Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
910f13ec by Markus Koschany at 2024-04-21T00:04:52+02:00
Triage ffmpeg CVE as postponed for Buster.

We can wait until upstream fixes these issues in earlier releases.

- - - - -
dbf30577 by Markus Koschany at 2024-04-21T00:06:41+02:00
Add gunicorn to dla-needed.txt

- - - - -
6906ca1b by Markus Koschany at 2024-04-21T00:10:16+02:00
Add libmojolicious-perl to dla-needed.txt

- - - - -
c5c88137 by Markus Koschany at 2024-04-21T00:11:28+02:00
CVE-2024-28863,node-tar: buster is no-dsa

Minor issue

- - - - -
305978e5 by Markus Koschany at 2024-04-21T00:13:02+02:00
CVE-2024-3262,node-tar: buster is no-dsa

Minor issue

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -719,12 +719,14 @@ CVE-2024-31582 (FFmpeg version n6.1 was discovered to 
contain a heap buffer over
        - ffmpeg <unfixed>
        [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
        [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
+       [buster] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
        NOTE: Fixed by 
https://github.com/ffmpeg/ffmpeg/commit/99debe5f823f45a482e1dc08de35879aa9c74bd2
 (n7.0)
 CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper 
validation o ...)
        [experimental] - ffmpeg 7:7.0-1
        - ffmpeg <unfixed>
        [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
        [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
+       [buster] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
        NOTE: Fixed by 
https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196
 (n7.0)
 CVE-2024-31580 (PyTorch before v2.2.0 was discovered to contain a heap buffer 
overflow ...)
        - pytorch <unfixed>
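Review bot: The two added `[buster]` lines (CVE-2024-31582 and CVE-2024-31581) reuse the bullseye note "Pick up when fixed in 4.3.x", whereas the bookworm and bullseye lines each name their own upstream branch (5.1.x and 4.3.x). If buster's ffmpeg follows a different upstream branch, the note should name that branch, or state explicitly that the buster fix will be derived from the 4.3.x backport, so that whoever picks this up later knows which upstream release to watch.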
@@ -734,6 +736,7 @@ CVE-2024-31578 (FFmpeg version n6.1.1 was discovered to 
contain a heap use-after
        - ffmpeg <unfixed>
        [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
        [bullseye] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
+       [buster] - ffmpeg <postponed> (Pick up when fixed in 4.3.x)
        NOTE: Fixed by 
https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83c6fafee30270d69622ccad7
 (n7.0)
 CVE-2024-31463 (Ironic-image is an OpenStack Ironic deployment packaged and 
configured ...)
        TODO: check
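Review bot: The added `[buster]` line for CVE-2024-31578 postpones an issue reported against n6.1.1 and fixed in n7.0 without recording whether the affected code exists in buster's older ffmpeg. A short NOTE saying whether the vulnerable code is present there would tell the next triager whether this entry is waiting on a backport or could be closed as not-affected.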
@@ -5238,6 +5241,7 @@ CVE-2024-3262 (Information exposure vulnerability in RT 
software affecting versi
        - request-tracker4 <unfixed> (bug #1068452)
        [bookworm] - request-tracker4 <no-dsa> (Minor issue)
        [bullseye] - request-tracker4 <no-dsa> (Minor issue)
+       [buster] - request-tracker4 <no-dsa> (Minor issue)
        - request-tracker5 <unfixed> (bug #1068453)
        [bookworm] - request-tracker5 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a
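Review bot: The added `[buster]` line under CVE-2024-3262 is for request-tracker4, but the commit carrying this CVE id (305978e5) is titled "CVE-2024-3262,node-tar: buster is no-dsa". The package name in the subject appears to be carried over from the preceding node-tar commit; it should read request-tracker4 so that a log search by package finds this triage decision. The hunk also adds no `[buster]` line for request-tracker5, which is correct only if that package is not in buster.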
@@ -9638,6 +9642,7 @@ CVE-2024-28863 (node-tar is a Tar for Node.js. node-tar 
prior to version 6.2.1 h
        - node-tar 6.1.13+~cs7.0.5-2
        [bookworm] - node-tar <no-dsa> (Minor issue)
        [bullseye] - node-tar <no-dsa> (Minor issue)
+       [buster] - node-tar <no-dsa> (Minor issue)
        NOTE: 
https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36
        NOTE: 
https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7
 (v6.2.1)
 CVE-2024-28756 (The SolarEdge mySolarEdge application before 2.20.1 for 
Android has a  ...)


=====================================
data/dla-needed.txt
=====================================
@@ -101,6 +101,9 @@ frr (tobi)
 glibc (Adrian Bunk)
   NOTE: 20240419: Added by coordinator (santiago)
 --
+gunicorn
+  NOTE: 20240421: Added by Front-Desk (apo)
+--
 h2o
   NOTE: 20231228: Added by Front-Desk (lamby)
 --
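Review bot: The new gunicorn entry carries only the "Added by Front-Desk (apo)" note and does not say which CVE or issue prompted it. A second NOTE line naming the CVE id(s) to be fixed would let whoever claims the package see the scope without searching data/CVE/list.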
@@ -124,6 +127,9 @@ knot-resolver (Markus Koschany)
 less (Abhijith PA)
   NOTE: 20240418: Added by Front-Desk (apo)
 --
+libmojolicious-perl
+  NOTE: 20240421: Added by Front-Desk (apo)
+--
 libpgjava (Markus Koschany)
   NOTE: 20240308: Added by Front-Desk (opal)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7d5031c83601fd63aa508b0a09294f2cdfdeb1bb...305978e5b03877349498cdb27f60179f994a9eed



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
