[Git][security-tracker-team/security-tracker][master] 5 commits: Reclaim firmware-nonfree in dla-needed.txt
Markus Koschany (@apo)
apo at debian.org
Fri Feb 4 14:19:07 GMT 2022
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a9be54e8 by Markus Koschany at 2022-02-04T15:12:56+01:00
Reclaim firmware-nonfree in dla-needed.txt
- - - - -
9e0de800 by Markus Koschany at 2022-02-04T15:13:27+01:00
Remove minetest from dla-needed.txt again
Games are not supported
- - - - -
f7a81994 by Markus Koschany at 2022-02-04T15:14:51+01:00
CVE-2022-24300,CVE-2022-24301,minetest: Mark as end-of-life
- - - - -
3787efe8 by Markus Koschany at 2022-02-04T15:15:33+01:00
Remove guacamole-client from dla-needed.txt
- - - - -
3af7f763 by Markus Koschany at 2022-02-04T15:17:43+01:00
CVE-2021-41767,guacamole-client: end-of-life
See https://lists.debian.org/debian-lts/2022/01/msg00015.html
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2230,6 +2230,7 @@ CVE-2021-4209
RESERVED
CVE-2022-24300 (Minetest before 5.4.0 allows attackers to add or modify arbitrary meta ...)
- minetest 5.4.1+repack-1 (bug #1004223)
+ [stretch] - minetest <end-of-life> (games are not supported in LTS)
NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-hwj2-xf72-r4cf
NOTE: Fixed by: https://github.com/minetest/minetest/commit/b5956bde259faa240a81060ff4e598e25ad52dae (5.4.0)
NOTE: When fixing this issue the fix for GHSA-7q63-4fq2-hqcr should be included,
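Review bot: The added `[stretch] - minetest <end-of-life>` line gives "games are not supported in LTS" as its reason, but neither the entry nor the commit message for f7a81994 says where that policy is recorded, whereas the guacamole-client commit (3af7f763) cites the debian-lts thread. Consider adding a reference to the policy in the commit message so the tag can be audited later.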
@@ -2238,6 +2239,7 @@ CVE-2022-24300 (Minetest before 5.4.0 allows attackers to add or modify arbitrar
NOTE: https://github.com/minetest/minetest/commit/8d6a0b917ce1e7f4f1017835af0ca76e79c98c38 (5.2.0)
CVE-2022-24301 (In Minetest before 5.4.0, players can add or subtract items from a dif ...)
- minetest 5.4.1+repack-1
+ [stretch] - minetest <end-of-life> (games are not supported in LTS)
NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-fvwv-qcq6-wmp5
NOTE: Fixed by: https://github.com/minetest/minetest/commit/3693b6871eba268ecc79b3f52d00d3cefe761131 (5.4.0)
CVE-2022-23850 (xhtml_translate_entity in xhtml.c in epub2txt (aka epub2txt2) through ...)
@@ -23269,6 +23271,7 @@ CVE-2021-41768
RESERVED
CVE-2021-41767 (Apache Guacamole 1.3.0 and older may incorrectly include a private tun ...)
- guacamole-client <unfixed>
+ [stretch] - guacamole-client <end-of-life> (unmaintained stretch-only package)
NOTE: https://www.openwall.com/lists/oss-security/2022/01/11/6
CVE-2021-3837 (openwhyd is vulnerable to Improper Authorization ...)
NOT-FOR-US: openwhyd
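Review bot: The unchanged line `- guacamole-client <unfixed>` directly above the added `[stretch]` line still reports the package as unfixed in unstable, while the new reason calls it an "unmaintained stretch-only package". If the package no longer exists in unstable, that line should probably read `<removed>` so the two entries agree; worth checking in this same commit.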
=====================================
data/dla-needed.txt
=====================================
@@ -31,7 +31,7 @@ debian-archive-keyring
NOTE: 20211018: Jonathan is prepping the branch; will work
NOTE: 20211018: with him and upload and publish the DLA. (utkarsh)
--
-firmware-nonfree
+firmware-nonfree (Markus Koschany)
NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
NOTE: 20211207: Intend to release this week.
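Review bot: The claim on `firmware-nonfree` is added without a new dated NOTE, so the most recent status in the entry is still "20211207: Intend to release this week", roughly two months before this commit (2022-02-04). Add a NOTE with the current date recording the reclaim and what remains to be done, so the entry does not read as stalled.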
@@ -48,9 +48,6 @@ gpac (Roberto C. Sánchez)
NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto)
NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto)
--
-guacamole-client (Markus Koschany)
- NOTE: 20220114: package unmaintained AFAICS and only present in stretch (Beuc)
---
libarchive (Thorsten Alteholz)
NOTE: 20220116: waiting for upload in higher releases
NOTE: 20220130: new CVEs arrived
@@ -62,9 +59,6 @@ linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
-minetest
- NOTE: 20220203: a DSA is planned (Beuc)
---
nvidia-graphics-drivers
NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc)
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/199dc479a6ad00b91b9fde09bed767a5c4b8fdfe...3af7f7635798aefdf9881f985862badd54082931