Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits: 5ee54b17 by Sylvain Beucler at 2023-07-31T17:07:55+02:00 CVE-2023-32731/grpc: precise links + buster not-affected - - - - - f320dc28 by Sylvain Beucler at 2023-07-31T17:21:02+02:00 CVE-2023-32732/grpc: mention CVE possible confusion + buster postponed - - - - - 5f8c6de5 by Sylvain Beucler at 2023-07-31T17:21:38+02:00 dla: drop grpc (no more open issues) - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -5910,13 +5910,16 @@ CVE-2023-32732 (gRPC contains a vulnerability whereby a client can cause a termi - grpc <unfixed> [bookworm] - grpc <no-dsa> (Minor issue) [bullseye] - grpc <no-dsa> (Minor issue) + [buster] - grpc <postponed> (Minor issue; request smuggling; recheck if fixed or introduced by #32309 when CVE description is updated) NOTE: https://github.com/grpc/grpc/pull/32309 + NOTE: CVE description and fix are sensible, but there seem to be confusion: https://github.com/grpc/grpc/pull/32309#issuecomment-1589703522 CVE-2023-32731 (When gRPC HTTP2 stack raised a header size exceeded error, it skipped ...) - grpc <unfixed> [bookworm] - grpc <no-dsa> (Minor issue) [bullseye] - grpc <no-dsa> (Minor issue) - NOTE: https://github.com/grpc/grpc/pull/32309 - NOTE: https://github.com/grpc/grpc/pull/33005 + [buster] - grpc <not-affected> (Vulnerable code introduced later) + NOTE: Introduced by: https://github.com/grpc/grpc/pull/32309#issuecomment-1589561295 (v1.53.0-pre1) + NOTE: Fixed by: https://github.com/grpc/grpc/commit/65a2a895afaf1d2072447b9baf246374b182a946 (v1.56.0-pre1) CVE-2023-32312 (UmbracoIdentityExtensions is an Umbraco add-on package that enables ea ...) NOT-FOR-US: UmbracoIdentityExtensions CVE-2023-3177 (A vulnerability has been found in SourceCodester Lost and Found Inform ...) ===================================== data/dla-needed.txt ===================================== 
@@ -57,10 +57,6 @@ glib2.0 (santiago) NOTE: 20230710: WIP (santiago) NOTE: 20230724: buster should be ready. need if it's possible to run same reporter's fuzz test -- -grpc (Sylvain Beucler) - NOTE: 20230614: Added by Front-Desk (opal) - NOTE: 20230618: CVE-2023-32731 fix will need a massive rewrite (rouca) --- hdf5 NOTE: 20230318: Added by Front-Desk (utkarsh) NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9261a21b181ab264e7006e65a5e39c3f147cccba...5f8c6de5a54b2bd8c687cb7dfd51f42afa2f0c86
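Review bot: In the data/CVE/list hunk, the CVE-2023-32732 entry keeps the bare "NOTE: https://github.com/grpc/grpc/pull/32309" with no qualifier, while the CVE-2023-32731 entry in the same hunk now labels that same PR as "Introduced by". The new buster annotation itself says it is not yet known whether #32309 fixed or introduced CVE-2023-32732, so the bare link reads as a fix reference to anyone skimming the entry. Consider marking it as unconfirmed, and have the added NOTE state what the confusion is instead of only linking the comment ("seem" should also be "seems"). The CVE-2023-32731 part replaces the pull/33005 link with the commit URL; keeping the PR reference next to the "Fixed by" commit would preserve the pointer to the review discussion.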
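Review bot: In the data/dla-needed.txt hunk, removing the grpc entry leaves the buster recheck for CVE-2023-32732 recorded only in the "<postponed>" annotation in data/CVE/list, and the commit subject "no more open issues" does not say that one issue is postponed pending a CVE description update. Consider a subject such as "no more actionable issues", so the removal is not read as buster being clear of both CVEs.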