[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-32731/grpc: precise links + buster not-affected

Mon, 31 Jul 2023 08:22:30 -0700 


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5ee54b17 by Sylvain Beucler at 2023-07-31T17:07:55+02:00
CVE-2023-32731/grpc: precise links + buster not-affected

- - - - -
f320dc28 by Sylvain Beucler at 2023-07-31T17:21:02+02:00
CVE-2023-32732/grpc: mention CVE possible confusion + buster postponed

- - - - -
5f8c6de5 by Sylvain Beucler at 2023-07-31T17:21:38+02:00
dla: drop grpc (no more open issues)

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -5910,13 +5910,16 @@ CVE-2023-32732 (gRPC contains a vulnerability whereby a 
client can cause a termi
        - grpc <unfixed>
        [bookworm] - grpc <no-dsa> (Minor issue)
        [bullseye] - grpc <no-dsa> (Minor issue)
+       [buster] - grpc <postponed> (Minor issue; request smuggling; recheck if 
fixed or introduced by #32309 when CVE description is updated)
        NOTE: https://github.com/grpc/grpc/pull/32309
+       NOTE: CVE description and fix are sensible, but there seem to be 
confusion: https://github.com/grpc/grpc/pull/32309#issuecomment-1589703522
 CVE-2023-32731 (When gRPC HTTP2 stack raised a header size exceeded error, it 
skipped  ...)
        - grpc <unfixed>
        [bookworm] - grpc <no-dsa> (Minor issue)
        [bullseye] - grpc <no-dsa> (Minor issue)
-       NOTE: https://github.com/grpc/grpc/pull/32309
-       NOTE: https://github.com/grpc/grpc/pull/33005
+       [buster] - grpc <not-affected> (Vulnerable code introduced later)
+       NOTE: Introduced by: 
https://github.com/grpc/grpc/pull/32309#issuecomment-1589561295 (v1.53.0-pre1)
+       NOTE: Fixed by: 
https://github.com/grpc/grpc/commit/65a2a895afaf1d2072447b9baf246374b182a946 
(v1.56.0-pre1)
 CVE-2023-32312 (UmbracoIdentityExtensions is an Umbraco add-on package that 
enables ea ...)
        NOT-FOR-US: UmbracoIdentityExtensions
 CVE-2023-3177 (A vulnerability has been found in SourceCodester Lost and Found 
Inform ...)


=====================================
data/dla-needed.txt
=====================================
@@ -57,10 +57,6 @@ glib2.0 (santiago)
   NOTE: 20230710: WIP (santiago)
   NOTE: 20230724: buster should be ready. need if it's possible to run same 
reporter's fuzz test
 --
-grpc (Sylvain Beucler)
-  NOTE: 20230614: Added by Front-Desk (opal)
-  NOTE: 20230618: CVE-2023-32731 fix will need a massive rewrite (rouca)
---
 hdf5
   NOTE: 20230318: Added by Front-Desk (utkarsh)
   NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. 
(utkarsh)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9261a21b181ab264e7006e65a5e39c3f147cccba...5f8c6de5a54b2bd8c687cb7dfd51f42afa2f0c86

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9261a21b181ab264e7006e65a5e39c3f147cccba...5f8c6de5a54b2bd8c687cb7dfd51f42afa2f0c86
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to