[Git][security-tracker-team/security-tracker][master] 4 commits: Claim hsqldb in dla-needed.txt
Markus Koschany (@apo)
apo at debian.org
Sat Dec 3 21:30:44 GMT 2022
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
db12bfbd by Markus Koschany at 2022-12-03T22:20:04+01:00
Claim hsqldb in dla-needed.txt
- - - - -
5a4c54c5 by Markus Koschany at 2022-12-03T22:22:56+01:00
Remove android-platform-system-core from dla-needed.txt
Minor issue. Requires a compromised adb daemon and root privileges to cause any
harm and automated use cases are unlikely for the Debian version of Platform
Tools.
- - - - -
5fdb3c44 by Markus Koschany at 2022-12-03T22:28:41+01:00
Claim jqueryui in dla-needed.txt
- - - - -
51cca91d by Markus Koschany at 2022-12-03T22:29:49+01:00
CVE-2022-3168,CVE-2022-20128,android-platform-system-core: Buster is no-dsa
Minor issue
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -19384,6 +19384,7 @@ CVE-2022-3168
- android-platform-tools <unfixed>
- android-platform-system-core <removed>
[bullseye] - android-platform-system-core <no-dsa> (Minor issue)
+ [buster] - android-platform-system-core <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5
CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...)
- openvswitch <unfixed> (bug #1021740)
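Review bot: the added `[buster]` line for CVE-2022-3168 gives only "(Minor issue)" as the no-dsa reason, which does not tell a later reader why the issue was judged minor. The message of commit 5a4c54c5 carries the actual rationale (a compromised adb daemon and root privileges are required). Consider putting a short form of that in the parenthetical or in a NOTE line under the CVE, so the triage decision can be read from data/CVE/list alone. The same applies to the identical line added under CVE-2022-20128.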
@@ -86873,6 +86874,7 @@ CVE-2022-20128
- android-platform-tools <unfixed>
- android-platform-system-core <removed>
[bullseye] - android-platform-system-core <no-dsa> (Minor issue)
+ [buster] - android-platform-system-core <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5
CVE-2022-20127 (In ce_t4t_data_cback of ce_t4t.cc, there is a possible out of bounds w ...)
NOT-FOR-US: Android
=====================================
data/dla-needed.txt
=====================================
@@ -12,13 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
---
-android-platform-system-core
- NOTE: 20221102: Programming language: C++.
- NOTE: 20221102: VCS: https://salsa.debian.org/lts-team/packages/android-platform-system-core.git
- NOTE: 20221102: The package in buster is likely affected but since no known fix is available it is hard to tell without running the proof of concept code.
- NOTE: 20221102: Consider ignoring this if Debian Security team see the CVEs as minor. (ola)
- NOTE: 20221103: Both PoCs (CVE-2022-20128 & CVE-2022-3168) work for me in buster (Beuc/front-desk)
--
ceph
NOTE: 20221031: Programming language: C++.
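Review bot: removing the whole android-platform-system-core entry also removes the 20221103 note that both PoCs (CVE-2022-20128 and CVE-2022-3168) work in buster, so that confirmation now survives only in git history. Since the package is being marked no-dsa rather than not-affected, consider carrying that finding over as a NOTE under the two CVE entries in data/CVE/list. Otherwise anyone revisiting the decision has to re-run the PoCs or dig through the log to learn that buster is confirmed affected.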
@@ -76,7 +69,7 @@ golang-websocket
NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk)
NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies
--
-hsqldb
+hsqldb (Markus Koschany)
NOTE: 20221031: Programming language: Java.
NOTE: 20221031: To be investigated further. A possible outcome is to ignore it.
NOTE: 20221031: https://lists.debian.org/debian-lts/2022/10/msg00060.html.
@@ -91,7 +84,7 @@ jhead (Markus Koschany)
NOTE: 20221031: Note that multiple options are vulnerable. The attacker have to trick someone to execute the command but arbitrary code exectuion is not good..
NOTE: 20221031: It should be stated in the DLA that multiple options are affected..
--
-jqueryui
+jqueryui (Markus Koschany)
NOTE: 20221111: Programming language: JavaScript.
NOTE: 20221111: Follow fixes from bullseye 11.2 (and jessie/elts) (Beuc/front-desk)
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2d635d1226076a791464775edc577dc76c08a33f...51cca91dbdfed80ffe83a94e875befce8d3e704b