bookworm triage

Moritz Muehlenhoff (@jmm) Thu, 24 Aug 2023 01:58:58 -0700


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker



Commits:
295a6867 by Moritz Muehlenhoff at 2023-08-24T10:58:32+02:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -113,6 +113,7 @@ CVE-2023-4041 (Buffer Copy without Checking Size of Input 
('Classic Buffer Overf
 CVE-2023-41105 (An issue was discovered in Python 3.11 through 3.11.4. If a 
path conta ...)
        - python3.12 <unfixed>
        - python3.11 <unfixed>
+       [bookworm] - python3.11 <no-dsa> (Minor issue)
        - python3.10 <not-affected> (Vulnerable code introduced in 3.11.y)
        - python3.9 <not-affected> (Vulnerable code introduced in 3.11.y)
        - python3.7 <not-affected> (Vulnerable code introduced in 3.11.y)
@@ -238,6 +239,8 @@ CVE-2022-48571 (memcached 1.6.7 allows a Denial of Service 
via multi-packet uplo
        NOTE: Fixed by: 
https://github.com/memcached/memcached/commit/6b319c8c7a29e9c353dec83dc92f01905f6c8966
 (1.6.8)
 CVE-2022-48570 (Crypto++ through 8.4 contains a timing side channel in ECDSA 
signature ...)
        - libcrypto++ <unfixed>
+       [bookworm] - libcrypto++ <no-dsa> (Minor issue)
+       [bullseye] - libcrypto++ <no-dsa> (Minor issue)
        NOTE: https://github.com/weidai11/cryptopp/issues/992
        NOTE: This issue exists because the CVE-2019-14318 fix was 
intentionally removed for
        NOTE: functionality reasons.
@@ -308,6 +311,7 @@ CVE-2023-XXXX [RUSTSEC-2023-0053: rustls-webpki: CPU denial 
of service in certif
        NOTE: https://github.com/briansmith/webpki/issues/69
 CVE-2023-XXXX [RUSTSEC-2023-0052 webpki: CPU denial of service in certificate 
path building]
        - rust-webpki <unfixed> (bug #1050299)
+       [bookworm] - rust-webpki <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
        NOTE: https://github.com/briansmith/webpki/issues/69
 CVE-2023-32184
@@ -18260,6 +18264,7 @@ CVE-2023-29453
        RESERVED
 CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> 
Geograph ...)
        - zabbix <unfixed>
+       [bookworm] - zabbix <no-dsa> (Minor issue)
        [bullseye] - zabbix <not-affected> (vulnerable code introduced later)
        [buster] - zabbix <not-affected> (vulnerable code introduced later)
        NOTE: https://support.zabbix.com/browse/ZBX-22981
@@ -40763,6 +40768,8 @@ CVE-2022-48175 (Rukovoditel v3.2.1 was discovered to 
contain a remote code execu
        NOT-FOR-US: Rukovoditel
 CVE-2022-48174 (There is a stack overflow vulnerability in ash.c:6030 in 
busybox befor ...)
        - busybox <unfixed>
+       [bookworm] - busybox <no-dsa> (Minor issue)
+       [bullseye] - busybox <no-dsa> (Minor issue)
        NOTE: https://bugs.busybox.net/show_bug.cgi?id=15216
        NOTE: 
https://git.busybox.net/busybox/commit/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209
 CVE-2022-48173
@@ -59580,6 +59587,8 @@ CVE-2022-43359 (Gifdec commit 
1dcbae19363597314f6623010cc80abad4e47f7c was disco
        NOT-FOR-US: Gifdec
 CVE-2022-43358 (Stack overflow vulnerability in ast_selectors.cpp: in function 
Sass::C ...)
        - libsass <unfixed>
+       [bookworm] - libsass <no-dsa> (Minor issue)
+       [bullseye] - libsass <no-dsa> (Minor issue)
        NOTE: https://github.com/sass/libsass/issues/3178
 CVE-2022-43357 (Stack overflow vulnerability in ast_selectors.cpp in function 
Sass::Co ...)
        TODO: check
@@ -131765,7 +131774,7 @@ CVE-2021-43400 (An issue was discovered in 
gatt-database.c in BlueZ 5.61. A use-
 CVE-2021-43399 (The Yubico YubiHSM YubiHSM2 library 2021.08, included in the 
yubihsm-s ...)
        NOT-FOR-US: yubihsm-shell
 CVE-2021-43398 (Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing 
leakage in ...)
-       - libcrypto++ <unfixed> (unimportant; bug #1000227)
+       NOTE: Disputed Crypto++ issue, also see #1000227
        NOTE: https://github.com/weidai11/cryptopp/issues/1080
        NOTE: As per upstream believed to be the expected behaviour:
        NOTE: 
https://github.com/weidai11/cryptopp/issues/1080#issuecomment-996492222


=====================================
data/dsa-needed.txt
=====================================
@@ -78,6 +78,8 @@ samba/oldstable
 --
 tiff
 --
+trafficserver
+--
 wpewebkit/oldstable
 --
 xrdp/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/295a6867d32df986c03bec7bc8fd879a51f5e641

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/295a6867d32df986c03bec7bc8fd879a51f5e641
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

Reply via email to