Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7cadf7f5 by Markus Koschany at 2024-03-04T13:06:38+01:00
CVE-2024-22201,jetty9: link to fixing commits for 9.x branch

- - - - -
488675e6 by Markus Koschany at 2024-03-04T13:06:38+01:00
Add jetty9 to dla-needed.txt

- - - - -
dda9149f by Markus Koschany at 2024-03-04T13:06:38+01:00
Add libuv1 to dla-needed.txt

- - - - -
10cd94f3 by Markus Koschany at 2024-03-04T13:06:38+01:00
Add yard to dla-needed.txt

- - - - -
f7c91a4b by Markus Koschany at 2024-03-04T13:06:39+01:00
CVE-2024-21742,apache-mime4j: buster is no-dsa

Minor issue

- - - - -
eb5598a8 by Markus Koschany at 2024-03-04T13:06:41+01:00
CVE-2023-49100,arm-trusted-firmware: buster is no-dsa

Minor issue

- - - - -
bf920f98 by Markus Koschany at 2024-03-04T13:06:42+01:00
CVE-2024-25629,c-ares: buster is no-dsa

Minor issue

- - - - -
25af6d89 by Markus Koschany at 2024-03-04T13:06:43+01:00
CVE-2024-24258,CVE-2024-24259,freeglut: buster is no-dsa

Minor issue

- - - - -
372269cb by Markus Koschany at 2024-03-04T13:06:44+01:00
Triage krb5 memory leaks as no-dsa for buster

Minor issues.

- - - - -
7b0caec9 by Markus Koschany at 2024-03-04T13:06:46+01:00
CVE-2022-48624,less: buster is no-dsa

Minor issue. Can be fixed when more important issues arise.

- - - - -
32b6a875 by Markus Koschany at 2024-03-04T13:06:46+01:00
Add libcommons-compress-java to dla-needed.txt

- - - - -
afd34344 by Markus Koschany at 2024-03-04T13:06:47+01:00
CVE-2023-45918,ncurses: buster is no-dsa

Minor NULL pointer dereference bug.

- - - - -
23a5576e by Markus Koschany at 2024-03-04T13:06:48+01:00
CVE-2024-27088,node-es5-ext: buster is no-dsa

Minor issue

- - - - -
1c70cc2b by Markus Koschany at 2024-03-04T13:06:48+01:00
Add nvidia-graphics-drivers to dla-needed.txt

- - - - -
59de8769 by Markus Koschany at 2024-03-04T13:06:49+01:00
Add php-phpseclib to dla-needed.txt

- - - - -
e4f2317e by Markus Koschany at 2024-03-04T13:06:49+01:00
Add phpseclib to dla-needed.txt

- - - - -
86daa2d7 by Markus Koschany at 2024-03-04T13:06:50+01:00
CVE-2024-1433,plasma-workspace: buster is no-dsa

Minor issue

- - - - -
4b93f9ea by Markus Koschany at 2024-03-04T13:06:51+01:00
CVE-2024-26130,python-cryptography: buster is no-dsa

Minor issue

- - - - -
294142c4 by Markus Koschany at 2024-03-04T13:06:52+01:00
CVE-2024-1892,python-scrapy: buster is no-dsa

Minor issue

- - - - -
8e6542f2 by Markus Koschany at 2024-03-04T13:06:54+01:00
CVE-2023-50868,CVE-2023-50387,systemd: buster is no-dsa

DNSSEC is disabled by default and an experimental feature.

- - - - -
ab2db50c by Markus Koschany at 2024-03-04T13:06:55+01:00
CVE-2024-25262,texlive-bin: buster is no-dsa

Minor issue

- - - - -
f7b7db95 by Markus Koschany at 2024-03-04T13:06:55+01:00
Add cpio to dla-needed.txt

- - - - -
e38cce11 by Markus Koschany at 2024-03-04T13:06:55+01:00
Add dnsmasq to dla-needed.txt

- - - - -
336ad067 by Markus Koschany at 2024-03-04T13:06:56+01:00
CVE-2024-24246,qpdf: buster is not-affected

The vulnerable code was introduced later, creating a PDF from an input source
that contains JSON.

https://github.com/qpdf/qpdf/commit/4fe2e06b4787ffb639f965ac840b51018308ec07#diff-8e435b97a9914d4318cc5829a9400e1e49c5b9bc16799de9aef9ef04c4b3f5c0

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -872,6 +872,7 @@ CVE-2024-24818 (EspoCRM is an Open Source Customer 
Relationship Management softw
        NOT-FOR-US: EspoCRM
 CVE-2024-24246 (Heap Buffer Overflow vulnerability in qpdf 11.9.0 allows 
attackers to  ...)
        - qpdf 11.9.0-1
+       [buster] - qpdf <not-affected> (Vulnerable code was introduced later)
        NOTE: https://github.com/qpdf/qpdf/issues/1123
        NOTE: 
https://github.com/qpdf/qpdf/commit/cb0f390cc1f98a8e82b27259f8f3cd5f162992eb 
(v11.9.0)
 CVE-2024-24110 (SQL Injection vulnerability in crmeb_java before v1.3.4 allows 
attacke ...)
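Review bot: The added `[buster] - qpdf <not-affected> (Vulnerable code was introduced later)` line carries no pointer to where the code was introduced. The commit message for 336ad067 links the qpdf commit that introduced it; recording that URL as a NOTE under CVE-2024-24246 would keep the evidence for the not-affected claim in data/CVE/list instead of only in the commit log.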
@@ -1843,6 +1844,7 @@ CVE-2024-1892 (Parts of the Scrapy API were found to be 
vulnerable to a ReDoS at
        - python-scrapy 2.11.1-1 (bug #1065111)
        [bookworm] - python-scrapy <no-dsa> (Minor issue)
        [bullseye] - python-scrapy <no-dsa> (Minor issue)
+       [buster] - python-scrapy <no-dsa> (Minor issue)
        NOTE: https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b/
        NOTE: 
https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
 (2.11.1)
 CVE-2024-1866
@@ -2068,6 +2070,7 @@ CVE-2024-21742 (Improper input validation allows for 
header injection in MIME4J
        - apache-mime4j 0.8.10-1 (bug #1064966)
        [bookworm] - apache-mime4j <no-dsa> (Minor issue)
        [bullseye] - apache-mime4j <no-dsa> (Minor issue)
+       [buster] - apache-mime4j <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2024/02/27/5
        NOTE: 
https://github.com/apache/james-mime4j/commit/9dec5df2a588fed8027839815daefa79ee66efd1
 (apache-mime4j-project-0.8.10)
        NOTE: https://github.com/apache/james-mime4j/pull/91
@@ -2384,6 +2387,7 @@ CVE-2024-27088 (es5-ext contains ECMAScript 5 extensions. 
Passing functions with
        - node-es5-ext <unfixed> (bug #1064933)
        [bookworm] - node-es5-ext <no-dsa> (Minor issue)
        [bullseye] - node-es5-ext <no-dsa> (Minor issue)
+       [buster] - node-es5-ext <no-dsa> (Minor issue)
        NOTE: 
https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h
        NOTE: https://github.com/medikoo/es5-ext/issues/201
        NOTE: 
https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2
 (v1.10.63)
@@ -2406,16 +2410,19 @@ CVE-2024-26462 (Kerberos 5 (aka krb5) 1.21.2 contains a 
memory leak vulnerabilit
        - krb5 <unfixed> (bug #1064965)
        [bookworm] - krb5 <no-dsa> (Minor issue)
        [bullseye] - krb5 <no-dsa> (Minor issue)
+       [buster] - krb5 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md
 CVE-2024-26461 (Kerberos 5 (aka krb5) 1.21.2 contains a memory leak 
vulnerability in / ...)
        - krb5 <unfixed> (bug #1064965)
        [bookworm] - krb5 <no-dsa> (Minor issue)
        [bullseye] - krb5 <no-dsa> (Minor issue)
+       [buster] - krb5 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md
 CVE-2024-26458 (Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in 
/krb5/src/lib/r ...)
        - krb5 <unfixed> (bug #1064965)
        [bookworm] - krb5 <no-dsa> (Minor issue)
        [bullseye] - krb5 <no-dsa> (Minor issue)
+       [buster] - krb5 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md
 CVE-2024-26455 (fluent-bit 2.2.2 contains a Use-After-Free vulnerability in 
/fluent-bi ...)
        NOT-FOR-US: Fluent Bit
@@ -2520,6 +2527,7 @@ CVE-2024-22201 (Jetty is a Java based web server and 
servlet engine. An HTTP/2 S
        - jetty9 <unfixed> (bug #1064923)
        NOTE: 
https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98
        NOTE: https://github.com/jetty/jetty.project/issues/11256
+       NOTE: 9.x branch fixed by 
https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b
 CVE-2024-21836 (A heap-based buffer overflow vulnerability exists in the GGUF 
library  ...)
        NOT-FOR-US: llama.cpp
 CVE-2024-21825 (A heap-based buffer overflow vulnerability exists in the GGUF 
library  ...)
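Review bot: The new NOTE under CVE-2024-22201 links a single commit, while the commit subject says "link to fixing commits for 9.x branch"; if the 9.x fix spans more than one commit, the others should be listed too. The wording also departs from the `NOTE: Fixed by: <url> (<version>)` form used elsewhere in this file (for example under CVE-2024-26130), so consider `Fixed by:` with the branch or version in parentheses.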
@@ -2765,6 +2773,7 @@ CVE-2024-25629 (c-ares is a C library for asynchronous 
DNS requests. `ares__read
        - c-ares 1.27.0-1
        [bookworm] - c-ares <no-dsa> (Minor issue)
        [bullseye] - c-ares <no-dsa> (Minor issue)
+       [buster] - c-ares <no-dsa> (Minor issue)
        NOTE: 
https://github.com/c-ares/c-ares/security/advisories/GHSA-mg26-v6qh-x48q
        NOTE: 
https://github.com/c-ares/c-ares/commit/a804c04ddc8245fc8adf0e92368709639125e183
 (cares-1_27_0)
 CVE-2024-23320 (Improper Input Validation vulnerability in Apache 
DolphinScheduler. An ...)
@@ -3257,6 +3266,7 @@ CVE-2024-26130 (cryptography is a package designed to 
expose cryptographic primi
        - python-cryptography <unfixed> (bug #1064778)
        [bookworm] - python-cryptography <no-dsa> (Minor issue)
        [bullseye] - python-cryptography <no-dsa> (Minor issue)
+       [buster] - python-cryptography <no-dsa> (Minor issue)
        NOTE: 
https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
        NOTE: https://github.com/pyca/cryptography/pull/10423
        NOTE: Fixed by: 
https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
 (main)
@@ -3354,6 +3364,7 @@ CVE-2023-49100 (Trusted Firmware-A (TF-A) before 2.10 has 
a potential read out-o
        - arm-trusted-firmware 2.10.0+dfsg-1
        [bookworm] - arm-trusted-firmware <no-dsa> (Minor issue)
        [bullseye] - arm-trusted-firmware <no-dsa> (Minor issue)
+       [buster] - arm-trusted-firmware <no-dsa> (Minor issue)
        NOTE: 
https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/commit/?id=a7eff3477dcf3624c74f5217419b1a27b7ebd2aa
 CVE-2023-47795 (Stored cross-site scripting (XSS) vulnerability in the 
Document and Me ...)
        NOT-FOR-US: Liferay
@@ -3633,6 +3644,7 @@ CVE-2024-25262 (texlive-bin commit c515e was discovered 
to contain heap buffer o
        - texlive-bin 2023.20230311.66589-9 (bug #1064517)
        [bookworm] - texlive-bin <no-dsa> (Minor issue)
        [bullseye] - texlive-bin <no-dsa> (Minor issue)
+       [buster] - texlive-bin <no-dsa> (Minor issue)
        NOTE: 
https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/ChangeLog?revision=69605&view=co
        NOTE: https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912
        NOTE: https://github.com/TeX-Live/texlive-source/pull/63
@@ -4177,6 +4189,7 @@ CVE-2022-48624 (close_altfile in filename.c in less 
before 606 omits shell_quote
        - less <unfixed> (bug #1064293)
        [bookworm] - less <no-dsa> (Minor issue)
        [bullseye] - less <no-dsa> (Minor issue)
+       [buster] - less <no-dsa> (Minor issue)
        NOTE: 
https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144 
(v606)
 CVE-2020-36774 (plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 
3.39.x b ...)
        - glade 3.38.2-1
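Review bot: The buster line for CVE-2022-48624 is tagged `<no-dsa> (Minor issue)`, but the commit message for 7b0caec9 adds "Can be fixed when more important issues arise", which is what the tracker's `<postponed>` state is for. Consider `<postponed>` with that reason in the parenthetical so the intent is visible in the data and not only in the commit log.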
@@ -4355,6 +4368,7 @@ CVE-2023-45918 (ncurses 6.4-20230610 has a NULL pointer 
dereference in tgetstr i
        - ncurses 6.4+20230625-1
        [bookworm] - ncurses <no-dsa> (Minor issue)
        [bullseye] - ncurses <no-dsa> (Minor issue)
+       [buster] - ncurses <no-dsa> (Minor issue)
        NOTE: 
https://lists.gnu.org/archive/html/bug-ncurses/2023-06/msg00005.html
        NOTE: https://invisible-island.net/ncurses/NEWS.html#index-t20230615
        NOTE: Fixed in ncurses-6.4-20230615 patchlevel
@@ -5380,6 +5394,7 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS 
protocol (in RFC 4033, 4034, 4
        - systemd 255.4-1
        [bookworm] - systemd <no-dsa> (DNSSEC is disabled by default in 
systemd-resolved; can be fixed via point release)
        [bullseye] - systemd <no-dsa> (DNSSEC is disabled by default in 
systemd-resolved; can be fixed via point release)
+       [buster] - systemd <no-dsa> (DNSSEC is disabled by default in 
systemd-resolved; can be fixed via point release)
        NOTE: https://kb.isc.org/docs/cve-2023-50387
        NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/c12608ca934c0433d280e65fe6c631013e200cfe
 (v9.16.48)
        NOTE: 
https://gitlab.isc.org/isc-projects/bind9/-/commit/751b7cc4750ede6d8c5232751d60aad8ad84aa67
 (v9.16.48)
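Review bot: The added buster line repeats the bookworm/bullseye text "can be fixed via point release", whereas the commit message for 8e6542f2 gives the reason as "DNSSEC is disabled by default and an experimental feature". If a point release is not the intended route for buster, the parenthetical should carry the commit's reason instead; the same applies to the matching line in the CVE-2023-50868 hunk.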
@@ -5418,6 +5433,7 @@ CVE-2023-50868 (The Closest Encloser Proof aspect of the 
DNS protocol (in RFC 51
        - systemd 255.4-1
        [bookworm] - systemd <no-dsa> (DNSSEC is disabled by default in 
systemd-resolved; can be fixed via point release)
        [bullseye] - systemd <no-dsa> (DNSSEC is disabled by default in 
systemd-resolved; can be fixed via point release)
+       [buster] - systemd <no-dsa> (DNSSEC is disabled by default in 
systemd-resolved; can be fixed via point release)
        NOTE: https://kb.isc.org/docs/cve-2023-50868
        NOTE: 
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2024q1/017430.html
        NOTE: https://www.knot-resolver.cz/2024-02-13-knot-resolver-5.7.1.html
@@ -5723,6 +5739,7 @@ CVE-2024-1433 (A vulnerability, which was classified as 
problematic, was found i
        - plasma-workspace <unfixed> (bug #1064063)
        [bookworm] - plasma-workspace <no-dsa> (Minor issue)
        [bullseye] - plasma-workspace <no-dsa> (Minor issue)
+       [buster] - plasma-workspace <no-dsa> (Minor issue)
        NOTE: 
https://github.com/KDE/plasma-workspace/commit/6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01
 CVE-2023-52429 (dm_table_create in drivers/md/dm-table.c in the Linux kernel 
through 6 ...)
        - linux <unfixed>
@@ -6986,6 +7003,7 @@ CVE-2024-24259 (freeglut through 3.4.0 was discovered to 
contain a memory leak v
        - freeglut <unfixed> (bug #1063801)
        [bookworm] - freeglut <no-dsa> (Minor issue)
        [bullseye] - freeglut <no-dsa> (Minor issue)
+       [buster] - freeglut <no-dsa> (Minor issue)
        NOTE: 
https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_2.md
        NOTE: https://github.com/freeglut/freeglut/pull/155
        NOTE: Fixed by: 
https://github.com/freeglut/freeglut/commit/9ad320c1ad1a25558998ddfe47674511567fec57
@@ -6993,6 +7011,7 @@ CVE-2024-24258 (freeglut 3.4.0 was discovered to contain 
a memory leak via the m
        - freeglut <unfixed> (bug #1063801)
        [bookworm] - freeglut <no-dsa> (Minor issue)
        [bullseye] - freeglut <no-dsa> (Minor issue)
+       [buster] - freeglut <no-dsa> (Minor issue)
        NOTE: 
https://github.com/yinluming13579/mupdf_defects/blob/main/mupdf_detect_1.md
        NOTE: https://github.com/freeglut/freeglut/pull/155
        NOTE: Fixed by: 
https://github.com/freeglut/freeglut/commit/9ad320c1ad1a25558998ddfe47674511567fec57


=====================================
data/dla-needed.txt
=====================================
@@ -63,6 +63,9 @@ cinder
 composer (rouca)
   NOTE: 20240209: Added by Front-Desk (utkarsh)
 --
+cpio
+  NOTE: 20240303: Added by Front-Desk (apo)
+--
 curl
   NOTE: 20231229: Added by Front-Desk (lamby)
   NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. 
(lamby)
@@ -72,6 +75,9 @@ dask.distributed (guilhem)
   NOTE: 20231228: Added by Front-Desk (lamby)
   NOTE: 20231228: CVE-2021-42343 fixed in bullseye via DSA or point release. 
(lamby)
 --
+dnsmasq
+  NOTE: 20240303: Added by Front-Desk (apo)
+--
 docker.io
   NOTE: 20230303: Added by Front-Desk (Beuc)
   NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
@@ -130,9 +136,15 @@ jenkins-htmlunit-core-js
   NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it 
may
   NOTE: 20231231: … indeed be vulnerable. (lamby)
 --
+jetty9
+  NOTE: 20240303: Added by Front-Desk (apo)
+--
 knot-resolver
   NOTE: 20231029: Added by Front-Desk (gladk)
 --
+libcommons-compress-java (Markus Koschany)
+  NOTE: 20240303: Added by Front-Desk (apo)
+--
 libreswan
   NOTE: 20230817: Added by Front-Desk (ta)
   NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to
@@ -162,6 +174,9 @@ libstb
   NOTE: 20221119: and in the past CVE fixes have caused regressions.
   NOTE: 20221119: Wait for upstream merge of fixes (and fixing in unstable). 
(bunk)
 --
+libuv1
+  NOTE: 20240303: Added by Front-Desk (apo)
+--
 linux (Ben Hutchings)
   NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
 --
@@ -202,6 +217,21 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
+nvidia-graphics-drivers
+  NOTE: 20240303: Added by Front-Desk (apo)
+  NOTE: 20240303: Do we still support the NVIDIA drivers? Can we upgrade to a 
new upstream release?
+  NOTE: 20240303: Maybe it's time to mark them EOL?
+--
+nvidia-graphics-drivers-legacy-390xx
+  NOTE: 20240303: Added by Front-Desk (apo)
+  NOTE: 20240303: See comment for nvidia-graphics-drivers.
+--
+php-phpseclib
+  NOTE: 20240303: Added by Front-Desk (apo)
+--
+phpseclib
+  NOTE: 20240303: Added by Front-Desk (apo)
+--
 putty
   NOTE: 20231224: Added by Front-Desk (ta)
   NOTE: 20230104: massive code change against bullseye. May be better to 
backport bullseye (rouca)
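Review bot: The `nvidia-graphics-drivers-legacy-390xx` entry is not named in any commit subject of this push (1c70cc2b mentions only nvidia-graphics-drivers), so it should get its own commit or be mentioned in that subject. The two question NOTEs under nvidia-graphics-drivers ("Do we still support the NVIDIA drivers?", "Maybe it's time to mark them EOL?") leave a support decision open in the file; a pointer to where that is being discussed would help whoever claims the package.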
@@ -294,6 +324,9 @@ varnish (Abhijith PA)
   NOTE: 20240122: Still fixing tests (abhijith)
   NOTE: 20240213: Fixing tests.(abhijith)
 --
+yard
+  NOTE: 20240303: Added by Front-Desk (apo)
+--
 zabbix
   NOTE: 20240212: Added by Front-Desk (utkarsh)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c30dda8b322d2d70ad80b9389a76ab0759f147ab...336ad06773fa61bbfdd0ca3f2784a5d48ac5ff34
