Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ab1af125 by Adrian Bunk at 2024-04-11T13:52:29+03:00
Revert "Tinymce is not affected in buster, removing from dla-needed."

This reverts commit 21503da906963c312a371bf78d64f3c95b8ec67a.

<not-affected> annotations were without justification.

Also add a link to upstream CVE-2023-48219 fix.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -24635,17 +24635,14 @@ CVE-2024-0222 (Use after free in ANGLE in Google 
Chrome prior to 120.0.6099.199
        [buster] - chromium <end-of-life> (see DSA 5046)
 CVE-2024-21911 (TinyMCE versions before 5.6.0 are affected by a stored 
cross-site scri ...)
        - tinymce <removed>
-       [buster] - tinymce <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/tinymce/tinymce/security/advisories/GHSA-w7jx-j77m-wp65
 CVE-2024-21910 (TinyMCE versions before 5.10.0 are affected by a cross-site 
scripting  ...)
        - tinymce <removed>
-       [buster] - tinymce <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39
 CVE-2024-21909 (PeterO.Cbor versions 4.0.0 through 4.5.0 are vulnerable to a 
denial of ...)
        NOT-FOR-US: PeterO.Cbor
 CVE-2024-21908 (TinyMCE versions before 5.9.0 are affected by a stored 
cross-site scri ...)
        - tinymce <removed>
-       [buster] - tinymce <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg
 CVE-2024-21907 (Newtonsoft.Json before version 13.0.1 is affected by a 
mishandling of  ...)
        NOT-FOR-US: Newtonsoft.Json
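Review bot: the three removed `[buster] - tinymce <not-affected> (Vulnerable code not present)` lines for CVE-2024-21911, CVE-2024-21910 and CVE-2024-21908 are dropped without any replacement suite annotation, so buster falls back to the unqualified `- tinymce <removed>` state and the package shows up as unresolved in buster again. That is the intended effect of the revert, but the hunk gives the reader nothing to work from: the only evidence visible here is the three GHSA advisory NOTE links, and the upstream fix versions in the CVE descriptions (5.6.0, 5.10.0, 5.9.0). If the `<not-affected>` claim is later re-established, it should come back with a justification that can be checked, e.g. naming the file or feature the advisory concerns and why the buster source does not contain it, rather than the bare "Vulnerable code not present" wording that this commit is reverting.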
@@ -33298,7 +33295,7 @@ CVE-2023-4602 (The Namaste! LMS plugin for WordPress is 
vulnerable to Reflected
        NOT-FOR-US: WordPress plugin
 CVE-2023-48219 (TinyMCE is an open source rich text editor. A mutation 
cross-site scri ...)
        - tinymce <removed>
-       [buster] - tinymce <not-affected> (Vulnerable code not present)
+       NOTE: 
https://github.com/tinymce/tinymce/commit/751e35f1419a6a060ded397dda1b2945bacaa711
 CVE-2023-48089 (xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution 
(RCE) via / ...)
        NOT-FOR-US: XXL-Job
 CVE-2023-48088 (xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting 
(XSS) via /x ...)
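Review bot: the added line `NOTE: https://github.com/tinymce/tinymce/commit/751e35f1419a6a060ded397dda1b2945bacaa711` does not say what the link is; the commit message calls it the upstream fix for CVE-2023-48219, so the tracker's usual `NOTE: Fixed by: <url>` form would make that explicit in the data file itself instead of only in git history. As in the previous hunk, the removed `[buster] - tinymce <not-affected>` line has no replacement, so the buster status for this CVE is now the default unresolved one; since the dla-needed.txt notes in this same commit record that backportability of exactly this patch is unclear, a dated note on the CVE entry pointing at that open question would keep the two files consistent.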


=====================================
data/dla-needed.txt
=====================================
@@ -275,9 +275,11 @@ tiff (Thorsten Alteholz)
   NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. 
(roberto)
 --
 tinymce
-  NOTE: 20240404: Added by Front-Desk (lamby)
-  NOTE: 20240404: May be v. difficult to backport and/or not even vulnerable. 
(lamby)
-  NOTE: 20240404: Check Ola's commit message in 21503da906. (lamby)
+  NOTE: 20231123: Added by Front-Desk (ola)
+  NOTE: 20231216: Someone with more XSS experience needed to assess the
+  NOTE: 20231216: severity of CVE-2023-48219.  Also not clear to me that
+  NOTE: 20231216: upstream's patch is backportable, as the code has changed a
+  NOTE: 20231216: lot.  (spwhitton)
 --
 tzdata (Emilio)
   NOTE: 20240327: Added by pochu
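Review bot: the replacement block restores the 20231123 and 20231216 notes but discards all three 20240404 lines, including the pointer to commit 21503da906 that the commit message says is being reverted, so a reader of dla-needed.txt alone can no longer tell that the entry was removed and then re-added. Consider keeping a dated line such as `NOTE: 20240411: Re-added; the <not-affected> annotations from 21503da906 had no justification. (bunk)` (the initials are a placeholder for the real author tag) below the restored notes. The restored 20231216 text also leaves two questions open, the severity of CVE-2023-48219 and whether upstream's patch is backportable, and nothing in this change answers either, so the entry should probably carry an explicit "needs assessment" note rather than reading as if the December state were current.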



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab1af1251027036c394e2320ad98cf7370b953ee



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
