Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker
Commits: a18296f4 by Adrian Bunk at 2024-09-07T16:44:11+03:00 Reserve DLA-3879-1 for bluez - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -35441,14 +35441,12 @@ CVE-2023-50231 (NETGEAR ProSAFE Network Management System saveNodeLabel Cross-Si CVE-2023-50230 (BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code ...) - bluez 5.70-1 [bookworm] - bluez 5.66-1+deb12u2 - [bullseye] - bluez <no-dsa> (Minor issue) [buster] - bluez <postponed> (Minor issue; can be fixed in next update) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1812/ NOTE: https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443 (5.70) CVE-2023-50229 (BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote Code ...) - bluez 5.70-1 [bookworm] - bluez 5.66-1+deb12u2 - [bullseye] - bluez <no-dsa> (Minor issue) [buster] - bluez <postponed> (Minor issue; can be fixed in next update) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1811/ NOTE: https://github.com/bluez/bluez/commit/5ab5352531a9cc7058cce569607f3a6831464443 (5.70) @@ -116798,7 +116796,6 @@ CVE-2023-27349 (BlueZ Audio Profile AVRCP Improper Validation of Array Index Rem {DLA-3820-1} - bluez 5.68-1 [bookworm] - bluez 5.66-1+deb12u2 - [bullseye] - bluez <no-dsa> (Minor issue) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-386/ NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=f54299a850676d92c3dafd83e9174fcfe420ccc9 (5.67) CVE-2023-27348 (PDF-XChange Editor TIF File Parsing Use-After-Free Remote Code Executi ...) @@ -162194,7 +162191,6 @@ CVE-2022-39178 (Webvendome - webvendome Internal Server IP Disclosure. Send GET CVE-2022-39177 (BlueZ before 5.59 allows physically proximate attackers to cause a den ...) {DLA-3157-1} - bluez 5.61-1 - [bullseye] - bluez <no-dsa> (Minor issue) NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b (5.59) NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7a80d2096f1b7125085e21448112aa02f49f5e9a (5.59) NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=0388794dc5fdb73a4ea88bcf148de0a12b4364d4 (5.60) @@ -162203,7 +162199,6 @@ CVE-2022-39177 (BlueZ before 5.59 allows physically proximate attackers to cause CVE-2022-39176 (BlueZ before 5.59 allows physically proximate attackers to obtain sens ...) {DLA-3157-1} - bluez 5.61-1 - [bullseye] - bluez <no-dsa> (Minor issue) NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e2b0f0d8d63e1223bb714a9efb37e2257818268b (5.59) NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7a80d2096f1b7125085e21448112aa02f49f5e9a (5.59) NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=0388794dc5fdb73a4ea88bcf148de0a12b4364d4 (5.60) @@ -209910,7 +209905,6 @@ CVE-2022-0205 (The YOP Poll WordPress plugin before 6.3.5 does not sanitise and CVE-2022-0204 (A heap overflow vulnerability was found in bluez in versions prior to ...) {DLA-3157-1} - bluez 5.64-1 (bug #1003712) - [bullseye] - bluez <no-dsa> (Minor issue) [stretch] - bluez <no-dsa> (Minor issue) NOTE: https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=591c546c536b42bef696d027f64aa22434f8c3f0 (5.63) @@ -223507,7 +223501,6 @@ CVE-2021-3929 (A DMA reentrancy issue was found in the NVM Express Controller (N CVE-2021-43400 (An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after- ...) {DLA-3157-1} - bluez 5.62-1 (bug #998626) - [bullseye] - bluez <no-dsa> (Minor issue; can be fixed in point release) [stretch] - bluez <ignored> (invasive patch, requires post-stretch revamps) NOTE: Introduced by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=93b64d9ca8a2bb663e37904d4b2c702c58a36e4f (5.40) NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=838c0dc7641e1c991c0f3027bf94bee4606012f8 (5.62) @@ -231403,7 +231396,6 @@ CVE-2021-41230 (Pomerium is an open source identity-aware access proxy. In affec CVE-2021-41229 (BlueZ is a Bluetooth protocol stack for Linux. In affected versions a ...) {DLA-3157-1 DLA-2827-1} - bluez 5.62-2 (bug #1000262) - [bullseye] - bluez <no-dsa> (Minor issue) NOTE: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq NOTE: Introduced by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=d939483328489fb835bb425d36f7c7c73d52c388 (4.0) NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e79417ed7185b150a056d4eb3a1ab528b91d2fc0 @@ -241798,7 +241790,6 @@ CVE-2021-3659 (A NULL pointer dereference flaw was found in the Linux kernel\u20 NOTE: https://git.kernel.org/linus/1165affd484889d4986cf3b724318935a0b120d8 CVE-2021-3658 (bluetoothd from bluez incorrectly saves adapters' Discoverable status ...) - bluez 5.61-1 (bug #991596) - [bullseye] - bluez <no-dsa> (Minor issue) [buster] - bluez <not-affected> (Vulnerable code introduced later) [stretch] - bluez <not-affected> (Vulnerable code introduced later) NOTE: Introduced by https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=d04eb02f9bad8795297210ef80e262be16ea8f07 (5.51) ===================================== data/DLA/list ===================================== @@ -1,3 +1,6 @@ +[07 Sep 2024] DLA-3879-1 bluez - security update + {CVE-2021-3658 CVE-2021-41229 CVE-2021-43400 CVE-2022-0204 CVE-2022-39176 CVE-2022-39177 CVE-2023-27349 CVE-2023-50229 CVE-2023-50230} + [bullseye] - bluez 5.55-3.1+deb11u2 [05 Sep 2024] DLA-3878-1 libxml2 - security update {CVE-2016-3709 CVE-2022-2309} [bullseye] - libxml2 2.9.10+dfsg-6.7+deb11u5 ===================================== data/dla-needed.txt ===================================== @@ -44,12 +44,6 @@ bind9 NOTE: 20240815: https://lists.debian.org/debian-security/2024/07/msg00009.html NOTE: 20240815: pu request not in the BTS yet, coordinate with maintainer (Beuc/front-desk) -- -bluez (Adrian Bunk) - NOTE: 20240815: Added by Front-Desk (Beuc) - NOTE: 20240815: Follow fixes from DLA-3157-1 (5 CVEs) - NOTE: 20240815: Follow fixes from DLA-3820-1 (1 CVE) - NOTE: 20240815: Follow fixes from bookworm 12.6 (3 CVEs) (Beuc/front-desk) --- cacti NOTE: 20240522: Added by oldstable Security Team (jmm) NOTE: 20240815: A bookworm DSA is planned (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a18296f4e7460910857a6ad323dc146bbe06f4d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a18296f4e7460910857a6ad323dc146bbe06f4d4 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits