Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 50881314 by Moritz Muehlenhoff at 2024-02-09T13:51:00+01:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -588,6 +588,8 @@ CVE-2024-1283 (Heap buffer overflow in Skia in Google Chrome prior to 121.0.6167 [buster] - chromium <end-of-life> (see DSA 5046) CVE-2024-24680 (An issue was discovered in Django 3.2 before 3.2.24, 4.2 before 4.2.10 ...) - python-django 3:4.2.10-1 + [bookworm] - python-django <postponed> (Minor issue, fix along in future update) + [bullseye] - python-django <postponed> (Minor issue, fix along in future update) NOTE: https://www.openwall.com/lists/oss-security/2024/02/06/2 NOTE: https://www.djangoproject.com/weblog/2024/feb/06/security-releases/ NOTE: https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9 (main) @@ -937,11 +939,13 @@ CVE-2024-24262 (media-server v1.0.0 was discovered to contain a Use-After-Free ( CVE-2024-24260 (media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) v ...) NOT-FOR-US: media-server CVE-2024-24259 (mupdf v1.23.9 was discovered to contain a memory leak via the menuEntr ...) - - mupdf <unfixed> + - mupdf <unfixed> (unimportant) + NOTE: Memory leak in CLI tool, no security impact NOTE: https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_2.md TODO: check report upstream CVE-2024-24258 (mupdf v1.23.9 was discovered to contain a memory leak via the menuEntr ...) - - mupdf <unfixed> + - mupdf <unfixed> (unimportant) + NOTE: Memory leak in CLI tool, no security impact NOTE: https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_1.md TODO: check report upstream CVE-2024-23109 (An improper neutralization of special elements used in an os command ( ...) 
@@ -1028,6 +1032,8 @@ CVE-2024-23196 (A race condition was found in the Linux kernel's sound/hda devi NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=8148 CVE-2024-22667 (Vim before 9.0.2142 has a stack-based buffer overflow because did_set_ ...) - vim 2:9.0.2189-1 + [bookworm] - vim <no-dsa> (Minor issue) + [bullseye] - vim <no-dsa> (Minor issue) NOTE: https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47 (v9.0.2142) NOTE: https://gist.githubusercontent.com/henices/2467e7f22dcc2aa97a2453e197b55a0c/raw/7b54bccc9a129c604fb139266f4497ab7aaa94c7/gistfile1.txt CVE-2024-22386 (A race condition was found in the Linux kernel's drm/exynos device dri ...) @@ -1496,6 +1502,8 @@ CVE-2024-24561 (Vyper is a pythonic Smart Contract Language for the ethereum vir NOT-FOR-US: Vyper CVE-2024-24557 (Moby is an open-source project created by Docker to enable software co ...) - docker.io <unfixed> + [bookworm] - docker.io <no-dsa> (Minor issue) + [bullseye] - docker.io <no-dsa> (Minor issue) NOTE: https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae NOTE: https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc CVE-2024-24062 (springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) vi ...) @@ -1845,6 +1853,8 @@ CVE-2023-2439 (The UserPro plugin for WordPress is vulnerable to Stored Cross-Si NOT-FOR-US: WordPress plugin CVE-2024-1062 [a heap overflow leading to denail-of-servce while writing a value larger than 256 chars (in log_entry_attr)] - 389-ds-base <unfixed> + [bookworm] - 389-ds-base <no-dsa> (Minor issue) + [bullseye] - 389-ds-base <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2261879 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256711 NOTE: https://github.com/389ds/389-ds-base/issues/5647 
@@ -4085,6 +4095,7 @@ CVE-2023-48339 (In jpg driver, there is a possible missing permission check. Thi NOT-FOR-US: Unisoc CVE-2021-4435 (An untrusted search path vulnerability was found in Yarn. When a victi ...) - node-yarnpkg 1.22.19+~cs24.27.18-1 + [bullseye] - node-yarnpkg <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2262284 NOTE: Fixed by: https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1 (v1.22.12) TODO: check, too few details in RHBZ#2262284 @@ -18468,10 +18479,8 @@ CVE-2023-42323 (Cross Site Request Forgery (CSRF) vulnerability in DouHaocms v.3 CVE-2023-36263 (Prestashop opartlimitquantity 1.4.5 and before is vulnerable to SQL In ...) NOT-FOR-US: PrestaShop module CVE-2023-31794 (MuPDF v1.21.1 was discovered to contain an infinite recursion in the c ...) - - mupdf 1.22.1+ds1-1 - [bookworm] - mupdf <no-dsa> (Minor issue) - [bullseye] - mupdf <no-dsa> (Minor issue) - [buster] - mupdf <no-dsa> (Minor issue) + - mupdf 1.22.1+ds1-1 (unimportant) + NOTE: Hang in enduser tool, no security impact NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706506 NOTE: Fixed by: https://git.ghostscript.com/?p=mupdf.git;a=commit;h=c0015401693b58e2deb5d75c39f27bc1216e47c6 (1.22.0-rc1) CVE-2019-25155 (DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-targe ...) ===================================== data/dsa-needed.txt ===================================== @@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- cacti -- +composer +-- cryptojs -- dnsdist (jmm) @@ -26,6 +28,8 @@ gtkwave -- h2o (jmm) -- +libgit2 (jmm) +-- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- 
@@ -38,6 +42,8 @@ nbconvert/oldstable -- opennds/stable -- +openvswitch +-- php-cas/oldstable -- php-dompdf-svg-lib/stable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5088131400fb7dbfd9fa202f3ea3d6b0838be9a2
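Review bot: in the CVE-2024-24680 hunk the two new <postponed> lines defer the python-django fix to a future bullseye/bookworm update, but the only upstream commit NOTE on the entry is the main-branch one (55519d6c..., marked "(main)"). The description names the affected branches (3.2 before 3.2.24, 4.2 before 4.2.10), and those are the branches a postponed stable update will have to take the fix from, so add NOTE lines for the corresponding branch commits now rather than leaving them to be rediscovered when the update is prepared.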
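Review bot: in the CVE-2024-24259 / CVE-2024-24258 hunk both mupdf entries are downgraded to (unimportant) with the rationale "Memory leak in CLI tool, no security impact", while the existing "TODO: check report upstream" line is kept on each. Either the upstream check has been done, in which case drop the TODO and link the upstream bug or commit next to the rationale, or it has not, in which case the (unimportant) rating is ahead of the evidence; the two lines should not stand together.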
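Review bot: the CVE-2024-22667 hunk marks what the description line calls a stack-based buffer overflow in vim as <no-dsa> (Minor issue) for both bookworm and bullseye without saying why. Other entries in this commit carry the reason in the parenthetical ("Minor issue, fix along in future update"); for a memory-safety bug the one-line rationale is what the next person will look for, so state what is needed to trigger it or why the impact is limited instead of the bare "Minor issue".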
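Review bot: in the CVE-2024-24557 hunk the sid line stays "- docker.io <unfixed>" while both stable releases gain <no-dsa> (Minor issue). With no fixed version and no bug reference on the sid line, nothing in the entry tracks when unstable picks up the moby fix linked in the NOTE; add a Debian bug reference on that line once one exists, as the tracker does for other <unfixed> entries, so the issue does not go stale once the stable lines say no-dsa.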
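Review bot: the bracketed description on the CVE-2024-1062 context line reads "denail-of-servce", which should be "denial-of-service"; this hunk does not touch that line, but the bracketed text is the description the tracker shows for the entry, so it is worth fixing in a follow-up. The same remark as for the vim entry applies to the two new <no-dsa> (Minor issue) lines: a heap overflow while writing an over-long value in 389-ds-base gets no rationale beyond "Minor issue".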
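Review bot: the CVE-2021-4435 hunk adds [bullseye] - node-yarnpkg <no-dsa> (Minor issue) while the entry's "TODO: check, too few details in RHBZ#2262284" line is left in place. If the "Fixed by" commit (v1.22.12) has been confirmed as the right one, the TODO can go; if not, the no-dsa rating is premature. No [bookworm] line is added; if that is because bookworm's node-yarnpkg already contains the v1.22.12 fix, a NOTE saying so would keep the entry self-explanatory.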
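Review bot: the CVE-2023-31794 hunk replaces three per-release <no-dsa> lines for mupdf with a single (unimportant) tag on the fixed-version line, which changes the entry from "open in buster/bullseye/bookworm, no DSA planned" to "not treated as a security issue in Debian"; the NOTE "Hang in enduser tool, no security impact" supports that and agrees with the "infinite recursion" description, but "enduser" should read "end-user". The earlier mupdf entries in this commit use "Memory leak in CLI tool" for the same kind of reasoning, so consider one consistent phrasing across the three.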
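Review bot: the first dsa-needed.txt hunk adds "composer" with no release suffix and no assignee, and "libgit2 (jmm)". Per the file's own header quoted in the hunk context ("If needed, specify the release by adding a slash after the name of the source package"), a bare name means a DSA is needed for every supported release; if composer only needs one of bookworm/bullseye, suffix it with /stable or /oldstable as the opennds/stable and php-cas/oldstable entries do. Neither new entry names the issue it is for, so a one-line note, as the libreswan entry carries, would help whoever picks it up.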
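Review bot: the same applies to "openvswitch" in the second dsa-needed.txt hunk: no release suffix, no assignee and no pointer to the issue that puts it on the list. Add at least the CVE or bug reference so the entry can be picked up without re-triaging.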
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits