Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 756240f9 by Moritz Muehlenhoff at 2023-10-26T14:14:21+02:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -331,6 +331,8 @@ CVE-2023-5758 (When opening a page in reader mode, the redirect URL could have c NOTE: https://www.mozilla.org/security/advisories/mfsa2023-48/ CVE-2023-5752 (When installing a package from a Mercurial VCS URL (ie "pip install ...) - python-pip 23.3+dfsg-1 + [bookworm] - python-pip <no-dsa> (Minor issue) + [bullseye] - python-pip <no-dsa> (Minor issue) NOTE: https://github.com/pypa/pip/pull/12306 NOTE: https://mail.python.org/archives/list/security-annou...@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/ CVE-2023-5311 (The WP EXtra plugin for WordPress is vulnerable to unauthorized modifi ...) @@ -705,8 +707,9 @@ CVE-2023-46332 (WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in - wabt <unfixed> NOTE: https://github.com/WebAssembly/wabt/issues/2311 CVE-2023-46331 (WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in in DataSegm ...) - - wabt <unfixed> + - wabt <unfixed> (unimportant) NOTE: https://github.com/WebAssembly/wabt/issues/2310 + NOTE: Crash in CLI tool, no security impact CVE-2023-46127 (Frappe is a full-stack web application framework that uses Python and ...) NOT-FOR-US: Frappe Framework CVE-2023-46122 (sbt is a build tool for Scala, Java, and others. Given a specially cra ...) 
@@ -895,6 +898,8 @@ CVE-2023-38275 (IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensit CVE-2023-5349 [memory leak] {DLA-3625-1} - ruby-rmagick 5.3.0-1 + [bookworm] - ruby-rmagick <no-dsa> (Minor issue) + [bullseye] - ruby-rmagick <no-dsa> (Minor issue) NOTE: https://github.com/rmagick/rmagick/pull/1406 NOTE: https://github.com/rmagick/rmagick/commit/fec7a7e639ae565386f7615155dbcf49b957b64a (RMagick_5-3-0) CVE-2023-5684 (A vulnerability was found in Beijing Baichuo Smart S85F Management Pla ...) @@ -1201,6 +1206,8 @@ CVE-2023-4021 (The Modern Events Calendar lite plugin for WordPress is vulnerabl NOT-FOR-US: WordPress plugin CVE-2023-46277 (please (aka pleaser) through 0.5.4 allows privilege escalation through ...) - rust-pleaser <unfixed> (bug #1054289) + [bookworm] - rust-pleaser <no-dsa> (Minor issue) + [bullseye] - rust-pleaser <no-dsa> (Minor issue) NOTE: https://gitlab.com/edneville/please/-/issues/13 NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0066.html CVE-2023-46267 @@ -4780,6 +4787,8 @@ CVE-2023-43739 (The 'bookisbn' parameter of the cart.php resource does not vali NOT-FOR-US: Online Book Store Project CVE-2023-43665 [Denial-of-service possibility in django.utils.text.Truncator] - python-django 3:4.2.6-1 (bug #1053475) + [bookworm] - python-django <postponed> (Minor issue, fix along in future update) + [bullseye] - python-django <postponed> (Minor issue, fix along in future update) NOTE: https://www.openwall.com/lists/oss-security/2023/10/04/6 NOTE: https://www.djangoproject.com/weblog/2023/oct/04/security-releases/ NOTE: https://github.com/django/django/commit/17b51094d778b421bb2b3aae0c270894b050455d (main) 
@@ -5512,6 +5521,8 @@ CVE-2023-5157 (A vulnerability was found in MariaDB. An OpenVAS port scan on por - galera-4 26.4.13-1 [bullseye] - galera-4 <no-dsa> (Minor issue; can be fixed via point release) - galera-3 <unfixed> (bug #1053476) + [bookworm] - galera-3 <no-dsa> (Minor issue) + [bullseye] - galera-3 <no-dsa> (Minor issue) NOTE: https://jira.mariadb.org/browse/MDEV-25068 CVE-2023-5115 [malicious role archive can cause ansible-galaxy to overwrite arbitrary files] - ansible-core 2.14.11-1 (bug #1053693) @@ -28611,12 +28622,16 @@ CVE-2023-29409 (Extremely large RSA keys in certificate chains can cause a clien NOTE: https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI CVE-2023-29408 (The TIFF decoder does not place a limit on the size of compressed tile ...) - golang-golang-x-image <unfixed> (bug #1043159) + [bookworm] - golang-golang-x-image <no-dsa> (Minor issue) + [bullseye] - golang-golang-x-image <no-dsa> (Minor issue) [buster] - golang-golang-x-image <no-dsa> (Limited support, minor issue, DoS) NOTE: https://go.dev/issue/61582 NOTE: https://go.dev/cl/514897 NOTE: https://github.com/golang/image/commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d (v0.10.0) CVE-2023-29407 (A maliciously-crafted image can cause excessive CPU consumption in dec ...) - golang-golang-x-image <unfixed> (bug #1043159) + [bookworm] - golang-golang-x-image <no-dsa> (Minor issue) + [bullseye] - golang-golang-x-image <no-dsa> (Minor issue) [buster] - golang-golang-x-image <no-dsa> (Limited support, minor issue, DoS) NOTE: https://go.dev/issue/61581 NOTE: https://go.dev/cl/514897 ===================================== data/dsa-needed.txt ===================================== @@ -21,6 +21,8 @@ chromium (dilinger, jmm) -- cinder/oldstable -- +fastdds +-- gpac/oldstable (jmm) -- jetty9 @@ -35,6 +37,8 @@ linux (carnil) nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- +nghttp2 +-- nodejs maintainer proposed to follow the upstream 18.x LTS branch -- 
@@ -87,6 +91,8 @@ salt/oldstable -- samba/oldstable -- +squid +-- thunderbird (jmm) -- tiff (aron) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/756240f92d28fdc125109985e6e5193aec95aee5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/756240f92d28fdc125109985e6e5193aec95aee5 You're receiving this email because of your account on salsa.debian.org.
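Review bot: In the data/CVE/list hunk at @@ -705,8 +707,9 @@, downgrading CVE-2023-46331 to `(unimportant)` with the note "Crash in CLI tool, no security impact" leaves the neighbouring CVE-2023-46332 entry (an Out-of-Bound Memory Write in the same wabt 1.0.33, same `- wabt <unfixed>` status, adjacent upstream issue 2311) with no severity tag and no rationale. If the same reasoning applies to the write, which is the more serious of the two, it should get the same tag and NOTE; if it does not, a one-line NOTE on why the two are triaged differently saves the next person from re-reading both upstream issues.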
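Review bot: In the data/CVE/list hunk at @@ -1201,6 +1206,8 @@, the new `[bookworm]` and `[bullseye]` `<no-dsa> (Minor issue)` lines for CVE-2023-46277 give no rationale, while the visible description says the bug "allows privilege escalation" in a tool whose purpose is granting elevated privileges and the package is still `<unfixed>` in unstable (bug #1054289). A NOTE recording why this is considered minor (for instance what the linked RUSTSEC-2023-0066 advisory says is needed to trigger it) would document the decision the way the wabt entry in this same commit does.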
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits