author: Moritz Mühlenhoff <jmm@debian.org>, 2024-03-13 09:56:50 +0100
committer: Moritz Mühlenhoff <jmm@debian.org>, 2024-03-13 09:58:16 +0100
commit: 2a8f25ba580442788930760d6b1673e6712772b7 (patch)
tree: 497485252ff1398a98c5ce4abba5d01d36172cd8
parent: 84074748af68726611fbb86cb7056bfdd8f25afc (diff)

bookworm/bullseye triage

-rw-r--r-- data/CVE/list | 20
-rw-r--r-- data/dsa-needed.txt | 6
2 files changed, 26 insertions, 0 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 30436400e0..036024ba01 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -583,6 +583,8 @@ CVE-2024-1487 (The Photos and Files Contest Gallery WordPress plugin before 21.3
NOT-FOR-US: WordPress plugin
CVE-2024-1441 (An off-by-one error flaw was found in the udevListInterfacesByStatus() ...)
- libvirt <unfixed> (bug #1066058)
+ [bookworm] - libvirt <no-dsa> (Minor issue)
+ [bullseye] - libvirt <no-dsa> (Minor issue)
NOTE: Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/5a33366f5c0b18c93d161bd144f9f079de4ac8ca (v1.0.0-rc1)
NOTE: Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/d6064e2759a24e0802f363e3a810dc5a7d7ebb15 (v5.10.0-rc1)
NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/c664015fe3a7bf59db26686e9ed69af011c6ebb8 (v10.1.0)
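Review bot: the `<no-dsa>` rationale on the two new libvirt lines is only "Minor issue" and does not say whether a fix through a point release is intended, even though the NOTE lines already pin down the upstream fix (the v10.1.0 commit) and both introducing commits, which is everything a point-release update would need; consider spelling that out the way the systemd entry further down does ("... can be fixed via point release"), so bug #1066058 does not sit open indefinitely for the stable suites.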
@@ -636,9 +638,13 @@ CVE-2024-2363 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in AOL
NOT-FOR-US: AOL AIM Triton
CVE-2024-2314 (If kernel headers need to be extracted, bcc will attempt to load them ...)
- bpfcc <unfixed>
+ [bookworm] - bpfcc <no-dsa> (Minor issue)
+ [bullseye] - bpfcc <no-dsa> (Minor issue)
NOTE: https://github.com/iovisor/bcc/commit/008ea09e891194c072f2a9305a3c872a241dc342
CVE-2024-2313 (If kernel headers need to be extracted, bpftrace will attempt to load ...)
- bpftrace <unfixed>
+ [bookworm] - bpftrace <no-dsa> (Minor issue)
+ [bullseye] - bpftrace <no-dsa> (Minor issue)
NOTE: https://github.com/bpftrace/bpftrace/commit/4be4b7191acb8218240e6b7178c30fa8c9b59998
CVE-2024-2184 (Buffer overflow in identifier field of WSD probe request process of Sm ...)
NOT-FOR-US: Small Office Multifunction Printers and Laser Printers (Canon)
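Review bot: the NOTE lines for CVE-2024-2314 and CVE-2024-2313 give the upstream fix commits for bpfcc and bpftrace without the release each landed in, unlike the libvirt entry above ("(v10.1.0)") and the python-multipart entry later in this file ("(0.0.7)"); adding the upstream version tag makes it much quicker to confirm later which Debian upload carries the fix. Marking both as `<no-dsa> (Minor issue)` in bookworm and bullseye is consistent, since the two descriptions show the same kernel-header handling flaw in two tools.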
@@ -1478,7 +1484,9 @@ CVE-2024-24785 (If errors returned from MarshalJSON methods contain user control
- golang-1.22 1.22.1-1
- golang-1.21 1.21.8-1
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/65697
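Review bot: the buster context line directly below the new `[bullseye] - golang-1.15 <no-dsa>` marking still reads "follow bullseye DSAs/point-releases"; with bullseye now triaged as no-dsa there is no bullseye DSA to follow for this CVE, so the buster rationale should be reduced to the point-release part or re-worded, otherwise the two lines contradict each other. The same pairing of a new bullseye `<no-dsa>` line above an unchanged buster "follow bullseye DSAs" line recurs in the four golang hunks that follow (CVE-2024-24784, CVE-2024-24783, CVE-2023-45290, CVE-2023-45289).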
@@ -1488,7 +1496,9 @@ CVE-2024-24784 (The ParseAddressList function incorrectly handles comments (text
- golang-1.22 1.22.1-1
- golang-1.21 1.21.8-1
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/65083
@@ -1498,7 +1508,9 @@ CVE-2024-24783 (Verifying a certificate chain which contains a certificate with
- golang-1.22 1.22.1-1
- golang-1.21 1.21.8-1
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/65390
@@ -1516,7 +1528,9 @@ CVE-2023-45290 (When parsing a multipart form (either explicitly with Request.Pa
- golang-1.22 1.22.1-1
- golang-1.21 1.21.8-1
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/65383
@@ -1526,7 +1540,9 @@ CVE-2023-45289 (When following an HTTP redirect to a domain which is not a subdo
- golang-1.22 1.22.1-1
- golang-1.21 1.21.8-1
- golang-1.19 <removed>
+ [bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/65065
@@ -7405,6 +7421,7 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4
[bullseye] - knot-resolver <ignored> (Too intrusive to backport, if DNSSEC is used Bookworm can be used)
[buster] - knot-resolver <ignored> (Too intrusive to backport)
- pdns-recursor 4.9.3-1 (bug #1063852)
+ [bullseye] - pdns-recursor <ignored> (Too intrusive to backport, if DNSSEC is used Bookworm can be used)
- unbound 1.19.1-1 (bug #1063845)
- systemd 255.4-1
[bookworm] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
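Review bot: the new `[bullseye] - pdns-recursor <ignored>` line copies the knot-resolver rationale ("Too intrusive to backport, if DNSSEC is used Bookworm can be used"), which is a deliberate decision to leave a validating resolver in oldstable unfixed for this DNSSEC CVE; since the unstable line carries bug #1063852, consider recording in that bug or in a NOTE that bullseye is being left unfixed on purpose, so the `<ignored>` status is not read as an oversight when the bug is revisited.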
@@ -7445,6 +7462,7 @@ CVE-2023-50868 (The Closest Encloser Proof aspect of the DNS protocol (in RFC 51
[bullseye] - knot-resolver <ignored> (Too intrusive to backport, if DNSSEC is used Bookworm can be used)
[buster] - knot-resolver <ignored> (Too intrusive to backport, if DNSSEC is used Bookworm can be used)
- pdns-recursor 4.9.3-1 (bug #1063852)
+ [bullseye] - pdns-recursor <ignored> (Too intrusive to backport, if DNSSEC is used Bookworm can be used)
- unbound 1.19.1-1 (bug #1063845)
- systemd 255.4-1
[bookworm] - systemd <no-dsa> (DNSSEC is disabled by default in systemd-resolved; can be fixed via point release)
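Review bot: this hunk takes the same bullseye `<ignored>` decision for pdns-recursor as the CVE-2023-50387 entry above, which fits since both entries share the same fix upload (4.9.3-1, bug #1063852); note that the unchanged buster knot-resolver context line here carries the "if DNSSEC is used Bookworm can be used" wording while the CVE-2023-50387 entry's buster line does not, so if the two entries are meant to stay in sync the rationales could be harmonized.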
@@ -8985,6 +9003,8 @@ CVE-2024-24768 (1Panel is an open source Linux server operation and maintenance
NOT-FOR-US: 1Panel
CVE-2024-24762 (`python-multipart` is a streaming multipart parser for Python. When us ...)
- python-multipart 0.0.9-1 (bug #1063538)
+ [bookworm] - python-multipart <no-dsa> (Minor issue)
+ [bullseye] - python-multipart <no-dsa> (Minor issue)
NOTE: Original report at fastapi: https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389
NOTE: But the fix is within python-multipart:
NOTE: https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4 (0.0.7)
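Review bot: the NOTE lines usefully record that the advisory was published under fastapi (GHSA-qf9m-vfgh-m389) while the fix lives in python-multipart 0.0.7; one follow-up worth noting in the entry is whether any other package in the archive ships its own copy of the python-multipart parser, since a `<no-dsa> (Minor issue)` marking on the library alone would leave an embedded copy untracked. The 0.0.9-1 version on the unstable line is above the 0.0.7 fix, so that side is consistent.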
diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt
index 32d2cdf2c4..6c97c49b13 100644
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -22,8 +22,12 @@ dav1d
--
dnsdist (jmm)
--
+dnsmasq
+--
expat (carnil)
--
+fontforge
+--
frr
--
gpac/oldstable
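Review bot: the two new dsa-needed entries (dnsmasq, fontforge) carry neither a suite qualifier nor an assignee, so by this file's convention they are unclaimed stable items; if the oldstable build is also affected, add a separate `/oldstable` entry as is done for gpac/oldstable, otherwise the bullseye side drops out of the DSA queue. Leaving them unowned at triage time is fine, but the CVE ids being tracked are not visible here, and a short note naming them would help whoever claims the entry.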
@@ -85,6 +89,8 @@ ruby3.1/stable
--
ruby-nokogiri/oldstable
--
+ruby-rack
+--
ruby-rails-html-sanitizer
--
ruby-sinatra/oldstable
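Review bot: ruby-rack is added without a suite suffix while its neighbours (ruby3.1/stable, ruby-nokogiri/oldstable, ruby-sinatra/oldstable) spell out which suite needs the DSA; given that the rest of this commit triages bookworm and bullseye side by side, state explicitly whether this is stable only or add a ruby-rack/oldstable entry as well, so the queue is unambiguous.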
