Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: db12bfbd by Markus Koschany at 2022-12-03T22:20:04+01:00 Claim hsqldb in dla-needed.txt - - - - - 5a4c54c5 by Markus Koschany at 2022-12-03T22:22:56+01:00 Remove android-platform-system-core from dla-needed.txt Minor issue. Requires a compromised adb daemon and root privileges to cause any harm and automated use cases are unlikely for the Debian version of Platform Tools. - - - - - 5fdb3c44 by Markus Koschany at 2022-12-03T22:28:41+01:00 Claim jqueryui in dla-needed.txt - - - - - 51cca91d by Markus Koschany at 2022-12-03T22:29:49+01:00 CVE-2022-3168,CVE-2022-20128,android-platform-system-core: Buster is no-dsa Minor issue - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -19384,6 +19384,7 @@ CVE-2022-3168 - android-platform-tools <unfixed> - android-platform-system-core <removed> [bullseye] - android-platform-system-core <no-dsa> (Minor issue) + [buster] - android-platform-system-core <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5 CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...) - openvswitch <unfixed> (bug #1021740) @@ -86873,6 +86874,7 @@ CVE-2022-20128 - android-platform-tools <unfixed> - android-platform-system-core <removed> [bullseye] - android-platform-system-core <no-dsa> (Minor issue) + [buster] - android-platform-system-core <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5 CVE-2022-20127 (In ce_t4t_data_cback of ce_t4t.cc, there is a possible out of bounds w ...) NOT-FOR-US: Android ===================================== data/dla-needed.txt ===================================== 
@@ -12,13 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. --- -android-platform-system-core - NOTE: 20221102: Programming language: C++. - NOTE: 20221102: VCS: https://salsa.debian.org/lts-team/packages/android-platform-system-core.git - NOTE: 20221102: The package in buster is likely affected but since no known fix is available it is hard to tell without running the proof of concept code. - NOTE: 20221102: Consider ignoring this if Debian Security team see the CVEs as minor. (ola) - NOTE: 20221103: Both PoCs (CVE-2022-20128 & CVE-2022-3168) work for me in buster (Beuc/front-desk) -- ceph NOTE: 20221031: Programming language: C++. @@ -76,7 +69,7 @@ golang-websocket NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk) NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies -- -hsqldb +hsqldb (Markus Koschany) NOTE: 20221031: Programming language: Java. NOTE: 20221031: To be investigated further. A possible outcome is to ignore it. NOTE: 20221031: https://lists.debian.org/debian-lts/2022/10/msg00060.html. 
@@ -91,7 +84,7 @@ jhead (Markus Koschany) NOTE: 20221031: Note that multiple options are vulnerable. The attacker have to trick someone to execute the command but arbitrary code exectuion is not good.. NOTE: 20221031: It should be stated in the DLA that multiple options are affected.. -- -jqueryui +jqueryui (Markus Koschany) NOTE: 20221111: Programming language: JavaScript. NOTE: 20221111: Follow fixes from bullseye 11.2 (and jessie/elts) (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2d635d1226076a791464775edc577dc76c08a33f...51cca91dbdfed80ffe83a94e875befce8d3e704b
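Review bot: the two data/CVE/list hunks (CVE-2022-3168 and CVE-2022-20128) justify the new "[buster] - android-platform-system-core <no-dsa> (Minor issue)" lines only with "Minor issue", while the actual reasoning (a compromised adb daemon and root privileges are required, automated use cases are unlikely) appears only in the commit message of 5a4c54c5. Consider recording that reason in the parenthetical or in a NOTE line under each CVE so that tracker readers can see why buster was marked no-dsa without consulting the git history.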
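Review bot: the first data/dla-needed.txt hunk (@@ -12,13 +12,6 @@) deletes the whole android-platform-system-core entry, including the 20221103 note that both PoCs (CVE-2022-20128 & CVE-2022-3168) work in buster. That note is the only place this patch shows buster being confirmed as affected, and nothing in the data/CVE/list hunks preserves it. Since the package is being closed as no-dsa rather than fixed, consider carrying that finding over as a NOTE under the two CVE entries before dropping the entry here.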