Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a4f5e667 by Moritz Muehlenhoff at 2024-04-05T15:59:05+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -88,12 +88,14 @@ CVE-2024-30263 (macro-pdfviewer is a PDF Viewer Macro for 
XWiki using Mozilla pd
        NOT-FOR-US: PDF Viewer Macro for XWiki
 CVE-2024-30261 (Undici is an HTTP/1.1 client, written from scratch for 
Node.js. An att ...)
        - node-undici 5.28.4+dfsg1+~cs23.12.11-1
+       [bookworm] - node-undici <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672
        NOTE: 
https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055
 (v5.28.4)
        NOTE: 
https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3
 (v6.11.1)
        NOTE: https://hackerone.com/reports/2377760
 CVE-2024-30260 (Undici is an HTTP/1.1 client, written from scratch for 
Node.js. Undici ...)
        - node-undici 5.28.4+dfsg1+~cs23.12.11-1
+       [bookworm] - node-undici <no-dsa> (Minor issue)
        NOTE: 
https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7
        NOTE: 
https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f
 (v5.28.4)
        NOTE: 
https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75
 (v6.11.1)
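Review bot: both undici entries carry a fix commit on the 5.x branch (2b39440b for CVE-2024-30261 and 64e3402d for CVE-2024-30260, both tagged v5.28.4), and the unstable fix is 5.28.4+dfsg1+~cs23.12.11-1, so the bookworm `<no-dsa>` tag leaves a cheap cherry-pick on the table. If the intent is to pick these up in a bookworm point release rather than drop them, say so in the reason string ("Minor issue, fix via point release" is the form used elsewhere in the tracker) so the next triager does not have to re-derive that from the commit list.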
@@ -446,7 +448,9 @@ CVE-2023-45288 (An attacker may cause an HTTP/2 endpoint to 
read arbitrary amoun
        - golang-1.22 1.22.2-1
        - golang-1.21 1.21.9-1
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        - golang-golang-x-net 1:0.23.0+dfsg-1
        NOTE: https://github.com/golang/go/issues/65051
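Review bot: the new `[bookworm]`/`[bullseye]` lines annotate the `<removed>` golang-1.19 and golang-1.15 compilers, but golang-golang-x-net, which carries the HTTP/2 fix (fixed in unstable at 1:0.23.0+dfsg-1), gets no suite annotation in this hunk. For consistency either add the same `<no-dsa> (Minor issue)` tag to golang-golang-x-net for bookworm and bullseye, or leave a NOTE explaining why the library is handled differently from the compilers. golang-1.11 `<removed>` likewise has no buster line; if buster is intentionally left to LTS, that is fine, but an explicit `[buster]` line would make the decision visible.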
@@ -1920,6 +1924,7 @@ CVE-2024-XXXX [mediawiki: XSS in edit summary parser]
 CVE-2024-XXXX [mediawiki:  Denial of service vector via GET request to 
Special:MovePage on pages with thousands of subpages]
        - mediawiki 1:1.39.7-1
        [bookworm] - mediawiki 1:1.39.7-1~deb12u1
+       [bullseye] - mediawiki 1:1.35.13-1+deb11u2
        NOTE: 
https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/V3WXEPXV2DU6WTVEKK4XHW4QXD5OFKD7/
        NOTE: https://phabricator.wikimedia.org/T357760
        NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1015423
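Review bot: the bullseye fixed version 1:1.35.13-1+deb11u2 is recorded under an entry whose identifier is still the `CVE-2024-XXXX` placeholder. That is fine as a holding position, but the placeholder needs to be replaced once the CVE is assigned, since the suite-specific fixed versions are what the DLA/DSA tooling will key on; a NOTE pointing at the bullseye upload (DLA or changelog) would also help the next person correlate the +deb11u2 version with this particular issue rather than with the neighbouring `CVE-2024-XXXX [mediawiki: XSS in edit summary parser]` entry.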
@@ -3269,11 +3274,12 @@ CVE-2023-46046 (An issue in MiniZinc before 2.8.0 
allows a NULL pointer derefere
        NOTE: 
https://github.com/MiniZinc/libminizinc/commit/afe67acc20898e4308044b54c4acf7a08df544f0
 (2.8.0)
        NOTE: Negligible security impact, crash in CLI tool
 CVE-2023-45935 (Qt 6 through 6.6 was discovered to contain a NULL pointer 
dereference  ...)
-       - qt6-base <unfixed>
-       - qtbase-opensource-src <unfixed>
-       - qtbase-opensource-src-gles <unfixed>
+       - qt6-base <unfixed> (unimportant)
+       - qtbase-opensource-src <unfixed> (unimportant)
+       - qtbase-opensource-src-gles <unfixed> (unimportant)
        NOTE: https://bugreports.qt.io/browse/QTBUG-115599
        NOTE: 
https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=df77d8939d1c04aa18833fe1e141bb71af1f8e04
 (v6.5.3)
+       NOTE: No security impact
 CVE-2023-45931 (Mesa 23.0.4 was discovered to contain a NULL pointer 
dereference in ch ...)
        - mesa <unfixed> (unimportant)
        NOTE: https://gitlab.freedesktop.org/mesa/mesa/-/issues/9859
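Review bot: the added `NOTE: No security impact` is less specific than the neighbouring rationale lines (the MiniZinc entry above says "Negligible security impact, crash in CLI tool"). Since the CVE text itself describes a NULL pointer dereference, spell out the reasoning in the same style, e.g. `NOTE: No security impact, NULL pointer dereference (crash) only`, so that a later reader can tell whether the `unimportant` rating rests on the crash being the worst case or on the code path being unreachable from untrusted input. The `<unfixed> (unimportant)` form with a fix commit already referenced (df77d893, v6.5.3) is the tracker's usual convention and is fine.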
@@ -4056,6 +4062,8 @@ CVE-2024-30161 (In Qt before 6.5.6 and 6.6.x before 
6.6.3, the wasm component ma
        TODO: check details
 CVE-2024-30156 (Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 
6.0.13 L ...)
        - varnish <unfixed>
+       [bookworm] - varnish <ignored> (Minor issue, too intrusive to backport)
+       [bullseye] - varnish <ignored> (Minor issue, too intrusive to backport)
        NOTE: https://varnish-cache.org/security/VSV00014.html
        NOTE: 
https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#cve-2024-30156
        NOTE: 
https://github.com/varnishcache/varnish-cache/commit/c0201724f0280894ec714fe76fc26ba9831f0551
 (varnish-7.5.0)
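Review bot: the reason string "too intrusive to backport" is worth qualifying, because the CVE description itself says upstream fixed this in the 6.0 LTS series as well ("and before 6.0.13"), not only in 7.3.2/7.4.3/7.5.0. The referenced commit c0201724 is the 7.5.0 one; if the 6.0.13 backport was also looked at and judged too large for bookworm/bullseye, add a NOTE saying so (and ideally pointing at the 6.0 branch change), otherwise `<ignored>` reads as if only the 7.5 patch was evaluated. Also note that `<ignored>` is stronger than `<no-dsa>`: it rules out a point-release fix too, so the reason should stand on its own.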
@@ -5198,6 +5206,7 @@ CVE-2023-6597 (An issue was found in the CPython 
`tempfile.TemporaryDirectory` c
        - python3.11 3.11.8-1
        - python3.10 <unfixed>
        - python3.9 <removed>
+       [bullseye] - python3.9 <no-dsa> (Minor issue)
        - python3.7 <removed>
        - python2.7 <not-affected> (tempfile.TemporaryDirectory added in 3.2)
        NOTE: https://github.com/python/cpython/pull/99930
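Review bot: python3.9 gets a bullseye `<no-dsa>` line, but python3.11 (fixed in unstable at 3.11.8-1) still has no `[bookworm]` annotation in this entry, and python3.10 remains `<unfixed>` with no suite line either. If bookworm's python3.11 is affected, record the triage decision for it here in the same form (`[bookworm] - python3.11 <no-dsa> (Minor issue)` or a fixed version), so that the bookworm status is not left implicit while the bullseye status is explicit.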
@@ -7324,6 +7333,7 @@ CVE-2023-28746 (Information exposure through 
microarchitectural state after tran
        [buster] - intel-microcode <postponed> (Decide after exposure on 
unstable for update)
        - linux 6.7.9-2
        - xen <unfixed>
+       [bookworm] - xen <postponed> (Minor issue, fix along in next DSA)
        [bullseye] - xen <end-of-life> (EOLed in Bullseye)
        [buster] - xen <end-of-life> (DSA 4677-1)
        NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00898.html
@@ -37802,6 +37812,8 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of 
service (server resource
        - dnsdist 1.8.2-2
        [buster] - dnsdist <not-affected> (HTTP/2 support was added later)
        - varnish <unfixed> (bug #1056156)
+       [bookworm] - varnish <ignored> (Minor issue, too intrusive to backport)
+       [bullseye] - varnish <ignored> (Minor issue, too intrusive to backport)
        NOTE: Tomcat: 
https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49
 (10.1.14)
        NOTE: Tomcat: 
https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a
 (9.0.81)
        NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, 
using that as the fixed version
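Review bot: the new varnish `<ignored>` lines reuse the "Minor issue, too intrusive to backport" reason from CVE-2024-30156, which keeps the two entries consistent, but for a widely exploited HTTP/2 server DoS a one-line justification for "Minor issue" would help: if the rating rests on HTTP/2 being off by default in the bookworm/bullseye varnish builds (so only explicitly opted-in deployments are exposed), record that as a NOTE next to the existing `(bug #1056156)` reference rather than leaving it to be inferred. As with the other entry, `<ignored>` also closes off a point-release fix, so the reason should say so explicitly if that is intended.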


=====================================
data/dsa-needed.txt
=====================================
@@ -88,8 +88,6 @@ salt/oldstable
 --
 squid
 --
-varnish
---
 webkit2gtk (berto)
 --
 wpa
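Review bot: dropping `varnish` from dsa-needed.txt matches the `<ignored>` annotations added for CVE-2024-30156 and CVE-2023-44487 in data/CVE/list, but those are the only two varnish issues touched in this commit; before removing the entry, confirm that no other open varnish issue in bookworm still needs a DSA, since removal here hides the package from the DSA queue entirely.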



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4f5e6679564093912e4b6505c181a4c5aa6b261

-- 
You're receiving this email because of your account on salsa.debian.org.


_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
