Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: cf0f6dee by Moritz Muehlenhoff at 2024-05-23T16:59:55+02:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -2673,6 +2673,8 @@ CVE-2024-24293 (A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0 NOT-FOR-US: @bit/loader CVE-2024-1968 (In scrapy/scrapy, an issue was identified where the Authorization head ...) - python-scrapy 2.11.2-1 + [bookworm] - python-scrapy <no-dsa> (Minor issue) + [bullseye] - python-scrapy <no-dsa> (Minor issue) NOTE: https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-4qqq-9vqf-3h3f NOTE: https://github.com/scrapy/scrapy/commit/f8d6c456e0669ea5344e93fe9206bd1ffebc2008 (2.11.2) @@ -5379,6 +5381,7 @@ CVE-2024-20256 (A vulnerability in the web-based management interface of Cisco A NOT-FOR-US: Cisco CVE-2023-7258 (A denial of service exists in Gvisor Sandbox where a bug in reference ...) - golang-gvisor-gvisor <unfixed> + [bookworm] - golang-gvisor-gvisor <no-dsa> (Minor issue) NOTE: https://github.com/google/gvisor/commit/6a112c60a257dadac59962e0bc9e9b5aee70b5b6 CVE-2023-6324 (ThroughTek Kalay SDK uses a predictable PSK value in the DTLS session ...) NOT-FOR-US: ThroughTek Kalay SDK @@ -11557,6 +11560,8 @@ CVE-2023-52647 (In the Linux kernel, the following vulnerability has been resolv NOTE: https://git.kernel.org/linus/eb2f932100288dbb881eadfed02e1459c6b9504c (6.9-rc1) CVE-2024-4340 (Passing a heavily nested list to sqlparse.parse() leads to a Denial of ...) - sqlparse 0.5.0-1 (bug #1070148) + [bookworm] - sqlparse <no-dsa> (Minor issue) + [bullseye] - sqlparse <no-dsa> (Minor issue) [buster] - sqlparse <postponed> (Minor issue) NOTE: Fixed by: https://github.com/andialbrecht/sqlparse/commit/b4a39d9850969b4e1d6940d32094ee0b42a2cf03 (0.5.0) NOTE: https://github.com/advisories/GHSA-2m57-hf25-phgg 
@@ -11679,6 +11684,8 @@ CVE-2023-36268 (An issue in The Document Foundation Libreoffice v.7.4.7 allows a NOTE: Resource overload in desktop app, no security impact CVE-2024-29040 - tpm2-tss 4.1.0-1 (bug #1070140) + [bookworm] - tpm2-tss <no-dsa> (Minor issue) + [bullseye] - tpm2-tss <no-dsa> (Minor issue) NOTE: https://github.com/tpm2-software/tpm2-tss/commit/710cd0b6adf3a063f34a8e92da46df7a107d9a99 (4.1.0) CVE-2024-29039 - tpm2-tools 5.7-1 (bug #1070139) @@ -12515,10 +12522,14 @@ CVE-2024-33665 (angular-translate through 2.19.1 allows XSS via a crafted key th NOT-FOR-US: angular-translate CVE-2024-33664 (python-jose through 3.3.0 allows attackers to cause a denial of servic ...) - python-jose <unfixed> (bug #1070375) + [bookworm] - python-jose <no-dsa> (Minor issue) + [bullseye] - python-jose <no-dsa> (Minor issue) NOTE: https://github.com/mpdavis/python-jose/issues/344 NOTE: https://github.com/mpdavis/python-jose/pull/345 CVE-2024-33663 (python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA k ...) - python-jose <unfixed> (bug #1070375) + [bookworm] - python-jose <no-dsa> (Minor issue) + [bullseye] - python-jose <no-dsa> (Minor issue) NOTE: https://github.com/mpdavis/python-jose/issues/346 CVE-2024-33661 (Portainer before 2.20.0 allows redirects when the target is not index. ...) NOT-FOR-US: Portainer @@ -12544,6 +12555,8 @@ CVE-2024-32404 (Server-Side Template Injection (SSTI) vulnerability in inducer r NOT-FOR-US: inducer relate CVE-2024-31755 (cJSON v1.7.17 was discovered to contain a segmentation violation, whic ...) - cjson <unfixed> + [bookworm] - cjson <no-dsa> (Minor issue) + [bullseye] - cjson <no-dsa> (Minor issue) [buster] - cjson <postponed> (Sefault only; can be piggy-backed with future DLAs) NOTE: https://github.com/DaveGamble/cJSON/issues/839 NOTE: https://github.com/DaveGamble/cJSON/pull/840 
@@ -13675,6 +13688,8 @@ CVE-2024-21846 (An unauthenticated attacker can reset the board and stop transmi NOT-FOR-US: Electrolink CVE-2024-1681 (corydolphin/flask-cors is vulnerable to log injection when the log lev ...) - python-flask-cors 4.0.1-1 (bug #1069764) + [bookworm] - python-flask-cors <no-dsa> (Minor issue) + [bullseye] - python-flask-cors <no-dsa> (Minor issue) [buster] - python-flask-cors <postponed> (Minor issue) NOTE: https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644 NOTE: https://github.com/corydolphin/flask-cors/issues/349 @@ -15160,6 +15175,7 @@ CVE-2024-21097 (Vulnerability in the PeopleSoft Enterprise PeopleTools product o CVE-2024-21096 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.37-1 (bug #1069189) - mariadb 1:10.11.8-1 + [bookworm] - mariadb <no-dsa> (Minor issue) - mariadb-10.5 <removed> [bullseye] - mariadb-10.5 <no-dsa> (Minor issue) - mariadb-10.3 <removed> ===================================== data/dsa-needed.txt ===================================== @@ -51,6 +51,8 @@ pillow (jmm) -- pymatgen/stable -- +python-aiohttp +-- python-asyncssh -- python-pymysql @@ -60,6 +62,8 @@ redmine/stable (jmm) ring/oldstable might make sense to rebase to current version -- +roundcube +-- ruby2.7/oldstable Utkarsh Gupta offered help in preparing updates -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf0f6dee6f4edb8be372e0a991b378a6ce7fe97a -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf0f6dee6f4edb8be372e0a991b378a6ce7fe97a You're receiving this email because of your account on salsa.debian.org.
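Review bot: in the CVE-2023-7258 hunk the unstable line stays `- golang-gvisor-gvisor <unfixed>` with no (bug #...) reference, while the other still-unfixed entries touched by this commit (python-jose) carry a BTS bug (#1070375). Tagging bookworm <no-dsa> for an issue that is also unfixed in sid leaves nothing reminding the maintainer to pick up the upstream commit 6a112c60a257dadac59962e0bc9e9b5aee70b5b6; suggest filing a bug and recording it on the unstable line.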
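Review bot: the tpm2-tss hunk ends on the first lines of the CVE-2024-29039 entry (`- tpm2-tools 5.7-1 (bug #1070139)`), so it is not visible whether tpm2-tools received the same [bookworm]/[bullseye] <no-dsa> tags that CVE-2024-29040/tpm2-tss gets here. The two entries have adjacent bug numbers (#1070139/#1070140) and were clearly handled together, so worth checking that both are triaged consistently rather than only one.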
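Review bot: for CVE-2024-33663 the reason string "Minor issue" is thin: the description reads "algorithm confusion with OpenSSH ECDSA k ...", and algorithm confusion in a JOSE/JWT library is a signature-verification class of bug, not a crash like the neighbouring CVE-2024-33664 denial of service. If the assessment is that it only matters when an OpenSSH-formatted key is handed to the verifier, that should be stated in the reason so a later DSA/DLA reviewer does not have to re-derive it. Both entries also remain <unfixed> although the NOTE for -33664 links an upstream PR (mpdavis/python-jose/pull/345); recording whether that PR is merged would help.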
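Review bot: the existing [buster] context line for CVE-2024-31755 reads `(Sefault only; can be piggy-backed with future DLAs)`; "Sefault" should be "Segfault". Since this commit already edits the two lines directly above it, the typo could be corrected in passing.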
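Review bot: in the CVE-2024-21096 hunk the new `[bookworm] - mariadb <no-dsa> (Minor issue)` sits under a source whose unstable fix is 1:10.11.8-1, i.e. the same 10.11 branch, so the reason would be more useful if it said whether the fix is expected to reach bookworm through a stable point update or not at all. That also distinguishes it from the bullseye line, where the affected source mariadb-10.5 is <removed> and a point update is not an option.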
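Review bot: the two new dsa-needed.txt entries, `python-aiohttp` and `roundcube`, carry no suite qualifier and no note, unlike the neighbouring entries (pymatgen/stable, ring/oldstable, redmine/stable (jmm)). As written they read as both stable and oldstable needing a DSA; if only one suite or a particular CVE set is meant, add the /stable or /oldstable suffix and a one-line note so whoever picks it up does not have to re-triage.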
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits