Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8fd8ff2d by Moritz Muehlenhoff at 2023-07-31T14:20:22+02:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -940,6 +940,8 @@ CVE-2023-35134 (Weintek Weincloud v0.13.6   could allow an 
attacker to reset a p
        NOT-FOR-US: Weincloud
 CVE-2023-34478 (Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be 
susceptible to a  ...)
        - shiro <unfixed>
+       [bookworm] - shiro <no-dsa> (Minor issue)
+       [bullseye] - shiro <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2023/07/24/4
 CVE-2023-34429 (Weintek Weincloud v0.13.6     could allow an attacker to cause 
a denia ...)
        NOT-FOR-US: Weincloud
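Review bot: The two added shiro lines for [bookworm] and [bullseye] give only "Minor issue" as the no-dsa reason, while the unstable entry directly above them is still <unfixed>. A short reason specific to this CVE, or a NOTE naming the upstream release a later point-release update would target (the description mentions 1.12.0), would make the triage easier to revisit.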
@@ -60322,6 +60324,7 @@ CVE-2022-41725 (A denial of service is possible from 
excessive resource consumpt
        [experimental] - golang-1.19 1.19.6-1
        - golang-1.19 1.19.6-2
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, follow bullseye 
DSAs/point-releases)
        NOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
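Review bot: With [bullseye] golang-1.15 now <no-dsa> for CVE-2022-41725, the buster golang-1.11 line below it ("follow bullseye DSAs/point-releases") can only be resolved through a bullseye point release. Consider saying in the reason whether a point-release update is planned, since "Minor issue" alone does not, and the description is a denial of service from excessive resource consumption.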
@@ -60331,6 +60334,7 @@ CVE-2022-41724 (Large handshake records may cause 
panics in crypto/tls. Both cli
        [experimental] - golang-1.19 1.19.6-1
        - golang-1.19 1.19.6-2
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <not-affected> (Vulnerable code introduced later)
        NOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
        NOTE: https://go.dev/issue/58001
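Review bot: For CVE-2022-41724 the golang-1.11 line right after the added entry is <not-affected> (Vulnerable code introduced later), but the new [bullseye] golang-1.15 line does not record whether 1.15 contains the vulnerable code. Please confirm 1.15 is affected before settling on <no-dsa>; if it is not, <not-affected> with the same kind of reason would be the more accurate annotation.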
@@ -60342,6 +60346,7 @@ CVE-2022-41723 (A maliciously crafted HTTP/2 stream 
could cause excessive CPU co
        [experimental] - golang-1.19 1.19.6-1
        - golang-1.19 1.19.6-2
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, follow bullseye 
DSAs/point-releases)
        - golang-golang-x-net 1:0.7.0+dfsg-1
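Review bot: The added [bullseye] line covers golang-1.15 only, while the same CVE-2022-41723 entry also lists golang-golang-x-net (fixed in 1:0.7.0+dfsg-1) and the visible context shows no [bullseye] annotation for it. If none follows below the shown lines, golang-golang-x-net in bullseye needs the same triage decision so the two packages do not diverge.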
@@ -60381,6 +60386,7 @@ CVE-2022-41717 (An attacker can cause excessive memory 
growth in a Go server acc
        - golang-1.19 1.19.4-1
        - golang-1.18 1.18.9-1
        - golang-1.15 <removed>
+       [bullseye] - golang-1.15 <no-dsa> (Minor issue)
        - golang-1.11 <removed>
        [buster] - golang-1.11 <postponed> (Limited support, follow bullseye 
DSAs/point-releases)
        - golang-golang-x-net 1:0.4.0+dfsg-1


=====================================
data/dsa-needed.txt
=====================================
@@ -21,6 +21,8 @@ cinder/oldstable
 frr (aron)
   maintainer proposed to update to 8.4.4 for bookworm, which might be a good 
idea
 --
+librsvg
+--
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y and 6.1.y versions
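Review bot: The new librsvg entry has neither an assignee nor a note, unlike the neighbouring frr and linux entries. A one-line note naming the CVE that makes it DSA-worthy, and whether both suites are meant (there is no /oldstable suffix), would let someone else pick it up without redoing the triage.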
@@ -42,7 +44,10 @@ ntpsec (carnil)
 openjdk-11/oldstable (jmm)
   needs asmtools backport in bullseye
 --
+openjdk-17/oldstable (jmm)
+--
 orthanc (jmm)
+  needs ca-certificates-java fix for bookworm
 --
 php-cas/oldstable
 --
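Review bot: The note added under orthanc mentions only bookworm ("needs ca-certificates-java fix for bookworm"), but the entry has no suite suffix, so it reads as pending for both suites. Say whether bullseye is blocked on the same fix or can go ahead, and consider a short note on the new openjdk-17/oldstable entry as well, as openjdk-11/oldstable above it has one.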
@@ -87,7 +92,9 @@ sox
   all issues unfixed upstream
   for CVE-2023-34432, rest can be ignored
 --
-wpewebkit
+tiff
+--
+wpewebkit/oldstable
 --
 xrdp/oldstable
   needs some additional clarification, tentatively DSA worthy
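Review bot: Renaming wpewebkit to wpewebkit/oldstable drops the stable suite from the list without any note recording why. If the bookworm update is already out this is fine, but a brief note would make that explicit; the new tiff entry likewise has no note on which issues it is for, unlike sox just above it.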



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fd8ff2d62d95782afe0e51e5835d12f9cfc63bc
