Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0efe7456 by Markus Koschany at 2023-02-20T00:28:43+01:00
Triage gpac for Buster as EOL.
- - - - -
73e31c31 by Markus Koschany at 2023-02-20T00:28:43+01:00
LTS: add curl to dla-needed.txt
- - - - -
a035b7b9 by Markus Koschany at 2023-02-20T00:28:43+01:00
LTS: add sofia-sip to dla-needed.txt
- - - - -
ec9c34ea by Markus Koschany at 2023-02-20T00:28:43+01:00
LTS: add clamav to dla-needed.txt
- - - - -
e4b1027d by Markus Koschany at 2023-02-20T00:28:43+01:00
CVE-2023-23082,kodi: Buster is no-dsa
Minor issue
- - - - -
3c8575fd by Markus Koschany at 2023-02-20T00:28:44+01:00
CVE-2022-3560,pesign: Buster is no-dsa
Minor issue
- - - - -
503c323b by Markus Koschany at 2023-02-20T00:28:44+01:00
CVE-2023-22332,pgpool2: Buster is no-dsa
Minor issue
- - - - -
c35ede04 by Markus Koschany at 2023-02-20T00:28:44+01:00
CVE-2023-24607,qtbase-opensource-src: Buster is no-dsa
Minor issue
- - - - -
2cb655fd by Markus Koschany at 2023-02-20T00:28:44+01:00
CVE-2023-22799,ruby-globalid: Buster is no-dsa
Minor issue
- - - - -
7824121b by Markus Koschany at 2023-02-20T00:28:44+01:00
CVE-2023-23627,ruby-sanitize: Buster is no-dsa
Minor issue
- - - - -
39aeedb1 by Markus Koschany at 2023-02-20T00:28:44+01:00
Triage symfony CVE as no-dsa for Buster
Minor issues
- - - - -

2 changed files:
- data/CVE/list
- data/dla-needed.txt

Changes:
===================================== data/CVE/list =====================================
@@ -431,6 +431,7 @@ CVE-2023-0867 CVE-2023-0866 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3 ...) - gpac <unfixed> [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <end-of-life> (EOL in buster LTS) NOTE: https://huntr.dev/bounties/7d3c5792-d20b-4cb6-9c6d-bb14f3430d7f NOTE: https://github.com/gpac/gpac/commit/b964fe4226f1424cf676d5822ef898b6b01f5937 CVE-2023-0865
@@ -844,16 +845,19 @@ CVE-2023-0820 CVE-2023-0819 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to v2. ...) - gpac <unfixed> [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <end-of-life> (EOL in buster LTS) NOTE: https://huntr.dev/bounties/35793610-dccc-46c8-9f55-6a24c621e4ef NOTE: https://github.com/gpac/gpac/commit/d067ab3ccdeaa340e8c045a0fd5bcfc22b809e8f CVE-2023-0818 (Off-by-one Error in GitHub repository gpac/gpac prior to v2.3.0-DEV. ...) - gpac <unfixed> [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <end-of-life> (EOL in buster LTS) NOTE: https://huntr.dev/bounties/038e7472-f3e9-46c2-9aea-d6dafb62a18a NOTE: https://github.com/gpac/gpac/commit/377ab25f3e502db2934a9cf4b54739e1c89a02ff CVE-2023-0817 (Buffer Over-read in GitHub repository gpac/gpac prior to v2.3.0-DEV. ...) - gpac <unfixed> [bullseye] - gpac <not-affected> (Vulnerable code not present) + [buster] - gpac <end-of-life> (EOL in buster LTS) NOTE: https://huntr.dev/bounties/cb730bc5-d79c-4de6-9e57-10e8c3ce2cf3 NOTE: https://github.com/gpac/gpac/commit/be9f8d395bbd196e3812e9cd80708f06bcc206f7 CVE-2023-25754 @@ -1377,6 +1381,7 @@ CVE-2023-0771 (SQL Injection in GitHub repository ampache/ampache prior to 5.5.7 CVE-2023-0770 (Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2. ...) - gpac <unfixed> [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <end-of-life> (EOL in buster LTS) NOTE: https://huntr.dev/bounties/e0fdeee5-7909-446e-9bd0-db80fd80e8dd NOTE: https://github.com/gpac/gpac/commit/c31941822ee275a35bc148382bafef1c53ec1c26 CVE-2023-0769 
@@ -1467,6 +1472,7 @@ CVE-2023-0761 CVE-2023-0760 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to V2. ...) - gpac <unfixed> [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <end-of-life> (EOL in buster LTS) NOTE: https://huntr.dev/bounties/d06223df-a473-4c82-96d0-23726b844b21 NOTE: https://github.com/gpac/gpac/commit/ea7395f39f601a7750d48d606e9d10ea0b7beefe CVE-2023-0759 (Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2. ...) @@ -4101,6 +4107,7 @@ CVE-2023-24607 [When using the Qt SQL ODBC driver plugin, then it is possible to RESERVED - qtbase-opensource-src <unfixed> [bullseye] - qtbase-opensource-src <no-dsa> (Minor issue) + [buster] - qtbase-opensource-src <no-dsa> (Minor issue) - qt6-base <unfixed> - qtbase-opensource-src-gles <unfixed> [bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue) @@ -6850,6 +6857,7 @@ CVE-2023-23628 (Metabase is an open source data analytics platform. Affected ver CVE-2023-23627 (Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 ...) - ruby-sanitize <unfixed> (bug #1030047) [bullseye] - ruby-sanitize <no-dsa> (Minor issue) + [buster] - ruby-sanitize <no-dsa> (Minor issue) NOTE: https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7 NOTE: https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22 (v6.0.1) CVE-2023-23626 (go-bitfield is a simple bitfield package for the go language aiming to ...) @@ -8429,6 +8437,7 @@ CVE-2023-23083 CVE-2023-23082 (A heap buffer overflow vulnerability in Kodi Home Theater Software up ...) - kodi 2:20.0+dfsg-2 (bug #1031048) [bullseye] - kodi <no-dsa> (Minor issue) + [buster] - kodi <no-dsa> (Minor issue) NOTE: https://github.com/xbmc/xbmc/issues/22377 NOTE: https://github.com/xbmc/xbmc/commit/00fec1dbdd1df827872c7b55ad93059636dfc076 NOTE: https://github.com/xbmc/xbmc/commit/7e5f9fbf9aaa3540aab35e7504036855b23dcf60 
@@ -9524,6 +9533,7 @@ CVE-2023-22800 CVE-2023-22799 (A ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could ...) - ruby-globalid <unfixed> (bug #1029851) [bullseye] - ruby-globalid <no-dsa> (Minor issue) + [buster] - ruby-globalid <no-dsa> (Minor issue) NOTE: https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127 NOTE: https://github.com/rails/globalid/commit/3bc4349422e60f2235876a59dd415e98b072eb2b (v1.1.0) CVE-2023-22798 (Prior to commit 51867e0d15a6d7f80d5b714fd0e9976b9c160bb0, https://gith ...) @@ -11473,6 +11483,7 @@ CVE-2023-22333 (Cross-site scripting vulnerability in EasyMail 2.00.130 and earl CVE-2023-22332 (Information disclosure vulnerability exists in Pgpool-II 4.4.0 to 4.4. ...) - pgpool2 <unfixed> (bug #1030048) [bullseye] - pgpool2 <no-dsa> (Minor issue) + [buster] - pgpool2 <no-dsa> (Minor issue) NOTE: https://www.pgpool.net/mediawiki/index.php/Main_Page#News CVE-2023-22324 (SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5. ...) NOT-FOR-US: CONPROSYS @@ -18275,6 +18286,7 @@ CVE-2022-4203 [openssl: X.509 Name Constraints Read Buffer Overflow] CVE-2022-4202 (A vulnerability, which was classified as problematic, was found in GPA ...) - gpac <unfixed> [bullseye] - gpac <no-dsa> (Minor issue) + [buster] - gpac <end-of-life> (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2333 NOTE: https://github.com/gpac/gpac/commit/b3d821c4ae9ba62b3a194d9dcb5e99f17bd56908 CVE-2021-46856 (The multi-screen collaboration module has a path traversal vulnerabili ...) 
@@ -30177,6 +30189,7 @@ CVE-2022-3561 (Cross-site Scripting (XSS) - Generic in GitHub repository librenm CVE-2022-3560 (A flaw was found in pesign. The pesign package provides a systemd serv ...) - pesign <unfixed> (bug #1030168) [bullseye] - pesign <no-dsa> (Minor issue) + [buster] - pesign <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/01/31/6 NOTE: https://www.openwall.com/lists/oss-security/2023/02/01/2 NOTE: https://github.com/rhboot/pesign/commit/d8a8c259994d0278c59b30b41758a8dd0abff998 (116) @@ -80973,11 +80986,13 @@ CVE-2022-24896 (Tuleap is a Free & Open Source Suite to manage software deve CVE-2022-24895 (Symfony is a PHP framework for web and console applications and a set ...) - symfony 5.4.20+dfsg-1 [bullseye] - symfony <no-dsa> (Minor issue) + [buster] - symfony <no-dsa> (Minor issue) NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m NOTE: https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4 CVE-2022-24894 (Symfony is a PHP framework for web and console applications and a set ...) - symfony 5.4.20+dfsg-1 [bullseye] - symfony <no-dsa> (Minor issue) + [buster] - symfony <no-dsa> (Minor issue) NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv NOTE: https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb CVE-2022-24893 (ESP-IDF is the official development framework for Espressif SoCs. In E ...) ===================================== data/dla-needed.txt ===================================== 
@@ -45,11 +45,22 @@ ceph NOTE: 20221130: https://lists.debian.org/debian-lts/2022/11/msg00025.html (zigo/maintainer) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git -- +clamav + NOTE: 20230220: Programming language: C. + NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/clamav.git + NOTE: 20230220: Testsuite: https://lists.debian.org/debian-lts/2019/04/msg00117.html +-- consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git -- +curl + NOTE: 20230220: Programming language: C. + NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/curl.git + NOTE: 20230220: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/curl.html + NOTE: 20230220: Special attention: High popcon! Roberto has some experience with the package.. +-- erlang NOTE: 20221119: Programming language: Erlang. NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) 
@@ -331,6 +342,10 @@ snakeyaml NOTE: 20230120: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/snakeyaml.git -- +sofia-sip + NOTE: 20230220: Programming language: C. + NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/sofia-sip.git +-- spip NOTE: 20230206: Programming language: PHP. NOTE: 20230206: Special attention: Please contact maintainer regarding VCS usage
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b3e1ae1a031ccb1a8fa0dd6aab7e85fb75a6bc68...39aeedb1ddfe0c6bfd5efe0e459dbf900ccb0393
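Review bot: in the @@ -844,16 +845,19 @@ hunk of data/CVE/list, the new `[buster] - gpac <end-of-life> (EOL in buster LTS)` line for CVE-2023-0817 sits directly under `[bullseye] - gpac <not-affected> (Vulnerable code not present)`; if the vulnerable code is absent from the newer bullseye version, it is worth checking whether it is also absent from the older buster version, in which case `<not-affected>` would record the buster state more precisely than a blanket EOL marking. The other gpac entries touched in this commit (CVE-2023-0866, CVE-2023-0819, CVE-2023-0818, CVE-2023-0770, CVE-2023-0760, CVE-2022-4202) pair the EOL line with a bullseye `<no-dsa>` line, so only this one needs the second look.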
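Review bot: in the @@ -4101,6 +4107,7 @@ hunk, only qtbase-opensource-src receives a `[buster] - qtbase-opensource-src <no-dsa> (Minor issue)` line, while the sibling source package qtbase-opensource-src-gles, which the same CVE-2023-24607 entry tracks as `<unfixed>` with its own `[bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue)` marking, gets no buster line. If the -gles package is in buster it should carry the same marking so the entry does not report an untriaged buster state for it; if it is not, nothing further is needed.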
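Review bot: the curl block added in the @@ -45,11 +45,22 @@ hunk of data/dla-needed.txt ends its `Special attention` NOTE with a doubled period (`the package..`); drop one. The block also records no CVE identifiers for the work it requests, whereas the neighbouring erlang entry shows the convention (`at least CVE-2022-37026 needs to be fixed`); a NOTE naming the CVEs to address would save the next claimant a trip to the tracker.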
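Review bot: the sofia-sip block added in the @@ -331,6 +342,10 @@ hunk of data/dla-needed.txt has no `Testsuite:` NOTE, unlike the clamav and curl blocks added by the same push; if sofia-sip has no usable test suite, a NOTE stating that is still worth adding so the next claimant does not go looking for one.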
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits