Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
50881314 by Moritz Muehlenhoff at 2024-02-09T13:51:00+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -588,6 +588,8 @@ CVE-2024-1283 (Heap buffer overflow in Skia in Google 
Chrome prior to 121.0.6167
        [buster] - chromium <end-of-life> (see DSA 5046)
 CVE-2024-24680 (An issue was discovered in Django 3.2 before 3.2.24, 4.2 
before 4.2.10 ...)
        - python-django 3:4.2.10-1
+       [bookworm] - python-django <postponed> (Minor issue, fix along in 
future update)
+       [bullseye] - python-django <postponed> (Minor issue, fix along in 
future update)
        NOTE: https://www.openwall.com/lists/oss-security/2024/02/06/2
        NOTE: 
https://www.djangoproject.com/weblog/2024/feb/06/security-releases/
        NOTE: 
https://github.com/django/django/commit/55519d6cf8998fe4c8f5c8abffc2b10a7c3d14e9
 (main)
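Review bot: the two new `<postponed>` lines for bookworm and bullseye give "Minor issue" as the only justification, while the mupdf entries later in this commit carry a NOTE explaining the rating; a one-line NOTE stating why CVE-2024-24680 is minor for the 3.2/4.2 packages would make the postponement reviewable. The linked upstream commit is annotated `(main)`, so when the fix is folded into a future update the 3.2.x/4.2.x branch commits are the ones that will need to be referenced.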
@@ -937,11 +939,13 @@ CVE-2024-24262 (media-server v1.0.0 was discovered to 
contain a Use-After-Free (
 CVE-2024-24260 (media-server v1.0.0 was discovered to contain a Use-After-Free 
(UAF) v ...)
        NOT-FOR-US: media-server
 CVE-2024-24259 (mupdf v1.23.9 was discovered to contain a memory leak via the 
menuEntr ...)
-       - mupdf <unfixed>
+       - mupdf <unfixed> (unimportant)
+       NOTE: Memory leak in CLI tool, no security impact
        NOTE: 
https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_2.md
        TODO: check report upstream
 CVE-2024-24258 (mupdf v1.23.9 was discovered to contain a memory leak via the 
menuEntr ...)
-       - mupdf <unfixed>
+       - mupdf <unfixed> (unimportant)
+       NOTE: Memory leak in CLI tool, no security impact
        NOTE: 
https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_1.md
        TODO: check report upstream
 CVE-2024-23109 (An improper neutralization of special elements used in an os 
command ( ...)
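Review bot: both mupdf entries (CVE-2024-24259 and CVE-2024-24258) are now rated `(unimportant)` with the NOTE "Memory leak in CLI tool, no security impact", yet the `TODO: check report upstream` line is kept in each. If the rating already rests on having read the linked report, the TODO should be dropped; if the upstream check is still pending, the NOTE should say the rating is provisional.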
@@ -1028,6 +1032,8 @@ CVE-2024-23196 (A race condition was found in the Linux 
kernel's sound/hda  devi
        NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=8148
 CVE-2024-22667 (Vim before 9.0.2142 has a stack-based buffer overflow because 
did_set_ ...)
        - vim 2:9.0.2189-1
+       [bookworm] - vim <no-dsa> (Minor issue)
+       [bullseye] - vim <no-dsa> (Minor issue)
        NOTE: 
https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47 
(v9.0.2142)
        NOTE: 
https://gist.githubusercontent.com/henices/2467e7f22dcc2aa97a2453e197b55a0c/raw/7b54bccc9a129c604fb139266f4497ab7aaa94c7/gistfile1.txt
 CVE-2024-22386 (A race condition was found in the Linux kernel's drm/exynos 
device dri ...)
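Review bot: CVE-2024-22667 is described as a stack-based buffer overflow in Vim, and the new `[bookworm]`/`[bullseye]` lines mark it `<no-dsa> (Minor issue)` without a NOTE giving the reason. Since the second NOTE points at a raw gist reproducer rather than an explanation, a short NOTE on why the overflow is considered minor for the packaged versions would help whoever revisits this entry.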
@@ -1496,6 +1502,8 @@ CVE-2024-24561 (Vyper is a pythonic Smart Contract 
Language for the ethereum vir
        NOT-FOR-US: Vyper
 CVE-2024-24557 (Moby is an open-source project created by Docker to enable 
software co ...)
        - docker.io <unfixed>
+       [bookworm] - docker.io <no-dsa> (Minor issue)
+       [bullseye] - docker.io <no-dsa> (Minor issue)
        NOTE: 
https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae
        NOTE: 
https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc
 CVE-2024-24062 (springboot-manager v1.6 is vulnerable to Cross Site Scripting 
(XSS) vi ...)
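Review bot: the unstable line for CVE-2024-24557 stays `- docker.io <unfixed>` while bookworm and bullseye are now `<no-dsa> (Minor issue)`, so nothing in the entry records which upstream release contains the fix; the linked moby commit and GHSA advisory are present, and adding the fixed upstream version to a NOTE (or the Debian version once uploaded) would make the remaining work for a point update clear.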
@@ -1845,6 +1853,8 @@ CVE-2023-2439 (The UserPro plugin for WordPress is 
vulnerable to Stored Cross-Si
        NOT-FOR-US: WordPress plugin
 CVE-2024-1062 [a heap overflow leading to denail-of-servce while writing a 
value larger than 256 chars (in log_entry_attr)]
        - 389-ds-base <unfixed>
+       [bookworm] - 389-ds-base <no-dsa> (Minor issue)
+       [bullseye] - 389-ds-base <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2261879
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256711
        NOTE: https://github.com/389ds/389-ds-base/issues/5647
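Review bot: the bracketed description for CVE-2024-1062 contains the typos "denail-of-servce" (should be "denial-of-service"); it is a context line here, so it should be corrected in a follow-up edit. The new `<no-dsa> (Minor issue)` lines for a heap overflow would also benefit from a NOTE explaining the rating, in line with the mupdf entries in this same commit.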
@@ -4085,6 +4095,7 @@ CVE-2023-48339 (In jpg driver, there is a possible 
missing permission check. Thi
        NOT-FOR-US: Unisoc
 CVE-2021-4435 (An untrusted search path vulnerability was found in Yarn. When 
a victi ...)
        - node-yarnpkg 1.22.19+~cs24.27.18-1
+       [bullseye] - node-yarnpkg <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2262284
        NOTE: Fixed by: 
https://github.com/yarnpkg/yarn/commit/67fcce88935e45092ffa2674c08053f1ef5268a1 
(v1.22.12)
        TODO: check, too few details in RHBZ#2262284
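Review bot: the new `[bullseye] - node-yarnpkg <no-dsa> (Minor issue)` line is added while the entry still ends with `TODO: check, too few details in RHBZ#2262284`, so a release decision is recorded before the check it depends on is done. Either resolve the TODO in the same change or note in the no-dsa comment that the rating is pending that check. No bookworm line is needed given the fixed version `1.22.19+~cs24.27.18-1` and the upstream fix in v1.22.12.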
@@ -18468,10 +18479,8 @@ CVE-2023-42323 (Cross Site Request Forgery (CSRF) 
vulnerability in DouHaocms v.3
 CVE-2023-36263 (Prestashop opartlimitquantity 1.4.5 and before is vulnerable 
to SQL In ...)
        NOT-FOR-US: PrestaShop module
 CVE-2023-31794 (MuPDF v1.21.1 was discovered to contain an infinite recursion 
in the c ...)
-       - mupdf 1.22.1+ds1-1
-       [bookworm] - mupdf <no-dsa> (Minor issue)
-       [bullseye] - mupdf <no-dsa> (Minor issue)
-       [buster] - mupdf <no-dsa> (Minor issue)
+       - mupdf 1.22.1+ds1-1 (unimportant)
+       NOTE: Hang in enduser tool, no security impact
        NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706506
        NOTE: Fixed by: 
https://git.ghostscript.com/?p=mupdf.git;a=commit;h=c0015401693b58e2deb5d75c39f27bc1216e47c6
 (1.22.0-rc1)
 CVE-2019-25155 (DOMPurify before 1.0.11 allows reverse tabnabbing in 
demos/hooks-targe ...)
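Review bot: for CVE-2023-31794 the three per-release `<no-dsa>` lines (bookworm, bullseye, buster) are replaced by `(unimportant)` on the package line, which per tracker convention applies the rating to all releases, so the removal of the buster line is consistent. The new NOTE reads "enduser tool"; "end-user tool" is the intended spelling.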


=====================================
data/dsa-needed.txt
=====================================
@@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 cacti
 --
+composer
+--
 cryptojs
 --
 dnsdist (jmm)
@@ -26,6 +28,8 @@ gtkwave
 --
 h2o (jmm)
 --
+libgit2 (jmm)
+--
 libreswan (jmm)
   Maintainer prepared bookworm-security update, but needs work on 
bullseye-security backports
 --
@@ -38,6 +42,8 @@ nbconvert/oldstable
 --
 opennds/stable
 --
+openvswitch
+--
 php-cas/oldstable
 --
 php-dompdf-svg-lib/stable
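Review bot: `openvswitch` is added without a `/stable` or `/oldstable` suffix, while neighbouring entries such as `opennds/stable` and `php-cas/oldstable` specify a release as the file header instructs; if only one release needs a DSA, the suffix should be added, otherwise a short comment line (as the libreswan entry has) confirming both are affected would avoid ambiguity. Neither `composer` nor `openvswitch` names a claimant, unlike `libgit2 (jmm)`, which is consistent with other unclaimed entries in the file.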



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5088131400fb7dbfd9fa202f3ea3d6b0838be9a2


_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
