Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
525ce4c4 by Moritz Muehlenhoff at 2024-11-12T14:22:10+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -16,19 +16,25 @@ CVE-2024-52533 (gio/gsocks4aproxy.c in GNOME GLib before 
2.82.1 has an off-by-on
        TODO: check if has impact on embedded copy in src:gobject-introspection
 CVE-2024-52532 (GNOME libsoup before 3.6.1 has an infinite loop, and memory 
consumptio ...)
        - libsoup3 <unfixed>
+       [bookworm] - libsoup3 <no-dsa> (Minor issue)
        - libsoup2.4 <unfixed>
+       [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/391
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/410
        NOTE: 
https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c
 CVE-2024-52531 (GNOME libsoup before 3.6.1 allows a buffer overflow in 
applications th ...)
        - libsoup3 <unfixed>
+       [bookworm] - libsoup3 <no-dsa> (Minor issue)
        - libsoup2.4 <unfixed>
+       [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407
        NOTE: 
https://gitlab.gnome.org/GNOME/libsoup/-/commit/3c54033634ae537b52582900a7ba432c52ae8174
        NOTE: 
https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283
 CVE-2024-52530 (GNOME libsoup before 3.6.0 allows HTTP request smuggling in 
some confi ...)
        - libsoup3 3.5.2-1
+       [bookworm] - libsoup3 <no-dsa> (Minor issue)
        - libsoup2.4 <unfixed>
+       [bookworm] - libsoup2.4 <no-dsa> (Minor issue)
        NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
        NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b
 (3.5.2)
 CVE-2024-52288 (libosdp is an implementation of IEC 60839-11-5 OSDP (Open 
Supervised D ...)
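Review bot: the three `[bookworm] - libsoup* <no-dsa> (Minor issue)` lines carry no recorded rationale, and CVE-2024-52530 is HTTP request smuggling while CVE-2024-52531 is a buffer overflow, neither of which is obviously minor for a library that sits in network-facing clients. Suggest a short NOTE per entry saying why the bookworm impact is limited (the descriptions' own qualifiers, "in some configurations" and "in applications th...", hint at the reason), so a later bookworm point-release triage can see whether the decision should be revisited. Also note that libsoup2.4 stays `<unfixed>` in sid for all three entries while libsoup3 already records 3.5.2-1 for CVE-2024-52530; the bookworm marker does not change the sid side.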
@@ -229,18 +235,25 @@ CVE-2024-10179 (The Slickstream: Engagement and 
Conversions plugin for WordPress
        TODO: check
 CVE-2024-49395 (In mutt and neomutt, PGP encryption does not use the 
--hidden-recipien ...)
        - mutt <unfixed>
+       [bookworm] - mutt <no-dsa> (Minor issue)
        - neomutt <unfixed>
+       [bookworm] - neomutt <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325332
 CVE-2024-49394 (In mutt and neomutt the In-Reply-To email header field is not 
protecte ...)
        - mutt <unfixed>
+       [bookworm] - mutt <no-dsa> (Minor issue)
        - neomutt <unfixed>
+       [bookworm] - neomutt <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325330
 CVE-2024-49393 (In neomutt and mutt, the To and Cc email headers are not 
validated by  ...)
        - mutt <unfixed>
+       [bookworm] - mutt <no-dsa> (Minor issue)
        - neomutt <unfixed>
+       [bookworm] - neomutt <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325317
 CVE-2024-11079 (A flaw was found in Ansible-Core. This vulnerability allows 
attackers  ...)
        - ansible-core <unfixed>
+       [bookworm] - ansible-core <no-dsa> (Minor issue)
        - ansible 5.4.0-1
        NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in 
experimental/5.4.0-1 in sid
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325171
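Review bot: the mutt/neomutt entries for CVE-2024-49393, CVE-2024-49394 and CVE-2024-49395 reference only the Red Hat bugzilla tickets, with no upstream fix reference, so after marking them `<no-dsa>` for bookworm nothing in the file points at the commits a later point-release update would need to backport. Suggest adding `NOTE: Fixed by: <upstream commit>` lines once known, in the form other entries in this file already use. For CVE-2024-11079 the `ansible 5.4.0-1` line and the split NOTE explain the src:ansible history but not why the ansible-core flaw is minor for bookworm; a one-line reason would help there too.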
@@ -1542,6 +1555,7 @@ CVE-2024-10027 (The WP Booking Calendar WordPress plugin 
before 10.6.3 does not
        NOT-FOR-US: WordPress plugin
 CVE-2024-9902 (A flaw was found in Ansible. The ansible-core `user` module can 
allow  ...)
        - ansible-core 2.18.0-1 (bug #1086883)
+       [bookworm] - ansible-core <no-dsa> (Minor issue)
        - ansible 5.4.0-1
        NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in 
experimental/5.4.0-1 in sid
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2318271
@@ -1563,11 +1577,13 @@ CVE-2024-51757 (happy-dom is a JavaScript 
implementation of a web browser withou
        NOT-FOR-US: happy-dom
 CVE-2024-51755 (Twig is a template language for PHP. In a sandbox, an attacker 
can acc ...)
        - php-twig 3.14.2-1 (bug #1086884)
+       [bookworm] - php-twig <no-dsa> (Minor issue)
        - twig <removed>
        NOTE: 
https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh
        NOTE: Fixed by: 
https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21 
(v3.14.1)
 CVE-2024-51754 (Twig is a template language for PHP. In a sandbox, an attacker 
can cal ...)
        - php-twig 3.14.2-1 (bug #1086884)
+       [bookworm] - php-twig <no-dsa> (Minor issue)
        - twig <removed>
        NOTE: 
https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
        NOTE: Fixed by: 
https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73 
(v3.14.1)
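Review bot: for CVE-2024-51755 and CVE-2024-51754 the sandbox is Twig's security boundary for untrusted template authors, so `(Minor issue)` for bookworm deserves a one-line justification in each entry, for instance whether the affected code path is present in bookworm's php-twig at all or that the sandbox is off unless an application enables it. Without that, the no-dsa line reads as a generic default rather than a decision, and the GHSA links alone do not say why bookworm is less exposed than sid (fixed in 3.14.2-1, bug #1086884).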
@@ -4432,6 +4448,7 @@ CVE-2024-10214 (Mattermost versions 9.11.X <= 9.11.1, 
9.5.x <= 9.5.9 icorrectly
        - mattermost-server <itp> (bug #823556)
 CVE-2024-45802 (Squid is an open source caching proxy for the Web supporting 
HTTP, HTT ...)
        - squid 6.12-1
+       [bookworm] - squid <no-dsa> (Minor issue)
        NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-f975-v7qw-q7hj
        NOTE: Not a code fix, this merely disables ESI by default (and thus in 
the Debian build)
        NOTE: Upstream disabled ESI support in default builds already in 6.10 
but Debian builds
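Review bot: the `(Minor issue)` reason sits oddly next to the existing NOTEs, which say the upstream change is not a code fix but only disables ESI by default, and that Debian builds differ from upstream's 6.10 defaults (the NOTE is cut off in this view). If the bookworm squid build still compiles ESI in, the upstream change does not mitigate anything there, and the bookworm line should record whether ESI is enabled in that build and why that is acceptable; otherwise a later reader cannot tell whether "Minor issue" refers to the flaw itself or to ESI being off.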
@@ -5432,6 +5449,7 @@ CVE-2024-44812 (SQL Injection vulnerability in Online 
Complaint Site v.1.0 allow
        NOT-FOR-US: Online Complaint Site
 CVE-2024-44331 (Incorrect Access Control in GStreamer RTSP server 1.25.0 in 
gst-rtsp-s ...)
        - gst-rtsp-server1.0 1.24.9-1
+       [bookworm] - gst-rtsp-server1.0 <no-dsa> (Minor issue)
        NOTE: https://gstreamer.freedesktop.org/security/sa-2024-0004.html
        NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/3731
        NOTE: Introduced by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/16bc937ed95c85c9d02a314a3b065eebc575a97c
 (gst-rtsp-server-1.18.0)
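Review bot: the CVE description names GStreamer RTSP server 1.25.0, but the `Introduced by:` NOTE traces the bug to a commit shipped in gst-rtsp-server-1.18.0, which is what makes the bookworm line correct. Suggest an explicit NOTE that 1.25.0 in the description is not the affected-since version, so that a later triager does not drop the bookworm `<no-dsa>` entry as not-affected on the strength of the description alone.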


=====================================
data/dsa-needed.txt
=====================================
@@ -35,6 +35,8 @@ smarty3
 --
 smarty4
 --
+wordpress
+--
 xen
 --
 zabbix
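Review bot: wordpress is added to dsa-needed.txt with no assignee or reference, and nothing in the data/CVE/list part of this commit touches wordpress, so the commit does not show which tracked issues the DSA is meant to cover. If the file's format allows a note line under the package name, listing the CVE ids there would make the work item self-describing for whoever picks it up.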



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/525ce4c49a90726d9881473425e45584d68fbe69

-- 
You're receiving this email because of your account on salsa.debian.org.


_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
