Markus Koschany pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
74696943 by Markus Koschany at 2024-04-21T23:11:59+02:00
CVE-2024-31497,filezilla: buster is no-dsa
Minor issue.
- - - - -
8bc9a7e7 by Markus Koschany at 2024-04-21T23:11:59+02:00
Add nghttp2 to dla-needed.txt
- - - - -
efec8650 by Markus Koschany at 2024-04-21T23:11:59+02:00
Add python-idna to dla-needed.txt
- - - - -
51771358 by Markus Koschany at 2024-04-21T23:12:01+02:00
CVE-2024-3446,CVE-2024-3447,CVE-2024-3567,qemu: buster is no-dsa
Minor issues. It is good practice not to run qemu directly as a privileged
user.
- - - - -
0e9b47d2 by Markus Koschany at 2024-04-21T23:12:01+02:00
Add tryton-server to dla-needed.txt and claim it
- - - - -
7a3f0d28 by Markus Koschany at 2024-04-21T23:12:02+02:00
CVE-2024-31047,openexr: buster is no-dsa
Minor issue
- - - - -
76475ee7 by Markus Koschany at 2024-04-21T23:12:03+02:00
CVE-2024-32462,flatpak: buster is ignored
We have previously marked sandbox escape issues as ignored because they were
either intrusive to backport or could be easily mitigated. Although the fix
for CVE-2024-32462 seems straightforward, the whole application should be
upgraded to the version in Bullseye in my opinion. Since we approach the end
of the Buster LTS cycle I am going to mark CVE-2024-32462 as ignored too.
- - - - -
76d860ac by Markus Koschany at 2024-04-21T23:12:03+02:00
Add astropy to dla-needed.txt
- - - - -
d913e443 by Markus Koschany at 2024-04-21T23:12:03+02:00
Add php7.3 to dla-needed.txt and claim it
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -428,6 +428,7 @@ CVE-2024-32466 (Tolgee is an open-source localization
platform. For the `/v2/pro
CVE-2024-32462 (Flatpak is a system for building, distributing, and running
sandboxed ...)
{DSA-5666-1}
- flatpak 1.14.6-1
+ [buster] - flatpak <ignored> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/04/18/5
NOTE:
https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj
NOTE: Fixed by:
https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931
(1.15.8)
@@ -2113,6 +2114,7 @@ CVE-2024-31497 (In PuTTY 0.68 through 0.80 before 0.81,
biased ECDSA nonce gener
- filezilla 3.67.0-1
[bookworm] - filezilla <no-dsa> (Minor issue)
[bullseye] - filezilla <no-dsa> (Minor issue)
+ [buster] - filezilla <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/04/15/6
NOTE:
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
CVE-2024-3804 (A vulnerability, which was classified as critical, has been
found in V ...)
@@ -3149,6 +3151,7 @@ CVE-2024-3567 (A flaw was found in QEMU. An assertion
failure was present in the
- qemu <unfixed> (bug #1068822)
[bookworm] - qemu <no-dsa> (Minor issue)
[bullseye] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274339
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2273
CVE-2024-3566 (A command inject vulnerability allows an attacker to perform
command i ...)
@@ -3572,6 +3575,7 @@ CVE-2024-3447
- qemu <unfixed> (bug #1068821)
[bookworm] - qemu <no-dsa> (Minor issue)
[bullseye] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <no-dsa> (Minor issue)
NOTE: https://patchew.org/QEMU/20240404085549.16987-1-phi...@linaro.org/
NOTE: https://patchew.org/QEMU/20240409145524.27913-1-phi...@linaro.org/
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813
@@ -3735,6 +3739,7 @@ CVE-2024-3446 (A double free vulnerability was found in
QEMU virtio devices (vir
- qemu <unfixed> (bug #1068820)
[bookworm] - qemu <no-dsa> (Minor issue)
[bullseye] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274211
NOTE: https://patchew.org/QEMU/20240409105537.18308-1-phi...@linaro.org/
CVE-2024-3281 (A vulnerability was discovered in the firmware builds after
8.0.2.3267 ...)
@@ -4499,6 +4504,7 @@ CVE-2024-31047 (An issue in Academy Software Foundation
openexr v.3.2.3 and befo
- openexr <unfixed> (bug #1068939)
[bookworm] - openexr <no-dsa> (Minor issue)
[bullseye] - openexr <no-dsa> (Minor issue)
+ [buster] - openexr <no-dsa> (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1680
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1681
NOTE: Fixed by:
https://github.com/AcademySoftwareFoundation/openexr/commit/7aa89e1d09b09d9f5dbb96976ee083a331ab9d71
=====================================
data/dla-needed.txt
=====================================
@@ -33,6 +33,9 @@ ansible (debian)
apache2
NOTE: 20240418: Added by Front-Desk (apo)
--
+astropy
+ NOTE: 20240421: Added by Front-Desk (apo)
+--
atril
NOTE: 20240121: Added by Front-Desk (apo)
NOTE: 20240121: Decide whether it makes sense to disable comic feature or
use libarchive instead.
@@ -178,6 +181,9 @@ mediawiki (guilhem)
netty
NOTE: 20240419: Added by Front-Desk (apo)
--
+nghttp2
+ NOTE: 20240421: Added by Front-Desk (apo)
+--
nodejs (guilhem)
NOTE: 20240406: Added by Front-Desk (lamby)
--
@@ -226,6 +232,9 @@ pdns-recursor
NOTE: 20240306: Added by Front-Desk (opal)
NOTE: 20240319: Upload postponed due to #1067124 (dleidert)
--
+php7.3 (Markus Koschany)
+ NOTE: 20240421: Added by Front-Desk (apo)
+--
putty (rouca)
NOTE: 20231224: Added by Front-Desk (ta)
NOTE: 20240104: massive code change against bullseye. May be better to
backport bullseye (rouca)
@@ -240,6 +249,9 @@ python-asyncssh
NOTE: 20240116: Added by Front-Desk (lamby)
NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and
in Git, but one test is failing. Waiting for feedback before release. (dleidert)
--
+python-idna
+ NOTE: 20240421: Added by Front-Desk (apo)
+--
rails
NOTE: 20220909: Re-added due to regression (abhijith)
NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
@@ -315,6 +327,11 @@ tinymce
trafficserver
NOTE: 20240421: Added by Front-Desk (apo)
--
+tryton-server (Markus Koschany)
+ NOTE: 20240421: Added by Front-Desk (apo)
+ NOTE: 20240421: Fix causes regressions in tryton client. Waiting for that
+ NOTE: 20240421: being resolved upstream.
+--
varnish
NOTE: 20231117: Added by Front-Desk (apo)
NOTE: 20231204: Working on pre commits for CVE-2023-44487,
https://github.com/varnishcache/varnish-cache/pull/4004
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6e1b35d1311021d380f3eefbf2371b353cc12e9...d913e443f2cc5a6dc94abb9a1d99a773d90951d5
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6e1b35d1311021d380f3eefbf2371b353cc12e9...d913e443f2cc5a6dc94abb9a1d99a773d90951d5
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
