[Git][security-tracker-team/security-tracker][master] 2 commits: Remove no-dsa tags for upcoming curl update

Markus Koschany (@apo) apo at debian.org
Sun Aug 28 23:49:57 BST 2022



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1d34d950 by Markus Koschany at 2022-08-29T00:47:54+02:00
Remove no-dsa tags for upcoming curl update

- - - - -
cd62cd85 by Markus Koschany at 2022-08-29T00:49:45+02:00
Reserve DLA-3085-1 for curl

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -112122,13 +112122,11 @@ CVE-2021-22948 (Vulnerability in the generation of session IDs in revive-adserve
 CVE-2021-22947 (When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 se ...)
 	{DSA-5197-1 DLA-2773-1}
 	- curl 7.79.1-1
-	[buster] - curl <no-dsa> (Minor issue)
 	NOTE: https://curl.se/docs/CVE-2021-22947.html
 	NOTE: Fixed by: https://github.com/curl/curl/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68 (curl-7_79_0)
 CVE-2021-22946 (A user can tell curl >= 7.20.0 and <= 7.78.0 to require a succes ...)
 	{DSA-5197-1 DLA-2773-1}
 	- curl 7.79.1-1 (bug #1017589)
-	[buster] - curl <no-dsa> (Minor issue)
 	NOTE: https://curl.se/docs/CVE-2021-22946.html
 	NOTE: Fixed by: https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca (curl-7_79_0)
 CVE-2021-22945 (When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 c ...)
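Review bot: With the `[buster] - curl <no-dsa> (Minor issue)` lines dropped from CVE-2021-22947 and CVE-2021-22946, neither entry has any buster line left, and the `{DSA-5197-1 DLA-2773-1}` cross-reference above each still names only the older DLA. Please confirm the cross-references are regenerated to include DLA-3085-1 once data/DLA/list is processed, so that the buster status for these two CVEs comes from the new advisory rather than from the absence of a tag.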
@@ -112206,7 +112204,6 @@ CVE-2021-22925 (curl supports the `-t` command line option, known as `CURLOPT_TE
 CVE-2021-22924 (libcurl keeps previously used connections in a connection pool for sub ...)
 	{DSA-5197-1 DLA-2734-1}
 	- curl 7.79.1-1 (bug #991492)
-	[buster] - curl <no-dsa> (Minor issue)
 	NOTE: https://curl.se/docs/CVE-2021-22924.html
 	NOTE: Introduced by: https://github.com/curl/curl/commit/89721ff04af70f527baae1368f3b992777bf6526 (curl-7_10_4)
 	NOTE: Fixed by: https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161 (curl-7_78_0)
@@ -112291,7 +112288,6 @@ CVE-2021-22899 (A command injection vulnerability exists in Pulse Connect Secure
 CVE-2021-22898 (curl 7.7 through 7.76.1 suffers from an information disclosure when th ...)
 	{DSA-5197-1 DLA-2734-1}
 	- curl 7.79.1-1 (bug #989228)
-	[buster] - curl <no-dsa> (Minor issue)
 	NOTE: https://curl.se/docs/CVE-2021-22898.html
 	NOTE: Introduced by: https://github.com/curl/curl/commit/a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4 (7.7)
 	NOTE: Fixed by: https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde (7.77.0)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[29 Aug 2022] DLA-3085-1 curl - security update
+	{CVE-2021-22898 CVE-2021-22924 CVE-2021-22946 CVE-2021-22947 CVE-2022-22576 CVE-2022-27776 CVE-2022-27781 CVE-2022-27782 CVE-2022-32206 CVE-2022-32208}
+	[buster] - curl 7.64.0-4+deb10u3
 [27 Aug 2022] DLA-3084-1 ndpi - security update
 	{CVE-2020-15472 CVE-2020-15476}
 	[buster] - ndpi 2.6-3+deb10u1
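Review bot: The CVE set on the DLA-3085-1 entry names ten CVEs, but the data/CVE/list hunks in this push remove `<no-dsa>` only from CVE-2021-22898, CVE-2021-22924, CVE-2021-22946 and CVE-2021-22947. Please check that the six CVE-2022 entries (CVE-2022-22576, CVE-2022-27776, CVE-2022-27781, CVE-2022-27782, CVE-2022-32206, CVE-2022-32208) carry no leftover `[buster]` tag such as `<no-dsa>` or `<postponed>` that would contradict the `7.64.0-4+deb10u3` fix recorded here.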


=====================================
data/dla-needed.txt
=====================================
@@ -27,10 +27,6 @@ apache2
 asterisk (Markus Koschany)
   NOTE: 20220810: Programming language: C.
 --
-curl (Markus Koschany)
-  NOTE: 20220802: Programming language: C.
-  NOTE: 20220821: VCS: https://salsa.debian.org/lts-team/packages/curl
---
 exiv2 (Roberto C. Sánchez)
   NOTE: 20220819: Programming language: C++.
   NOTE: 20220819: https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292 does not directly apply, but a very quick glance suggests the earlier code may be equally vulnerable. (Chris Lamb)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cd30c18b586b62b3e2cd6937fb68b5117842e75b...cd62cd85632ef4e5e618d4d986524d5a36308573
