[Git][security-tracker-team/security-tracker][master] dla: drop puppet

[Sylvain Beucler (@beuc)]

Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3239b059 by Sylvain Beucler at 2021-12-06T18:47:00+01:00
dla: drop puppet

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -46566,6 +46566,7 @@ CVE-2021-27025 (A flaw was discovered in Puppet Agent 
where the agent may silent
        - puppet <unfixed>
        [bullseye] - puppet <ignored> (Minor issue, too intrusive to backport)
        [buster] - puppet <ignored> (Minor issue, too intrusive to backport)
+       [stretch] - puppet <ignored> (Minor issue, too intrusive to backport)
        NOTE: https://puppet.com/security/cve/cve-2021-27025
        NOTE: 
https://github.com/puppetlabs/puppet/commit/da8b73edca174309a9bef5f62cd276933fe733e8
 (6.25.1)
        NOTE: Limited impact, needs a malformed custom type provider
@@ -46575,12 +46576,14 @@ CVE-2021-27023 (A flaw was discovered in Puppet Agent 
and Puppet Server that may
        - puppet <unfixed>
        [bullseye] - puppet <ignored> (Minor issue)
        [buster] - puppet <ignored> (Minor issue)
+       [stretch] - puppet <ignored> (Minor issue)
        NOTE: https://puppet.com/security/cve/cve-2021-27023
        NOTE: 
https://github.com/puppetlabs/puppet/commit/e90023a8b54a58073d71dae655d7636e2c9bcc61
 (6.25.1)
        NOTE: Marginal/unclear security implications, the redirects are fully 
under control of
        NOTE: the puppet masters and the advisory states this CVE would be 
similar to CVE-2018-1000007,
        NOTE: but CVE is for curl, which obviously has different scope being a 
library. Plus, all
        NOTE: reasonably secure installations use client auth on the agents
+       NOTE: Previous client code in lib/puppet/network/http/connection.rb 
also vulnerable
 CVE-2021-27022 (A flaw was discovered in bolt-server and ace where running a 
task with ...)
        - puppet <not-affected> (Only affects Puppet Enterprise)
        NOTE: https://puppet.com/security/cve/CVE-2021-27022/


=====================================
data/dla-needed.txt
=====================================
@@ -67,9 +67,6 @@ nvidia-graphics-drivers (Markus Koschany)
 pgbouncer (Thorsten Alteholz)
   NOTE: 20211128: also help with other releases
 --
-puppet (Sylvain Beucler)
-  NOTE: please recheck whether really affected
---
 rustc (Roberto C. Sánchez)
   NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable
   NOTE: https://bugs.debian.org/928422



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3239b05986b64e508c02ffc7793f3f38cb8fe919

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3239b05986b64e508c02ffc7793f3f38cb8fe919
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits