[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2021-45960,expat: Remove no-dsa tag for Stretch

Sun Jan 30 21:00:13 GMT 2022


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e6ca95ac by Markus Koschany at 2022-01-30T21:57:29+01:00
CVE-2021-45960,expat: Remove no-dsa tag for Stretch

- - - - -
99ecc09a by Markus Koschany at 2022-01-30T21:58:50+01:00
Claim apache-log4j1.2, guacamole-client and wpa in dla-needed.txt

- - - - -
27ce04a9 by Markus Koschany at 2022-01-30T22:00:03+01:00
Reserve DLA-2904-1 for expat

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -6614,7 +6614,6 @@ CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or mor
 	- expat 2.4.3-1 (bug #1002994)
 	[bullseye] - expat <no-dsa> (Minor issue; can be fixed via point release)
 	[buster] - expat <no-dsa> (Minor issue; can be fixed via point release)
-	[stretch] - expat <no-dsa> (Minor issue)
 	NOTE: https://github.com/libexpat/libexpat/issues/531
 	NOTE: https://github.com/libexpat/libexpat/pull/534
 CVE-2022-0079 (showdoc is vulnerable to Generation of Error Message Containing Sensit ...)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[30 Jan 2022] DLA-2904-1 expat - security update
+	{CVE-2021-45960 CVE-2021-46143 CVE-2022-22822 CVE-2022-22823 CVE-2022-22824 CVE-2022-22825 CVE-2022-22826 CVE-2022-22827 CVE-2022-23852 CVE-2022-23990}
+	[stretch] - expat 2.2.0-2+deb9u4
 [29 Jan 2022] DLA-2903-1 libraw - security update
 	{CVE-2017-13735 CVE-2017-14265 CVE-2017-14348 CVE-2017-14608 CVE-2017-16909 CVE-2017-16910 CVE-2018-5800 CVE-2018-5801 CVE-2018-5802 CVE-2018-5804 CVE-2018-5805 CVE-2018-5806 CVE-2018-5807 CVE-2018-5808 CVE-2018-5810 CVE-2018-5811 CVE-2018-5812 CVE-2018-5813 CVE-2018-5815 CVE-2018-5817 CVE-2018-5818 CVE-2018-5819 CVE-2018-20363 CVE-2018-20364 CVE-2018-20365}
 	[stretch] - libraw 0.17.2-6+deb9u2


=====================================
data/dla-needed.txt
=====================================
@@ -18,7 +18,7 @@ ansible
   NOTE: 20210411: after that LTS. (apo)
   NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
 --
-apache-log4j1.2
+apache-log4j1.2 (Markus Koschany)
 --
 apache2 (Anton)
   NOTE: 20220109: WIP https://salsa.debian.org/lts-team/packages/apache2 (Anton)
@@ -37,8 +37,6 @@ debian-archive-keyring
   NOTE: 20211018: Jonathan is prepping the branch; will work
   NOTE: 20211018: with him and upload and publish the DLA. (utkarsh)
 --
-expat (Markus Koschany)
---
 firmware-nonfree
   NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
   NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
@@ -56,7 +54,7 @@ gpac (Roberto C. Sánchez)
   NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto)
   NOTE: 20211228: Returning to active work on this now that llvm/rustc update is complete (roberto)
 --
-guacamole-client
+guacamole-client (Markus Koschany)
   NOTE: 20220114: package unmaintained AFAICS and only present in stretch (Beuc)
 --
 libarchive (Thorsten Alteholz)
@@ -93,7 +91,7 @@ ujson (Anton)
 --
 vim (Emilio)
 --
-wpa
+wpa (Markus Koschany)
   NOTE: 20220124: CVE-2018-9495 has been applied
 --
 zabbix (Sylvain Beucler)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b663d5723c0cfd7a64fd47a33e78aa15cdb087d5...27ce04a95a8a22ee9fd206b18c1c1f8986728bec

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b663d5723c0cfd7a64fd47a33e78aa15cdb087d5...27ce04a95a8a22ee9fd206b18c1c1f8986728bec
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220130/22a74317/attachment-0001.htm>
