[Git][security-tracker-team/security-tracker][master] 2 commits: Ignore CVE-2022-3287 for buster - vulnerable code was introduced later

Stefano Rivera (@stefanor) stefanor at debian.org
Tue Dec 27 16:04:03 GMT 2022



Stefano Rivera pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1a5e3bba by Stefano Rivera at 2022-12-27T12:02:25-04:00
Ignore CVE-2022-3287 for buster - vulnerable code was introduced later

- - - - -
ff193807 by Stefano Rivera at 2022-12-27T12:02:27-04:00
Take ceph

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -22735,6 +22735,7 @@ CVE-2022-3288 (A branch/tag name confusion in GitLab CE/EE affecting all version
 CVE-2022-3287 (When creating an OPERATOR user account on the BMC, the redfish plugin  ...)
 	- fwupd 1.8.5-1
 	[bullseye] - fwupd <no-dsa> (Minor issue)
+	[buster] - fwupd <not-affected> (Vulnerable code introduced in 1.7.0)
 	NOTE: https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091 (1.8.5)
 CVE-2022-3286 (Lack of IP address checking in GitLab EE affecting all versions from 1 ...)
 	- gitlab <not-affected> (Only affects Gitlab EE)
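
Review bot: the added [buster] line states "Vulnerable code introduced in 1.7.0" but the entry gives no reference for that claim; the only NOTE points at the fix commit (1.8.5). Add a NOTE with the upstream commit that introduced the vulnerable code, so the <not-affected> marking can be re-checked later. The commit subject also says "Ignore", while the tag used is <not-affected> rather than <ignored>; a subject saying "not affected" would match the data.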


=====================================
data/dla-needed.txt
=====================================
@@ -20,7 +20,7 @@ cacti (guilhem)
   NOTE: 20221208: Programming language: PHP.
   NOTE: 20221208: VCS: https://salsa.debian.org/cacti-team/cacti/
 --
-ceph
+ceph (Stefano Rivera)
   NOTE: 20221031: Programming language: C++.
   NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system.
   NOTE: 20221031: What should be checked is whether any user with ceph permission can do the actions described in the exploit. (ola/front-desk)
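
Review bot: the claim on the "ceph" line leaves the 20221031 notes below it unchanged, including the open question of whether any user with ceph permission can do the actions described in the exploit. Once that has been checked, record the result as a dated NOTE under the entry so the triage state stays visible to other contributors.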
@@ -62,9 +62,6 @@ fusiondirectory
   NOTE: 20221203: Also the package was removed from sid recently (gladk).
   NOTE: 20221203: Feel free to marke both CVEs as <ignored>, if they are not too serious (gladk).
 --
-fwupd
-  NOTE: 20221003: Programming language: C++.
---
 golang-1.11
   NOTE: 20220916: Programming language: Go.
   NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't)
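
Review bot: the removed "fwupd" entry carried no CVE reference, so this hunk alone does not show that CVE-2022-3287 was the only reason the package was listed. The commit message should state that the removal follows from the [buster] <not-affected> marking in data/CVE/list, so the two changes can be traced together.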



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/52c3a1e62877cb75a47473a086123b19bd90ec1c...ff193807632c3916bfe557a88aa29bcc1d0a0d60
