Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: 498f5f3b by Markus Koschany at 2023-07-31T00:15:47+02:00 Add cjose to dla-needed.txt - - - - - c9994c81 by Markus Koschany at 2023-07-31T00:15:48+02:00 CVE-2023-3748,frr: Buster is not affected The vulnerable code was introduced later - - - - - eb450498 by Markus Koschany at 2023-07-31T00:15:48+02:00 Add nodejs to dla-needed.txt - - - - - 44a1f513 by Markus Koschany at 2023-07-31T00:15:48+02:00 Add orthanc to dla-needed.txt - - - - - f0ea15f3 by Markus Koschany at 2023-07-31T00:15:49+02:00 CVE-2021-37819,libitext-java: buster is no-dsa Minor issue - - - - - 78172fc4 by Markus Koschany at 2023-07-31T00:15:50+02:00 CVE-2023-35946,CVE-2023-35947,gradle: Buster is no-dsa Minor issues because Debian uses local system libraries to build packages. The paths won't contain any special characters and an attacker will not have control over the dependencies which are located in /usr/share/java or /usr/share/maven-repo. This would require root access. - - - - - 2d040c41 by Markus Koschany at 2023-07-31T00:15:51+02:00 Add open-vm-tools to dla-needed.txt - - - - - 38ab281e by Markus Koschany at 2023-07-31T00:15:51+02:00 Add openssl to dla-needed.txt - - - - - a4571d12 by Markus Koschany at 2023-07-31T00:15:51+02:00 Add amd64-microcode to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -1037,6 +1037,7 @@ CVE-2023-3750 (A flaw was found in libvirt. The virStoragePoolObjListSearch func NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/9a47442366fcf8a7b6d7422016d7bbb6764a1098 CVE-2023-3748 (A flaw was found in FRRouting when parsing certain babeld unicast hell ...) - frr <unfixed> (bug #1042473) + [buster] - frr <not-affected> (The vulnerable code was introduced later) NOTE: https://github.com/FRRouting/frr/issues/11808 NOTE: https://github.com/FRRouting/frr/pull/12950 NOTE: https://github.com/FRRouting/frr/pull/12952 
@@ -3541,6 +3542,7 @@ CVE-2023-35947 (Gradle is a build tool with a focus on build automation and supp - gradle <unfixed> (bug #1041424) [bookworm] - gradle <no-dsa> (Minor issue) [bullseye] - gradle <no-dsa> (Minor issue) + [buster] - gradle <no-dsa> (Minor issue) NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842 NOTE: https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879 (v8.2.0-RC3) NOTE: https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91 (v8.2.0-RC3) @@ -3548,6 +3550,7 @@ CVE-2023-35946 (Gradle is a build tool with a focus on build automation and supp - gradle <unfixed> (bug #1041424) [bookworm] - gradle <no-dsa> (Minor issue) [bullseye] - gradle <no-dsa> (Minor issue) + [buster] - gradle <no-dsa> (Minor issue) NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v NOTE: https://github.com/gradle/gradle/commit/859eae2b2acf751ae7db3c9ffefe275aa5da0d5d (v8.2.0-RC3) NOTE: https://github.com/gradle/gradle/commit/b07e528feb3a5ffa66bdcc358549edd73e4c8a12 (v8.2.0-RC3) @@ -144630,6 +144633,7 @@ CVE-2021-37819 (PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite - libitext-java <unfixed> [bookworm] - libitext-java <no-dsa> (Minor issue) [bullseye] - libitext-java <no-dsa> (Minor issue) + [buster] - libitext-java <no-dsa> (Minor issue) - libitext1-java <unfixed> [bookworm] - libitext1-java <no-dsa> (Minor issue) [bullseye] - libitext1-java <no-dsa> (Minor issue) ===================================== data/dla-needed.txt ===================================== 
@@ -24,6 +24,9 @@ rather than remove/replace existing ones. amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) -- +amd64-microcode + NOTE: 20230731: Added by Front-Desk (apo) +-- cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) @@ -36,6 +39,9 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +cjose + NOTE: 20230730: Added by Front-Desk (apo) +-- docker.io (rouca) NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) @@ -82,6 +88,9 @@ libreoffice (Abhijith PA) linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- +nodejs + NOTE: 20230731: Added by Front-Desk (apo) +-- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression @@ -101,6 +110,9 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- +open-vm-tools + NOTE: 20230731: Added by Front-Desk (apo) +-- openimageio (Markus Koschany) NOTE: 20230406: Re-added due to regressions (apo) NOTE: 20230612: Backporting is mostly done, but still some failures. (gladk) 
@@ -111,6 +123,12 @@ openjdk-11 (Emilio) NOTE: 20230612: sid updated, preparing backport (pochu) NOTE: 20230717: waiting for DSA, might wait for next CPU (pochu) -- +openssl + NOTE: 20230731: Added by Front-Desk (apo) +-- +orthanc + NOTE: 20230731: Added by Front-Desk (apo) +-- python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fa588a70f24cb5fe4a07a24ed76ebbcd74806f66...a4571d126c6c7bd236cdcd2ba668a527821209a6
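Review bot: In the data/CVE/list hunk for CVE-2023-3748, the added `[buster] - frr <not-affected> (The vulnerable code was introduced later)` line does not say where the vulnerable code was introduced. None of the three NOTE links in the surrounding context (issue 11808, pulls 12950 and 12952) is marked as the introducing change, so the claim cannot be checked against the frr version in buster from the entry alone. Suggest adding a NOTE that names the introducing commit or the first affected upstream release.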
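Review bot: In the two gradle hunks (CVE-2023-35947 and CVE-2023-35946), the added `[buster] - gradle <no-dsa> (Minor issue)` lines drop the reasoning that the commit message gives, namely that Debian builds against local system libraries under /usr/share/java or /usr/share/maven-repo and that an attacker would need root to control them. That rationale is what justifies the triage decision, and it is only recoverable from the commit log. Suggest recording a short form of it in a NOTE line under each CVE so that it stays with the tracker data.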
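Review bot: In the CVE-2021-37819 hunk, the `[buster]` no-dsa line is added for libitext-java only, while the trailing context shows a separate libitext1-java block with `[bookworm]` and `[bullseye]` entries and then the hunk ends. From the visible lines it cannot be told whether libitext1-java already has a buster annotation. Worth confirming that it is either triaged the same way or not shipped in buster, so the two source packages do not end up with different status for the same CVE.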
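Review bot: In the data/dla-needed.txt hunks, the six new entries (amd64-microcode, cjose, nodejs, open-vm-tools, openssl, orthanc) carry only an `Added by Front-Desk (apo)` note and no CVE id, unlike the neighbouring cairosvg and cinder entries in the context, which name the CVE being handled. Whoever claims one of these packages has to rediscover which issues prompted the addition. Suggest adding a NOTE line per entry listing the CVE ids that triggered it.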