Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
cb137028 by Moritz Muehlenhoff at 2023-07-16T15:15:09+02:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -96,11 +96,13 @@ CVE-2023-38325 (The cryptography package before 41.0.2 for 
Python mishandles SSH
        NOTE: Fixed by: 
https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3
 (main)
        NOTE: Fixed by: 
https://github.com/pyca/cryptography/commit/e190ef190525999d1f599cf8c3aef5cb7f3a8bc4
 (41.0.2)
 CVE-2023-38253 (An out-of-bounds read flaw was found in w3m, in the 
growbuf_to_Str fun ...)
-       - w3m <unfixed>
+       - w3m <unfixed> (unimportant)
        NOTE: https://github.com/tats/w3m/issues/271
+       NOTE: Crash in CLI tool, no security impact
 CVE-2023-38252 (An out-of-bounds read flaw was found in w3m, in the 
Strnew_size functi ...)
-       - w3m <unfixed>
+       - w3m <unfixed> (unimportant)
        NOTE: https://github.com/tats/w3m/issues/270
+       NOTE: Crash in CLI tool, no security impact
 CVE-2023-37474 (Copyparty is a portable file server. Versions prior to 1.8.2 
are subje ...)
        NOT-FOR-US: copyparty
 CVE-2023-37473 (zenstruck/collections is a set of helpers for 
iterating/paginating/fil ...)
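Review bot: the justification added for CVE-2023-38253 and CVE-2023-38252, `NOTE: Crash in CLI tool, no security impact`, does not say why the out-of-bounds reads in growbuf_to_Str and Strnew_size are unreachable from untrusted input, which is what an `(unimportant)` rating on a browser's string-handling code rests on. Consider extending the note with the trigger condition (what input reaches the read) as recorded in the linked upstream issues #271 and #270, so the triage can be re-checked later without re-reading those issues.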
@@ -619,22 +621,27 @@ CVE-2023-3023 (The WP EasyCart plugin for WordPress is 
vulnerable to time-based
        NOT-FOR-US: WP EasyCart plugin for WordPress
 CVE-2023-3019 [e1000e: heap use-after-free in e1000e_write_packet_to_guest()]
        - qemu <unfixed> (bug #1041102)
+       [bookworm] - qemu <no-dsa> (Minor issue)
+       [bullseye] - qemu <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59243
        NOTE: Proposed upstream patch: 
https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html
 CVE-2023-3011 (The ARMember plugin for WordPress is vulnerable to Cross-Site 
Request  ...)
        NOT-FOR-US: ARMember plugin for WordPress
 CVE-2023-37767 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to 
contain a seg ...)
        - gpac <unfixed>
+       [bullseye] - gpac <ignored> (Minor issue)
        [buster] - gpac <end-of-life> (EOL in buster LTS)
        NOTE: https://github.com/gpac/gpac/issues/2514
        NOTE: 
https://github.com/gpac/gpac/commit/d414df635c773b21bbb3a9fbf17b101b1e8ea345
 CVE-2023-37766 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to 
contain a seg ...)
        - gpac <unfixed>
+       [bullseye] - gpac <ignored> (Minor issue)
        [buster] - gpac <end-of-life> (EOL in buster LTS)
        NOTE: https://github.com/gpac/gpac/issues/2516
        NOTE: 
https://github.com/gpac/gpac/commit/a64c60ef0983be6db8ab1e4a663e0ce83ff7bf2c
 CVE-2023-37765 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to 
contain a seg ...)
        - gpac <unfixed>
+       [bullseye] - gpac <ignored> (Minor issue)
        [buster] - gpac <end-of-life> (EOL in buster LTS)
        NOTE: https://github.com/gpac/gpac/issues/2515
        NOTE: 
https://github.com/gpac/gpac/commit/36e1b9900ff638576cb88636bbbe2116ed06dfdc
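Review bot: the same reason string `(Minor issue)` is paired with `<no-dsa>` for qemu (bookworm and bullseye) but with `<ignored>` for the three gpac entries (bullseye only), and bookworm is left untagged for gpac while it is tagged for qemu. If gpac in bullseye is deliberately not going to be fixed at all while qemu may still be handled later, the gpac reason would be clearer as something like `(Minor issue; no fix planned for bullseye)`; otherwise `<no-dsa>` would keep the two consistent. A `[bookworm]` line for gpac, matching the qemu pattern, would also make the bookworm status explicit rather than implied by the untagged `- gpac <unfixed>`.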
@@ -789,6 +796,7 @@ CVE-2023-36825 (Decidim is a participatory democracy 
framework, written in Ruby
        NOT-FOR-US: Decidim
 CVE-2023-36824 (Redis is an in-memory database that persists on disk. In Redit 
7.0 pri ...)
        - redis 5:7.0.12-1 (bug #1040879)
+       [bookworm] - redis <no-dsa> (Minor issue)
        [bullseye] - redis <not-affected> (Vulnerable code introduced later)
        [buster] - redis <not-affected> (Vulnerable code introduced later)
        NOTE: 
https://github.com/redis/redis/security/advisories/GHSA-4cfx-h9gq-xpx3
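Review bot: the new `[bookworm] - redis <no-dsa> (Minor issue)` line sits between an unstable fix (5:7.0.12-1) and two releases marked `<not-affected> (Vulnerable code introduced later)`; the bullseye/buster reasons explain their status, but the bookworm line gives no hint of what makes the issue minor there. A reason string that points at the severity argument, or a NOTE beside the GHSA link summarising why the 7.0 issue is minor, would make the no-dsa decision auditable in the same way the not-affected entries already are.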


=====================================
data/dsa-needed.txt
=====================================
@@ -18,8 +18,13 @@ cjose
 --
 cinder/oldstable
 --
+frr
+  maintainer proposed to update to 8.4.4 for bookworm-stable, which might be a 
good idea
+--
 iperf3 (aron)
 --
+kanboard (jmm)
+--
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y and 6.1.y versions
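Review bot: the new `frr` entry has no assignee in parentheses, unlike `iperf3 (aron)`, `kanboard (jmm)` and `linux (carnil)` around it, and its note records an open question (`might be a good idea`) rather than a decision. Since dsa-needed.txt lists work to be done, consider either naming who follows up on the 8.4.4 proposal for bookworm-stable or rewording the note as the pending action (e.g. `evaluate maintainer's proposal to update to 8.4.4 in bookworm-stable`).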
@@ -71,6 +76,10 @@ salt/oldstable
 --
 samba/oldstable
 --
+sox
+  all issues unfixed upstream
+  for CVE-2023-34432, rest can be ignored
+--
 wpewebkit
 --
 xrdp/oldstable
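Review bot: the two-line note for `sox` reads ambiguously across the line break: `all issues unfixed upstream` / `for CVE-2023-34432, rest can be ignored` can be parsed as "all issues unfixed upstream for CVE-2023-34432". If the intent is that a DSA is only needed for CVE-2023-34432 and the remaining sox issues can be ignored, a single line such as `DSA only for CVE-2023-34432 (all issues unfixed upstream), rest can be ignored` says that directly; an assignee in parentheses is also missing, as with the other unclaimed entries.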



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cb13702815ca326ed196f2d6df6a2e05d6539618



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
