Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
33486817 by Moritz Muehlenhoff at 2024-12-01T17:56:29+01:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -357,10 +357,10 @@ CVE-2023-52922 (In the Linux kernel, the following 
vulnerability has been resolv
 CVE-2024-53860 (sp-php-email-handler is a PHP package for handling contact 
form submis ...)
        NOT-FOR-US: sp-php-email-handler
 CVE-2024-53859 (go-gh is a Go module for interacting with the `gh` utility and 
the Git ...)
-       - golang-github-cli-go-gh-v2 <unfixed>
+       - golang-github-cli-go-gh-v2 <unfixed> (bug #1088815)
        NOTE: 
https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh
 CVE-2024-53858 (The gh cli is GitHub\u2019s official command line tool. A 
security vul ...)
-       - gh <unfixed>
+       - gh <unfixed> (bug #1088808)
        NOTE: https://github.com/cli/cli/security/advisories/GHSA-jwcm-9g39-pmcw
 CVE-2024-53260 (Autolab is a course management service that enables 
auto-graded progra ...)
        NOT-FOR-US: Autolab
@@ -603,13 +603,14 @@ CVE-2024-53975 (Accessing a non-secure HTTP site that 
uses a non-existent port m
 CVE-2024-53844 (E.D.D.I (Enhanced Dialog Driven Interface) is a middleware to 
connect  ...)
        NOT-FOR-US: E.D.D.I (Enhanced Dialog Driven Interface)
 CVE-2024-53620 (A cross-site scripting (XSS) vulnerability in the Article 
module of SP ...)
-       - spip <undetermined>
+       - spip <unfixed> (bug #1088801)
+       [bookworm] - spip <postponed> (Minor issue, revisit when fixed upstream)
        NOTE: https://grimthereaperteam.medium.com/ec1e8714c02e
        TODO: check, maybe fixed in 4.3.4, if so identify fix
 CVE-2024-53619 (An authenticated arbitrary file upload vulnerability in the 
Documents  ...)
-       - spip <undetermined>
+       - spip <unfixed> (bug #1088800)
+       [bookworm] - spip <postponed> (Minor issue, revisit when fixed upstream)
        NOTE: 
https://grimthereaperteam.medium.com/spip-4-3-3-malicious-file-upload-xss-in-pdf-526c03bb1776
-       TODO: check
 CVE-2024-53555 (A CSV injection vulnerability in Taiga v6.8.1 allows attackers 
to exec ...)
        NOT-FOR-US: Taiga
 CVE-2024-53365 (A stored cross-site scripting (XSS) vulnerability was 
identified in PH ...)
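Review bot: the TODO on CVE-2024-53620 ("check, maybe fixed in 4.3.4, if so identify fix") is left in place while the entry moves from <undetermined> to <unfixed> (bug #1088801) with a [bookworm] <postponed> "revisit when fixed upstream" annotation; if 4.3.4 does contain the fix, the unstable line should carry the fixed package version rather than <unfixed> and the postponed reason no longer applies, so either resolve the TODO in this change or reword the postponed reason to reflect the open question. The sibling CVE-2024-53619 entry drops its "TODO: check" in the same hunk, so the two spip entries now express different levels of certainty for what looks like the same upstream state.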
@@ -716,7 +717,7 @@ CVE-2024-11669 (An issue was discovered in GitLab CE/EE 
affecting all versions f
 CVE-2024-11668 (An issue has been discovered in GitLab CE/EE affecting all 
versions fr ...)
        - gitlab <not-affected> (Vulnerable code introduced later)
 CVE-2024-11407 (There exists a denial of service through Data corruption in 
gRPC-C++ - ...)
-       - grpc <unfixed>
+       - grpc <unfixed> (bug #1088806)
        NOTE: 
https://github.com/grpc/grpc/commit/e9046b2bbebc0cb7f5dc42008f807f6c7e98e791 
(v1.68.0-pre1)
 CVE-2024-11192 (The Spotify Play Button for WordPress plugin for WordPress is 
vulnerab ...)
        NOT-FOR-US: WordPress plugin
@@ -983,7 +984,7 @@ CVE-2024-6393 (The Photo Gallery, Sliders, Proofing and   
WordPress plugin befor
 CVE-2024-53930 (WikiDocs before 1.0.65 allows stored XSS by authenticated 
users via da ...)
        NOT-FOR-US: WikiDocs
 CVE-2024-53916 (In OpenStack Neutron through 25.0.0, 
neutron/extensions/tagging.py can ...)
-       - neutron <unfixed>
+       - neutron <unfixed> (bug #1088802)
        [bookworm] - neutron <postponed> (Minor issue, revisit when fixed 
upstream)
        [bullseye] - neutron <postponed> (Minor issue, revisit when fixed 
upstream)
        NOTE: https://review.opendev.org/c/openstack/neutron/+/935883
@@ -2180,11 +2181,11 @@ CVE-2024-52769 (An arbitrary file upload vulnerability 
in the component /admin/f
 CVE-2024-52765 (H3C GR-1800AX MiniGRW1B0V100R007 is vulnerable to remote code 
executio ...)
        NOT-FOR-US: H3C GR-1800AX MiniGRW1B0V100R007
 CVE-2024-52763 (A cross-site scripting (XSS) vulnerability in the component 
/graph_all ...)
-       - ganglia-web <unfixed>
+       - ganglia-web <unfixed> (bug #1088799)
        [bookworm] - ganglia-web <postponed> (Minor issue, revisit when fixed 
upstream)
        NOTE: https://github.com/ganglia/ganglia-web/issues/382
 CVE-2024-52762 (A cross-site scripting (XSS) vulnerability in the component 
/master/he ...)
-       - ganglia-web <unfixed>
+       - ganglia-web <unfixed> (bug #1088799)
        [bookworm] - ganglia-web <postponed> (Minor issue, revisit when fixed 
upstream)
        NOTE: https://github.com/ganglia/ganglia-web/issues/382
 CVE-2024-52757 (D-LINK DI-8003 v16.07.16A1 was discovered to contain a buffer 
overflow ...)
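Review bot: CVE-2024-52763 and CVE-2024-52762 are both tagged with the same bug #1088799. That is consistent if a single bug was filed covering both ganglia-web XSS reports (both NOTE lines point at the same upstream issue #382, and the kanboard pair later in this commit shares #1088798 the same way), but the tinyxml2 and angular.js pairs in this commit get one bug per CVE, so it is worth confirming the shared number is intentional rather than a copied value.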
@@ -5828,7 +5829,7 @@ CVE-2024-52531 (GNOME libsoup before 3.6.1 allows a 
buffer overflow in applicati
 CVE-2024-52530 (GNOME libsoup before 3.6.0 allows HTTP request smuggling in 
some confi ...)
        - libsoup3 3.5.2-1
        [bookworm] - libsoup3 <no-dsa> (Minor issue)
-       - libsoup2.4 <unfixed>
+       - libsoup2.4 <unfixed> (bug #1088812)
        [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
        NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b
 (3.5.2)
@@ -5839,10 +5840,10 @@ CVE-2024-52286 (Stirling-PDF is a locally hosted web 
application that allows you
 CVE-2024-51992 (Orchid is a @laravel package that allows for rapid application 
develop ...)
        NOT-FOR-US: Orchid laravel package
 CVE-2024-51748 (Kanboard is project management software that focuses on the 
Kanban met ...)
-       - kanboard <unfixed>
+       - kanboard <unfixed> (bug #1088798)
        NOTE: 
https://github.com/kanboard/kanboard/security/advisories/GHSA-jvff-x577-j95p
 CVE-2024-51747 (Kanboard is project management software that focuses on the 
Kanban met ...)
-       - kanboard <unfixed>
+       - kanboard <unfixed> (bug #1088798)
        NOTE: 
https://github.com/kanboard/kanboard/security/advisories/GHSA-78pf-vg56-5p8v
 CVE-2024-51490 (Ampache is a web based audio/video streaming application and 
file mana ...)
        - ampache <removed>
@@ -9667,7 +9668,7 @@ CVE-2024-25566 (An Open-Redirect vulnerability exists in 
PingAM where well-craft
 CVE-2024-22066 (There is a privilege escalation vulnerability in ZTE ZXR10 ZSR 
V2 inte ...)
        NOT-FOR-US: ZTE
 CVE-2024-10491 (A vulnerability has been identified in the Express 
response.linksfunct ...)
-       - node-express <unfixed>
+       - node-express <unfixed> (bug #1088807)
        [bookworm] - node-express <no-dsa> (Minor issue)
        [bullseye] - node-express <postponed> (Minor issue, no public patch)
        NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-10491
@@ -10323,12 +10324,12 @@ CVE-2024-50623 (In Cleo Harmony before 5.8.0.21, 
VLTrader before 5.8.0.21, and L
 CVE-2024-50616 (Ironman PowerShell Universal 5.x before 5.0.12 allows an 
authenticated ...)
        NOT-FOR-US: Ironman PowerShell Universal
 CVE-2024-50615 (TinyXML2 through 10.0.0 has a reachable assertion for 
UINT_MAX/digit,  ...)
-       - tinyxml2 <unfixed>
+       - tinyxml2 <unfixed> (bug #1088814)
        [bookworm] - tinyxml2 <postponed> (Minor issue, revisit when fixed 
upstream)
        [bullseye] - tinyxml2 <postponed> (Minor issue, revisit when fixed 
upstream)
        NOTE: https://github.com/leethomason/tinyxml2/issues/997
 CVE-2024-50614 (TinyXML2 through 10.0.0 has a reachable assertion for 
UINT_MAX/16, tha ...)
-       - tinyxml2 <unfixed>
+       - tinyxml2 <unfixed> (bug #1088813)
        [bookworm] - tinyxml2 <postponed> (Minor issue, revisit when fixed 
upstream)
        [bullseye] - tinyxml2 <postponed> (Minor issue, revisit when fixed 
upstream)
        NOTE: https://github.com/leethomason/tinyxml2/issues/996
@@ -22278,12 +22279,12 @@ CVE-2024-8604 (A vulnerability classified as 
problematic has been found in Sourc
 CVE-2024-8601 (This vulnerability exists in TechExcel Back Office Software 
versions p ...)
        NOT-FOR-US: TechExcel Back Office Software
 CVE-2024-8373 (Improper sanitization of the value of the [srcset] attribute in 
<sourc ...)
-       - angular.js <unfixed>
+       - angular.js <unfixed> (bug #1088805)
        [bookworm] - angular.js <postponed> (Minor issue, revisit when fixed 
upstream)
        [bullseye] - angular.js <postponed> (Minor issue)
        NOTE: 
https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b
 CVE-2024-8372 (Improper sanitization of the value of the '[srcset]' attribute 
in Angu ...)
-       - angular.js <unfixed>
+       - angular.js <unfixed> (bug #1088804)
        [bookworm] - angular.js <postponed> (Minor issue, revisit when fixed 
upstream)
        [bullseye] - angular.js <postponed> (Minor issue)
        NOTE: 
https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017
@@ -83726,7 +83727,7 @@ CVE-2024-23322 (Envoy is a high-performance 
edge/middle/service proxy. Envoy wil
 CVE-2024-21624 (nonebot2 is a cross-platform Python asynchronous chatbot 
framework wri ...)
        NOT-FOR-US: nonebot2
 CVE-2024-21490 (This affects versions of the package angular from 1.3.0. A 
regular exp ...)
-       - angular.js <unfixed>
+       - angular.js <unfixed> (bug #1088803)
        [bookworm] - angular.js <postponed> (Minor issue, revisit when fixed 
upstream)
        [bullseye] - angular.js <no-dsa> (Minor issue)
        [buster] - angular.js <postponed> (Fix along with the next DLA)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3348681786c745c4077de59e4e22e6ef22997b1a



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
