Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
faaaaf44 by Moritz Muehlenhoff at 2025-01-13T19:55:02+01:00
bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1178,10 +1178,10 @@ CVE-2024-51737 (RediSearch is a Redis module that
provides querying, secondary i
CVE-2024-51480 (RedisTimeSeries is a time-series database (TSDB) module for
Redis, by ...)
NOT-FOR-US: RedisTimeSeries Redis module
CVE-2024-51442 (Command Injection in Minidlna version v1.3.3 and before allows
an atta ...)
- - minidlna <unfixed>
- [bullseye] - minidlna <postponed> (Minor issue, revisit when fixed
upstream)
+ - minidlna <unfixed> (unimportant)
NOTE: https://sourceforge.net/p/minidlna/bugs/364/
NOTE: https://github.com/mselbrede/CVE-2024-51442
+ NOTE: Doesn't cross any security boundary, non issue
CVE-2024-45345
REJECTED
CVE-2024-45344
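Review bot: the added NOTE "Doesn't cross any security boundary, non issue" is the only rationale for dropping the `[bullseye] <postponed>` entry and tagging the CVE `(unimportant)`, and it is terse; since the two existing NOTE links point to a bug report and a PoC repository that describe it as command injection, a sentence stating which trust boundary is not crossed (for example, who can reach the injection point) would let LTS triagers verify the downgrade without re-reading the external references.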
@@ -5277,6 +5277,7 @@ CVE-2024-8950 (Improper Neutralization of Special
Elements used in an SQL Comman
NOT-FOR-US: Arne Informatics Piramit Automation
CVE-2024-56431 (oc_huff_tree_unpack in huffdec.c in libtheora in Theora
through 1.0 71 ...)
- libtheora <unfixed> (bug #1091633)
+ [bookworm] - libtheora <no-dsa> (Minor issue)
NOTE: https://github.com/UnionTech-Software/libtheora-CVE-2024-56431-PoC
NOTE: https://github.com/advisories/GHSA-8xp8-gmmj-xc8w
NOTE: https://github.com/xiph/theora/issues/18
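Review bot: the new `[bookworm] - libtheora <no-dsa> (Minor issue)` line sits below an unstable entry that already references bug #1091633, so a fix is being tracked; if a libtheora DSA is plausible later, `<postponed>` would bundle this fix with it, whereas `<no-dsa>` leaves it to a point release. Either is defensible, but the reason string should say which path is intended.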
@@ -5294,6 +5295,7 @@ CVE-2024-52534 (Dell ECS, version(s) prior to ECS
3.8.1.3, contain(s) an Authent
NOT-FOR-US: Dell
CVE-2024-52046 (The ObjectSerializationDecoder in Apache MINA uses Java\u2019s
native ...)
- mina <unfixed>
+ [bookworm] - mina <no-dsa> (Minor issue)
- mina2 <unfixed> (bug #1091530)
NOTE: https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8
CVE-2024-47978 (Dell NativeEdge, version(s) 2.1.0.0, contain(s) an Execution
with Unne ...)
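Review bot: only `mina` receives a `[bookworm]` entry here, while the adjacent `- mina2 <unfixed> (bug #1091530)` line for the same CVE-2024-52046 keeps no release tag. If mina2 in bookworm is affected as well, it needs a matching `[bookworm] - mina2 ...` line; if it is handled differently (e.g. a DSA is planned for mina2), a NOTE saying so would avoid the entry looking half-triaged.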
@@ -6932,6 +6934,7 @@ CVE-2024-11841 (The Tithe.ly Giving Button WordPress
plugin through 1.1 does not
NOT-FOR-US: WordPress plugin
CVE-2024-7701 (Use of Password Hash With Insufficient Computational Effort
vulnerabil ...)
- percona-toolkit <unfixed> (bug #1091435)
+ [bookworm] - percona-toolkit <no-dsa> (Minor issue)
NOTE: https://github.com/percona/percona-toolkit/pull/896
NOTE: Fixed by:
https://github.com/percona/percona-toolkit/commit/78f20304859ce8d6b236bc2c9c18d74c0b273dd7
(v3.7.0)
NOTE: Fixed by:
https://github.com/percona/percona-toolkit/commit/3dd1f7da83f642a4e823a098cb4c97e6dc11f478
(v3.7.0)
@@ -20507,6 +20510,7 @@ CVE-2024-7883 (When using Arm Cortex-M Security
Extensions (CMSE), Secure stack
- llvm-toolchain-17 <unfixed>
- llvm-toolchain-18 <unfixed>
- llvm-toolchain-19 <unfixed>
+ [bookworm] - llvm-toolchain-19 <ignored> (Minor issue, doesn't affect
the default build flags in Debian and no backport into release branches planned)
NOTE:
https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2322994
NOTE: https://github.com/llvm/llvm-project/pull/114433
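Review bot: the hunk tags only `llvm-toolchain-19` as `<ignored>` for bookworm, while `llvm-toolchain-17` and `llvm-toolchain-18` remain `<unfixed>` with no release entry. If those two source packages are not in bookworm this is expected, otherwise they need the same `[bookworm]` tag and the same rationale about the default build flags. The reason string is also unusually long for a status line; the part about no backport into release branches would read better as a separate NOTE.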
@@ -264558,6 +264562,7 @@ CVE-2021-3857 (chaskiq is vulnerable to Improper
Neutralization of Input During
NOT-FOR-US: chaskiq
CVE-2021-41973 (In Apache MINA, a specifically crafted, malformed HTTP request
may cau ...)
- mina <unfixed>
+ [bookworm] - mina <no-dsa> (Minor issue)
- mina2 2.1.5-1
NOTE: https://lists.apache.org/thread/sq0kkqvxcp7xjt8gxdyb650nj8dv6qv0
CVE-2021-41972 (Apache Superset up to and including 1.3.1 allowed for database
connect ...)
@@ -285512,18 +285517,22 @@ CVE-2021-33647 (When performing the inference shape
operation of the Tile operat
NOT-FOR-US: Mindspore deep learning
CVE-2021-33646 (The th_read() function doesn\u2019t free a variable
t->th_buf.gnu_long ...)
- libtar <unfixed>
+ [bookworm] - libtar <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121295
NOTE: (not-upstream) patch from OpenEuler:
https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch
CVE-2021-33645 (The th_read() function doesn\u2019t free a variable
t->th_buf.gnu_long ...)
- libtar <unfixed>
+ [bookworm] - libtar <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121295
NOTE: (not-upstream) patch from OpenEuler:
https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch
CVE-2021-33644 (An attacker who submits a crafted tar file with size in header
struct ...)
- libtar <unfixed>
+ [bookworm] - libtar <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121292
NOTE: (not-upstream) patch from OpenEuler:
https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch
CVE-2021-33643 (An attacker who submits a crafted tar file with size in header
struct ...)
- libtar <unfixed>
+ [bookworm] - libtar <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121289
NOTE: (not-upstream) patch from OpenEuler:
https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch
CVE-2021-33642 (When a file is processed, an infinite loop occurs in
next_inline() of ...)
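Review bot: the four libtar entries (CVE-2021-33646 through CVE-2021-33643) all get `[bookworm] - libtar <no-dsa> (Minor issue)`, but unlike the other hunks in this commit none of the unstable lines references a Debian bug, and the only fix on record is the non-upstream OpenEuler patch in the existing NOTEs. Since `<no-dsa>` implies a possible point-release fix, a bug number or a NOTE stating whether that patch is considered suitable for bookworm would make the status actionable.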
@@ -460672,6 +460681,7 @@ CVE-2019-0232 (When running on Windows with
enableCmdLineArguments enabled, the
NOTE:
https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html
CVE-2019-0231 (Handling of the close_notify SSL/TLS message does not lead to a
connec ...)
- mina <unfixed>
+ [bookworm] - mina <no-dsa> (Minor issue)
- mina2 2.1.4-1
CVE-2019-0230 (Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation,
when eval ...)
- libstruts1.2-java <removed>
=====================================
data/dsa-needed.txt
=====================================
@@ -16,6 +16,9 @@ cacti
Bastien (rouca) proposed to help out on the cacti DSA while working on the
DLA for LTS
WIP for review:
https://salsa.debian.org/debian/cacti/-/tree/bookworm?ref_type=heads
--
+fort-validator
+ probably best to bump bookworm to current upstream
+--
frr
coordination with the maintainer ongoing, Daniel Baumann proposing an update
--
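Review bot: the new `fort-validator` entry has no claimant name in parentheses, unlike `linux (carnil)` and `mosquitto (carnil)` further down, and "probably best to bump bookworm to current upstream" records a leaning rather than a decision. Naming who is expected to prepare the update, and the CVE(s) that make the DSA needed, would match the convention of the surrounding entries.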
@@ -34,6 +37,10 @@ linux (carnil)
mosquitto (carnil)
Backports of patches for CVEs done, but autopkgtests fail as regression
--
+nodejs
+--
+openjpeg2
+--
opennds
pinged maintainer, but no reply yet. should most probably be bumped to 10.x
--
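Review bot: `nodejs` and `openjpeg2` are added as bare package names with no status line, whereas the neighbouring `mosquitto` and `opennds` entries each carry a one-line status. Even a short note (which CVEs triggered the entry, or whether the maintainer has been contacted) would keep the file useful as a work queue rather than a list of names.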
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/faaaaf4470d4ee1d9e14248f6f3de3d9fe896238
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits