From 616b899709e60c138ffd96a96ec061da24a0c52f Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Mon, 28 Aug 2023 11:52:30 +0200 Subject: bullseye/bookworm triage --- data/CVE/list | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'data') diff --git a/data/CVE/list b/data/CVE/list index 84c6b7704c..9119ff38a6 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -54,7 +54,9 @@ CVE-2023-41121 (Array AG OS before 9.4.0.499 allows denial of service: remote at NOT-FOR-US: Array AG OS CVE-2023-41080 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in F ...) - tomcat10 + [bookworm] - tomcat10 (Minor issue, fix along with future update) - tomcat9 9.0.70-2 + [bullseye] - tomcat9 (Minor issue, fix along with future update) - tomcat8 NOTE: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f NOTE: https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27 (10.1.13) @@ -46229,8 +46231,11 @@ CVE-2022-47023 RESERVED CVE-2022-47022 (An issue was discovered in open-mpi hwloc 2.1.0 allows attackers to ca ...) - hwloc + [bookworm] - hwloc (Minor issue) + [bullseye] - hwloc (Minor issue) NOTE: https://github.com/open-mpi/hwloc/issues/544 - TODO: check, additionally openmpi and mpich embedd hwloc, but issue seems negligible + NOTE: https://github.com/open-mpi/hwloc/commit/eec84f84d4c4a7af6ed2c57ba95a9256e56e73b4 + NOTE: Additionally openmpi and mpich embedd hwloc, but issue seems negligible CVE-2022-47021 (A null pointer dereference issue was discovered in functions op_get_da ...) - opusfile 0.12-4 (bug #1030049) [bullseye] - opusfile (Minor issue) 
@@ -59984,6 +59989,8 @@ CVE-2022-43358 (Stack overflow vulnerability in ast_selectors.cpp: in function S NOTE: https://github.com/sass/libsass/issues/3178 CVE-2022-43357 (Stack overflow vulnerability in ast_selectors.cpp in function Sass::Co ...) - libsass + [bookworm] - libsass (Minor issue) + [bullseye] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/3177 CVE-2022-43356 RESERVED @@ -68800,6 +68807,7 @@ CVE-2022-40091 (Online Tours & Travels Management System v1.0 was discovered to NOT-FOR-US: Online Tours & Travels Management System CVE-2022-40090 (An issue was discovered in function TIFFReadDirectory libtiff before 4 ...) - tiff 4.5.0-2 + [bullseye] - tiff (Minor issue) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/455 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/386 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/d093eb5d961e21ba51420bc22382c514683a4d91 (v4.5.0rc1) @@ -107155,6 +107163,8 @@ CVE-2022-26593 (Cross-site scripting (XSS) vulnerability in the Asset module's a NOT-FOR-US: Liferay CVE-2022-26592 (Stack Overflow vulnerability in libsass 3.6.5 via the CompoundSelector ...) - libsass + [bookworm] - libsass (Minor issue) + [bullseye] - libsass (Minor issue) NOTE: https://github.com/sass/libsass/issues/3174 CVE-2022-26591 (FANTEC GmbH MWiD25-DS Firmware v2.000.030 allows unauthenticated attac ...) NOT-FOR-US: FANTEC GmbH MWiD25-DS Firmware @@ -118015,6 +118025,8 @@ CVE-2021-46313 (The binary MP4Box in GPAC v1.0.1 was discovered to contain a seg NOTE: https://github.com/gpac/gpac/commit/ee969d3c4c425ecb25999eb68ada616925b58eba (v2.0.0) CVE-2021-46312 (An issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in all ...) - djvulibre + [bookworm] - djvulibre (Minor issue) + [bullseye] - djvulibre (Minor issue) NOTE: https://sourceforge.net/p/djvu/bugs/344/ CVE-2021-46311 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the ...) - gpac 2.0.0+dfsg1-2 
@@ -118025,6 +118037,8 @@ CVE-2021-46311 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 v NOTE: https://github.com/gpac/gpac/commit/ad19e0c4504a89ca273442b1b1483ae7adfb9491 (v2.0.0) CVE-2021-46310 (An issue was discovered IW44Image.cpp in djvulibre 3.5.28 in allows at ...) - djvulibre + [bookworm] - djvulibre (Minor issue) + [bullseye] - djvulibre (Minor issue) NOTE: https://sourceforge.net/p/djvu/bugs/345/ CVE-2021-46309 (An SQL Injection vulnerability exists in Sourcecodester Employee and V ...) NOT-FOR-US: Sourcecodester @@ -221395,10 +221409,11 @@ CVE-2020-21529 (fig2dev 3.2.7b contains a stack buffer overflow in the bezier_sp NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/d70e4ba6308046f71cb51f67db8412155af52411/ (3.2.8) NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/e3cee2576438f47a3b8678c6960472e625f8f7d7/ (3.2.8) CVE-2020-21528 (A Segmentation Fault issue discovered in in ieee_segment function in o ...) - - nasm 2.16.01-1 + - nasm 2.16.01-1 (unimportant) NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392637 NOTE: Introduced by: https://github.com/netwide-assembler/nasm/commit/98578071b9d71ecaa2344dd9c185237c1765041e (nasm-2.14rc1) NOTE: Fixed by: https://github.com/netwide-assembler/nasm/commit/93c774d482694643cafbc82578ac8b729fb5bc8b (nasm-2.16rc1) + NOTE: Crash in CLI tool, no security impact CVE-2020-21527 (There is an Arbitrary file deletion vulnerability in halo v1.1.3. A ba ...) NOT-FOR-US: Halo CVE-2020-21526 (An Arbitrary file writing vulnerability in halo v1.1.3. In an interfac ...) -- cgit v1.2.3
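Review bot: in the CVE-2023-41080 hunk only tomcat9 and tomcat10 receive the new [bullseye]/[bookworm] "Minor issue, fix along with future update" tags while the "- tomcat8" line is left without any suite annotation; if tomcat8 is not shipped in either of those suites that is correct, but a short NOTE saying so would keep the triage self-explanatory, and since the tomcat10 entry carries no fixed version in unstable it may be worth noting that the fix is only in upstream 10.1.13 per the linked commit.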
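Review bot: the new "NOTE: https://github.com/open-mpi/hwloc/commit/eec84f84d4c4a7af6ed2c57ba95a9256e56e73b4" line in the CVE-2022-47022 hunk lacks the parenthesised upstream release that the other fix-commit NOTEs in this file carry (e.g. "(10.1.13)", "(v4.5.0rc1)"), so consider appending the first fixed hwloc version; the rewritten NOTE also keeps the typo "embedd" (should be "embed"), and it would be more useful to state whether Debian's openmpi and mpich build against the system libhwloc rather than their embedded copy, since that is what makes the embedded code irrelevant rather than merely "negligible".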
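Review bot: in the CVE-2020-21528 hunk the downgrade to "(unimportant)" is backed by the added "NOTE: Crash in CLI tool, no security impact", but the existing "Introduced by" NOTE (nasm-2.14rc1) implies the stable suites ship affected code, so it would help to state in that NOTE that the unimportant severity is why no per-suite [bullseye]/[bookworm] tags are added, e.g. "NOTE: Crash in CLI tool, no security impact; no suite tags needed", keeping the rationale next to the severity change.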