Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4a0a2559 by Chris Lamb at 2022-10-27T11:18:45-07:00
Reserve DLA-3164-1 for python-django

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -118518,7 +118518,6 @@ CVE-2021-3282 (HashiCorp Vault Enterprise 1.6.0 & 
1.6.1 allowed the `remove-
 CVE-2021-3281 (In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 
3.1.6,  ...)
        {DLA-2540-1}
        - python-django 2:2.2.18-1 (bug #981562)
-       [buster] - python-django <no-dsa> (Minor issue)
        NOTE: 
https://www.djangoproject.com/weblog/2021/feb/01/security-releases/
        NOTE: 
https://github.com/django/django/commit/05413afa8c18cdb978fcdf470e09f7a12b234a23
 (master)
        NOTE: 
https://github.com/django/django/commit/21e7622dec1f8612c85c2fc37fe8efbfd3311e37
 (2.2.18)
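Review bot: the `{DLA-2540-1}` line under the CVE-2021-3281 header is left unchanged while the `[buster] - python-django <no-dsa> (Minor issue)` line is dropped, so buster's fixed status for this CVE is now recorded only in data/DLA/list. If the tracker's convention is to list every advisory that covers the CVE in that brace list, this hunk should also add the newly reserved advisory, i.e. `{DLA-3164-1 DLA-2540-1}`; otherwise the removal alone leaves the entry looking like an open issue for buster until the DLA cross-reference is applied.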
@@ -124993,7 +124992,6 @@ CVE-2021-23337 (Lodash versions prior to 4.17.21 are 
vulnerable to Command Injec
 CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 
3.7.0 and be ...)
        {DLA-2628-1 DLA-2619-1 DLA-2569-1}
        - python-django 2:2.2.19-1 (bug #983090)
-       [buster] - python-django <no-dsa> (Minor issue; can be fixed via point 
release)
        - python3.9 3.9.2-1
        [buster] - python3.9 <ignored> (Will break existing applications, don't 
backport to released suites)
        - python3.8 <removed>
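Review bot: the removed justification `(Minor issue; can be fixed via point release)` contradicts the dla-needed.txt note that there are no further point releases for buster, so clearing the `<no-dsa>` marker is correct; the brace list `{DLA-2628-1 DLA-2619-1 DLA-2569-1}` still names only earlier advisories, so check whether DLA-3164-1 belongs there as well. The `python3.9 <ignored>` and `python3.8 <removed>` lines are unrelated to the Django fix and are rightly left alone.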
@@ -153881,7 +153879,6 @@ CVE-2020-24585 (An issue was discovered in the DTLS 
handshake implementation in
        NOTE: 
https://github.com/wolfSSL/wolfssl/commit/3be7f3ea3a56d178acf0f7f84ee4ae8cbfee8915
 (v4.5.0-stable)
 CVE-2020-24584 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 
before 3.0.10 ...)
        - python-django 2:2.2.16-1 (bug #969367)
-       [buster] - python-django <postponed> (Fix along in future DSA)
        [stretch] - python-django <not-affected> (Requires Python 3.7+)
        NOTE: 
https://github.com/django/django/commit/1853724acaf17ed7414d54c7d2b5563a25025a71
 (master)
        NOTE: 
https://github.com/django/django/commit/2b099caa5923afa8cfb5f1e8c0d56b6e0e81915b
 (3.1.1)
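Review bot: dropping `[buster] - python-django <postponed> (Fix along in future DSA)` leaves no explicit buster line for CVE-2020-24584, so the buster status depends entirely on the DLA-3164-1 entry in data/DLA/list being picked up. The retained `[stretch] - python-django <not-affected> (Requires Python 3.7+)` line implies buster is affected only because it ships Python 3.7 or later, which is worth stating in the advisory text since the NOTE commits listed here are for master and 3.1.1, not for a 1.11-series backport.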
@@ -153889,7 +153886,6 @@ CVE-2020-24584 (An issue was discovered in Django 2.2 
before 2.2.16, 3.0 before
        NOTE: 
https://github.com/django/django/commit/a3aebfdc8153dc230686b6d2454ccd32ed4c9e6f
 (2.2.16)
 CVE-2020-24583 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 
before 3.0.10 ...)
        - python-django 2:2.2.16-1 (bug #969367)
-       [buster] - python-django <postponed> (Fix along in future DSA)
        [stretch] - python-django <not-affected> (Requires Python 3.7+)
        NOTE: 
https://github.com/django/django/commit/8d7271578d7b153435b40fe40236ebec43cbf1b9
 (master)
        NOTE: 
https://github.com/django/django/commit/934430d22aa5d90c2ba33495ff69a6a1d997d584
 (3.1.1)
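Review bot: the CVE-2020-24583 header lists affected versions as 2.2 before 2.2.16 and 3.0 before 3.0.10, but the buster target named in data/DLA/list is 1:1.11.29-1+deb10u2, a series upstream no longer enumerates; the DLA text should say explicitly that the 2.2.16 fix was backported to 1.11 so readers do not conclude from this description that 1.11 is unaffected. As with the CVE-2020-24584 hunk, the `<postponed>` line is removed and the stretch `<not-affected>` line kept, which is consistent.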


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[27 Oct 2022] DLA-3164-1 python-django - security update
+       {CVE-2020-24583 CVE-2020-24584 CVE-2021-3281 CVE-2021-23336 
CVE-2022-34265}
+       [buster] - python-django 1:1.11.29-1+deb10u2
 [26 Oct 2022] DLA-3163-1 wordpress - security update
        [buster] - wordpress 5.0.18+dfsg1-0+deb10u1
 [26 Oct 2022] DLA-3162-1 libdatetime-timezone-perl - new timezone database
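Review bot: CVE-2022-34265 appears in the new DLA-3164-1 CVE list but has no corresponding change in data/CVE/list in this commit, whereas the other four CVEs each had a buster `<no-dsa>`/`<postponed>` line removed; check whether CVE-2022-34265 carries a buster annotation that also needs clearing so the tracker does not show it as both fixed by the DLA and deferred. The five CVEs match the four "seemingly unreleased" ones plus CVE-2022-34265 from the dla-needed notes, and `1:1.11.29-1+deb10u2` is the expected successor to a `+deb10u1` upload; date and layout match the neighbouring wordpress entry.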


=====================================
data/dla-needed.txt
=====================================
@@ -149,14 +149,6 @@ pluxml
   NOTE: 20220913: Programming language: PHP.
   NOTE: 20220913: Special attention: orphaned package.
 --
-python-django (Chris Lamb)
-  NOTE: 20220911: Programming language: Python
-  NOTE: 20220911: There are many minors issues that should be done in a point 
release. No further point releases for buster.
-  NOTE: 20220911: Some issue was fixed in stretch so it should also be fixed 
for buster.
-  NOTE: 20221018: There are 4 CVEs on the debian/buster branch that are 
seemingly unreleased: CVE-2020-24583, CVE-2020-24584, CVE-2021-3281 and 
CVE-2021-23336. (lamby)
-  NOTE: 20221018: This leaves 8 CVEs that need fixing, either simply because 
the code is vulnerable or the issue has already been fixed in stretch: 
CVE-2022-34265, CVE-2022-28346, CVE-2022-23833, CVE-2022-22818, CVE-2021-33571, 
CVE-2021-33203, CVE-2021-31542 & CVE-2021-28658 (lamby)
-  NOTE: 20221027: To clarify, only the first CVE mentioned in the previous 
comment (CVE-2022-34265) is vulnerable and not fixed in stretch, and the other 
seven have already been fixed in stretch. I plan to fix these remaining 1 CVE 
and release (with 5 total CVEs) instead of trying to co-ordinate a release with 
12 (!) new patches. I can address them later. (lamby)
---
 python-scciclient
   NOTE: 20221009: Programming language: Python.
 --
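Review bot: removing the entire python-django block also deletes the 20221027 note naming the seven CVEs deliberately deferred from this DLA (CVE-2022-28346, CVE-2022-23833, CVE-2022-22818, CVE-2021-33571, CVE-2021-33203, CVE-2021-31542 and CVE-2021-28658, per the removed 20221018 line); once this entry is gone, nothing in dla-needed.txt tracks that follow-up. Consider re-adding a short python-django entry (or a dated NOTE elsewhere) listing those seven so the "I can address them later" plan is not lost when the claim is released.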



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a0a2559b2fbf88b59b56b8d70e9a820d30c4eaa



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
