Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: e53d3556 by Moritz Muehlenhoff at 2024-11-16T20:19:51+01:00 triage older issues - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -16187,6 +16187,7 @@ CVE-2024-8897 (Under certain conditions, an attacker with the ability to redirec NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-45/#CVE-2024-8897 CVE-2024-8796 (Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & ...) - ruby-devise-two-factor <unfixed> (bug #1082382) + [bookworm] - ruby-devise-two-factor <ignored> (Minor issue) NOTE: https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-qjxf-mc72-wjr2 CVE-2024-8767 (Sensitive data disclosure and manipulation due to unnecessary privileg ...) NOT-FOR-US: Acronis @@ -57667,12 +57668,12 @@ CVE-2024-33665 (angular-translate through 2.19.1 allows XSS via a crafted key th NOT-FOR-US: angular-translate CVE-2024-33664 (python-jose through 3.3.0 allows attackers to cause a denial of servic ...) - python-jose <removed> (bug #1070375) - [bookworm] - python-jose <no-dsa> (Minor issue) + [bookworm] - python-jose <ignored> (Minor issue) NOTE: https://github.com/mpdavis/python-jose/issues/344 NOTE: https://github.com/mpdavis/python-jose/pull/345 CVE-2024-33663 (python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA k ...) - python-jose <removed> (bug #1070375) - [bookworm] - python-jose <no-dsa> (Minor issue) + [bookworm] - python-jose <ignored> (Minor issue) NOTE: https://github.com/mpdavis/python-jose/issues/346 CVE-2024-33661 (Portainer before 2.20.0 allows redirects when the target is not index. ...) NOT-FOR-US: Portainer 
@@ -70521,9 +70522,12 @@ CVE-2024-23523 (Exposure of Sensitive Information to an Unauthorized Actor vulne CVE-2024-23298 (A logic issue was addressed with improved state management.) NOT-FOR-US: Apple CVE-2024-22513 (djangorestframework-simplejwt version 5.3.1 and before is vulnerable t ...) - - python-djangorestframework-simplejwt <unfixed> (bug #1067641) - [bookworm] - python-djangorestframework-simplejwt <no-dsa> (Minor issue) + - python-djangorestframework-simplejwt <unfixed> (unimportant; bug #1067641) NOTE: https://github.com/dmdhrumilmistry/CVEs/tree/main/CVE-2024-22513 + NOTE: https://github.com/jazzband/djangorestframework-simplejwt/issues/805 + NOTE: https://github.com/jazzband/djangorestframework-simplejwt/issues/779 + NOTE: https://github.com/jazzband/djangorestframework-simplejwt/issues/779 + NOTE: Questionable CVE: This is an insecure interface, not a vulnerability per se CVE-2024-22259 (Applications that use UriComponentsBuilder in Spring Frameworkto parse ...) - libspring-java <unfixed> (unimportant) NOTE: https://spring.io/security/cve-2024-22259 @@ -96559,7 +96563,7 @@ CVE-2023-47117 (Label Studio is an open source data labeling tool. In all curren CVE-2023-46446 (An issue in AsyncSSH before 2.14.1 allows attackers to control the rem ...) {DLA-3899-1} - python-asyncssh 2.15.0-1 (bug #1055999) - [bookworm] - python-asyncssh <no-dsa> (Minor issue) + [bookworm] - python-asyncssh <ignored> (Minor issue) [buster] - python-asyncssh <no-dsa> (Minor issue) NOTE: https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm NOTE: https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e (v2.14.1) 
@@ -178417,7 +178421,7 @@ CVE-2022-3168 REJECTED CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...) - openvswitch <unfixed> (bug #1021740) - [bookworm] - openvswitch <no-dsa> (Minor issue) + [bookworm] - openvswitch <postponed> (Minor issue, revisit when fixed upstream) [bullseye] - openvswitch <no-dsa> (Minor issue) [buster] - openvswitch <no-dsa> (Minor issue) NOTE: https://arxiv.org/abs/2011.09107
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e53d3556dcd81217b1aa2e7c69e203ceab4ae0e3
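Review bot: In the CVE-2024-22513 hunk the line "NOTE: https://github.com/jazzband/djangorestframework-simplejwt/issues/779" is added twice in a row. Drop the second copy, or, if a third upstream reference was intended, replace it with that issue's URL. The closing "Questionable CVE" NOTE is what justifies the move to unimportant and the removal of the separate [bookworm] <no-dsa> line, so it is worth keeping directly under the package line where the rating is read.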
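Review bot: In the CVE-2023-46446 hunk, [bookworm] python-asyncssh goes from <no-dsa> to <ignored> with the reason still reading only "Minor issue", although the same entry carries {DLA-3899-1} and a NOTE pointing at the upstream fix commit (v2.14.1). With an advisory already issued for this CVE and an identified fix available, the reason text should say why bookworm will not receive it; otherwise leaving the state at <no-dsa> keeps a point-release fix possible. The same applies to the other hunks that switch [bookworm] to <ignored> without changing the "(Minor issue)" text: the state changes but the recorded justification does not.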