Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4b58d06b by Moritz Muehlenhoff at 2024-01-29T09:59:40+01:00
bookworm/bullseye triage

- - - - -

1 changed file:
- data/CVE/list

Changes:

=====================================
data/CVE/list
=====================================
@@ -72,18 +72,24 @@ CVE-2024-23506 (Exposure of Sensitive Information to an Unauthorized Actor vulne NOT-FOR-US: WordPress plugin CVE-2024-22862 (Integer overflow vulnerability in FFmpeg before n6.1, allows remote at ...) - ffmpeg 7:6.1-1 + [bookworm] - ffmpeg <not-affected> (jpegxl support added in 6.1) + [bullseye] - ffmpeg <not-affected> (jpegxl support added in 6.1) + [buster] - ffmpeg <not-affected> (jpegxl support added in 6.1) NOTE: https://github.com/FFmpeg/FFmpeg/commit/ca09d8a0dcd82e3128e62463231296aaf63ae6f7 (n6.1) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62113 - TODO: check details for older versions CVE-2024-22861 (Integer overflow vulnerability in FFmpeg before n6.1, allows attackers ...) - ffmpeg 7:6.1-1 + [bookworm] - ffmpeg <not-affected> (osq support added in 6.1) + [bullseye] - ffmpeg <not-affected> (osq support added in 6.1) + [buster] - ffmpeg <not-affected> (osq support added in 6.1) NOTE: https://github.com/FFmpeg/FFmpeg/commit/87b8c1081959e45ffdcbabb3d53ac9882ef2b5ce (n6.1) - TODO: check details for older versions CVE-2024-22860 (Integer overflow vulnerability in FFmpeg before n6.1, allows remote at ...) - ffmpeg 7:6.1-1 + [bookworm] - ffmpeg <not-affected> (jpegxl support added in 6.1) + [bullseye] - ffmpeg <not-affected> (jpegxl support added in 6.1) + [buster] - ffmpeg <not-affected> (jpegxl support added in 6.1) NOTE: https://github.com/FFmpeg/FFmpeg/commit/d2e8974699a9e35cc1a926bf74a972300d629cd5 (n6.1) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61991 - TODO: check details for older versions CVE-2024-22283 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2024-22147 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) 
@@ -115,6 +121,8 @@ CVE-2023-6470 CVE-2023-52389 (UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer overflow a ...) [experimental] - poco 1.13.0-1 - poco <unfixed> + [bookworm] - poco <no-dsa> (Minor issue) + [bullseye] - poco <no-dsa> (Minor issue) NOTE: https://pocoproject.org/blog/?p=1226 NOTE: https://github.com/pocoproject/poco/issues/4320 NOTE: https://github.com/pocoproject/poco/commit/62f875dfe1298041289f926a6a1a39cb765b13ee @@ -133,7 +141,8 @@ CVE-2024-0444 [GStreamer-SA-2024-0001: AV1 codec parser potential buffer overflo NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5970 NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/394d5066f8a7b728df02fe9084e955b2f7d7f6fe (1.22.9) CVE-2023-46045 [buffer overflow via a crafted config6a file] - - graphviz 2.42.2-8 + - graphviz 2.42.2-8 (unimportant) + NOTE: Crosses no security boundary, config files are under local control NOTE: https://gitlab.com/graphviz/graphviz/-/issues/2441 NOTE: Introduced by: https://gitlab.com/graphviz/graphviz/-/commit/cf95714837f06f684929b54659523c2c9b1fc19f (2.38.0) NOTE: Fixed by: https://gitlab.com/graphviz/graphviz/-/commit/361f274ca901c3c476697a6404662d95f4dd43cb @@ -707,6 +716,8 @@ CVE-2024-23897 (Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disa - jenkins <removed> CVE-2024-XXXX [RUSTSEC-2024-0006] - rust-shlex 1.3.0-1 + [bookworm] - rust-shlex <no-dsa> (Minor issue) + [bullseye] - rust-shlex <no-dsa> (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0006.html NOTE: https://github.com/comex/rust-shlex/security/advisories/GHSA-r7qv-8r2h-pg27 CVE-2024-23638 (Squid is a caching proxy for the Web. Due to an expired pointer refere ...) 
@@ -53765,10 +53776,10 @@ CVE-2023-27044 CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-mail ad ...) - python3.12 <unfixed> (bug #1059299) - python3.11 <unfixed> (bug #1059298) - [bookworm] - python3.11 <no-dsa> (Minor issue) + [bookworm] - python3.11 <postponed> (Minor issue, wait until upstream has decided whether to backport to older branches) - python3.10 <unfixed> - python3.9 <removed> - [bullseye] - python3.9 <no-dsa> (Minor issue) + [bullseye] - python3.9 <postponed> (Minor issue, wait until upstream has decided whether to backport to older branches) - python3.7 <removed> [buster] - python3.7 <postponed> (Minor issue) - python2.7 <removed> @@ -53946,6 +53957,7 @@ CVE-2023-26965 (loadImage() in tools/tiffcrop.c in LibTIFF through 4.5.0 has a h NOTE: https://gitlab.com/libtiff/libtiff/-/commit/ec8ef90c1f573c9eb1f17d6a056aa0015f184acf (v4.5.1rc1) CVE-2023-26964 (An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occ ...) - rust-h2 0.3.13-2 (bug #1034723) + [bookworm] - rust-h2 <no-dsa> (Minor issue) [buster] - rust-h2 <no-dsa> (Minor issue) NOTE: https://github.com/hyperium/hyper/issues/2877 NOTE: https://github.com/hyperium/h2/commit/5bc8e72e5fcbd8ae2d3d9bc78a1c0ef0040bcc39 (v0.3.17) 
@@ -105290,14 +105302,20 @@ CVE-2022-36766 RESERVED CVE-2022-36765 (EDK2 is susceptible to a vulnerability in the CreateHob() function, al ...) - edk2 2023.11-5 (bug #1060408) + [bookworm] - edk2 <no-dsa> (Minor issue) + [bullseye] - edk2 <no-dsa> (Minor issue) NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-ch4w-v7m3-g8wx NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=4166 CVE-2022-36764 (EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() fun ...) - edk2 2023.11-5 (bug #1060408) + [bookworm] - edk2 <no-dsa> (Minor issue) + [bullseye] - edk2 <no-dsa> (Minor issue) NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-4hcq-p8q8-hj8j NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=4118 CVE-2022-36763 (EDK2 is susceptible to a vulnerability in the Tcg2MeasureGptTable() fu ...) - edk2 2023.11-5 (bug #1060408) + [bookworm] - edk2 <no-dsa> (Minor issue) + [bullseye] - edk2 <no-dsa> (Minor issue) NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-xvv8-66cq-prwr NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=4117 CVE-2022-36762 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b58d06b2a012cb4b09e2829a775e1b51337af69 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b58d06b2a012cb4b09e2829a775e1b51337af69 You're receiving this email because of your account on salsa.debian.org.
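Review bot: the three new <not-affected> lines for CVE-2024-22862, CVE-2024-22861 and CVE-2024-22860 justify the tag with "jpegxl support added in 6.1" / "osq support added in 6.1", but the NOTE lines only reference the fixing commits (n6.1), so the claim that the affected code is absent from the older suites cannot be verified from the entry itself. Following the "Introduced by:" convention used in the graphviz entry in this same patch, consider adding a NOTE pointing at the commits that introduced the jpegxl and osq support, which also documents why the TODO lines could be dropped.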
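Review bot: in the CVE-2023-52389 hunk the new "[bookworm] - poco <no-dsa> (Minor issue)" and "[bullseye] - poco <no-dsa> (Minor issue)" lines give no reason beyond "Minor issue" while unstable stays <unfixed>; since the entry already links the upstream fix (commit 62f875dfe1298041289f926a6a1a39cb765b13ee), a short phrase on why the UTF32Encoding integer overflow is considered minor would make the no-dsa decision auditable when the entry is revisited.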
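Review bot: the new rationale NOTE in the CVE-2023-46045 hunk ("Crosses no security boundary, config files are under local control") is the right place for the reasoning, but "config files" is broader than the entry's own description, which names a crafted config6a file; narrowing the NOTE to that file keeps it aligned with the description and with the upstream issue linked directly below it.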
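Review bot: the "CVE-2024-XXXX [RUSTSEC-2024-0006]" entry receives "[bookworm] - rust-shlex <no-dsa> (Minor issue)" and "[bullseye] - rust-shlex <no-dsa> (Minor issue)" while still carrying the placeholder id; the RUSTSEC and GHSA links identify the issue well enough, but the placeholder needs to be replaced with the assigned CVE once it appears, and the suite tags added here should be carried over at that point rather than re-triaged.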
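Review bot: in the CVE-2023-27043 hunk the bookworm and bullseye lines move from <no-dsa> to <postponed> with the rationale "wait until upstream has decided whether to backport to older branches", but the unchanged "[buster] - python3.7 <postponed> (Minor issue)" line directly below keeps the old generic reason; if the same upstream decision is what blocks buster, carrying the identical rationale onto that line keeps the three suites consistent.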
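Review bot: the CVE-2023-26964 hunk adds "[bookworm] - rust-h2 <no-dsa> (Minor issue)" next to the existing "[buster] - rust-h2 <no-dsa> (Minor issue)" line, yet there is no [bullseye] line even though the commit is a bookworm/bullseye triage; either bullseye does not ship rust-h2, in which case nothing is missing, or the line was overlooked, and a quick check of the bullseye package list before merging would settle it.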
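Review bot: the three edk2 hunks (CVE-2022-36765, CVE-2022-36764, CVE-2022-36763) add identical "<no-dsa> (Minor issue)" tags for bookworm and bullseye; all three share bug #1060408 and the 2023.11-5 fix, so the decision is internally consistent, but the descriptions name distinct code paths (CreateHob(), Tcg2MeasurePeImage(), Tcg2MeasureGptTable()) and a one-phrase reason for why these are minor in the Debian edk2 builds would help the next triager more than the generic label.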
_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits