Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
498f5f3b by Markus Koschany at 2023-07-31T00:15:47+02:00
Add cjose to dla-needed.txt

- - - - -
c9994c81 by Markus Koschany at 2023-07-31T00:15:48+02:00
CVE-2023-3748,frr: Buster is not affected

The vulnerable code was introduced later

- - - - -
eb450498 by Markus Koschany at 2023-07-31T00:15:48+02:00
Add nodejs to dla-needed.txt

- - - - -
44a1f513 by Markus Koschany at 2023-07-31T00:15:48+02:00
Add orthanc to dla-needed.txt

- - - - -
f0ea15f3 by Markus Koschany at 2023-07-31T00:15:49+02:00
CVE-2021-37819,libitext-java: buster is no-dsa

Minor issue

- - - - -
78172fc4 by Markus Koschany at 2023-07-31T00:15:50+02:00
CVE-2023-35946,CVE-2023-35947,gradle: Buster is no-dsa

Minor issues because Debian uses local system libraries to build packages. The
paths won't contain any special characters and an attacker will not have
control over the dependencies which are located in /usr/share/java or
/usr/share/maven-repo. This would require root access.

- - - - -
2d040c41 by Markus Koschany at 2023-07-31T00:15:51+02:00
Add open-vm-tools to dla-needed.txt

- - - - -
38ab281e by Markus Koschany at 2023-07-31T00:15:51+02:00
Add openssl to dla-needed.txt

- - - - -
a4571d12 by Markus Koschany at 2023-07-31T00:15:51+02:00
Add amd64-microcode to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1037,6 +1037,7 @@ CVE-2023-3750 (A flaw was found in libvirt. The 
virStoragePoolObjListSearch func
        NOTE: Fixed by: 
https://gitlab.com/libvirt/libvirt/-/commit/9a47442366fcf8a7b6d7422016d7bbb6764a1098
 CVE-2023-3748 (A flaw was found in FRRouting when parsing certain babeld 
unicast hell ...)
        - frr <unfixed> (bug #1042473)
+       [buster] - frr <not-affected> (The vulnerable code was introduced later)
        NOTE: https://github.com/FRRouting/frr/issues/11808
        NOTE: https://github.com/FRRouting/frr/pull/12950
        NOTE: https://github.com/FRRouting/frr/pull/12952
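Review bot: the added `[buster] - frr <not-affected> (The vulnerable code was introduced later)` line gives no version or commit for when the code was introduced, and the three NOTE lines in this hunk point at the upstream issue and the fixing PRs rather than at the introducing change. A not-affected claim is re-checked whenever the CVE is revisited, so consider recording the introducing upstream commit or the first affected upstream release in a NOTE so the claim can be verified without redoing the code archaeology.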
@@ -3541,6 +3542,7 @@ CVE-2023-35947 (Gradle is a build tool with a focus on 
build automation and supp
        - gradle <unfixed> (bug #1041424)
        [bookworm] - gradle <no-dsa> (Minor issue)
        [bullseye] - gradle <no-dsa> (Minor issue)
+       [buster] - gradle <no-dsa> (Minor issue)
        NOTE: 
https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842
        NOTE: 
https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879
 (v8.2.0-RC3)
        NOTE: 
https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91
 (v8.2.0-RC3)
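Review bot: the new `[buster] - gradle <no-dsa> (Minor issue)` line carries only the generic "Minor issue" rationale, while the real reasoning (Debian builds against local system libraries under /usr/share/java and /usr/share/maven-repo, so an attacker does not control the dependency paths) lives only in the commit message. Since the same wording is used for the bookworm and bullseye lines and in the CVE-2023-35946 hunk below, consider adding a short NOTE under each gradle entry stating that rationale, so a later triager can see why the Debian packaging is not exposed without searching git history.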
@@ -3548,6 +3550,7 @@ CVE-2023-35946 (Gradle is a build tool with a focus on 
build automation and supp
        - gradle <unfixed> (bug #1041424)
        [bookworm] - gradle <no-dsa> (Minor issue)
        [bullseye] - gradle <no-dsa> (Minor issue)
+       [buster] - gradle <no-dsa> (Minor issue)
        NOTE: 
https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v
        NOTE: 
https://github.com/gradle/gradle/commit/859eae2b2acf751ae7db3c9ffefe275aa5da0d5d
 (v8.2.0-RC3)
        NOTE: 
https://github.com/gradle/gradle/commit/b07e528feb3a5ffa66bdcc358549edd73e4c8a12
 (v8.2.0-RC3)
@@ -144630,6 +144633,7 @@ CVE-2021-37819 (PDF Labs pdftk-java v3.2.3 was 
discovered to contain an infinite
        - libitext-java <unfixed>
        [bookworm] - libitext-java <no-dsa> (Minor issue)
        [bullseye] - libitext-java <no-dsa> (Minor issue)
+       [buster] - libitext-java <no-dsa> (Minor issue)
        - libitext1-java <unfixed>
        [bookworm] - libitext1-java <no-dsa> (Minor issue)
        [bullseye] - libitext1-java <no-dsa> (Minor issue)
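Review bot: this hunk adds a buster no-dsa line for libitext-java only, while the adjacent libitext1-java source package shown in the context has matching bookworm and bullseye no-dsa lines but no buster line within the visible context. If libitext1-java is also present in buster it probably needs the same `[buster] - libitext1-java <no-dsa> (Minor issue)` marking; if it already has one outside the context shown, or is not in buster, no change is needed.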


=====================================
data/dla-needed.txt
=====================================
@@ -24,6 +24,9 @@ rather than remove/replace existing ones.
 amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
 --
+amd64-microcode
+  NOTE: 20230731: Added by Front-Desk (apo)
+--
 cairosvg (gladk)
   NOTE: 20230323: Added by Front-Desk (gladk)
   NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport 
the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive)
@@ -36,6 +39,9 @@ cinder
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
+cjose
+  NOTE: 20230730: Added by Front-Desk (apo)
+--
 docker.io (rouca)
   NOTE: 20230303: Added by Front-Desk (Beuc)
   NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
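Review bot: the NOTE date on the new cjose entry reads `20230730` whereas every other package added in this push (amd64-microcode, nodejs, open-vm-tools, openssl, orthanc) uses `20230731`. The commit timestamps are all within a few seconds of each other, so the dates should agree; pick one value for the whole batch to keep the Front-Desk log consistent.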
@@ -82,6 +88,9 @@ libreoffice (Abhijith PA)
 linux (Ben Hutchings)
   NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
 --
+nodejs
+  NOTE: 20230731: Added by Front-Desk (apo)
+--
 nova
   NOTE: 20230302: Re-add, request by maintainer (Beuc)
   NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific 
CVE-2022-47951 backport that introduces regression
@@ -101,6 +110,9 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
+open-vm-tools
+  NOTE: 20230731: Added by Front-Desk (apo)
+--
 openimageio (Markus Koschany)
   NOTE: 20230406: Re-added due to regressions (apo)
   NOTE: 20230612: Backporting is mostly done, but still some failures. (gladk)
@@ -111,6 +123,12 @@ openjdk-11 (Emilio)
   NOTE: 20230612: sid updated, preparing backport (pochu)
   NOTE: 20230717: waiting for DSA, might wait for next CPU (pochu)
 --
+openssl
+  NOTE: 20230731: Added by Front-Desk (apo)
+--
+orthanc
+  NOTE: 20230731: Added by Front-Desk (apo)
+--
 python-glance-store
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fa588a70f24cb5fe4a07a24ed76ebbcd74806f66...a4571d126c6c7bd236cdcd2ba668a527821209a6



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
