Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker
Commits: 56a25436 by Emilio Pozuelo Monfort at 2022-03-09T09:31:59+01:00 lts: CVE-2022-24613 and CVE-2022-24614 no-dsa for stretch - - - - - 3656fd2e by Emilio Pozuelo Monfort at 2022-03-09T09:32:00+01:00 lts: triage bluez mesh issues as n/a on stretch - - - - - 89ad468d by Emilio Pozuelo Monfort at 2022-03-09T09:32:01+01:00 lts: CVE-2021-4209/gnutls28 postponed on stretch - - - - - 9ffe018f by Emilio Pozuelo Monfort at 2022-03-09T09:32:01+01:00 lts: add gerbv - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -5711,11 +5711,13 @@ CVE-2022-24614 (When reading a specially crafted JPEG file, metadata-extractor u - libmetadata-extractor-java <unfixed> [bullseye] - libmetadata-extractor-java <no-dsa> (Minor issue) [buster] - libmetadata-extractor-java <no-dsa> (Minor issue) + [stretch] - libmetadata-extractor-java <no-dsa> (Minor issue) NOTE: https://github.com/drewnoakes/metadata-extractor/issues/561 CVE-2022-24613 (metadata-extractor up to 2.16.0 can throw various uncaught exceptions ...) - libmetadata-extractor-java <unfixed> [bullseye] - libmetadata-extractor-java <no-dsa> (Minor issue) [buster] - libmetadata-extractor-java <no-dsa> (Minor issue) + [stretch] - libmetadata-extractor-java <no-dsa> (Minor issue) NOTE: https://github.com/drewnoakes/metadata-extractor/issues/561 CVE-2022-24612 (An authenticated user can upload an XML file containing an XSS via the ...) NOT-FOR-US: EyesOfNetwork (EON) eonweb 
@@ -8562,7 +8564,9 @@ CVE-2022-0340 CVE-2021-4209 RESERVED - gnutls28 3.7.3-2 + [stretch] - gnutls28 <postponed> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044156 + NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1306 NOTE: https://gitlab.com/gnutls/gnutls/-/merge_requests/1503 NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/3db352734472d851318944db13be73da61300568 (3.7.3) CVE-2022-24300 (Minetest before 5.4.0 allows attackers to add or modify arbitrary meta ...) @@ -99686,11 +99690,13 @@ CVE-2020-26561 (** UNSUPPORTED WHEN ASSIGNED ** Belkin LINKSYS WRT160NL 1.0.04.0 NOT-FOR-US: Belkin CVE-2020-26560 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0. ...) - bluez <unfixed> (bug #1006406) + [stretch] - bluez <not-affected> (Mesh support introduced later) NOTE: https://kb.cert.org/vuls/id/799380 NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/impersonation-mesh/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1959994 CVE-2020-26559 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0. ...) - bluez <unfixed> (bug #1006406) + [stretch] - bluez <not-affected> (Mesh support introduced later) NOTE: https://kb.cert.org/vuls/id/799380 NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/authvalue-leak/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960011 
@@ -99707,11 +99713,13 @@ CVE-2020-26558 (Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specifi NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738 CVE-2020-26557 (Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may perm ...) - bluez <unfixed> (bug #1006406) + [stretch] - bluez <not-affected> (Mesh support introduced later) NOTE: https://kb.cert.org/vuls/id/799380 NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/predicatable-authvalue/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960009 CVE-2020-26556 (Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may perm ...) - bluez <unfixed> + [stretch] - bluez <not-affected> (Mesh support introduced later) NOTE: https://kb.cert.org/vuls/id/799380 NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/malleable/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960012 ===================================== data/dla-needed.txt ===================================== @@ -39,6 +39,8 @@ firmware-nonfree (Markus Koschany) NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag NOTE: 20211207: Intend to release this week. -- +gerbv +-- gpac (Roberto C. Sánchez) NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto) NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1b7a6286733bc7e23ca1a7bea0e8834dca8f1bab...9ffe018f6dff68113873397e052806a33cb32af0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1b7a6286733bc7e23ca1a7bea0e8834dca8f1bab...9ffe018f6dff68113873397e052806a33cb32af0 You're receiving this email because of your account on salsa.debian.org.
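Review bot: the new `[stretch] - gnutls28 <postponed> (Minor issue)` line in the CVE-2021-4209 hunk carries no NOTE recording what the stretch fix is deferred behind, and the entry is still `RESERVED` with no description, so a later triager has only "Minor issue" to go on. Suggest adding a dated NOTE beside the new `NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1306` line stating the reason for postponing (for example, that it is to be bundled with the next gnutls28 update for stretch), consistent with how the dla-needed.txt entries in this same commit series record their reasoning.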
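Review bot: in the two bluez hunks, the `[stretch] - bluez <not-affected> (Mesh support introduced later)` lines added for CVE-2020-26556 through CVE-2020-26560 state the rationale but not the bluez version that introduced Mesh support, which is what makes a not-affected claim checkable against the stretch package version. Suggest adding one NOTE under each affected entry naming that version (or a single pointer to where it was verified). Unrelated to the change but visible in the context: the `- bluez <unfixed>` line for CVE-2020-26556 lacks the `(bug #1006406)` reference that the sibling entries carry; worth aligning while here.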
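Review bot: the `+gerbv` entry added to data/dla-needed.txt has no owner and no NOTE line, unlike the neighbouring `firmware-nonfree (Markus Koschany)` and `gpac (Roberto C. Sánchez)` entries, and the commit message `lts: add gerbv` gives no reason either. Suggest adding a dated NOTE under `gerbv` stating which open issues prompted the addition and any known upstream fix status, so whoever claims the package does not have to redo the triage.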