diff options
| author | Moritz Muehlenhoff <jmm@debian.org> | 2024-04-05 15:59:05 +0200 |
|---|---|---|
| committer | Moritz Muehlenhoff <jmm@debian.org> | 2024-04-05 15:59:05 +0200 |
| commit | a4f5e6679564093912e4b6505c181a4c5aa6b261 (patch) | |
| tree | 1033e43f03b45d6d060deb3acf18ea8e913fdaca /data | |
| parent | e2b6b5341d0aef09423ad75303b9bb2fd8c5f53c (diff) | |
bookworm/bullseye triage
Diffstat (limited to 'data')
| -rw-r--r-- | data/CVE/list | 18 | ||||
| -rw-r--r-- | data/dsa-needed.txt | 2 |
2 files changed, 15 insertions, 5 deletions
diff --git a/data/CVE/list b/data/CVE/list index 995e5dabb2..b74c930eb3 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -88,12 +88,14 @@ CVE-2024-30263 (macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pd NOT-FOR-US: PDF Viewer Macro for XWiki CVE-2024-30261 (Undici is an HTTP/1.1 client, written from scratch for Node.js. An att ...) - node-undici 5.28.4+dfsg1+~cs23.12.11-1 + [bookworm] - node-undici <no-dsa> (Minor issue) NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672 NOTE: https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055 (v5.28.4) NOTE: https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3 (v6.11.1) NOTE: https://hackerone.com/reports/2377760 CVE-2024-30260 (Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici ...) - node-undici 5.28.4+dfsg1+~cs23.12.11-1 + [bookworm] - node-undici <no-dsa> (Minor issue) NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7 NOTE: https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f (v5.28.4) NOTE: https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75 (v6.11.1) @@ -446,7 +448,9 @@ CVE-2023-45288 (An attacker may cause an HTTP/2 endpoint to read arbitrary amoun - golang-1.22 1.22.2-1 - golang-1.21 1.21.9-1 - golang-1.19 <removed> + [bookworm] - golang-1.19 <no-dsa> (Minor issue) - golang-1.15 <removed> + [bullseye] - golang-1.15 <no-dsa> (Minor issue) - golang-1.11 <removed> - golang-golang-x-net 1:0.23.0+dfsg-1 NOTE: https://github.com/golang/go/issues/65051 @@ -1920,6 +1924,7 @@ CVE-2024-XXXX [mediawiki: XSS in edit summary parser] CVE-2024-XXXX [mediawiki: Denial of service vector via GET request to Special:MovePage on pages with thousands of subpages] - mediawiki 1:1.39.7-1 [bookworm] - mediawiki 1:1.39.7-1~deb12u1 + [bullseye] - mediawiki 1:1.35.13-1+deb11u2 NOTE: https://lists.wikimedia.org/hyperkitty/list/wikitech-l@lists.wikimedia.org/thread/V3WXEPXV2DU6WTVEKK4XHW4QXD5OFKD7/ NOTE: https://phabricator.wikimedia.org/T357760 NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/1015423 @@ -3269,11 +3274,12 @@ CVE-2023-46046 (An issue in MiniZinc before 2.8.0 allows a NULL pointer derefere NOTE: https://github.com/MiniZinc/libminizinc/commit/afe67acc20898e4308044b54c4acf7a08df544f0 (2.8.0) NOTE: Negligible security impact, crash in CLI tool CVE-2023-45935 (Qt 6 through 6.6 was discovered to contain a NULL pointer dereference ...) - - qt6-base <unfixed> - - qtbase-opensource-src <unfixed> - - qtbase-opensource-src-gles <unfixed> + - qt6-base <unfixed> (unimportant) + - qtbase-opensource-src <unfixed> (unimportant) + - qtbase-opensource-src-gles <unfixed> (unimportant) NOTE: https://bugreports.qt.io/browse/QTBUG-115599 NOTE: https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=df77d8939d1c04aa18833fe1e141bb71af1f8e04 (v6.5.3) + NOTE: No security impact CVE-2023-45931 (Mesa 23.0.4 was discovered to contain a NULL pointer dereference in ch ...) - mesa <unfixed> (unimportant) NOTE: https://gitlab.freedesktop.org/mesa/mesa/-/issues/9859 @@ -4056,6 +4062,8 @@ CVE-2024-30161 (In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component ma TODO: check details CVE-2024-30156 (Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 L ...) - varnish <unfixed> + [bookworm] - varnish <ignored> (Minor issue, too intrusive to backport) + [bullseye] - varnish <ignored> (Minor issue, too intrusive to backport) NOTE: https://varnish-cache.org/security/VSV00014.html NOTE: https://varnish-cache.org/docs/7.5/whats-new/changes-7.5.html#cve-2024-30156 NOTE: https://github.com/varnishcache/varnish-cache/commit/c0201724f0280894ec714fe76fc26ba9831f0551 (varnish-7.5.0) @@ -5198,6 +5206,7 @@ CVE-2023-6597 (An issue was found in the CPython `tempfile.TemporaryDirectory` c - python3.11 3.11.8-1 - python3.10 <unfixed> - python3.9 <removed> + [bullseye] - python3.9 <no-dsa> (Minor issue) - python3.7 <removed> - python2.7 <not-affected> (tempfile.TemporaryDirectory added in 3.2) NOTE: https://github.com/python/cpython/pull/99930 @@ -7324,6 +7333,7 @@ CVE-2023-28746 (Information exposure through microarchitectural state after tran [buster] - intel-microcode <postponed> (Decide after exposure on unstable for update) - linux 6.7.9-2 - xen <unfixed> + [bookworm] - xen <postponed> (Minor issue, fix along in next DSA) [bullseye] - xen <end-of-life> (EOLed in Bullseye) [buster] - xen <end-of-life> (DSA 4677-1) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00898.html @@ -37802,6 +37812,8 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource - dnsdist 1.8.2-2 [buster] - dnsdist <not-affected> (HTTP/2 support was added later) - varnish <unfixed> (bug #1056156) + [bookworm] - varnish <ignored> (Minor issue, too intrusive to backport) + [bullseye] - varnish <ignored> (Minor issue, too intrusive to backport) NOTE: Tomcat: https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49 (10.1.14) NOTE: Tomcat: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a (9.0.81) NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index eb09e66808..878b5c415c 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -88,8 +88,6 @@ salt/oldstable -- squid -- -varnish --- webkit2gtk (berto) -- wpa |