Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
756240f9 by Moritz Muehlenhoff at 2023-10-26T14:14:21+02:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -331,6 +331,8 @@ CVE-2023-5758 (When opening a page in reader mode, the 
redirect URL could have c
        NOTE: https://www.mozilla.org/security/advisories/mfsa2023-48/
 CVE-2023-5752 (When installing a package from a Mercurial VCS URL  (ie "pip 
install   ...)
        - python-pip 23.3+dfsg-1
+       [bookworm] - python-pip <no-dsa> (Minor issue)
+       [bullseye] - python-pip <no-dsa> (Minor issue)
        NOTE: https://github.com/pypa/pip/pull/12306
        NOTE: 
https://mail.python.org/archives/list/security-annou...@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
 CVE-2023-5311 (The WP EXtra plugin for WordPress is vulnerable to unauthorized 
modifi ...)
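Review bot: The two new <no-dsa> lines for python-pip record only "(Minor issue)" as the reason, whereas the galera-4 entry later in this same commit spells out "Minor issue; can be fixed via point release". State on these two lines whether the 23.3+dfsg-1 fix is expected to reach bullseye and bookworm through a point release or not at all, so the next triage pass does not have to re-derive the decision.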
@@ -705,8 +707,9 @@ CVE-2023-46332 (WebAssembly wabt 1.0.33 contains an 
Out-of-Bound Memory Write in
        - wabt <unfixed>
        NOTE: https://github.com/WebAssembly/wabt/issues/2311
 CVE-2023-46331 (WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in in 
DataSegm ...)
-       - wabt <unfixed>
+       - wabt <unfixed> (unimportant)
        NOTE: https://github.com/WebAssembly/wabt/issues/2310
+       NOTE: Crash in CLI tool, no security impact
 CVE-2023-46127 (Frappe is a full-stack web application framework that uses 
Python and  ...)
        NOT-FOR-US: Frappe Framework
 CVE-2023-46122 (sbt is a build tool for Scala, Java, and others. Given a 
specially cra ...)
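Review bot: The "(unimportant)" tag and the "Crash in CLI tool, no security impact" NOTE are added only to CVE-2023-46331 (the out-of-bounds read), while the sibling CVE-2023-46332 directly above, an out-of-bounds write in the same wabt 1.0.33 release that is also left at "wabt <unfixed>", gets no severity at all. If the write is likewise confined to the CLI tools, say so on that entry too; if not, an unqualified out-of-bounds write should not inherit the "unimportant" reading by proximity.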
@@ -895,6 +898,8 @@ CVE-2023-38275 (IBM Cognos Dashboards on Cloud Pak for Data 
4.7.0 exposes sensit
 CVE-2023-5349 [memory leak]
        {DLA-3625-1}
        - ruby-rmagick 5.3.0-1
+       [bookworm] - ruby-rmagick <no-dsa> (Minor issue)
+       [bullseye] - ruby-rmagick <no-dsa> (Minor issue)
        NOTE: https://github.com/rmagick/rmagick/pull/1406
        NOTE: 
https://github.com/rmagick/rmagick/commit/fec7a7e639ae565386f7615155dbcf49b957b64a
 (RMagick_5-3-0)
 CVE-2023-5684 (A vulnerability was found in Beijing Baichuo Smart S85F 
Management Pla ...)
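Review bot: This entry already carries {DLA-3625-1}, so LTS judged the ruby-rmagick leak worth an update, yet bullseye and bookworm now get <no-dsa> with the bare reason "(Minor issue)". Add a word on why the two supported releases are handled differently from LTS, for instance whether a point-release update is intended, since <no-dsa> alone does not say whether the 5.3.0-1 fix will ever be backported.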
@@ -1201,6 +1206,8 @@ CVE-2023-4021 (The Modern Events Calendar lite plugin for 
WordPress is vulnerabl
        NOT-FOR-US: WordPress plugin
 CVE-2023-46277 (please (aka pleaser) through 0.5.4 allows privilege escalation 
through ...)
        - rust-pleaser <unfixed> (bug #1054289)
+       [bookworm] - rust-pleaser <no-dsa> (Minor issue)
+       [bullseye] - rust-pleaser <no-dsa> (Minor issue)
        NOTE: https://gitlab.com/edneville/please/-/issues/13
        NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0066.html
 CVE-2023-46267
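Review bot: The description of CVE-2023-46277 begins "allows privilege escalation through ...", yet the only recorded rationale for <no-dsa> on both releases is "(Minor issue)". For an issue classed as privilege escalation, add a NOTE line summarising the mitigating condition that makes it minor, drawn from the two references already on the entry (gitlab issue 13 and RUSTSEC-2023-0066), so the severity call can be checked without re-reading upstream.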
@@ -4780,6 +4787,8 @@ CVE-2023-43739 (The 'bookisbn' parameter of the cart.php 
resource  does not vali
        NOT-FOR-US: Online Book Store Project
 CVE-2023-43665 [Denial-of-service possibility in django.utils.text.Truncator]
        - python-django 3:4.2.6-1 (bug #1053475)
+       [bookworm] - python-django <postponed> (Minor issue, fix along in 
future update)
+       [bullseye] - python-django <postponed> (Minor issue, fix along in 
future update)
        NOTE: https://www.openwall.com/lists/oss-security/2023/10/04/6
        NOTE: 
https://www.djangoproject.com/weblog/2023/oct/04/security-releases/
        NOTE: 
https://github.com/django/django/commit/17b51094d778b421bb2b3aae0c270894b050455d
 (main)
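Review bot: Both <postponed> lines carry the same free-text reason "Minor issue, fix along in future update", but the only fix reference on the entry is the commit on django "main". For a fix that is meant to ride along with a later stable update, also record the upstream backport commit for the branches bullseye and bookworm ship once it is known, otherwise whoever prepares that update has to locate it again.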
@@ -5512,6 +5521,8 @@ CVE-2023-5157 (A vulnerability was found in MariaDB. An 
OpenVAS port scan on por
        - galera-4 26.4.13-1
        [bullseye] - galera-4 <no-dsa> (Minor issue; can be fixed via point 
release)
        - galera-3 <unfixed> (bug #1053476)
+       [bookworm] - galera-3 <no-dsa> (Minor issue)
+       [bullseye] - galera-3 <no-dsa> (Minor issue)
        NOTE: https://jira.mariadb.org/browse/MDEV-25068
 CVE-2023-5115 [malicious role archive can cause ansible-galaxy to overwrite 
arbitrary files]
        - ansible-core 2.14.11-1 (bug #1053693)
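Review bot: For the same CVE the existing [bullseye] galera-4 line reads "Minor issue; can be fixed via point release" while the two new galera-3 lines say only "Minor issue"; align the wording so it is clear whether galera-3 in bullseye and bookworm is also expected to be fixed via a point release. Note that galera-3 is still "<unfixed>" in unstable (bug #1053476), so there is no fixed version to backport from yet.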
@@ -28611,12 +28622,16 @@ CVE-2023-29409 (Extremely large RSA keys in 
certificate chains can cause a clien
        NOTE: https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI
 CVE-2023-29408 (The TIFF decoder does not place a limit on the size of 
compressed tile ...)
        - golang-golang-x-image <unfixed> (bug #1043159)
+       [bookworm] - golang-golang-x-image <no-dsa> (Minor issue)
+       [bullseye] - golang-golang-x-image <no-dsa> (Minor issue)
        [buster] - golang-golang-x-image <no-dsa> (Limited support, minor 
issue, DoS)
        NOTE: https://go.dev/issue/61582
        NOTE: https://go.dev/cl/514897
        NOTE: 
https://github.com/golang/image/commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d 
(v0.10.0)
 CVE-2023-29407 (A maliciously-crafted image can cause excessive CPU 
consumption in dec ...)
        - golang-golang-x-image <unfixed> (bug #1043159)
+       [bookworm] - golang-golang-x-image <no-dsa> (Minor issue)
+       [bullseye] - golang-golang-x-image <no-dsa> (Minor issue)
        [buster] - golang-golang-x-image <no-dsa> (Limited support, minor 
issue, DoS)
        NOTE: https://go.dev/issue/61581
        NOTE: https://go.dev/cl/514897
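Review bot: The existing [buster] lines on both CVE-2023-29408 and CVE-2023-29407 record the impact class ("Limited support, minor issue, DoS"), but the new [bookworm]/[bullseye] lines reduce it to "Minor issue". Keep the DoS qualifier on the new lines: both CVEs remain "<unfixed>" in unstable under bug #1043159, and the recorded reason is what the next person uses to decide whether the v0.10.0 fix at cb227cd2 is worth a point-release backport.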


=====================================
data/dsa-needed.txt
=====================================
@@ -21,6 +21,8 @@ chromium (dilinger, jmm)
 --
 cinder/oldstable
 --
+fastdds
+--
 gpac/oldstable (jmm)
 --
 jetty9
@@ -35,6 +37,8 @@ linux (carnil)
 nbconvert/oldstable
   Guilhem Moulin proposed an update ready for review
 --
+nghttp2
+--
 nodejs
   maintainer proposed to follow the upstream 18.x LTS branch
 --
@@ -87,6 +91,8 @@ salt/oldstable
 --
 samba/oldstable
 --
+squid
+--
 thunderbird (jmm)
 --
 tiff (aron)
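Review bot: fastdds, nghttp2 and squid are added to dsa-needed.txt without a claimant (other entries carry one in parentheses, e.g. "gpac/oldstable (jmm)") and without a release suffix or status line such as the one under nbconvert/oldstable, and none of the three packages is touched by the data/CVE/list hunks in this commit. Unclaimed entries are consistent with the file's format, but a "/oldstable" suffix where only bullseye is affected, or a one-line status naming the CVE that triggered the entry, would make the queue actionable without opening the tracker.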



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/756240f92d28fdc125109985e6e5193aec95aee5



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
