Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
56a25436 by Emilio Pozuelo Monfort at 2022-03-09T09:31:59+01:00
lts: CVE-2022-24613 and CVE-2022-24614 no-dsa for stretch

- - - - -
3656fd2e by Emilio Pozuelo Monfort at 2022-03-09T09:32:00+01:00
lts: triage bluez mesh issues as n/a on stretch

- - - - -
89ad468d by Emilio Pozuelo Monfort at 2022-03-09T09:32:01+01:00
lts: CVE-2021-4209/gnutls28 postponed on stretch

- - - - -
9ffe018f by Emilio Pozuelo Monfort at 2022-03-09T09:32:01+01:00
lts: add gerbv

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -5711,11 +5711,13 @@ CVE-2022-24614 (When reading a specially crafted JPEG 
file, metadata-extractor u
        - libmetadata-extractor-java <unfixed>
        [bullseye] - libmetadata-extractor-java <no-dsa> (Minor issue)
        [buster] - libmetadata-extractor-java <no-dsa> (Minor issue)
+       [stretch] - libmetadata-extractor-java <no-dsa> (Minor issue)
        NOTE: https://github.com/drewnoakes/metadata-extractor/issues/561
 CVE-2022-24613 (metadata-extractor up to 2.16.0 can throw various uncaught 
exceptions  ...)
        - libmetadata-extractor-java <unfixed>
        [bullseye] - libmetadata-extractor-java <no-dsa> (Minor issue)
        [buster] - libmetadata-extractor-java <no-dsa> (Minor issue)
+       [stretch] - libmetadata-extractor-java <no-dsa> (Minor issue)
        NOTE: https://github.com/drewnoakes/metadata-extractor/issues/561
 CVE-2022-24612 (An authenticated user can upload an XML file containing an XSS 
via the ...)
        NOT-FOR-US: EyesOfNetwork (EON) eonweb
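Review bot: the two added `[stretch]` lines under CVE-2022-24614 and CVE-2022-24613 repeat the bare "(Minor issue)" reason while the package line is still `<unfixed>` and the only reference is upstream issue 561. A short NOTE saying what makes the impact minor (for CVE-2022-24613 the description mentions uncaught exceptions) would let the next triager re-check the `<no-dsa>` decision once upstream has a fix, without re-reading the issue.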
@@ -8562,7 +8564,9 @@ CVE-2022-0340
 CVE-2021-4209
        RESERVED
        - gnutls28 3.7.3-2
+       [stretch] - gnutls28 <postponed> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044156
+       NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1306
        NOTE: https://gitlab.com/gnutls/gnutls/-/merge_requests/1503
        NOTE: Fixed by: 
https://gitlab.com/gnutls/gnutls/-/commit/3db352734472d851318944db13be73da61300568
 (3.7.3)
 CVE-2022-24300 (Minetest before 5.4.0 allows attackers to add or modify 
arbitrary meta ...)
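Review bot: `[stretch] - gnutls28 <postponed> (Minor issue)` is added to an entry that already records the fixing commit (3.7.3), so the reason could state what the postponement is waiting for, for example that the fix should go in with the next gnutls28 update for stretch. As written, nothing on the line distinguishes it from a `<no-dsa>`. The added NOTE for issue 1306 sits well next to the merge request reference.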
@@ -99686,11 +99690,13 @@ CVE-2020-26561 (** UNSUPPORTED WHEN ASSIGNED ** 
Belkin LINKSYS WRT160NL 1.0.04.0
        NOT-FOR-US: Belkin
 CVE-2020-26560 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 
and 1.0. ...)
        - bluez <unfixed> (bug #1006406)
+       [stretch] - bluez <not-affected> (Mesh support introduced later)
        NOTE: https://kb.cert.org/vuls/id/799380
        NOTE: 
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/impersonation-mesh/
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1959994
 CVE-2020-26559 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 
and 1.0. ...)
        - bluez <unfixed> (bug #1006406)
+       [stretch] - bluez <not-affected> (Mesh support introduced later)
        NOTE: https://kb.cert.org/vuls/id/799380
        NOTE: 
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/authvalue-leak/
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960011
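Review bot: the added `[stretch] - bluez <not-affected> (Mesh support introduced later)` lines under CVE-2020-26560 and CVE-2020-26559 do not say in which bluez version mesh support appeared, so the claim cannot be checked from the entry alone. Adding a NOTE with the upstream version or commit that introduced mesh would make the `<not-affected>` status verifiable against the stretch package version.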
@@ -99707,11 +99713,13 @@ CVE-2020-26558 (Bluetooth LE and BR/EDR secure 
pairing in Bluetooth Core Specifi
        NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738
 CVE-2020-26557 (Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 
may perm ...)
        - bluez <unfixed> (bug #1006406)
+       [stretch] - bluez <not-affected> (Mesh support introduced later)
        NOTE: https://kb.cert.org/vuls/id/799380
        NOTE: 
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/predicatable-authvalue/
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960009
 CVE-2020-26556 (Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 
may perm ...)
        - bluez <unfixed>
+       [stretch] - bluez <not-affected> (Mesh support introduced later)
        NOTE: https://kb.cert.org/vuls/id/799380
        NOTE: 
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/malleable/
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960012
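Review bot: in the CVE-2020-26556 entry the unchanged line `- bluez <unfixed>` carries no bug reference, while CVE-2020-26557 in this hunk and both mesh entries in the previous hunk have `(bug #1006406)`. If the same bug covers CVE-2020-26556, add the reference while this entry is being touched. CVE-2020-26558 at the top of the hunk gets no `[stretch]` line, which matches its description (secure pairing, not mesh provisioning).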


=====================================
data/dla-needed.txt
=====================================
@@ -39,6 +39,8 @@ firmware-nonfree (Markus Koschany)
   NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding 
possible "ignore" tag
   NOTE: 20211207: Intend to release this week.
 --
+gerbv
+--
 gpac (Roberto C. Sánchez)
   NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster 
versions match (roberto)
   NOTE: 20211120: received OK from secteam for buster update, working on 
stretch/buster in parallel (roberto)
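Review bot: the new `gerbv` entry has no NOTE line, and the commit message "lts: add gerbv" does not name the issue that prompted it. The neighbouring entries carry dated notes (`NOTE: 20211207: ...`); a similar dated NOTE listing the CVE or reason for the update would tell whoever claims the package where to start.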



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1b7a6286733bc7e23ca1a7bea0e8834dca8f1bab...9ffe018f6dff68113873397e052806a33cb32af0
