Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker


Commits:
24ec254d by Helmut Grohne at 2022-10-17T17:39:19+02:00
Reserve DLA-3152-1 for glibc

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -55590,13 +55590,11 @@ CVE-2022-23222 (kernel/bpf/verifier.c in the Linux 
kernel through 5.15.14 allows
 CVE-2022-23219 (The deprecated compatibility function clnt_create in the 
sunrpc module ...)
        - glibc 2.33-3
        [bullseye] - glibc 2.31-13+deb11u3
-       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22542
 CVE-2022-23218 (The deprecated compatibility function svcunix_create in the 
sunrpc mod ...)
        - glibc 2.33-3
        [bullseye] - glibc 2.31-13+deb11u3
-       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28768
 CVE-2022-23217
@@ -66139,7 +66137,6 @@ CVE-2021-4000 (showdoc is vulnerable to URL Redirection 
to Untrusted Site ...)
 CVE-2021-3999 (A flaw was found in glibc. An off-by-one buffer overflow and 
underflow ...)
        - glibc 2.33-4
        [bullseye] - glibc 2.31-13+deb11u4
-       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28769
        NOTE: https://www.openwall.com/lists/oss-security/2022/01/24/4
@@ -90646,7 +90643,6 @@ CVE-2021-35943 (Couchbase Server 6.5.x and 6.6.x 
through 6.6.2 has Incorrect Acc
        NOT-FOR-US: Couchbase Server
 CVE-2021-35942 (The wordexp function in the GNU C Library (aka glibc) through 
2.33 may ...)
        - glibc 2.31-13 (bug #990542)
-       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28011
        NOTE: 
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c
@@ -96227,7 +96223,6 @@ CVE-2021-33574 (The mq_notify function in the GNU C 
Library (aka glibc) versions
        [experimental] - glibc 2.32-0experimental0
        - glibc 2.32-1 (bug #989147)
        [bullseye] - glibc 2.31-13+deb11u3
-       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27896
        NOTE: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb
@@ -111866,7 +111861,6 @@ CVE-2021-27646 (Use After Free vulnerability in 
iscsi_snapshot_comm_core in Syno
        NOT-FOR-US: Synology
 CVE-2021-27645 (The nameserver caching daemon (nscd) in the GNU C Library (aka 
glibc o ...)
        - glibc 2.31-10 (bug #983479)
-       [buster] - glibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27462
        NOTE: Introduced by: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=745664bd798ec8fd50438605948eea594179fba1
 (glibc-2.29)
        NOTE: Fixed by: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673
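Review bot: after this removal the CVE-2021-27645 entry carries no per-suite line at all, unlike every other entry touched by this commit, which all keep a [stretch] (and sometimes [jessie]) annotation. That is presumably correct given the "Introduced by ... (glibc-2.29)" note, since the older suites would not ship the nscd code in question, but an explicit `[stretch] - glibc <not-affected> (Vulnerable code introduced in 2.29)` line, in the style used for CVE-2019-19126, would make the status self-documenting instead of relying on the reader to infer it from the NOTE.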
@@ -115235,7 +115229,6 @@ CVE-2021-26273 (The Agent in NinjaRMM 5.0.909 has 
Incorrect Access Control. ...)
        NOT-FOR-US: NinjaRMM
 CVE-2021-3326 (The iconv function in the GNU C Library (aka glibc or libc6) 
2.32 and  ...)
        - glibc 2.31-10 (bug #981198)
-       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2146
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27256
@@ -127324,7 +127317,6 @@ CVE-2020-35931 (An issue was discovered in Foxit 
Reader before 10.1.1 (and befor
        NOT-FOR-US: Foxit Reader
 CVE-2019-25013 (The iconv feature in the GNU C Library (aka glibc or libc6) 
through 2. ...)
        - glibc 2.31-9 (bug #979273)
-       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <postponed> (Minor issue; can be fixed in next update)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24973
        NOTE: Fixed by: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=ee7a3144c9922808181009b7b3e50e852fb4999b
@@ -143848,7 +143840,6 @@ CVE-2020-27619 (In Python 3 through 3.9.0, the 
Lib/test/multibytecodec_support.p
        NOTE: Only affects the testsuite
 CVE-2020-27618 (The iconv function in the GNU C Library (aka glibc or libc6) 
2.32 and  ...)
        - glibc 2.31-5 (bug #973914)
-       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=26224
        NOTE: 
https://sourceware.org/git/?p=glibc.git;a=commit;h=9a99c682144bdbd40792ebf822fe9264e0376fb5
@@ -187428,7 +187419,6 @@ CVE-2020-10030 (An issue has been found in PowerDNS 
Recursor 4.1.0 up to and inc
        NOTE: Non exploitable on Linux
 CVE-2020-10029 (The GNU C Library (aka glibc or libc6) before 2.32 could 
overflow an o ...)
        - glibc 2.30-1 (bug #953108)
-       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <no-dsa> (Minor issue)
        [jessie] - glibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25487
@@ -197478,7 +197468,6 @@ CVE-2020-6097 (An exploitable denial of service 
vulnerability exists in the atft
        NOTE: 
https://sourceforge.net/u/peterkaestle/atftp/ci/96409ef3b9ca061f9527cfaafa778105cf15d994/
 CVE-2020-6096 (An exploitable signed comparison vulnerability exists in the 
ARMv7 mem ...)
        - glibc 2.31-2 (low; bug #961452)
-       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <no-dsa> (Minor issue)
        [jessie] - glibc <not-affected> (Vulnerable code not present)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25620
@@ -209822,7 +209811,6 @@ CVE-2020-1753 (A security flaw was found in Ansible 
Engine, all Ansible 2.7.x ve
        NOTE: options.
 CVE-2020-1752 (A use-after-free vulnerability introduced in glibc upstream 
version 2. ...)
        - glibc 2.30-3 (bug #953788)
-       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <no-dsa> (Minor issue)
        [jessie] - glibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25414
@@ -210711,7 +210699,6 @@ CVE-2019-19127 (An authentication bypass 
vulnerability is present in the standal
        NOT-FOR-US: Tribal SITS
 CVE-2019-19126 (On the x86-64 architecture, the GNU C Library (aka glibc) 
before 2.31  ...)
        - glibc 2.29-8 (bug #945250)
-       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <no-dsa> (Minor issue)
        [jessie] - glibc <not-affected> (Vulnerable code introduced in 2.23)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25204
@@ -359043,7 +359030,6 @@ CVE-2017-6077 (ping.cgi on NETGEAR DGN2200 devices 
with firmware through 10.0.0.
        NOT-FOR-US: NETGEAR
 CVE-2016-10228 (The iconv program in the GNU C Library (aka glibc or libc6) 
2.31 and e ...)
        - glibc 2.31-3 (low; bug #856503)
-       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <no-dsa> (Minor issue)
        [jessie] - glibc <no-dsa> (Minor issue)
        - eglibc <removed>


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[17 Oct 2022] DLA-3152-1 glibc - security update
+       {CVE-2016-10228 CVE-2019-19126 CVE-2019-25013 CVE-2020-1752 
CVE-2020-6096 CVE-2020-10029 CVE-2020-27618 CVE-2021-3326 CVE-2021-3999 
CVE-2021-27645 CVE-2021-33574 CVE-2021-35942 CVE-2022-23218 CVE-2022-23219}
+       [buster] - glibc 2.28-10+deb10u2
 [13 Oct 2022] DLA-3151-1 squid - security update
        {CVE-2022-41317 CVE-2022-41318}
        [buster] - squid 4.6-1+deb10u8
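Review bot: the fourteen ids in this DLA-3152-1 entry are exactly the fourteen data/CVE/list entries whose `[buster] - glibc <no-dsa>` line is dropped in this commit, so the two files stay consistent and no buster triage line is left dangling. One thing to confirm before the advisory is published: 2.28-10+deb10u2 is recorded here as the fixed version for all fourteen, including the architecture-specific ones (CVE-2020-6096 for ARMv7 memcpy, CVE-2019-19126 for x86-64 only); the tracker has no per-architecture granularity, so that is fine only if the upload's changelog actually references every one of these ids.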


=====================================
data/dla-needed.txt
=====================================
@@ -55,10 +55,6 @@ gerbv
 ghostwriter
   NOTE: 20221009: Programming language: C.
 --
-glibc (Helmut Grohne)
-  NOTE: 20220913: Programming language: C, Assembly.
-  NOTE: 20220913: Harmonize with bullseye: 4 CVEs fixed in Debian 11.3 and 
Debian 11.5 (Beuc/front-desk)
---
 golang-1.11
   NOTE: 20220916: Programming language: Go.
   NOTE: 20220916: Special attention: limited support; requires rebuilding 
reverse build dependencies (though recent bullseye updates didn't)
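Review bot: the removed front-desk note scoped the glibc work as "4 CVEs fixed in Debian 11.3 and Debian 11.5", which correspond to the four entries carrying `[bullseye] - glibc 2.31-13+deb11u3` or `+deb11u4` lines in data/CVE/list (CVE-2022-23219, CVE-2022-23218, CVE-2021-33574, CVE-2021-3999), whereas the DLA now covers fourteen; the other ten were fixed in unstable before bullseye released, per their `- glibc 2.2x/2.3x-N` lines. Worth stating that scope in the DLA text so nobody reads the advisory as only the bullseye harmonization. The `--` separator is removed together with the block, so the list stays well-formed.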



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24ec254d368f0275f3275f29ec954d1a68afee9b



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
