Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2a8f25ba by Moritz Mühlenhoff at 2024-03-13T09:58:16+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -583,6 +583,8 @@ CVE-2024-1487 (The Photos and Files Contest Gallery 
WordPress plugin before 21.3
        NOT-FOR-US: WordPress plugin
 CVE-2024-1441 (An off-by-one error flaw was found in the 
udevListInterfacesByStatus() ...)
        - libvirt <unfixed> (bug #1066058)
+       [bookworm] - libvirt <no-dsa> (Minor issue)
+       [bullseye] - libvirt <no-dsa> (Minor issue)
        NOTE: Introduced by: 
https://gitlab.com/libvirt/libvirt/-/commit/5a33366f5c0b18c93d161bd144f9f079de4ac8ca
 (v1.0.0-rc1)
        NOTE: Introduced by: 
https://gitlab.com/libvirt/libvirt/-/commit/d6064e2759a24e0802f363e3a810dc5a7d7ebb15
 (v5.10.0-rc1)
        NOTE: Fixed by: 
https://gitlab.com/libvirt/libvirt/-/commit/c664015fe3a7bf59db26686e9ed69af011c6ebb8
 (v10.1.0)
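Review bot: The two added <no-dsa> lines give only "(Minor issue)" as the rationale for an off-by-one error in udevListInterfacesByStatus(); the systemd line for CVE-2023-50387 elsewhere in this commit shows the more useful form (a concrete reason plus "can be fixed via point release"), and matching it here would record whether a bookworm/bullseye point-release update is intended. The entry also carries two "Introduced by" NOTE lines (v1.0.0-rc1 and v5.10.0-rc1); if the second commit is what makes the bookworm/bullseye versions affected, saying so next to the rationale keeps the triage reproducible.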
@@ -636,9 +638,13 @@ CVE-2024-2363 (** UNSUPPORTED WHEN ASSIGNED ** A 
vulnerability was found in AOL
        NOT-FOR-US: AOL AIM Triton
 CVE-2024-2314 (If kernel headers need to be extracted, bcc will attempt to 
load them  ...)
        - bpfcc <unfixed>
+       [bookworm] - bpfcc <no-dsa> (Minor issue)
+       [bullseye] - bpfcc <no-dsa> (Minor issue)
        NOTE: 
https://github.com/iovisor/bcc/commit/008ea09e891194c072f2a9305a3c872a241dc342
 CVE-2024-2313 (If kernel headers need to be extracted, bpftrace will attempt 
to load  ...)
        - bpftrace <unfixed>
+       [bookworm] - bpftrace <no-dsa> (Minor issue)
+       [bullseye] - bpftrace <no-dsa> (Minor issue)
        NOTE: 
https://github.com/bpftrace/bpftrace/commit/4be4b7191acb8218240e6b7178c30fa8c9b59998
 CVE-2024-2184 (Buffer overflow in identifier field of WSD probe request 
process of Sm ...)
        NOT-FOR-US: Small Office Multifunction Printers and Laser Printers 
(Canon)
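Review bot: bpfcc and bpftrace are both <unfixed> in unstable with no "(bug #...)" reference, unlike the libvirt and python-multipart entries in this commit; once bookworm and bullseye are <no-dsa>, the unstable upload is the only remaining fix path, so a Debian bug pointing at the upstream commits already recorded in the NOTE lines (008ea09e... for bcc, 4be4b719... for bpftrace) should be filed and referenced here. "(Minor issue)" could also state briefly why the kernel-header loading described in both CVE texts is considered low impact, so the two identical decisions can be revisited together if that assessment changes.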
@@ -1478,7 +1484,9 @@ CVE-2024-24785 (If errors returned from MarshalJSON 
methods contain user control
        - golang-1.22 1.22.1-1
        - golang-1.21 1.21.8-1
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        NOTE: https://github.com/golang/go/issues/65697
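Review bot: The added [bullseye] golang-1.15 <no-dsa> line sits directly above a buster annotation that tells readers to "follow bullseye DSAs/point-releases"; with bullseye now marked no-dsa there is no bullseye DSA to follow, so either extend the rationale to say a point-release update is planned (the systemd line for CVE-2023-50387 uses "can be fixed via point release") or reword the buster line so it no longer points at a fix that is not coming.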
@@ -1488,7 +1496,9 @@ CVE-2024-24784 (The ParseAddressList function incorrectly 
handles comments (text
        - golang-1.22 1.22.1-1
        - golang-1.21 1.21.8-1
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        NOTE: https://github.com/golang/go/issues/65083
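Review bot: As in the CVE-2024-24785 entry above, the new [bullseye] golang-1.15 <no-dsa> (Minor issue) line leaves the buster "follow bullseye DSAs/point-releases" annotation without anything to follow; a short statement of whether a bullseye point-release update is intended would resolve that for this entry.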
@@ -1498,7 +1508,9 @@ CVE-2024-24783 (Verifying a certificate chain which 
contains a certificate with
        - golang-1.22 1.22.1-1
        - golang-1.21 1.21.8-1
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        NOTE: https://github.com/golang/go/issues/65390
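Review bot: "(Minor issue)" is a thin rationale for the bookworm/bullseye <no-dsa> lines here, since the hunk header describes a certificate-chain verification problem; one clause on why the impact is limited, next to the existing NOTE link, would make this decision auditable later without re-reading the upstream issue.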
@@ -1516,7 +1528,9 @@ CVE-2023-45290 (When parsing a multipart form (either 
explicitly with Request.Pa
        - golang-1.22 1.22.1-1
        - golang-1.21 1.21.8-1
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        NOTE: https://github.com/golang/go/issues/65383
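Review bot: golang-1.19 and golang-1.15 are <removed> from unstable, so the two added <no-dsa> lines are the only place a bookworm/bullseye fix for this multipart-form parsing issue would ever be tracked; the NOTE records just the upstream issue, so adding the upstream fix reference (the fixed Debian versions listed, 1.22.1-1 and 1.21.8-1, are for different source packages) would tell a later point-release backport what to cherry-pick.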
@@ -1526,7 +1540,9 @@ CVE-2023-45289 (When following an HTTP redirect to a 
domain which is not a subdo
        - golang-1.22 1.22.1-1
        - golang-1.21 1.21.8-1
        - golang-1.19 <removed>
+       [bookworm] - golang-1.19 <no-dsa> (Minor issue)
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
        NOTE: https://github.com/golang/go/issues/65065
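Review bot: This is the fifth golang entry in this commit with the identical pattern (bookworm golang-1.19 and bullseye golang-1.15 both <no-dsa> (Minor issue) under a buster line that defers to bullseye DSAs/point-releases); if these five are meant to be batched into one bookworm/bullseye point-release update, saying so in each rationale would keep them together instead of five independent "Minor issue" markers.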
@@ -7405,6 +7421,7 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS 
protocol (in RFC 4033, 4034, 4
        [bullseye] - knot-resolver <ignored> (Too intrusive to backport, if 
DNSSEC is used Bookworm can be used)
        [buster] - knot-resolver <ignored> (Too intrusive to backport)
        - pdns-recursor 4.9.3-1 (bug #1063852)
+       [bullseye] - pdns-recursor <ignored> (Too intrusive to backport, if 
DNSSEC is used Bookworm can be used)
        - unbound 1.19.1-1 (bug #1063845)
        - systemd 255.4-1
        [bookworm] - systemd <no-dsa> (DNSSEC is disabled by default in 
systemd-resolved; can be fixed via point release)
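Review bot: The added [bullseye] pdns-recursor <ignored> line has no matching [buster] line, while knot-resolver in the same entry carries both bullseye and buster annotations; if pdns-recursor in buster is also affected and equally intrusive to backport, add the buster line (or mark it not affected) so the two resolvers are triaged consistently. The rationale text copied from knot-resolver ("if DNSSEC is used Bookworm can be used") is fine as the recommended mitigation.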
@@ -7445,6 +7462,7 @@ CVE-2023-50868 (The Closest Encloser Proof aspect of the 
DNS protocol (in RFC 51
        [bullseye] - knot-resolver <ignored> (Too intrusive to backport, if 
DNSSEC is used Bookworm can be used)
        [buster] - knot-resolver <ignored> (Too intrusive to backport, if 
DNSSEC is used Bookworm can be used)
        - pdns-recursor 4.9.3-1 (bug #1063852)
+       [bullseye] - pdns-recursor <ignored> (Too intrusive to backport, if 
DNSSEC is used Bookworm can be used)
        - unbound 1.19.1-1 (bug #1063845)
        - systemd 255.4-1
        [bookworm] - systemd <no-dsa> (DNSSEC is disabled by default in 
systemd-resolved; can be fixed via point release)
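Review bot: Same gap as in CVE-2023-50387 above: pdns-recursor gets a [bullseye] <ignored> line but no [buster] line, whereas knot-resolver in this entry has both; since both CVEs share the same unstable fix (4.9.3-1, bug #1063852), the pdns-recursor annotations for the two entries should stay identical, which they currently do, but the buster status should be recorded in both.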
@@ -8985,6 +9003,8 @@ CVE-2024-24768 (1Panel is an open source Linux server 
operation and maintenance
        NOT-FOR-US: 1Panel
 CVE-2024-24762 (`python-multipart` is a streaming multipart parser for Python. 
When us ...)
        - python-multipart 0.0.9-1 (bug #1063538)
+       [bookworm] - python-multipart <no-dsa> (Minor issue)
+       [bullseye] - python-multipart <no-dsa> (Minor issue)
        NOTE: Original report at fastapi: 
https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389
        NOTE: But the fix is within python-multipart:
        NOTE: 
https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4
 (0.0.7)
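Review bot: The fixing commit is already identified in the NOTE lines (20f0ef6b..., released in 0.0.7), so the bookworm/bullseye "(Minor issue)" rationale should say whether that commit will be backported via point release or the issue is being left unfixed there, as the systemd entries in this commit do with "can be fixed via point release"; as written, the status does not distinguish the two outcomes.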


=====================================
data/dsa-needed.txt
=====================================
@@ -22,8 +22,12 @@ dav1d
 --
 dnsdist (jmm)
 --
+dnsmasq
+--
 expat (carnil)
 --
+fontforge
+--
 frr
 --
 gpac/oldstable
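Review bot: dnsmasq and fontforge are added without a suite suffix, while gpac/oldstable two lines below shows the convention for scoping an entry to one suite; if only stable or only oldstable needs the DSA, add the suffix so the entry does not read as needing both. Both entries are inserted in correct alphabetical position and, like frr, carry no assignee, which this file permits.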
@@ -85,6 +89,8 @@ ruby3.1/stable
 --
 ruby-nokogiri/oldstable
 --
+ruby-rack
+--
 ruby-rails-html-sanitizer
 --
 ruby-sinatra/oldstable
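Review bot: ruby-rack is added unscoped between neighbours that are all suite-scoped (ruby-nokogiri/oldstable, ruby-sinatra/oldstable, ruby3.1/stable); if ruby-rack needs a DSA for both stable and oldstable that is correct, otherwise add the /stable or /oldstable suffix used by the surrounding entries. Alphabetical placement is correct.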



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a8f25ba580442788930760d6b1673e6712772b7



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
