Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
17c65d8a by Salvatore Bonaccorso at 2024-12-28T21:14:42+01:00
Track specifically CVE-2024-48910 and CVE-2024-47875 for cacti
This is done to support the LTS team in addressing the embedded copy
issue of node-dompurify in cacti.
Note that CVE-2024-45801 is explicitly not listed. The CVE was very
specifically assigned for the bypass of the depth checking added to
DOMPurify, and it applies if CVE-2024-47875 is incompletely fixed. If the
patching is done correctly, then CVE-2024-47875 is addressed without
opening up CVE-2024-45801.
The tracking is more of a workaround. The embedded versions are not
necessarily fixed, but the binary packages start to depend on
node-dompurify and link to purify.js in cacti/1.2.26+ds1-1 (in an
unstable upload) and cacti/1.2.24+ds1-1+deb12u2 in bookworm. This
nevertheless allows getting the CVE on the radar for cacti in bullseye
and having it fixed there.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -16321,10 +16321,14 @@ CVE-2024-49685 (Cross-Site Request Forgery (CSRF)
vulnerability in Smash Balloon
CVE-2024-49674 (Cross-Site Request Forgery (CSRF) vulnerability in Lukas Huser
EKC Tou ...)
NOT-FOR-US: WordPress plugin
CVE-2024-48910 (DOMPurify is a DOM-only, super-fast, uber-tolerant XSS
sanitizer for H ...)
+ - cacti 1.2.26+ds1-1
+ [bookworm] - cacti 1.2.24+ds1-1+deb12u2
- node-dompurify 3.0.9+dfsg+~3.0.5-1
[bookworm] - node-dompurify 2.4.1+dfsg+~2.4.0-2+deb12u1
NOTE:
https://github.com/cure53/DOMPurify/security/advisories/GHSA-p3vf-v8qc-cwcr
NOTE:
https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc
(2.4.2)
+ NOTE: Mark cacti/1.2.26+ds1-1 which is the version starting to depend
on node-dompurify
+ NOTE: and link purify.js instead of using the upstream version.
CVE-2024-48360 (Qualitor v8.24 was discovered to contain a Server-Side Request
Forgery ...)
NOT-FOR-US: Qualitor
CVE-2024-48359 (Qualitor v8.24 was discovered to contain a remote code
execution (RCE) ...)
@@ -22394,6 +22398,8 @@ CVE-2024-47877 (Extract is aA Go library to extract
archives in zip, tar.gz or t
NOT-FOR-US: codeclysm/extract Go library
CVE-2024-47875 (DOMPurify is a DOM-only, super-fast, uber-tolerant XSS
sanitizer for H ...)
{DSA-5790-1}
+ - cacti 1.2.26+ds1-1
+ [bookworm] - cacti 1.2.24+ds1-1+deb12u2
- node-dompurify 3.1.6+dfsg+~3.0.5-1 (bug #1084983)
NOTE:
https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf
NOTE:
https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f
(2.5.1)
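Review bot: the new "- cacti 1.2.26+ds1-1" and "[bookworm] - cacti 1.2.24+ds1-1+deb12u2" lines land directly under {DSA-5790-1}, which previously sat next to the node-dompurify line and its bug #1084983 reference; since the commit message describes the cacti fixed versions as a tracking workaround rather than a fix of the embedded copy, check that the DSA reference is not read as covering cacti too. It would also help to add a NOTE that no [bullseye] line is given on purpose, so that cacti in bullseye shows as affected against the unstable fixed version until an upload fixes it there, which is the stated goal of the change.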
@@ -22401,6 +22407,8 @@ CVE-2024-47875 (DOMPurify is a DOM-only, super-fast,
uber-tolerant XSS sanitizer
NOTE:
https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a
(3.1.1)
NOTE: When fixing the issue be aware that the fixing commit would
introduce CVE-2024-45801
NOTE: when only cherry-picking commits.
+ NOTE: Mark cacti/1.2.26+ds1-1 which is the version starting to depend
on node-dompurify
+ NOTE: and link purify.js instead of using the upstream version.
CVE-2024-47830 (Plane is an open-source project management tool. Plane uses
the ** wil ...)
NOT-FOR-US: Plane
CVE-2024-47509 (An Allocation of Resources Without Limits or
Throttlingvulnerability i ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17c65d8aae1b7358a4d9ff313782a8cbfe532844
--
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits