Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 433acc83 by Moritz Muehlenhoff at 2023-12-21T11:08:54+01:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -57,6 +57,8 @@ CVE-2023-7018 (Deserialization of Untrusted Data in GitHub repository huggingfac NOT-FOR-US: Transformers CVE-2023-7008 [Unsigned name response in signed zone is not refused when DNSSEC=yes] - systemd <unfixed> + [bookworm] - systemd <no-dsa> (Minor issue) + [bullseye] - systemd <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2222672 CVE-2023-6912 (Lack of protection against brute force attacks in M-Files Server befor ...) NOT-FOR-US: M-Files Server @@ -299,6 +301,8 @@ CVE-2023-49489 (Reflective Cross Site Scripting (XSS) vulnerability in KodeExplo NOT-FOR-US: kalcaddle KodExplorer CVE-2023-49006 (Cross Site Request Forgery (CSRF) vulnerability in Phpsysinfo version ...) - phpsysinfo 3.4.3-1 + [bookworm] - phpsysinfo <no-dsa> (Minor issue) + [bullseye] - phpsysinfo <no-dsa> (Minor issue) NOTE: https://huntr.com/bounties/ca6d669f-fd82-4188-aae2-69e08740d982/ NOTE: https://github.com/phpsysinfo/phpsysinfo/commit/4f2cee505e4f2e9b369a321063ff2c5e0c34ba45 (v3.4.3) CVE-2023-46804 (An attacker sending specially crafted data packets to the Mobile Devic ...) @@ -679,6 +683,8 @@ CVE-2023-32230 (An improper handling of a malformed API request to an API server CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, found in O ...) - dropbear <unfixed> (bug #1059001) - erlang 1:25.3.2.8+dfsg-1 (bug #1059002) + [bookworm] - erlang <no-dsa> (Minor issue) + [bullseye] - erlang <no-dsa> (Minor issue) - golang-go.crypto <unfixed> (bug #1059003) - jsch <not-affected> (ChaCha20-Poly1305 support introduced in 0.1.61; *-EtM support introduced in 0.1.58) - libssh <unfixed> (bug #1059004) 
@@ -12113,6 +12119,8 @@ CVE-2023-39960 (Nextcloud Server provides data storage for Nextcloud, an open so - nextcloud-server <itp> (bug #941708) CVE-2023-38000 (Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability i ...) - wordpress 6.3.2+dfsg1-1 + [bookworm] - wordpress <no-dsa> (Minor issue) + [bullseye] - wordpress <not-affected> (Vulnerable code was introduced in 5.9) [buster] - wordpress <not-affected> (Vulnerable code was introduced in 5.9) NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ NOTE: https://plugins.trac.wordpress.org/changeset/2978318/gutenberg/trunk/build/block-library/blocks/post-navigation-link.php @@ -14953,7 +14961,9 @@ CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vu NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt CVE-2023-XXXX [AV1 codec parser buffer overflow] - gst-plugins-bad1.0 1.22.8-1 - - gst-plugins-bad0.10 <removed> + [bullseye] - gst-plugins-bad1.0 <not-affected> (Vulnerable code not present) + [buster] - gst-plugins-bad1.0 <not-affected> (Vulnerable code not present) + - gst-plugins-bad0.10 <not-affected> (Vulnerable code not present) NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0011.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5823 NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/890d59e97e291fe848147ebf4d5884bcec1101c9 
@@ -241920,6 +241930,8 @@ CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in P NOTE: Probably fixed with r1832 and r1836 from http://svn.code.sf.net/p/freeimage/svn/FreeImage/ CVE-2020-21426 (Buffer Overflow vulnerability in function C_IStream::read in PluginEXR ...) - freeimage <unfixed> (bug #1051736) + [bookworm] - freeimage <postponed> (Revisit when patches are available) + [bullseye] - freeimage <postponed> (Revisit when patches are available) [buster] - freeimage <postponed> (Revisit from patches are available) NOTE: https://sourceforge.net/p/freeimage/bugs/300/ NOTE: it looks like the issue is in openexr. No relevant patches in freeimage are detected ===================================== data/dsa-needed.txt ===================================== @@ -29,6 +29,8 @@ frr -- gpac/oldstable -- +gst-plugins-bad1.0 (jmm) +-- h2o (jmm) -- haproxy (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/433acc839e19a08e047c7fbfaa981de0620fc332
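Review bot: the CVE-2023-7008 hunk marks bookworm and bullseye `<no-dsa> (Minor issue)` while the unstable entry stays `<unfixed>` and the only reference is the Red Hat bugzilla NOTE; unlike the phpsysinfo and gst-plugins-bad entries touched in the same commit, it carries no upstream fix reference, so a NOTE pointing at the fixing systemd commit or pull request, once known, would let the `<unfixed>` entry be resolved to a version.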
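Review bot: in the `CVE-2023-XXXX [AV1 codec parser buffer overflow]` hunk the identifier is still a placeholder and gst-plugins-bad0.10 is flipped from `<removed>` to `<not-affected> (Vulnerable code not present)`; a short NOTE stating why the removed 0.10 package is now treated as not affected would make that reclassification traceable, and the placeholder should be replaced by the real CVE id once sa-2023-0011 has one. Leaving no bookworm line keeps bookworm affected, which is consistent with the `gst-plugins-bad1.0 (jmm)` entry added to data/dsa-needed.txt in the same commit.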
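Review bot: the unchanged buster line in the CVE-2020-21426 hunk reads `[buster] - freeimage <postponed> (Revisit from patches are available)` while the two added lines say `(Revisit when patches are available)`; since this commit already touches the adjacent lines, correcting "from" to "when" on the buster line would keep the three suite annotations consistent.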
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits