Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1f8dda2f by Markus Koschany at 2023-05-06T00:14:57+02:00
Mark pluxml CVE in buster EOL

pluxml has been removed from Debian. Last upstream activity was in August 2022.
Currently there is no sign that any CVE will be addressed in the near future.
pluxml is almost not used by any Debian user according to popcon.

- - - - -
9a0db038 by Markus Koschany at 2023-05-06T00:20:56+02:00
CVE-2022-23494,tinymce: Mark buster no-dsa

This is a minor issue. Only citadel-webcit in Buster might be affected by this issue.
I don't think an XSS issue like that warrants a DLA.

NOTE: tinymce has been removed from Debian.

- - - - -
a95b624e by Markus Koschany at 2023-05-06T00:24:19+02:00
Remove tinymce and pluxml from dla-needed.txt

- - - - -
1610beb5 by Markus Koschany at 2023-05-06T00:49:33+02:00
Triage CVE-2022-47015,mariadb-10.3 as postponed for Buster

Null pointer dereference. Wait for next point release.

- - - - -
a2dab2f2 by Markus Koschany at 2023-05-06T00:51:28+02:00
Claim emacs in dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -97195,11 +97195,13 @@ CVE-2022-25021
        RESERVED
 CVE-2022-25020 (A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 
allows att ...)
        - pluxml <removed> (bug #1008264)
+       [buster] - pluxml <end-of-life> (EOL in buster LTS)
        NOTE: 
https://github.com/MoritzHuppert/CVE-2022-25020/blob/main/CVE-2022-25020.pdf
 CVE-2022-25019
        REJECTED
 CVE-2022-25018 (Pluxml v5.8.7 was discovered to allow attackers to execute 
arbitrary c ...)
        - pluxml <removed> (bug #1008264)
+       [buster] - pluxml <end-of-life> (EOL in buster LTS)
        NOTE: 
https://github.com/MoritzHuppert/CVE-2022-25018/blob/main/CVE-2022-25018.pdf
 CVE-2022-25017 (Hitron CHITA 7.2.2.0.3b6-CD devices contain a command 
injection vulner ...)
        NOT-FOR-US: Hitron CHITA
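Review bot: the rationale for the two new `[buster] - pluxml <end-of-life> (EOL in buster LTS)` lines (package removed from Debian, upstream inactive since August 2022, negligible popcon) lives only in the commit message; the annotation text is the part that survives in the tracker, so consider carrying a short reason there, e.g. `<end-of-life> (Removed from Debian, upstream inactive)`, so that anyone reading the buster view later does not have to dig through git history to see why no DLA will be issued.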
@@ -98744,12 +98746,15 @@ CVE-2022-24588 (Flatpress v1.2.1 was discovered to 
contain a cross-site scriptin
        NOT-FOR-US: Flatpress
 CVE-2022-24587 (A stored cross-site scripting (XSS) vulnerability in the 
component cor ...)
        - pluxml <removed> (bug #1008264)
+       [buster] - pluxml <end-of-life> (EOL in buster LTS)
        NOTE: 
https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24587/CVE-2022-24587.pdf
 CVE-2022-24586 (A stored cross-site scripting (XSS) vulnerability in the 
component /co ...)
        - pluxml <removed> (bug #1008264)
+       [buster] - pluxml <end-of-life> (EOL in buster LTS)
        NOTE: 
https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24586/CVE-2022-24586.pdf
 CVE-2022-24585 (A stored cross-site scripting (XSS) vulnerability in the 
component /co ...)
        - pluxml <removed> (bug #1008264)
+       [buster] - pluxml <end-of-life> (EOL in buster LTS)
        NOTE: 
https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24585/CVE-2022-24585.pdf
 CVE-2022-24584 (Incorrect access control in Yubico OTP functionality of the 
YubiKey ha ...)
        NOT-FOR-US: yubico.com
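Review bot: these three entries receive the same `[buster] - pluxml <end-of-life>` annotation as the two in the previous hunk, so all five open pluxml XSS/code-execution CVEs are now handled uniformly for buster, which is what you want. The only references on each entry are third-party proof-of-concept PDFs with no upstream fix link, which supports the decision; stating "no upstream fix" in the annotation text would make the end-of-life marking self-explanatory.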
@@ -102643,6 +102648,7 @@ CVE-2022-23495 (go-merkledag implements the 
'DAGService' interface and adds two
        NOT-FOR-US: go-merkledag
 CVE-2022-23494 (tinymce is an open source rich text editor. A cross-site 
scripting (XS ...)
        - tinymce <removed>
+       [buster] - tinymce <no-dsa> (Minor issue)
        NOTE: 
https://github.com/tinymce/tinymce/commit/6923d85eba6de3e08ebc9c5a387b5abdaa21150e
        NOTE: 
https://github.com/tinymce/tinymce/commit/8bb2d2646d4e1a718fce61a775fa22e9d317b32d
        NOTE: 
https://github.com/tinymce/tinymce/security/advisories/GHSA-gg8r-xjwq-4w92
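Review bot: the `[buster] - tinymce <no-dsa> (Minor issue)` annotation drops the actual reasoning from the commit message, namely that the buster copy of tinymce is only reachable through citadel-webcit. Consider putting that in the reason text, e.g. `<no-dsa> (Minor issue; only used by citadel-webcit in buster)`, so the exposure assessment is recorded next to the decision. The two upstream fix commits are already listed in the NOTE lines, so a fix could still be picked up later if the assessment changes.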


=====================================
data/dla-needed.txt
=====================================
@@ -35,7 +35,7 @@ docker.io (gladk)
   NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git
   NOTE: 20230424: Is in preparation.
 --
-emacs
+emacs (Markus Koschany)
   NOTE: 20230223: Programming language: Lisp.
   NOTE: 20230223: VCS: https://salsa.debian.org/lts-team/packages/emacs.git
   NOTE: 20230228: Waiting for confirmation that CVE-2022-48337 regression
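Review bot: the claim `emacs (Markus Koschany)` is fine, but the file's convention is to record state changes as dated NOTE lines (see the 20230223 and 20230228 entries in this same block), and the 20230228 note about the CVE-2022-48337 regression is still open. Consider adding a `NOTE: 20230506:` line saying the package was claimed and whether that regression question has been resolved, so the next person reading the entry knows its current status.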
@@ -87,7 +87,7 @@ hdf5
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C
 --
-man2html
+man2html (Markus Koschany)
   NOTE: 20221004: Programming language: C.
   NOTE: 20221004: It looks like not patch is available.
   NOTE: 20221004: Please evalulate, whether the issue can be marked as 
<ignored>.
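Review bot: this hunk also claims `man2html (Markus Koschany)`, but none of the five commit messages mentions man2html; commit a2dab2f2 only says "Claim emacs in dla-needed.txt". Either the commit message should list both claims or the man2html change belongs in its own commit, otherwise the claim is invisible to anyone reading the log. Unrelated to this change but in the surrounding context: "not patch is available" and "evalulate" in the 20221004 notes are typos worth fixing on the next edit.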
@@ -95,12 +95,6 @@ man2html
   NOTE: 20230226: I would prefer to fix it instead of ignoring. (gladk)
   NOTE: 20230226: It looks like upstream is dead. Patch needs to be written. 
(gladk)
 --
-mariadb-10.3
-  NOTE: 20230225: Programming language: C.
-  NOTE: 20230225: VCS: 
https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commits/buster
-  NOTE: 20230225: Testsuite: 
https://lists.debian.org/debian-lts/2019/07/msg00049.html
-  NOTE: 20230225: Maintainer notes: Contact original maintainer, Otto.
---
 nbconvert
   NOTE: 20230423: Programming language: Python.
   NOTE: 20230423: XSS may be worth fixing and this was a lot of them. To 
consider if this require
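Review bot: removing the `mariadb-10.3` block from dla-needed.txt matches commit 1610beb5 ("Triage CVE-2022-47015,mariadb-10.3 as postponed for Buster"), but no corresponding `[buster] - mariadb-10.3 <postponed>` line for CVE-2022-47015 appears in the data/CVE/list hunks of this diff. Please check that the postponed annotation actually landed in data/CVE/list; without it the package silently disappears from the LTS work queue while the CVE still shows as open for buster. The "Wait for next point release" rationale and the maintainer contact note (Otto) being removed here would also be useful to keep as the reason text on the postponed annotation.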
@@ -165,11 +159,6 @@ php-cas
   NOTE: 20221110: a DSA is planned (Beuc/front-desk)
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/php-cas.git
 --
-pluxml (Markus Koschany)
-  NOTE: 20220913: Programming language: PHP.
-  NOTE: 20220913: Special attention: orphaned package.
-  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/pluxml.git
---
 puppet-module-puppetlabs-mysql
   NOTE: 20221107: Programming language: Puppet, Ruby.
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/puppet-module-puppetlabs-mysql.git
@@ -253,10 +242,6 @@ sssd (gladk)
   NOTE: 20230131: Programming language: C.
   NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git
 --
-tinymce (Markus Koschany)
-  NOTE: 20221227: Programming language: PHP.
-  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git
---
 webkit2gtk (Emilio)
   NOTE: 20230503: Programming language: C++.
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/webkit2gtk.git
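Review bot: removing the `tinymce (Markus Koschany)` block is consistent with the `<no-dsa>` marking in commit 9a0db038 and with "tinymce has been removed from Debian". Minor observation on the removed lines: the entry recorded "Programming language: PHP", while the CVE-2022-23494 description in data/CVE/list calls tinymce an open source rich text editor (a JavaScript component); moot now that the entry is gone, but worth watching for copy-paste errors when new entries are added.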



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/89c485def98a05273f84e9fadd23e094eaeb7620...a2dab2f2b4ae8ed2551c51493194be35dc833986



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits