Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: 7cc72079 by Markus Koschany at 2024-10-02T21:03:09+02:00 wordpress: Triage 2024 CVE for bullseye Wordpress in bullseye is not affected. The vulnerable code was introduced in later versions. - - - - - 8ea67110 by Markus Koschany at 2024-10-02T21:03:11+02:00 CVE-2023-5692,wordpress: bullseye is ignored Minor issue. Bullseye is affected but the worst case is the exposing of a custom slug. - - - - - c8739aa1 by Markus Koschany at 2024-10-02T21:03:11+02:00 Remove wordpress from dla-needed.txt After a closer inspection, I found that the latest security release for the 5.7.x branch only fixes a security vulnerability when Wordpress is hosted on a Windows server. Apparently no CVE has been assigned so far. In Debian terms this would be an "unimportant" issue anyway. All other open CVE have been triaged individually. There is nothing to do at the moment. - - - - - b484203b by Markus Koschany at 2024-10-02T21:04:09+02:00 Reclaim ffmpeg in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -22092,6 +22092,7 @@ CVE-2024-6308 (A vulnerability was found in itsourcecode Simple Online Hotel Res NOT-FOR-US: itsourcecode Simple Online Hotel Reservation System CVE-2024-6307 (WordPress Core is vulnerable to Stored Cross-Site Scripting via the HT ...) - wordpress 6.5.5+dfsg1-1 (bug #1074486) + [bullseye] - wordpress <not-affected> (The vulnerable code was introduced later) NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/ NOTE: https://core.trac.wordpress.org/changeset/58473 NOTE: https://core.trac.wordpress.org/changeset/58472 
@@ -22200,6 +22201,7 @@ CVE-2024-32111 (Improper Limitation of a Pathname to a Restricted Directory ('Pa NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/ CVE-2024-31111 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...) - wordpress 6.5.5+dfsg1-1 (bug #1074486) + [bullseye] - wordpress <not-affected> (The vulnerable code was introduced later) NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/ CVE-2024-28832 (Stored XSS in the Crash Report page in Checkmk before versions 2.3.0p7 ...) - check-mk <removed> @@ -47063,6 +47065,7 @@ CVE-2024-3832 (Object corruption in V8 in Google Chrome prior to 124.0.6367.60 a [buster] - chromium <end-of-life> (see DSA 5046) CVE-2024-4439 (WordPress Core is vulnerable to Stored Cross-Site Scripting via user d ...) - wordpress 6.5.2+dfsg1-1 (bug #1069091) + [bullseye] - wordpress <not-affected> (The vulnerable code was introduced later) NOTE: https://wpscan.com/blog/unauthenticated-stored-xss-fixed-in-wordpress-core/ NOTE: https://wordpress.org/news/2024/04/wordpress-6-5-2-maintenance-and-security-release/ NOTE: https://core.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=57950%40%2F&new=57950%40%2F&sfp_email=&sfph_mail=#file3 @@ -50482,6 +50485,7 @@ CVE-2023-6522 (Incorrect Use of Privileged APIs vulnerability in ExtremePacs Ext NOT-FOR-US: ExtremePacs Extreme XDS CVE-2023-5692 (WordPress Core is vulnerable to Sensitive Information Exposure in vers ...) - wordpress 6.5+dfsg1-1 + [bullseye] - wordpress <ignored> (Minor issue) NOTE: https://core.trac.wordpress.org/changeset/57645 CVE-2023-49965 (SpaceX Starlink Wi-Fi router Gen 2 before 2023.48.0 allows XSS via the ...) NOT-FOR-US: SpaceX Starlink Wi-Fi router ===================================== data/dla-needed.txt ===================================== 
@@ -82,7 +82,7 @@ exim4 (Markus Koschany) NOTE: 20240815: Consider fixing older postponed CVEs as well (Beuc/front-desk) NOTE: 20240923: Currently testing the update. (apo) -- -ffmpeg +ffmpeg (Markus Koschany) NOTE: 20240815: Added by Front-Desk (Beuc) NOTE: 20240815: Upgrade to 4.3.8 (same approach as DSA-5748-1) (Beuc/front-desk) NOTE: 20240911: Update prepared in git and tested, waiting for CI pipeline @@ -250,9 +250,6 @@ upx-ucl webkit2gtk NOTE: 20240926: Added by Front-Desk (lamby) -- -wordpress (apo) - NOTE: 20240922: Added by Front-Desk (apo) --- zabbix (tobi) NOTE: 20240126: Added by oldstable Security Team (jmm) NOTE: 20240815: sync fixes from bookworm and buster View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9e5bca2c14e9b0dd85c6394f89cc905c18af083a...b484203b63cf8b2abc3d3e7504b81cc83868d94a
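Review bot: The three `[bullseye] - wordpress <not-affected> (The vulnerable code was introduced later)` lines added in data/CVE/list under CVE-2024-6307, CVE-2024-31111 and CVE-2024-4439 name no version or changeset in which the vulnerable code first appeared, so the not-affected claim cannot be checked from the tracker entry alone. Consider adding a NOTE under each entry, beside the existing NOTE lines, that identifies the upstream release or changeset introducing the code.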
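Review bot: In the CVE-2023-5692 hunk of data/CVE/list, the added line `[bullseye] - wordpress <ignored> (Minor issue)` leaves out the rationale that the commit message gives: bullseye is affected, and the worst case is exposure of a custom slug. Putting that reason in the parenthesised text, or in a NOTE next to the changeset/57645 link, would let tracker readers see why an affected release is ignored without consulting the git log.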
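Review bot: The last data/dla-needed.txt hunk (`@@ -250,9 +250,6 @@`) removes the wordpress entry, but the reason for the removal, that the latest 5.7.x security release only fixes an issue for Windows-hosted installs and has no CVE assigned, is recorded only in the commit message. The entry had been added by Front-Desk on 20240922, so keeping that finding somewhere in the tracker data would make it less likely that the package is re-added at a later triage round for the same release.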