author | Moritz Muehlenhoff <jmm@debian.org> | 2023-12-21 11:08:54 +0100
---|---|---
committer | Moritz Muehlenhoff <jmm@debian.org> | 2023-12-21 11:08:54 +0100
commit | 433acc839e19a08e047c7fbfaa981de0620fc332 (patch) |
tree | 311cb474fdaa39cb301eae13802544fc7e8627a1 |
parent | 4c2977135f54939cc9df67eb9d4c47fd15cdf56b (diff) |
bookworm/bullseye triage
-rw-r--r-- | data/CVE/list | 14
-rw-r--r-- | data/dsa-needed.txt | 2
2 files changed, 15 insertions, 1 deletions
diff --git a/data/CVE/list b/data/CVE/list index 2b99196331..ec59de4a9c 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -57,6 +57,8 @@ CVE-2023-7018 (Deserialization of Untrusted Data in GitHub repository huggingfac NOT-FOR-US: Transformers CVE-2023-7008 [Unsigned name response in signed zone is not refused when DNSSEC=yes] - systemd <unfixed> + [bookworm] - systemd <no-dsa> (Minor issue) + [bullseye] - systemd <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2222672 CVE-2023-6912 (Lack of protection against brute force attacks in M-Files Server befor ...) NOT-FOR-US: M-Files Server @@ -299,6 +301,8 @@ CVE-2023-49489 (Reflective Cross Site Scripting (XSS) vulnerability in KodeExplo NOT-FOR-US: kalcaddle KodExplorer CVE-2023-49006 (Cross Site Request Forgery (CSRF) vulnerability in Phpsysinfo version ...) - phpsysinfo 3.4.3-1 + [bookworm] - phpsysinfo <no-dsa> (Minor issue) + [bullseye] - phpsysinfo <no-dsa> (Minor issue) NOTE: https://huntr.com/bounties/ca6d669f-fd82-4188-aae2-69e08740d982/ NOTE: https://github.com/phpsysinfo/phpsysinfo/commit/4f2cee505e4f2e9b369a321063ff2c5e0c34ba45 (v3.4.3) CVE-2023-46804 (An attacker sending specially crafted data packets to the Mobile Devic ...) @@ -679,6 +683,8 @@ CVE-2023-32230 (An improper handling of a malformed API request to an API server CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, found in O ...) - dropbear <unfixed> (bug #1059001) - erlang 1:25.3.2.8+dfsg-1 (bug #1059002) + [bookworm] - erlang <no-dsa> (Minor issue) + [bullseye] - erlang <no-dsa> (Minor issue) - golang-go.crypto <unfixed> (bug #1059003) - jsch <not-affected> (ChaCha20-Poly1305 support introduced in 0.1.61; *-EtM support introduced in 0.1.58) - libssh <unfixed> (bug #1059004) 
@@ -12113,6 +12119,8 @@ CVE-2023-39960 (Nextcloud Server provides data storage for Nextcloud, an open so - nextcloud-server <itp> (bug #941708) CVE-2023-38000 (Auth. Stored (contributor+) Cross-Site Scripting (XSS) vulnerability i ...) - wordpress 6.3.2+dfsg1-1 + [bookworm] - wordpress <no-dsa> (Minor issue) + [bullseye] - wordpress <not-affected> (Vulnerable code was introduced in 5.9) [buster] - wordpress <not-affected> (Vulnerable code was introduced in 5.9) NOTE: https://wordpress.org/documentation/wordpress-version/version-6-3-2/ NOTE: https://plugins.trac.wordpress.org/changeset/2978318/gutenberg/trunk/build/block-library/blocks/post-navigation-link.php @@ -14953,7 +14961,9 @@ CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read Information Disclosure Vu NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt CVE-2023-XXXX [AV1 codec parser buffer overflow] - gst-plugins-bad1.0 1.22.8-1 - - gst-plugins-bad0.10 <removed> + [bullseye] - gst-plugins-bad1.0 <not-affected> (Vulnerable code not present) + [buster] - gst-plugins-bad1.0 <not-affected> (Vulnerable code not present) + - gst-plugins-bad0.10 <not-affected> (Vulnerable code not present) NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0011.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5823 NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/890d59e97e291fe848147ebf4d5884bcec1101c9 
@@ -241920,6 +241930,8 @@ CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in P NOTE: Probably fixed with r1832 and r1836 from http://svn.code.sf.net/p/freeimage/svn/FreeImage/ CVE-2020-21426 (Buffer Overflow vulnerability in function C_IStream::read in PluginEXR ...) - freeimage <unfixed> (bug #1051736) + [bookworm] - freeimage <postponed> (Revisit when patches are available) + [bullseye] - freeimage <postponed> (Revisit when patches are available) [buster] - freeimage <postponed> (Revisit from patches are available) NOTE: https://sourceforge.net/p/freeimage/bugs/300/ NOTE: it looks like the issue is in openexr. No relevant patches in freeimage are detected diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index d64a529469..e33eb54b0f 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -29,6 +29,8 @@ frr -- gpac/oldstable -- +gst-plugins-bad1.0 (jmm) +-- h2o (jmm) -- haproxy (carnil) |
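Review bot: the two new erlang lines in the CVE-2023-48795 hunk (`@@ -679`) carry only `(Minor issue)`, while the neighbouring jsch entry spells out the reason for its status (`ChaCha20-Poly1305 support introduced in 0.1.61; *-EtM support introduced in 0.1.58`). Since the same CVE is `<unfixed>` with bugs filed for dropbear, golang-go.crypto and libssh, a short parenthetical on why it is minor for erlang in bookworm and bullseye (for example, which of the affected cipher/MAC combinations its ssh application offers) would make the no-dsa decision reviewable later without re-deriving it.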
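Review bot: the CVE-2023-XXXX hunk (`@@ -14953`) flips `gst-plugins-bad0.10` from `<removed>` to `<not-affected> (Vulnerable code not present)`, which loses the record that the package is no longer in the archive; if both facts matter, keeping `<removed>` and stating that the AV1 parser is absent in 0.10 in a NOTE line preserves them. The entry also still uses the placeholder ID `CVE-2023-XXXX` while a dsa-needed entry is being opened for gst-plugins-bad1.0, so the real ID needs to be swapped in once assigned or the DSA text cannot reference it.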
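Review bot: the new bookworm and bullseye lines for CVE-2020-21426 (`@@ -241920`) read `(Revisit when patches are available)`, but the unchanged buster line directly below still says `(Revisit from patches are available)`; fixing that wording in the same commit would keep the three postponed entries identical and greppable.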
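Review bot: the `gst-plugins-bad1.0 (jmm)` entry added to data/dsa-needed.txt has no accompanying comment line, and the CVE entry it tracks is still filed under the placeholder `CVE-2023-XXXX`; a note under the entry pointing at the GStreamer advisory already cited in the list (sa-2023-0011) would let another team member pick the DSA up without searching data/CVE/list for a placeholder ID.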