Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker
Commits: 24ec254d by Helmut Grohne at 2022-10-17T17:39:19+02:00 Reserve DLA-3152-1 for glibc - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -55590,13 +55590,11 @@ CVE-2022-23222 (kernel/bpf/verifier.c in the Linux kernel through 5.15.14 allows CVE-2022-23219 (The deprecated compatibility function clnt_create in the sunrpc module ...) - glibc 2.33-3 [bullseye] - glibc 2.31-13+deb11u3 - [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22542 CVE-2022-23218 (The deprecated compatibility function svcunix_create in the sunrpc mod ...) - glibc 2.33-3 [bullseye] - glibc 2.31-13+deb11u3 - [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28768 CVE-2022-23217 @@ -66139,7 +66137,6 @@ CVE-2021-4000 (showdoc is vulnerable to URL Redirection to Untrusted Site ...) CVE-2021-3999 (A flaw was found in glibc. An off-by-one buffer overflow and underflow ...) - glibc 2.33-4 [bullseye] - glibc 2.31-13+deb11u4 - [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28769 NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/4 @@ -90646,7 +90643,6 @@ CVE-2021-35943 (Couchbase Server 6.5.x and 6.6.x through 6.6.2 has Incorrect Acc NOT-FOR-US: Couchbase Server CVE-2021-35942 (The wordexp function in the GNU C Library (aka glibc) through 2.33 may ...) - glibc 2.31-13 (bug #990542) - [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28011 NOTE: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c 
@@ -96227,7 +96223,6 @@ CVE-2021-33574 (The mq_notify function in the GNU C Library (aka glibc) versions [experimental] - glibc 2.32-0experimental0 - glibc 2.32-1 (bug #989147) [bullseye] - glibc 2.31-13+deb11u3 - [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27896 NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb @@ -111866,7 +111861,6 @@ CVE-2021-27646 (Use After Free vulnerability in iscsi_snapshot_comm_core in Syno NOT-FOR-US: Synology CVE-2021-27645 (The nameserver caching daemon (nscd) in the GNU C Library (aka glibc o ...) - glibc 2.31-10 (bug #983479) - [buster] - glibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27462 NOTE: Introduced by: https://sourceware.org/git/?p=glibc.git;a=commit;h=745664bd798ec8fd50438605948eea594179fba1 (glibc-2.29) NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673 @@ -115235,7 +115229,6 @@ CVE-2021-26273 (The Agent in NinjaRMM 5.0.909 has Incorrect Access Control. ...) NOT-FOR-US: NinjaRMM CVE-2021-3326 (The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and ...) - glibc 2.31-10 (bug #981198) - [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2146 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27256 
@@ -127324,7 +127317,6 @@ CVE-2020-35931 (An issue was discovered in Foxit Reader before 10.1.1 (and befor NOT-FOR-US: Foxit Reader CVE-2019-25013 (The iconv feature in the GNU C Library (aka glibc or libc6) through 2. ...) - glibc 2.31-9 (bug #979273) - [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <postponed> (Minor issue; can be fixed in next update) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24973 NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=ee7a3144c9922808181009b7b3e50e852fb4999b @@ -143848,7 +143840,6 @@ CVE-2020-27619 (In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.p NOTE: Only affects the testsuite CVE-2020-27618 (The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and ...) - glibc 2.31-5 (bug #973914) - [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26224 NOTE: https://sourceware.org/git/?p=glibc.git;a=commit;h=9a99c682144bdbd40792ebf822fe9264e0376fb5 @@ -187428,7 +187419,6 @@ CVE-2020-10030 (An issue has been found in PowerDNS Recursor 4.1.0 up to and inc NOTE: Non exploitable on Linux CVE-2020-10029 (The GNU C Library (aka glibc or libc6) before 2.32 could overflow an o ...) - glibc 2.30-1 (bug #953108) - [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) [jessie] - glibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25487 
@@ -197478,7 +197468,6 @@ CVE-2020-6097 (An exploitable denial of service vulnerability exists in the atft NOTE: https://sourceforge.net/u/peterkaestle/atftp/ci/96409ef3b9ca061f9527cfaafa778105cf15d994/ CVE-2020-6096 (An exploitable signed comparison vulnerability exists in the ARMv7 mem ...) - glibc 2.31-2 (low; bug #961452) - [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) [jessie] - glibc <not-affected> (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25620 @@ -209822,7 +209811,6 @@ CVE-2020-1753 (A security flaw was found in Ansible Engine, all Ansible 2.7.x ve NOTE: options. CVE-2020-1752 (A use-after-free vulnerability introduced in glibc upstream version 2. ...) - glibc 2.30-3 (bug #953788) - [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) [jessie] - glibc <no-dsa> (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25414 @@ -210711,7 +210699,6 @@ CVE-2019-19127 (An authentication bypass vulnerability is present in the standal NOT-FOR-US: Tribal SITS CVE-2019-19126 (On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 ...) - glibc 2.29-8 (bug #945250) - [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) [jessie] - glibc <not-affected> (Vulnerable code introduced in 2.23) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25204 @@ -359043,7 +359030,6 @@ CVE-2017-6077 (ping.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0. NOT-FOR-US: NETGEAR CVE-2016-10228 (The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and e ...) - glibc 2.31-3 (low; bug #856503) - [buster] - glibc <no-dsa> (Minor issue) [stretch] - glibc <no-dsa> (Minor issue) [jessie] - glibc <no-dsa> (Minor issue) - eglibc <removed> ===================================== data/DLA/list ===================================== 
@@ -1,3 +1,6 @@ +[17 Oct 2022] DLA-3152-1 glibc - security update + {CVE-2016-10228 CVE-2019-19126 CVE-2019-25013 CVE-2020-1752 CVE-2020-6096 CVE-2020-10029 CVE-2020-27618 CVE-2021-3326 CVE-2021-3999 CVE-2021-27645 CVE-2021-33574 CVE-2021-35942 CVE-2022-23218 CVE-2022-23219} + [buster] - glibc 2.28-10+deb10u2 [13 Oct 2022] DLA-3151-1 squid - security update {CVE-2022-41317 CVE-2022-41318} [buster] - squid 4.6-1+deb10u8 ===================================== data/dla-needed.txt ===================================== @@ -55,10 +55,6 @@ gerbv ghostwriter NOTE: 20221009: Programming language: C. -- -glibc (Helmut Grohne) - NOTE: 20220913: Programming language: C, Assembly. - NOTE: 20220913: Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and Debian 11.5 (Beuc/front-desk) --- golang-1.11 NOTE: 20220916: Programming language: Go. NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24ec254d368f0275f3275f29ec954d1a68afee9b
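Review bot: In the data/CVE/list hunks, the fourteen `[buster] - glibc <no-dsa>`/`<postponed>` lines removed (CVE-2022-23219, CVE-2022-23218, CVE-2021-3999, CVE-2021-35942, CVE-2021-33574, CVE-2021-27645, CVE-2021-3326, CVE-2019-25013, CVE-2020-27618, CVE-2020-10029, CVE-2020-6096, CVE-2020-1752, CVE-2019-19126, CVE-2016-10228) match the CVE set in the new DLA entry one to one, so no buster marker is left behind that would contradict the DLA. Worth a second look: CVE-2019-25013 carried `<postponed>` rather than `<no-dsa>`, which is the only entry that was explicitly promised for "next update"; its removal here is what closes that promise, and the `[stretch]` and `[jessie]` lines are intentionally untouched since they are outside buster LTS scope.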
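Review bot: In the data/DLA/list hunk, the fixed version `[buster] - glibc 2.28-10+deb10u2` is what the tracker will publish as the fix boundary for all fourteen CVEs, so it must equal the version string of the upload actually accepted into buster-security; a mismatch (for example if the upload is renumbered to deb10u3) would make the tracker report the CVEs as fixed in a version that never shipped. The `[17 Oct 2022]` date agrees with the commit timestamp and the entry is inserted above DLA-3151-1, keeping the list in reverse chronological order as the surrounding entries expect.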
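Review bot: In the data/dla-needed.txt hunk, removing the `glibc (Helmut Grohne)` entry together with exactly one `--` separator is correct, since the remaining `--` between `ghostwriter` and `golang-1.11` preserves the file's one-separator-per-boundary layout. The dropped `Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and Debian 11.5` note is accounted for by the CVE/list hunks, where CVE-2022-23219, CVE-2022-23218 and CVE-2021-33574 show `[bullseye] - glibc 2.31-13+deb11u3` and CVE-2021-3999 shows `2.31-13+deb11u4`, so the buster update does cover the same set that bullseye already had.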
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits