Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: 74696943 by Markus Koschany at 2024-04-21T23:11:59+02:00 CVE-2024-31497,filezilla: buster is no-dsa Minor issue. - - - - - 8bc9a7e7 by Markus Koschany at 2024-04-21T23:11:59+02:00 Add nghttp2 to dla-needed.txt - - - - - efec8650 by Markus Koschany at 2024-04-21T23:11:59+02:00 Add python-idna to dla-needed.txt - - - - - 51771358 by Markus Koschany at 2024-04-21T23:12:01+02:00 CVE-2024-3446,CVE-2024-3447,CVE-2024-3567,qemu: buster is no-dsa Minor issues. It is good practice not to run qemu directly as a privileged user. - - - - - 0e9b47d2 by Markus Koschany at 2024-04-21T23:12:01+02:00 Add tryton-server to dla-needed.txt and claim it - - - - - 7a3f0d28 by Markus Koschany at 2024-04-21T23:12:02+02:00 CVE-2024-31047,openexr: buster is no-dsa Minor issue - - - - - 76475ee7 by Markus Koschany at 2024-04-21T23:12:03+02:00 CVE-2024-32462,flatpak: buster is ignored We have previously marked sandbox escape issues as ignored because they were either intrusive to backport or could be easily mitigated. Although the fix for CVE-2024-32462 seems straightforward, the whole application should be upgraded to the version in Bullseye in my opinion. Since we approach the end of the Buster LTS cycle I am going to mark CVE-2024-32462 as ignored too. - - - - - 76d860ac by Markus Koschany at 2024-04-21T23:12:03+02:00 Add astropy to dla-needed.txt - - - - - d913e443 by Markus Koschany at 2024-04-21T23:12:03+02:00 Add php7.3 to dla-needed.txt and claim it - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -428,6 +428,7 @@ CVE-2024-32466 (Tolgee is an open-source localization platform. For the `/v2/pro CVE-2024-32462 (Flatpak is a system for building, distributing, and running sandboxed ...) {DSA-5666-1} - flatpak 1.14.6-1 + [buster] - flatpak <ignored> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/04/18/5 NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj NOTE: Fixed by: https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 (1.15.8) @@ -2113,6 +2114,7 @@ CVE-2024-31497 (In PuTTY 0.68 through 0.80 before 0.81, biased ECDSA nonce gener - filezilla 3.67.0-1 [bookworm] - filezilla <no-dsa> (Minor issue) [bullseye] - filezilla <no-dsa> (Minor issue) + [buster] - filezilla <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/04/15/6 NOTE: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html CVE-2024-3804 (A vulnerability, which was classified as critical, has been found in V ...) @@ -3149,6 +3151,7 @@ CVE-2024-3567 (A flaw was found in QEMU. An assertion failure was present in the - qemu <unfixed> (bug #1068822) [bookworm] - qemu <no-dsa> (Minor issue) [bullseye] - qemu <no-dsa> (Minor issue) + [buster] - qemu <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274339 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2273 CVE-2024-3566 (A command inject vulnerability allows an attacker to perform command i ...) @@ -3572,6 +3575,7 @@ CVE-2024-3447 - qemu <unfixed> (bug #1068821) [bookworm] - qemu <no-dsa> (Minor issue) [bullseye] - qemu <no-dsa> (Minor issue) + [buster] - qemu <no-dsa> (Minor issue) NOTE: https://patchew.org/QEMU/20240404085549.16987-1-phi...@linaro.org/ NOTE: https://patchew.org/QEMU/20240409145524.27913-1-phi...@linaro.org/ NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813 @@ -3735,6 +3739,7 @@ CVE-2024-3446 (A double free vulnerability was found in QEMU virtio devices (vir - qemu <unfixed> (bug #1068820) [bookworm] - qemu <no-dsa> (Minor issue) [bullseye] - qemu <no-dsa> (Minor issue) + [buster] - qemu <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274211 NOTE: https://patchew.org/QEMU/20240409105537.18308-1-phi...@linaro.org/ CVE-2024-3281 (A vulnerability was discovered in the firmware builds after 8.0.2.3267 ...) @@ -4499,6 +4504,7 @@ CVE-2024-31047 (An issue in Academy Software Foundation openexr v.3.2.3 and befo - openexr <unfixed> (bug #1068939) [bookworm] - openexr <no-dsa> (Minor issue) [bullseye] - openexr <no-dsa> (Minor issue) + [buster] - openexr <no-dsa> (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1680 NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1681 NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/7aa89e1d09b09d9f5dbb96976ee083a331ab9d71 ===================================== data/dla-needed.txt ===================================== @@ -33,6 +33,9 @@ ansible (debian) apache2 NOTE: 20240418: Added by Front-Desk (apo) -- +astropy + NOTE: 20240421: Added by Front-Desk (apo) +-- atril NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240121: Decide whether it makes sense to disable comic feature or use libarchive instead. @@ -178,6 +181,9 @@ mediawiki (guilhem) netty NOTE: 20240419: Added by Front-Desk (apo) -- +nghttp2 + NOTE: 20240421: Added by Front-Desk (apo) +-- nodejs (guilhem) NOTE: 20240406: Added by Front-Desk (lamby) -- @@ -226,6 +232,9 @@ pdns-recursor NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240319: Upload postponed due to #1067124 (dleidert) -- +php7.3 (Markus Koschany) + NOTE: 20240421: Added by Front-Desk (apo) +-- putty (rouca) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20240104: massive code change against bullseye. May be better to backport bullseye (rouca) @@ -240,6 +249,9 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- +python-idna + NOTE: 20240421: Added by Front-Desk (apo) +-- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) @@ -315,6 +327,11 @@ tinymce trafficserver NOTE: 20240421: Added by Front-Desk (apo) -- +tryton-server (Markus Koschany) + NOTE: 20240421: Added by Front-Desk (apo) + NOTE: 20240421: Fix causes regressions in tryton client. Waiting for that + NOTE: 20240421: being resolved upstream. +-- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6e1b35d1311021d380f3eefbf2371b353cc12e9...d913e443f2cc5a6dc94abb9a1d99a773d90951d5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6e1b35d1311021d380f3eefbf2371b353cc12e9...d913e443f2cc5a6dc94abb9a1d99a773d90951d5 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits