Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: 1f8dda2f by Markus Koschany at 2023-05-06T00:14:57+02:00 Mark pluxml CVE in buster EOL pluxml has been removed from Debian. Last upstream activity was in August 2022. Currently there is no sign that any CVE will be addressed in the near future. pluxml is almost not used by any Debian user according to popcon. - - - - - 9a0db038 by Markus Koschany at 2023-05-06T00:20:56+02:00 CVE-2022-23494,tinymce: Mark buster no-dsa This is a minor issue. Only citadel-webcit in Buster might be affected by this issue. I don't think a XSS issue like that warrants a DLA. NOTE: tinymce has been removed from Debian. - - - - - a95b624e by Markus Koschany at 2023-05-06T00:24:19+02:00 Remove tinymce and pluxml from dla-needed.txt - - - - - 1610beb5 by Markus Koschany at 2023-05-06T00:49:33+02:00 Triage CVE-2022-47015,mariadb-10.3 as postponed for Buster Null pointer dereference. Wait for next point release. - - - - - a2dab2f2 by Markus Koschany at 2023-05-06T00:51:28+02:00 Claim emacs in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -97195,11 +97195,13 @@ CVE-2022-25021 RESERVED CVE-2022-25020 (A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows att ...) - pluxml <removed> (bug #1008264) + [buster] - pluxml <end-of-life> (EOL in buster LTS) NOTE: https://github.com/MoritzHuppert/CVE-2022-25020/blob/main/CVE-2022-25020.pdf CVE-2022-25019 REJECTED CVE-2022-25018 (Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary c ...) - pluxml <removed> (bug #1008264) + [buster] - pluxml <end-of-life> (EOL in buster LTS) NOTE: https://github.com/MoritzHuppert/CVE-2022-25018/blob/main/CVE-2022-25018.pdf CVE-2022-25017 (Hitron CHITA 7.2.2.0.3b6-CD devices contain a command injection vulner ...) NOT-FOR-US: Hitron CHITA 
@@ -98744,12 +98746,15 @@ CVE-2022-24588 (Flatpress v1.2.1 was discovered to contain a cross-site scriptin NOT-FOR-US: Flatpress CVE-2022-24587 (A stored cross-site scripting (XSS) vulnerability in the component cor ...) - pluxml <removed> (bug #1008264) + [buster] - pluxml <end-of-life> (EOL in buster LTS) NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24587/CVE-2022-24587.pdf CVE-2022-24586 (A stored cross-site scripting (XSS) vulnerability in the component /co ...) - pluxml <removed> (bug #1008264) + [buster] - pluxml <end-of-life> (EOL in buster LTS) NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24586/CVE-2022-24586.pdf CVE-2022-24585 (A stored cross-site scripting (XSS) vulnerability in the component /co ...) - pluxml <removed> (bug #1008264) + [buster] - pluxml <end-of-life> (EOL in buster LTS) NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24585/CVE-2022-24585.pdf CVE-2022-24584 (Incorrect access control in Yubico OTP functionality of the YubiKey ha ...) NOT-FOR-US: yubico.com @@ -102643,6 +102648,7 @@ CVE-2022-23495 (go-merkledag implements the 'DAGService' interface and adds two NOT-FOR-US: go-merkledag CVE-2022-23494 (tinymce is an open source rich text editor. A cross-site scripting (XS ...) - tinymce <removed> + [buster] - tinymce <no-dsa> (Minor issue) NOTE: https://github.com/tinymce/tinymce/commit/6923d85eba6de3e08ebc9c5a387b5abdaa21150e NOTE: https://github.com/tinymce/tinymce/commit/8bb2d2646d4e1a718fce61a775fa22e9d317b32d NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-gg8r-xjwq-4w92 ===================================== data/dla-needed.txt ===================================== 
@@ -35,7 +35,7 @@ docker.io (gladk) NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git NOTE: 20230424: Is in preparation. -- -emacs +emacs (Markus Koschany) NOTE: 20230223: Programming language: Lisp. NOTE: 20230223: VCS: https://salsa.debian.org/lts-team/packages/emacs.git NOTE: 20230228: Waiting for confirmation that CVE-2022-48337 regression @@ -87,7 +87,7 @@ hdf5 linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- -man2html +man2html (Markus Koschany) NOTE: 20221004: Programming language: C. NOTE: 20221004: It looks like not patch is available. NOTE: 20221004: Please evalulate, whether the issue can be marked as <ignored>. @@ -95,12 +95,6 @@ man2html NOTE: 20230226: I would prefer to fix it instead of ignoring. (gladk) NOTE: 20230226: It looks like upstream is dead. Patch needs to be written. (gladk) -- -mariadb-10.3 - NOTE: 20230225: Programming language: C. - NOTE: 20230225: VCS: https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commits/buster - NOTE: 20230225: Testsuite: https://lists.debian.org/debian-lts/2019/07/msg00049.html - NOTE: 20230225: Maintainer notes: Contact original maintainer, Otto. --- nbconvert NOTE: 20230423: Programming language: Python. NOTE: 20230423: XSS may be worth fixing and this was a lot of them. To consider if this require @@ -165,11 +159,6 @@ php-cas NOTE: 20221110: a DSA is planned (Beuc/front-desk) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/php-cas.git -- -pluxml (Markus Koschany) - NOTE: 20220913: Programming language: PHP. - NOTE: 20220913: Special attention: orphaned package. - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/pluxml.git --- puppet-module-puppetlabs-mysql NOTE: 20221107: Programming language: Puppet, Ruby. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/puppet-module-puppetlabs-mysql.git 
@@ -253,10 +242,6 @@ sssd (gladk) NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git -- -tinymce (Markus Koschany) - NOTE: 20221227: Programming language: PHP. - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git --- webkit2gtk (Emilio) NOTE: 20230503: Programming language: C++. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/webkit2gtk.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/89c485def98a05273f84e9fadd23e094eaeb7620...a2dab2f2b4ae8ed2551c51493194be35dc833986
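Review bot: in the data/CVE/list hunk at -97195, the reasoning for choosing `<end-of-life>` over `<no-dsa>` for CVE-2022-25020 and CVE-2022-25018 (package removed, no upstream activity since August 2022, negligible popcon) exists only in the commit message; a `NOTE:` line beside each new `[buster] - pluxml <end-of-life> (EOL in buster LTS)` entry would let a later triager see why buster users are left without a fix without digging through git history.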
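Review bot: the hunk at -98744 applies the same EOL marking to CVE-2022-24587, CVE-2022-24586 and CVE-2022-24585; since the justification is per-package rather than per-CVE, it is worth checking that no other `- pluxml <removed> (bug #1008264)` entry in data/CVE/list was left without the `[buster]` line, otherwise the remaining ones will keep showing up as open for buster.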
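Review bot: in the hunk at -102643, the `(Minor issue)` tag on `[buster] - tinymce <no-dsa>` does not record the key fact from the commit message, that citadel-webcit is the only buster package believed to ship the affected code; putting that in a `NOTE:` line would make the decision reviewable, and it would also help to state why a removed package gets `<no-dsa>` here while removed pluxml gets `<end-of-life>` in the same push.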
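Review bot: in the data/dla-needed.txt hunk at -35, the claim `emacs (Markus Koschany)` comes without a dated `NOTE:` line, unlike the surrounding entries (e.g. `NOTE: 20230424: Is in preparation.` for docker.io); adding one keeps the claim date visible, especially as the last note on the entry is still the open question about the CVE-2022-48337 regression.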
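Review bot: the hunk at -87 also claims `man2html (Markus Koschany)`, but none of the five commit messages mentions man2html (the claim commit says only "Claim emacs"); confirm the claim is intended and amend the commit message, or revert it. Minor: the context lines `It looks like not patch is available.` and `Please evalulate` carry typos that could be fixed the next time this entry is touched.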
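Review bot: the hunk at -95 drops the mariadb-10.3 entry together with its VCS, testsuite and maintainer-contact notes, yet the triage is `postponed` (wait for the next point release), so whoever picks it up again will need them; consider keeping them as `NOTE:` lines on CVE-2022-47015 in data/CVE/list. Also, no `[buster]` postponed marking for CVE-2022-47015 appears in the data/CVE/list hunks shown here, so double-check that commit 1610beb5 actually touched data/CVE/list.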
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits