[Git][security-tracker-team/security-tracker][master] Reserve DLA-3240-1 for libde2565.

Tobias Frost (@tobi) tobi at debian.org
Thu Dec 15 16:55:14 GMT 2022



Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker


Commits:
adaa8a72 by Tobias Frost at 2022-12-15T17:54:53+01:00
Reserve DLA-3240-1 for libde2565.

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -105788,14 +105788,12 @@ CVE-2021-36412 (A heap-based buffer overflow vulnerability exists in MP4Box in G
 CVE-2021-36411 (An issue has been found in libde265 v1.0.8 due to incorrect access con ...)
 	- libde265 1.0.8-1.1 (bug #1014977)
 	[bullseye] - libde265 <no-dsa> (Minor issue)
-	[buster] - libde265 <no-dsa> (Minor issue)
 	[stretch] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/302
 	NOTE: https://github.com/strukturag/libde265/commit/45904e5667c5bf59c67fcdc586dfba110832894c
 CVE-2021-36410 (A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion. ...)
 	- libde265 1.0.8-1.1 (bug #1014977)
 	[bullseye] - libde265 <no-dsa> (Minor issue)
-	[buster] - libde265 <no-dsa> (Minor issue)
 	[stretch] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/301
 	NOTE: https://github.com/strukturag/libde265/commit/697aa4f7c774abd6374596e6707a6f4f54265355
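Review bot: Dropping the `[buster] - libde265 <no-dsa> (Minor issue)` lines for CVE-2021-36411 and CVE-2021-36410 is consistent with the new DLA-3240-1 entry in data/DLA/list, which lists both CVEs as fixed in buster; once a DLA covers a CVE the buster status is derived from the DLA entry, so the no-dsa annotation must go or the tracker would show conflicting states. The `[stretch]` lines are correctly left in place, since the DLA does not cover stretch. Please double-check that every CVE named in the DLA entry has its buster line removed in this file and vice versa; the CVE set in the DLA hunk (six CVEs) matches the six removals across the data/CVE/list hunks.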
@@ -105804,14 +105802,12 @@ CVE-2021-3641 (Improper Link Resolution Before File Access ('Link Following') vu
 CVE-2021-36409 (There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at ...)
 	- libde265 1.0.8-1.1 (bug #1014977)
 	[bullseye] - libde265 <no-dsa> (Minor issue)
-	[buster] - libde265 <no-dsa> (Minor issue)
 	[stretch] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/300
 	NOTE: https://github.com/strukturag/libde265/commit/64d591a6c70737604ca3f5791736fc462cbe8a3c
 CVE-2021-36408 (An issue was discovered in libde265 v1.0.8.There is a Heap-use-after-f ...)
 	- libde265 1.0.8-1.1 (bug #1014977)
 	[bullseye] - libde265 <no-dsa> (Minor issue)
-	[buster] - libde265 <no-dsa> (Minor issue)
 	[stretch] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/299
 	NOTE: https://github.com/strukturag/libde265/commit/f538254e4658ef5ea4e233c2185dcbfd165e8911
@@ -108248,7 +108244,6 @@ CVE-2021-35453
 CVE-2021-35452 (An Incorrect Access Control vulnerability exists in libde265 v1.0.8 du ...)
 	- libde265 1.0.8-1.1 (bug #1014977)
 	[bullseye] - libde265 <no-dsa> (Minor issue)
-	[buster] - libde265 <no-dsa> (Minor issue)
 	[stretch] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/strukturag/libde265/issues/298
 	NOTE: https://github.com/strukturag/libde265/commit/e83f3798dd904aa579425c53020c67e03735138d
@@ -174266,7 +174261,6 @@ CVE-2020-21600 (libde265 v1.0.4 contains a heap buffer overflow in the put_weigh
 CVE-2020-21599 (libde265 v1.0.4 contains a heap buffer overflow in the de265_image::av ...)
 	- libde265 1.0.9-1 (bug #1014999)
 	[bullseye] - libde265 <no-dsa> (Minor issue)
-	[buster] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
 	[stretch] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/strukturag/libde265/issues/235
 	NOTE: https://github.com/strukturag/libde265/commit/a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 (v1.0.9)
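Review bot: The removed buster line for CVE-2020-21599 read `<postponed> (Minor issue, revisit when fixed upstream)` rather than `<no-dsa>`, so this hunk resolves a postponed item, not just a no-dsa one; that is consistent with the NOTE pointing at the upstream fix commit tagged `(v1.0.9)`, which means the "revisit when fixed upstream" condition has been met. Since the buster package (1.0.3-1+deb10u1 per the DLA entry) is several upstream releases behind v1.0.9, the fix must have been backported; a NOTE recording which upstream commit(s) the deb10u1 upload carries would make later triage of the remaining libde265 CVEs easier.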


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[15 Dec 2022] DLA-3240-1 libde265 - security update
+	{CVE-2020-21599 CVE-2021-35452 CVE-2021-36408 CVE-2021-36409 CVE-2021-36410 CVE-2021-36411}
+	[buster] - libde265 1.0.3-1+deb10u1
 [14 Dec 2022] DLA-3239-2 git - regression update
 	[buster] - git 1:2.20.1-2+deb10u6
 [13 Dec 2022] DLA-3239-1 git - security update
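Review bot: The new entry follows the existing format (date, DLA id, package, description, `{CVE ...}` line, `[buster] - package version`) and its date matches the commit date, so the entry itself looks correct. One thing to verify before the announcement goes out: the CVE list here is the authoritative mapping from DLA-3240-1 to fixed CVEs, so it must agree exactly with the buster lines removed in data/CVE/list (CVE-2020-21599, CVE-2021-35452, CVE-2021-36408, CVE-2021-36409, CVE-2021-36410, CVE-2021-36411). The six do agree with the removals in this commit.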


=====================================
data/dla-needed.txt
=====================================
@@ -101,10 +101,11 @@ lava
 libapreq2
   NOTE: 20221031: Programming language: C.
 --
-libde265 (tobi)
+libde265
   NOTE: 20221107: Programming language: C++.
   NOTE: 20221107: Most vulnerabilities unfixed upstream, but a handful are fixed, and v1.0.9 (2022-10) is a security release (Beuc/front-desk)
   NOTE: 20221107: No prior DSA/DLA/ELA afaics (Beuc/front-desk)
+  NOTE: 20221215: CVE-2020-21599 CVE-2021-35452 CVE-2021-36408 CVE-2021-36409 CVE-2021-36410 CVE-2021-36411 adressed, remaining CVEs are unfixed upstream. (I've proposed a patch upstream, waiting for feeback) (tobi)
 --
 libetpan
   NOTE: 20221203: Programming language: C++.
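Review bot: Two typos in the new NOTE line: "adressed" should be "addressed" and "feeback" should be "feedback". Separately, the claim marker is dropped (`-libde265 (tobi)` becomes `+libde265`) while the same NOTE says a patch for the remaining CVEs has been proposed upstream and is awaiting feedback; if tobi intends to keep following the upstream discussion, keeping the package claimed (`libde265 (tobi)`) avoids another LTS contributor picking it up in parallel. If the intent is to release the claim because nothing further can be done until upstream responds, the NOTE could say so explicitly so the next person reading dla-needed.txt knows the remaining CVEs are blocked on upstream rather than unassigned.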



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/adaa8a72fbc42f75f0d2279f575267e422f6ce21




