Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
008559c0 by Moritz Muehlenhoff at 2024-12-04T10:07:26+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -423,6 +423,7 @@ CVE-2024-53364 (A SQL injection vulnerability was found in 
PHPGURUKUL Vehicle Pa
        NOT-FOR-US: PHPGURUKUL Vehicle Parking Management System
 CVE-2024-53259 (quic-go is an implementation of the QUIC protocol in Go. An 
off-path a ...)
        - golang-github-lucas-clemente-quic-go <unfixed>
+       [bookworm] - golang-github-lucas-clemente-quic-go <no-dsa> (Minor issue)
        NOTE: 
https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr
        NOTE: https://github.com/quic-go/quic-go/pull/4729
        NOTE: 
https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50
 (master)
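Review bot: the new "[bookworm] - golang-github-lucas-clemente-quic-go <no-dsa> (Minor issue)" line sits under an entry whose unstable state is still "<unfixed>", while the NOTEs already point at the merged fix (PR 4729 and commit ca31dd35 on master). Record the upstream fixed version on the unstable line once a tagged release carries that commit, and expand "(Minor issue)" with a short reason why the off-path vector described in GHSA-px8v-pp82-rcvr is judged minor for bookworm, so the no-dsa decision can be re-evaluated later without re-reading the advisory.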
@@ -874,18 +875,24 @@ CVE-2024-36620 (moby v25.0.0 - v26.0.2 is vulnerable to 
NULL Pointer Dereference
        NOTE: Introduced in 
https://github.com/moby/moby/commit/2a6ff3c24fd790e5d42d2eabaf6acf06edfe6975 
(v25.0.0-beta.1)
 CVE-2024-36619 (FFmpeg n6.1.1 has a vulnerability in the WAVARC decoder of the 
libavco ...)
        - ffmpeg 7:7.1-3
+       [bookworm] - ffmpeg <not-affected> (Vulnerable decoder added in 6.0)
+       [bullseye] - ffmpeg <not-affected> (Vulnerable decoder added in 6.0)
        NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/28c7094b25b689185155a6833caf2747b94774a4
 (n7.1)
 CVE-2024-36618 (FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the 
libavforma ...)
        - ffmpeg 7:7.0.1-3
+       [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
        NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/7a089ed8e049e3bfcb22de1250b86f2106060857
 (n7.0)
 CVE-2024-36617 (FFmpeg n6.1.1 has an integer overflow vulnerability in the 
FFmpeg CAF  ...)
        - ffmpeg 7:7.0.1-3
        NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/d973fcbcc2f944752ff10e6a76b0b2d9329937a7
 (n7.0)
+       NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/f0e780370cc1c437d64f10d326b1d656ef490b5f
 (n5.1.5)
 CVE-2024-36616 (An integer overflow in the component 
/libavformat/westwood_vqa.c of FF ...)
        - ffmpeg 7:7.0.1-3
        NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/86f73277bf014e2ce36dd2594f1e0fb8b3bd6661
 (n7.0)
+       NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/a8beef67993aa267de87599007143d9f0ba67c23
 (n5.1.5)
 CVE-2024-36615 (FFmpeg n7.0 has a race condition vulnerability in the VP9 
decoder. Thi ...)
        - ffmpeg 7:7.1-3
+       [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
        NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61
 (n7.1)
 CVE-2024-36612 (Zulip from 8.0 to 8.3 contains a memory leak vulnerability in 
the hand ...)
        NOT-FOR-US: Zulip
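Review bot: the suite coverage in this hunk is inconsistent: CVE-2024-36619 gets both a [bookworm] and a [bullseye] not-affected line, but the new "<postponed>" lines for CVE-2024-36618 and CVE-2024-36615 and the n5.1.5 NOTEs for CVE-2024-36617 and CVE-2024-36616 leave bullseye without any status. Since the 36619 rationale ("Vulnerable decoder added in 6.0") was evidently checked against the 5.1 tree, the postponed entries should state the same check the other way round, namely that the affected code is present in 5.1.x; otherwise "Pick up when fixed in 5.1.x" may wait on a backport that is never needed. CVE-2024-36615 in particular describes a VP9 decoder race fixed only in n7.1 and CVE-2024-36618 a fix in n7.0, with nothing in the entry confirming 5.1.x is affected. Add matching [bullseye] lines, or note that bullseye is out of scope for this commit.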
@@ -900,16 +907,20 @@ CVE-2024-35371 (Ant-Media-Serverv2.8.2 is affected by 
Improper Output Neutraliza
        NOT-FOR-US: Ant-Media-Server
 CVE-2024-35369 (In FFmpeg version n6.1.1, specifically within the 
avcodec/speexdec.c m ...)
        - ffmpeg 7:7.0.1-3
+       [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
        NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c
 (n7.0)
 CVE-2024-35368 (FFmpeg n7.0 is affected by a Double Free via the 
rkmpp_retrieve_frame  ...)
        - ffmpeg 7:7.1-3
+       [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
        NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/4513300989502090c4fd6560544dce399a8cd53c
 (n7.1)
 CVE-2024-35367 (FFmpeg n6.1.1 has an Out-of-bounds Read via 
libavcodec/ppc/vp8dsp_alti ...)
        - ffmpeg 7:7.0.1-3
+       [bookworm] - ffmpeg <postponed> (Pick up when fixed in 5.1.x)
        NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/09e6840cf7a3ee07a73c3ae88a020bf27ca1a667
 (n7.0)
 CVE-2024-35366 (FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in 
the par ...)
        - ffmpeg 7:7.0.1-3
        NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6
 (n7.0)
+       NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/4db0eb4653efad967ddcf71f564fd2f1169bafcb
 (n5.1.5)
 CVE-2024-11992 (Absolute path traversal vulnerability in Quick.CMS, version 
6.7, the e ...)
        NOT-FOR-US: Quick.CMS
 CVE-2024-11990 (A Cross-Site Scripting (XSS) vulnerability in SurgeMail v78c2 
could al ...)
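Review bot: the three new "<postponed>" lines (CVE-2024-35369, CVE-2024-35368, CVE-2024-35367) all carry the generic "Pick up when fixed in 5.1.x" rationale, but two of them are candidates for a narrower status that should be written down: CVE-2024-35368 is a double free in rkmpp_retrieve_frame, which only matters if bookworm's ffmpeg is built with the Rockchip MPP backend, and CVE-2024-35367 is an out-of-bounds read under libavcodec/ppc/ (the truncated vp8dsp_alti... path), so it is limited to PowerPC builds. If either code path is not compiled into the bookworm package, "<not-affected>" with that reason is more accurate than "<postponed>"; if it is, say so in the entry so the next triager does not repeat the check. As in the previous hunk, only [bookworm] lines are added, leaving bullseye without a status for these entries and for the n5.1.5 backport noted on CVE-2024-35366.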


=====================================
data/DSA/list
=====================================
@@ -362,7 +362,7 @@
        [bullseye] - libndp 1.6-1+deb11u1
        [bookworm] - libndp 1.8-1+deb12u1
 [15 Jun 2024] DSA-5712-1 ffmpeg - security update
-       {CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 
CVE-2023-51798 CVE-2024-31585 CVE-2024-32230}
+       {CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 
CVE-2023-51798 CVE-2024-31585 CVE-2024-32230 CVE-2024-36617 CVE-2024-36616 
CVE-2024-35366}
        [bookworm] - ffmpeg 7:5.1.5-0+deb12u1
 [15 Jun 2024] DSA-5711-1 thunderbird - security update
        {CVE-2024-5688 CVE-2024-5690 CVE-2024-5691 CVE-2024-5693 CVE-2024-5696 
CVE-2024-5700 CVE-2024-5702}
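Review bot: appending CVE-2024-36617, CVE-2024-36616 and CVE-2024-35366 to DSA-5712-1, an advisory dated 15 Jun 2024, retroactively changes which CVEs the tracker reports as fixed by 7:5.1.5-0+deb12u1. That is consistent with the n5.1.5 commit NOTEs added in data/CVE/list, but the advisory predates these IDs, so a reader cross-checking the published DSA text will not find them there; a NOTE on each CVE entry saying the fix shipped with the 5.1.5 rebase in DSA-5712-1 would close that gap. Style: the existing brace list is in ascending CVE order, while the three appended IDs are in descending order (36617, 36616, 35366); sort them into place as CVE-2024-35366 CVE-2024-36616 CVE-2024-36617.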



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/008559c0f96e249ffd649e2a1f335f889f46f553



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits