue) - llvm-toolchain-16 <unfixed> + [bookworm] - llvm-toolchain-16 <ignored> (Minor issue) - llvm-toolchain-17 <unfixed> - llvm-toolchain-18 <unfixed> NOTE: https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability @@ -1564,6 +1568,7 @@ CVE-2024-22066 (There is a privilege escalation vulnerability in ZTE ZXR10 ZSR V NOT-FOR-US: ZTE CVE-2024-10491 (A vulnerability has been identified in the Express response.linksfunct ...) - node-express <unfixed> + [bookworm] - node-express <no-dsa> (Minor issue) NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-10491 NOTE: check details, affects only <=3.21.4, so possibly fixed in 4.1.1~dfsg-1 onwards CVE-2024-10474 (Focus was incorrectly allowing internal links to utilize the app schem ...) 
@@ -2297,6 +2302,7 @@ CVE-2024-10413 (A vulnerability, which was classified as critical, has been foun NOT-FOR-US: SourceCodester CVE-2024-50602 (An issue was discovered in libexpat before 2.6.4. There is a crash wit ...) - expat 2.6.3-2 (bug #1086134) + [bookworm] - expat <no-dsa> (Minor issue) NOTE: https://github.com/libexpat/libexpat/pull/915 CVE-2024-10412 (A vulnerability was found in Poco-z Guns-Medical 1.0. It has been decl ...) NOT-FOR-US: Poco-z Guns-Medical @@ -6787,6 +6793,7 @@ CVE-2024-49193 (Zendesk before 2024-07-02 allows remote attackers to read ticket NOT-FOR-US: Zendesk CVE-2024-6519 (A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI H ...) - qemu <unfixed> (bug #1085299) + [bookworm] - qemu <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2292089 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-24-1382/ CVE-2024-9860 (The Bridge Core plugin for WordPress is vulnerable to unauthorized mod ...) @@ -94492,10 +94499,8 @@ CVE-2023-46478 (An issue in minCal v.1.0.0 allows a remote attacker to execute a CVE-2023-46451 (Best Courier Management System v1.0 is vulnerable to Cross Site Script ...) NOT-FOR-US: Best Courier Management System CVE-2023-46361 (Artifex Software jbig2dec v0.20 was discovered to contain a SEGV vulne ...) - - jbig2dec <unfixed> (bug #1055387) - [bookworm] - jbig2dec <no-dsa> (Minor issue) - [bullseye] - jbig2dec <no-dsa> (Minor issue) - [buster] - jbig2dec <no-dsa> (Minor issue) + - jbig2dec <unfixed> (bug #1055387; unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/jbig2dec-SEGV/jbig2dec-SEGV.md NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707308 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=705041 
@@ -127929,8 +127934,8 @@ CVE-2023-28430 (OneSignal is an email, sms, push notification, and in-app messag CVE-2023-28429 (Pimcore is an open source data and experience management platform. Ver ...) NOT-FOR-US: Pimcore CVE-2023-28428 (PDFio is a C library for reading and writing PDF files. In versions 1. ...) - - ippsample <unfixed> (bug #1034155) - [bookworm] - ippsample <no-dsa> (Minor issue) + - ippsample <unfixed> (bug #1034155; unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/michaelrsweet/pdfio/commit/97d4955666779dc5b0665e15dd951a5c12426a31 (v1.1.1) NOTE: https://github.com/michaelrsweet/pdfio/security/advisories/GHSA-68x8-9phf-j7jf CVE-2023-28427 (matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for Jav ...) @@ -322400,6 +322405,7 @@ CVE-2020-23885 CVE-2020-23884 (A buffer overflow in Nomacs v3.15.0 allows attackers to cause a denial ...) - qt6-base <not-affected> (Fixed before initial upload to the archive) - qtimageformats-opensource-src 5.15.15-3 (bug #1014124) + [bookworm] - qtimageformats-opensource-src <no-dsa> (Minor issue) NOTE: Originally reported/assigned to nomac, but actual issue is in Qt: NOTE: https://github.com/nomacs/nomacs/issues/516 NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/303313 ===================================== data/dsa-needed.txt ===================================== @@ -19,6 +19,8 @@ frr -- ghostscript (carnil) -- +guix (jmm) +-- libarchive (carnil) -- libreswan 
@@ -28,6 +30,8 @@ linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more 6.1.y versions -- +mpg123 +-- nss (jmm) -- opennds View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6bf6ebf280380604d7456d0c8135b56045cc4691
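Review bot: the new [bookworm] no-dsa line for CVE-2024-51774 (qbittorrent) carries only "(Minor issue)" while the NOTE directly beneath it links a write-up titled rce-vulnerability-in-qbittorrent; a short NOTE recording why the bookworm package is judged minor (what an attacker needs, or what limits the impact) would let the no-dsa decision be reviewed later without re-reading the external post.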
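Review bot: the three new [bookworm] lines for CVE-2024-7883 (llvm-toolchain-14/15/16) use <ignored> where every other bookworm annotation in this commit uses <no-dsa> with the same "(Minor issue)" wording; since ignored records that no fix is planned rather than deferred to a point release, a NOTE stating the reason would document the distinction. Leaving llvm-toolchain-17 and -18 without a bookworm line is consistent only if those source packages are not in bookworm, which is worth confirming.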
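Review bot: the new [bookworm] no-dsa line for CVE-2024-10491 (node-express) sits above a still-open NOTE, "check details, affects only <=3.21.4, so possibly fixed in 4.1.1~dfsg-1 onwards"; if that check concludes that the shipped version is 4.x, the correct marker is <not-affected> for bookworm and the unstable <unfixed> entry would need changing as well, so the check should be settled before the no-dsa tag is committed, or the NOTE amended to say the tag is provisional.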
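Review bot: in the jbig2dec (CVE-2023-46361) and ippsample (CVE-2023-28428) hunks the per-release no-dsa lines are replaced by an "unimportant" marker with the NOTE "Crash in CLI tool, no security impact"; the NOTE would be stronger if it named the crashing component, because "unimportant" only holds if the SEGV is confined to the command-line front-end and is not reachable through any library code the same source package ships to other consumers.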