Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
db12bfbd by Markus Koschany at 2022-12-03T22:20:04+01:00
Claim hsqldb in dla-needed.txt

- - - - -
5a4c54c5 by Markus Koschany at 2022-12-03T22:22:56+01:00
Remove android-platform-system-core from dla-needed.txt

Minor issue. Requires a compromised adb daemon and root privileges to cause any
harm and automated use cases are unlikely for the Debian version of Platform
Tools.

- - - - -
5fdb3c44 by Markus Koschany at 2022-12-03T22:28:41+01:00
Claim jqueryui in dla-needed.txt

- - - - -
51cca91d by Markus Koschany at 2022-12-03T22:29:49+01:00
CVE-2022-3168,CVE-2022-20128,android-platform-system-core: Buster is no-dsa

Minor issue

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -19384,6 +19384,7 @@ CVE-2022-3168
        - android-platform-tools <unfixed>
        - android-platform-system-core <removed>
        [bullseye] - android-platform-system-core <no-dsa> (Minor issue)
+       [buster] - android-platform-system-core <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5
 CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x 
through 2.1 ...)
        - openvswitch <unfixed> (bug #1021740)
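
Review bot: the added `[buster]` line for CVE-2022-3168 records only "(Minor issue)", while the reasoning behind that verdict (a compromised adb daemon and root privileges are required, and automated use is unlikely for the Debian version of Platform Tools) exists only in the message of commit 5a4c54c5. Consider putting that rationale in a NOTE: line next to the existing openwall link, so the triage decision can be read from data/CVE/list itself.
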
@@ -86873,6 +86874,7 @@ CVE-2022-20128
        - android-platform-tools <unfixed>
        - android-platform-system-core <removed>
        [bullseye] - android-platform-system-core <no-dsa> (Minor issue)
+       [buster] - android-platform-system-core <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5
 CVE-2022-20127 (In ce_t4t_data_cback of ce_t4t.cc, there is a possible out of 
bounds w ...)
        NOT-FOR-US: Android
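
Review bot: in the CVE-2022-20128 entry, the `- android-platform-tools <unfixed>` line above the new `[buster]` annotation has no suite tag of its own. If that source package is also shipped in buster, the CVE stays listed as open there after this change; worth confirming and, if so, adding a matching `[buster]` line for it.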


=====================================
data/dla-needed.txt
=====================================
@@ -12,13 +12,6 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 To make it easier to see the entire history of an update, please append notes
 rather than remove/replace existing ones.
 
---
-android-platform-system-core
-  NOTE: 20221102: Programming language: C++.
-  NOTE: 20221102: VCS: 
https://salsa.debian.org/lts-team/packages/android-platform-system-core.git
-  NOTE: 20221102: The package in buster is likely affected but since no known 
fix is available it is hard to tell without running the proof of concept code.
-  NOTE: 20221102: Consider ignoring this if Debian Security team see the CVEs 
as minor. (ola)
-  NOTE: 20221103: Both PoCs (CVE-2022-20128 & CVE-2022-3168) work for me in 
buster (Beuc/front-desk)
 --
 ceph
   NOTE: 20221031: Programming language: C++.
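
Review bot: the removed block includes the 20221103 note that both PoCs (CVE-2022-20128 and CVE-2022-3168) work in buster, and the context lines just above ask that notes be appended rather than removed. Once this entry is gone, that confirmation is not recorded anywhere in the files touched here, because the new no-dsa lines in data/CVE/list say only "Minor issue". Suggest copying it into a NOTE: under both CVE entries before dropping the package from dla-needed.txt.
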
@@ -76,7 +69,7 @@ golang-websocket
   NOTE: 20220915: 1 CVE fixed in stretch and bullseye 
(golang-github-gorilla-websocket) (Beuc/front-desk)
   NOTE: 20220915: Special attention: limited support; requires rebuilding 
reverse dependencies
 --
-hsqldb
+hsqldb (Markus Koschany)
   NOTE: 20221031: Programming language: Java.
   NOTE: 20221031: To be investigated further. A possible outcome is to ignore 
it.
   NOTE: 20221031: https://lists.debian.org/debian-lts/2022/10/msg00060.html.
@@ -91,7 +84,7 @@ jhead (Markus Koschany)
   NOTE: 20221031: Note that multiple options are vulnerable. The attacker have 
to trick someone to execute the command but arbitrary code exectuion is not 
good..
   NOTE: 20221031: It should be stated in the DLA that multiple options are 
affected..
 --
-jqueryui
+jqueryui (Markus Koschany)
   NOTE: 20221111: Programming language: JavaScript.
   NOTE: 20221111: Follow fixes from bullseye 11.2 (and jessie/elts) 
(Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2d635d1226076a791464775edc577dc76c08a33f...51cca91dbdfed80ffe83a94e875befce8d3e704b



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
