Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
a44abfbd by Moritz Muehlenhoff at 2024-11-20T21:10:49+01:00
triage older issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3451,25 +3451,19 @@ CVE-2024-10314 (In Helix Core versions prior to 2024.2,
an unauthenticated remot
CVE-2024-10179 (The Slickstream: Engagement and Conversions plugin for
WordPress is vu ...)
NOT-FOR-US: WordPress plugin
CVE-2024-49395 (In mutt and neomutt, PGP encryption does not use the
--hidden-recipien ...)
- - mutt <unfixed>
- [bookworm] - mutt <no-dsa> (Minor issue)
- [bullseye] - mutt <postponed> (Minor issue; upstream won't fix)
- - neomutt <unfixed>
- [bookworm] - neomutt <no-dsa> (Minor issue)
- [bullseye] - neomutt <postponed> (Minor issue, infoleak)
+ - mutt <unfixed> (unimportant)
+ - neomutt <unfixed> (unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325332
NOTE: https://gitlab.com/muttmua/mutt/-/issues/490
NOTE: Mutt project does not plan to address CVE-2024-49393,
CVE-2024-49394, CVE-2024-49395
NOTE: cf. https://gitlab.com/muttmua/mutt/-/issues/490#note_2209448655
. Issues with documented
NOTE: through http://mutt.org/doc/manual/#crypt-protected-headers-read
NOTE: https://github.com/neomutt/neomutt/issues/4234
+ NOTE: These are longstanding limitations of PGP-encrypted mail and
rather enhancements
+ NOTE: than actual vulnerabilities
CVE-2024-49394 (In mutt and neomutt the In-Reply-To email header field is not
protecte ...)
- - mutt <unfixed>
- [bookworm] - mutt <no-dsa> (Minor issue)
- [bullseye] - mutt <postponed> (Minor issue; upstream won't fix)
- - neomutt 20241002+dfsg-1
- [bookworm] - neomutt <no-dsa> (Minor issue)
- [bullseye] - neomutt <postponed> (Minor issue)
+ - mutt <unfixed> (unimportant)
+ - neomutt 20241002+dfsg-1 (unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325330
NOTE: https://gitlab.com/muttmua/mutt/-/issues/490
NOTE: Mutt project does not plan to address CVE-2024-49393,
CVE-2024-49394, CVE-2024-49395
@@ -3478,13 +3472,11 @@ CVE-2024-49394 (In mutt and neomutt the In-Reply-To
email header field is not pr
NOTE: https://github.com/neomutt/neomutt/issues/4226
NOTE: Protected since:
https://github.com/neomutt/neomutt/commit/13cfc6f98322eafdc30ecc4c15999d401950a1d9
(20241002)
NOTE: Reading protected value since:
https://github.com/neomutt/neomutt/commit/ec02b141983c70ae7ebee0cdfba59e90a825f0cc
(20241002)
+ NOTE: These are longstanding limitations of PGP-encrypted mail and
rather enhancements
+ NOTE: than actual vulnerabilities
CVE-2024-49393 (In neomutt and mutt, the To and Cc email headers are not
validated by ...)
- - mutt <unfixed>
- [bookworm] - mutt <no-dsa> (Minor issue)
- [bullseye] - mutt <postponed> (Minor issue; upstream won't fix)
- - neomutt 20241002+dfsg-1
- [bookworm] - neomutt <no-dsa> (Minor issue)
- [bullseye] - neomutt <postponed> (Minor issue)
+ - mutt <unfixed> (unimportant)
+ - neomutt 20241002+dfsg-1 (unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325317
NOTE: https://gitlab.com/muttmua/mutt/-/issues/490
NOTE: Mutt project does not plan to address CVE-2024-49393,
CVE-2024-49394, CVE-2024-49395
@@ -49882,13 +49874,13 @@ CVE-2024-36050 (Nix through 2.22.1 mishandles certain
usage of hash caches, whic
NOTE: https://github.com/NixOS/ofborg/issues/68#issuecomment-2082789441
CVE-2024-36048 (QAbstractOAuth in Qt Network Authorization in Qt before
5.15.17, 6.x b ...)
- qtnetworkauth-everywhere-src 5.15.13-3 (bug #1071974)
- [bookworm] - qtnetworkauth-everywhere-src <no-dsa> (Minor issue)
+ [bookworm] - qtnetworkauth-everywhere-src <ignored> (Minor issue)
[bullseye] - qtnetworkauth-everywhere-src <no-dsa> (Minor issue)
[buster] - qtnetworkauth-everywhere-src <postponed> (Minor issue)
- - qt6-networkauth <unfixed> (bug #1071973)
- [bookworm] - qt6-networkauth <no-dsa> (Minor issue)
- NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317
- NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560368
+ - qt6-networkauth 6.7.2-2 (bug #1071973)
+ [bookworm] - qt6-networkauth <ignored> (Minor issue)
+ NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317
(security fix)
+ NOTE: https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560368
(followup/finetuning)
CVE-2024-28064 (Kiteworks Totemomail 7.x and 8.x before 8.3.0 allows
/responsiveUI/Env ...)
NOT-FOR-US: Kiteworks Totemomail
CVE-2024-28063 (Kiteworks Totemomail through 7.0.0 allows
/responsiveUI/EnvelopeOpenSe ...)
@@ -95496,7 +95488,7 @@ CVE-2023-6070 (A server-side request forgery
vulnerability in ESM prior to versi
CVE-2023-49091 (Cosmos provides users the ability self-host a home server by
acting as ...)
NOT-FOR-US: Cosmos
CVE-2023-49090 (CarrierWave is a solution for file uploads for Rails, Sinatra
and othe ...)
- - ruby-carrierwave <unfixed> (bug #1068150)
+ - ruby-carrierwave 3.0.7-1 (bug #1068150)
[bookworm] - ruby-carrierwave <no-dsa> (Minor issue)
[buster] - ruby-carrierwave <postponed> (Minor issue)
NOTE:
https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj
@@ -177195,7 +177187,7 @@ CVE-2020-36604 (hoek before 8.5.1 and 9.x before
9.0.3 allows prototype poisonin
NOTE: Fixed by:
https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90
(v9.0.3)
CVE-2022-3276 (Command injection is possible in the puppetlabs-mysql module
prior to ...)
- puppet-module-puppetlabs-mysql 15.0.0-1 (bug #1027154)
- [bookworm] - puppet-module-puppetlabs-mysql <no-dsa> (Minor issue)
+ [bookworm] - puppet-module-puppetlabs-mysql <ignored> (Minor issue)
[bullseye] - puppet-module-puppetlabs-mysql <no-dsa> (Minor issue)
[buster] - puppet-module-puppetlabs-mysql <no-dsa> (Minor issue)
NOTE: https://puppet.com/security/cve/CVE-2022-3276
@@ -518563,7 +518555,7 @@ CVE-2017-1000048 (the web framework using ljharb's qs
module older than v6.3.2,
NOT-FOR-US: ljharb
CVE-2017-1000047 (rbenv (all current versions) is vulnerable to Directory
Traversal in t ...)
- rbenv <unfixed> (bug #869702)
- [bookworm] - rbenv <no-dsa> (Minor issue)
+ [bookworm] - rbenv <ignored> (Minor issue)
[bullseye] - rbenv <no-dsa> (Minor issue)
[buster] - rbenv <no-dsa> (Minor issue)
[stretch] - rbenv <no-dsa> (Minor issue)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a44abfbd742bc216a56297da42fa766a73c1b2e5
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a44abfbd742bc216a56297da42fa766a73c1b2e5
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
