Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker
Commits: ab1af125 by Adrian Bunk at 2024-04-11T13:52:29+03:00 Revert "Tinymce is not affected in buster, removing from dla-needed." This reverts commit 21503da906963c312a371bf78d64f3c95b8ec67a. <not-affected> annotations were without justification. Also add a link to upstream CVE-2023-48219 fix. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -24635,17 +24635,14 @@ CVE-2024-0222 (Use after free in ANGLE in Google Chrome prior to 120.0.6099.199 [buster] - chromium <end-of-life> (see DSA 5046) CVE-2024-21911 (TinyMCE versions before 5.6.0 are affected by a stored cross-site scri ...) - tinymce <removed> - [buster] - tinymce <not-affected> (Vulnerable code not present) NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-w7jx-j77m-wp65 CVE-2024-21910 (TinyMCE versions before 5.10.0 are affected by a cross-site scripting ...) - tinymce <removed> - [buster] - tinymce <not-affected> (Vulnerable code not present) NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39 CVE-2024-21909 (PeterO.Cbor versions 4.0.0 through 4.5.0 are vulnerable to a denial of ...) NOT-FOR-US: PeterO.Cbor CVE-2024-21908 (TinyMCE versions before 5.9.0 are affected by a stored cross-site scri ...) - tinymce <removed> - [buster] - tinymce <not-affected> (Vulnerable code not present) NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg CVE-2024-21907 (Newtonsoft.Json before version 13.0.1 is affected by a mishandling of ...) NOT-FOR-US: Newtonsoft.Json 
@@ -33298,7 +33295,7 @@ CVE-2023-4602 (The Namaste! LMS plugin for WordPress is vulnerable to Reflected NOT-FOR-US: WordPress plugin CVE-2023-48219 (TinyMCE is an open source rich text editor. A mutation cross-site scri ...) - tinymce <removed> - [buster] - tinymce <not-affected> (Vulnerable code not present) + NOTE: https://github.com/tinymce/tinymce/commit/751e35f1419a6a060ded397dda1b2945bacaa711 CVE-2023-48089 (xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via / ...) NOT-FOR-US: XXL-Job CVE-2023-48088 (xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /x ...) ===================================== data/dla-needed.txt ===================================== @@ -275,9 +275,11 @@ tiff (Thorsten Alteholz) NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) -- tinymce - NOTE: 20240404: Added by Front-Desk (lamby) - NOTE: 20240404: May be v. difficult to backport and/or not even vulnerable. (lamby) - NOTE: 20240404: Check Ola's commit message in 21503da906. (lamby) + NOTE: 20231123: Added by Front-Desk (ola) + NOTE: 20231216: Someone with more XSS experience needed to assess the + NOTE: 20231216: severity of CVE-2023-48219. Also not clear to me that + NOTE: 20231216: upstream's patch is backportable, as the code has changed a + NOTE: 20231216: lot. (spwhitton) -- tzdata (Emilio) NOTE: 20240327: Added by pochu View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab1af1251027036c394e2320ad98cf7370b953ee
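Review bot: In the first data/CVE/list hunk (@@ -24635), the three `[buster] - tinymce <not-affected> (Vulnerable code not present)` lines for CVE-2024-21911, CVE-2024-21910 and CVE-2024-21908 are dropped without any replacement NOTE, so the entries carry no trace that the buster status was contested and reverted. Since the commit message says the annotations lacked justification, consider adding a dated NOTE under each entry (for example "NOTE: buster status pending source check") so the next triager does not re-add the same `<not-affected>` line from the reverted commit without first recording which code path in the buster tinymce source was inspected.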
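Review bot: In the second data/CVE/list hunk (@@ -33298), the added `NOTE: https://github.com/tinymce/tinymce/commit/751e35f1419a6a060ded397dda1b2945bacaa711` records the upstream fix for CVE-2023-48219, but unlike the CVE-2024-2191x entries in the previous hunk, which cite the GHSA advisory URL, this entry has no advisory reference and the NOTE does not say which upstream release first contains the commit. Consider adding the advisory link alongside the commit and a short NOTE giving the fixed upstream version, so the version comparison against the buster package can be made from the entry alone.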
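Review bot: In the data/dla-needed.txt hunk (@@ -275), the three `NOTE: 20240404:` lines from lamby are deleted rather than kept above the restored `NOTE: 20231123:` and `NOTE: 20231216:` lines, so the chronological NOTE log for the tinymce entry loses the record that the entry was removed and then reinstated. Consider keeping lamby's lines and appending a new dated NOTE explaining the revert (that the `<not-affected>` annotations were dropped for lack of justification, as the commit message says), so the entry reads as a continuous history; spwhitton's 20231216 remark that upstream's patch may not be backportable and lamby's 20240404 remark to the same effect then sit together as the open question for the assessor.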
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits