Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: bd6ce902 by Moritz Muehlenhoff at 2024-01-26T14:42:49+01:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -111,6 +111,8 @@ CVE-2023-48126 (An issue in Luxe Beauty Clinic mini-app on Line v13.6.1 allows a NOT-FOR-US: Luxe Beauty Clinic mini-app on Line CVE-2024-0914 - opencryptoki <unfixed> + [bookworm] - opencryptoki <no-dsa> (Minor issue) + [bullseye] - opencryptoki <no-dsa> (Minor issue) NOTE: https://github.com/opencryptoki/opencryptoki/issues/731 NOTE: https://github.com/opencryptoki/opencryptoki/pull/737 NOTE: https://github.com/opencryptoki/opencryptoki/commit/2ea019ee2b09f15724d808382d53baca03403288 @@ -227,11 +229,15 @@ CVE-2023-5675 NOT-FOR-US: Quarkus CVE-2023-52356 (A segment fault (SEGV) flaw was found in libtiff that could be trigger ...) - tiff <unfixed> (bug #1061524) + [bookworm] - tiff <no-dsa> (Minor issue) + [bullseye] - tiff <no-dsa> (Minor issue) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/622 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/546 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a CVE-2023-52355 (An out-of-memory flaw was found in libtiff that could be triggered by ...) - tiff <unfixed> + [bookworm] - tiff <no-dsa> (Minor issue) + [bullseye] - tiff <no-dsa> (Minor issue) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/621 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/553 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4 
@@ -275,9 +281,12 @@ CVE-2024-23641 (SvelteKit is a web development kit. In SvelteKit 2, sending a GE NOT-FOR-US: SvelteKit CVE-2024-22725 (Orthanc versions before 1.12.2 are affected by a reflected cross-site ...) - orthanc 1.12.2+dfsg-1 + [bookworm] - orthanc <no-dsa> (Minor issue) + [bullseye] - orthanc <no-dsa> (Minor issue) NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/505416b269a0 CVE-2024-22720 (Kanboard 1.2.34 is vulnerable to Html Injection in the group managemen ...) - kanboard <unfixed> + [bookworm] - kanboard <no-dsa> (Minor issue) NOTE: https://cupc4k3.medium.com/html-injection-vulnerability-in-kanboard-group-management-d9fe5154bb1b CVE-2024-22651 (There is a command injection vulnerability in the ssdpcgi_main functio ...) NOT-FOR-US: D-Link 
@@ -316,22 +325,33 @@ CVE-2023-52039 (An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 al CVE-2023-52038 (An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows a ...) NOT-FOR-US: TOTOLINK CVE-2023-51890 (An infinite loop issue discovered in Mathtex 1.05 and before allows a ...) - - mathtex <unfixed> (bug #1061520) + - mathtex <unfixed> (bug #1061520; unimportant) + NOTE: Hang in CLI tool, no security impact NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/ CVE-2023-51889 (Stack Overflow vulnerability in the validate() function in Mathtex v.1 ...) - mathtex <unfixed> (bug #1061520) + [bookworm] - mathtex <no-dsa> (Minor issue) + [bullseye] - mathtex <no-dsa> (Minor issue) NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/ CVE-2023-51888 (Buffer Overflow vulnerability in the nomath() function in Mathtex v.1. ...) - mathtex <unfixed> (bug #1061520) + [bookworm] - mathtex <no-dsa> (Minor issue) + [bullseye] - mathtex <no-dsa> (Minor issue) NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/ CVE-2023-51887 (Command Injection vulnerability in Mathtex v.1.05 and before allows a ...) - mathtex <unfixed> (bug #1061520) + [bookworm] - mathtex <no-dsa> (Minor issue) + [bullseye] - mathtex <no-dsa> (Minor issue) NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/ CVE-2023-51886 (Buffer Overflow vulnerability in the main() function in Mathtex 1.05 a ...) - mathtex <unfixed> (bug #1061520) + [bookworm] - mathtex <no-dsa> (Minor issue) + [bullseye] - mathtex <no-dsa> (Minor issue) NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/ CVE-2023-51885 (Buffer Overflow vulnerability in Mathtex v.1.05 and before allows a re ...) - mathtex <unfixed> (bug #1061520) + [bookworm] - mathtex <no-dsa> (Minor issue) + [bullseye] - mathtex <no-dsa> (Minor issue) NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/ CVE-2023-51702 (Since version 5.2.0, when using deferrable mode with the path of a Kub ...) 
- airflow <itp> (bug #819700) @@ -775,9 +795,11 @@ CVE-2024-23675 (In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app CVE-2024-23345 (Nautobot is a Network Source of Truth and Network Automation Platform ...) NOT-FOR-US: Nautobot CVE-2024-23342 (The `ecdsa` PyPI package is a pure Python implementation of ECC (Ellip ...) - - python-ecdsa <unfixed> + - python-ecdsa <unfixed> (unimportant) NOTE: https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp NOTE: https://minerva.crocs.fi.muni.cz/ + NOTE: Side channel attacks not covered by their security policy: + NOTE: https://github.com/tlsfuzzer/python-ecdsa/blob/master/SECURITY.md CVE-2024-23340 (@hono/node-server is an adapter that allows users to run Hono applicat ...) NOT-FOR-US: Hono CVE-2024-23339 (hoolock is a suite of lightweight utilities designed to maintain a sma ...) @@ -927,6 +949,8 @@ CVE-2024-23750 (MetaGPT through 0.6.4 allows the QaEngineer role to execute arbi NOT-FOR-US: MetaGPTLlamaIndex CVE-2024-23744 (An issue was discovered in Mbed TLS 3.5.1. There is persistent handsha ...) - mbedtls <unfixed> + [bookworm] - mbedtls <no-dsa> (Minor issue) + [bullseye] - mbedtls <no-dsa> (Minor issue) NOTE: https://github.com/Mbed-TLS/mbedtls/issues/8694 NOTE: https://github.com/Mbed-TLS/mbedtls/pull/8595 CVE-2024-22113 (Open redirect vulnerability in Access analysis CGI An-Analyzer release ...) @@ -953,6 +977,8 @@ CVE-2023-52354 (chasquid before 1.13 allows SMTP smuggling because LF-terminated NOTE: https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24 CVE-2023-52353 (An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_sess ...) - mbedtls <unfixed> + [bookworm] - mbedtls <no-dsa> (Minor issue) + [bullseye] - mbedtls <no-dsa> (Minor issue) NOTE: https://github.com/Mbed-TLS/mbedtls/issues/8654 CVE-2023-47352 (Technicolor TC8715D devices have predictable default WPA2 security pas ...) NOT-FOR-US: Technicolor 
@@ -1286,6 +1312,7 @@ CVE-2023-32337 (IBM Maximo Spatial Asset Management 8.10 is vulnerable to server NOT-FOR-US: IBM CVE-2024-0690 [possible information leak in tasks that ignore ANSIBLE_NO_LOG configuration] - ansible-core <unfixed> (bug #1061156) + [bookworm] - ansible-core <no-dsa> (Minor issue) - ansible 5.4.0-1 [bullseye] - ansible <no-dsa> (Minor issue) NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid @@ -61510,6 +61537,8 @@ CVE-2023-0438 (Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/mo NOT-FOR-US: Modoboa CVE-2023-0437 (When calling bson_utf8_validateon some inputs a loop with an exit cond ...) - mongo-c-driver 1.25.0-1 + [bookworm] - mongo-c-driver <no-dsa> (Minor issue) + [bullseye] - mongo-c-driver <no-dsa> (Minor issue) [buster] - mongo-c-driver <ignored> (Minor issue) NOTE: https://jira.mongodb.org/browse/CDRIVER-4747 CVE-2023-0436 (The affected versions of MongoDB Atlas Kubernetes Operator may print s ...) ===================================== data/dsa-needed.txt ===================================== @@ -37,6 +37,7 @@ nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- openjdk-17 (jmm) + latest release needs backport of jtreg7 for bookworm -- php-cas/oldstable -- @@ -89,6 +90,8 @@ squid (apo) -- varnish -- +zabbix +-- zbar (carnil) Prepared update but needs some additional testing before the release -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd6ce902fa291fdf1f91df60c2c26ba72b8c2722 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd6ce902fa291fdf1f91df60c2c26ba72b8c2722 You're receiving this email because of your account on salsa.debian.org.
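Review bot: in the libtiff hunk (@@ -227,11 +229,15 @@), CVE-2023-52355 receives the same bookworm/bullseye no-dsa tags as CVE-2023-52356 but carries no Debian bug reference, while the 52356 entry has "(bug #1061524)". If #1061524 covers both upstream issues (621 and 622), the same bug reference should be added to the 52355 entry; otherwise a separate bug should be filed so that the no-dsa entry has a tracking bug to follow up on.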
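Review bot: the CVE-2024-22720 entry in the kanboard hunk (@@ -275,9 +281,12 @@) only adds "[bookworm] - kanboard <no-dsa> (Minor issue)" with no matching [bullseye] line, whereas the orthanc entry in the same hunk and every other no-dsa entry in this commit tag both releases. If kanboard is not shipped in bullseye this is fine, but if it is, the bullseye line should be added so the triage of this CVE is not left half done.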
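Review bot: in the mathtex hunk (@@ -316,22 +325,33 @@), only the CVE-2023-51890 downgrade to unimportant is given a rationale ("NOTE: Hang in CLI tool, no security impact"); the five no-dsa tags for CVE-2023-51885 through CVE-2023-51889 carry none, and one of them (CVE-2023-51887) is described as a command injection rather than a crash. A short NOTE stating why the command injection is also treated as a minor issue (for example the same CLI-only exposure) would let later reviewers of the bookworm/bullseye tags follow the reasoning without re-reading the linked fuzzing write-up.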
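Review bot: in the python-ecdsa hunk (@@ -775,9 +795,11 @@), the added note "Side channel attacks not covered by their security policy" records upstream's position on CVE-2024-23342, but by itself it does not say whether a fix is expected at all. Since the choice of unimportant here, as opposed to the no-dsa tags used for the other entries in this commit, rests on that point, consider extending the NOTE to state whether upstream intends to address the timing side channel, so the tag can be revisited if a fix lands.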
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits