[Git][security-tracker-team/security-tracker][master] 6 commits: add apache-log4j1.2

Thorsten Alteholz (@alteholz) alteholz at debian.org
Sun Jan 23 23:25:36 GMT 2022



Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
16441a89 by Thorsten Alteholz at 2022-01-23T23:58:31+01:00
add apache-log4j1.2

- - - - -
bb3c1dfd by Thorsten Alteholz at 2022-01-24T00:05:57+01:00
mark CVE-2022-0204 as no-dsa for Stretch

- - - - -
3dbae0dc by Thorsten Alteholz at 2022-01-24T00:11:05+01:00
mark CVE-2021-3979 as no-dsa for Stretch

- - - - -
b62e32b1 by Thorsten Alteholz at 2022-01-24T00:13:38+01:00
mark CVE-2021-45942 as no-dsa for Stretch

- - - - -
39901946 by Thorsten Alteholz at 2022-01-24T00:18:51+01:00
mark CVE-2022-23303 as not-affected for Stretch

- - - - -
1bcc23e6 by Thorsten Alteholz at 2022-01-24T00:23:58+01:00
add wpa

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1607,6 +1607,7 @@ CVE-2022-23304 (The implementations of EAP-pwd in hostapd before 2.10 and wpa_su
 	NOTE: Issue exists because of an incomplete fix for CVE-2019-9495
 CVE-2022-23303 (The implementations of SAE in hostapd before 2.10 and wpa_supplicant b ...)
 	- wpa 2:2.10-1
+	[stretch] - wpa <not-affected> (CVE-2019-9494 was not applied and is marked as ignored)
 	NOTE: https://w1.fi/security/2022-1/
 	NOTE: Issue exists because of an incomplete fix for CVE-2019-9494
 CVE-2022-0264 [bpf: Fix kernel address leakage in atomic fetch]
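Review bot: the justification on the added `[stretch]` line only states the status of CVE-2019-9494 and leaves the reader to work out why that makes stretch not affected; since the entry's own NOTE says this issue exists because of an incomplete fix for CVE-2019-9494, spell the reasoning out in the annotation, e.g. `[stretch] - wpa <not-affected> (Affected code comes from the fix for CVE-2019-9494, which was never applied to stretch and is marked ignored)`, so the not-affected status can be re-checked if that ignored decision is ever revisited.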
@@ -2058,6 +2059,7 @@ CVE-2022-0205
 CVE-2022-0204 [Heap overflow vulnerability in the implementation of the gatt protocol]
 	RESERVED
 	- bluez <unfixed> (bug #1003712)
+	[stretch] - bluez <no-dsa> (Minor issue)
 	NOTE: https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
 	NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=591c546c536b42bef696d027f64aa22434f8c3f0 (5.63)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2039807
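Review bot: `(Minor issue)` is a thin rationale for what the entry's own title calls a heap overflow in the GATT implementation; the NOTE lines already identify the upstream fix (commit 591c546c, 5.63), so record why a DLA is not warranted for stretch (for instance which conditions are needed to reach the affected code) and whether the fix is expected to be picked up in a later stretch update, so the no-dsa decision is auditable.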
@@ -5221,6 +5223,7 @@ CVE-2021-45943 (GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCI
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2021-1651.yaml
 CVE-2021-45942 (OpenEXR 3.1.0 through 3.1.3 has a heap-based buffer overflow in Imf_3_ ...)
 	- openexr <unfixed>
+	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1209
 CVE-2021-45941 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 bytes) in _ ...)
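Review bot: the commit message says CVE-2021-45942 is marked no-dsa for Stretch, but the added line is `[buster] - openexr <no-dsa> (Minor issue)`; either the release tag should be `[stretch]` or the commit message is wrong. Confirm which release was intended before this lands, since a stray buster annotation would suppress the issue for the wrong release while leaving stretch untriaged.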
@@ -11637,6 +11640,7 @@ CVE-2021-3980 (elgg is vulnerable to Exposure of Private Personal Information to
 CVE-2021-3979 [ceph: Ceph volume does not honour osd_dmcrypt_key_size]
 	RESERVED
 	- ceph <unfixed>
+	[stretch] - ceph <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/01/11/5
 CVE-2021-44034
 	RESERVED
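Review bot: the no-dsa line is added while the entry is still RESERVED and the only reference is the oss-security post; add a NOTE pointing at the upstream fix once it is identified so the `(Minor issue)` rationale can be verified, and consider a more concrete reason, as the bracketed title (ceph-volume not honouring osd_dmcrypt_key_size) concerns the key size used for at-rest encryption rather than an obviously cosmetic defect.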


=====================================
data/dla-needed.txt
=====================================
@@ -21,6 +21,8 @@ ansible
 apache2 (Anton)
   NOTE: 20220109: WIP https://salsa.debian.org/lts-team/packages/apache2 (Anton)
 --
+apache-log4j1.2
+--
 apng2gif
   NOTE: 20211229: CVE-2017-6960 was fixed in DLAs for wheezy and jessie
   NOTE: 20211229: but is unfixed in stretch, plus 2 additional CVEs (bunk)
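Review bot: the new `apache-log4j1.2` entry carries no NOTE line, unlike the neighbouring entries (apache2, apng2gif) that record a date, the CVEs involved and who is looking at it; add a `  NOTE: YYYYMMDD: <CVE ids and reason>` line (identifiers to be filled in from data/CVE/list) so the next LTS triager knows which issues this entry is meant to cover.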
@@ -112,5 +114,7 @@ ujson
 --
 vim (Emilio)
 --
+wpa
+  NOTE: 20220124: CVE-2018-9495 has been applied
 zabbix
 --
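Review bot: the added NOTE reads `CVE-2018-9495 has been applied`, but the wpa entries touched in data/CVE/list in this same push refer to CVE-2019-9495 (EAP-pwd) and CVE-2019-9494 (SAE); CVE-2018-9495 looks like a typo for CVE-2019-9495 and should be corrected. The note would also be clearer if it named the issue this leaves open for stretch: with CVE-2022-23303 marked not-affected above, the remaining candidate is CVE-2022-23304, whose NOTE says it exists because of the incomplete fix for CVE-2019-9495, which is presumably why this entry was added.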



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/39ddba5bd08dd748d9b4f2dac2207e63a6ce90f2...1bcc23e6e5eaf733893375a0c5b844b1acc1320f
