[Git][security-tracker-team/security-tracker][master] 11 commits: Mark CVE-2021-22060/libspring-java as end-of-life for stretch
Utkarsh Gupta (@utkarsh)
utkarsh at debian.org
Sun Jan 30 22:49:04 GMT 2022
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9e758159 by Utkarsh Gupta at 2022-01-31T04:18:39+05:30
Mark CVE-2021-22060/libspring-java as end-of-life for stretch
- - - - -
05fc5d74 by Utkarsh Gupta at 2022-01-31T04:18:39+05:30
Add librecad to dla-needed
- - - - -
908c369f by Utkarsh Gupta at 2022-01-31T04:18:39+05:30
Add minetest to dla-needed
- - - - -
176f894d by Utkarsh Gupta at 2022-01-31T04:18:39+05:30
Add spip to dla-needed
- - - - -
efa303fd by Utkarsh Gupta at 2022-01-31T04:18:39+05:30
Add varnish to dla-needed
- - - - -
811c7935 by Utkarsh Gupta at 2022-01-31T04:18:39+05:30
Mark CVE-2022-23935/libimage-exiftool-perl as no-dsa for stretch
- - - - -
0f0c3fb0 by Utkarsh Gupta at 2022-01-31T04:18:40+05:30
Mark CVE-2021-45340/libsixel as no-dsa for stretch
- - - - -
023c6825 by Utkarsh Gupta at 2022-01-31T04:18:41+05:30
Mark CVE-2021-45942/openexr as no-dsa for stretch
- - - - -
ea63c9de by Utkarsh Gupta at 2022-01-31T04:18:41+05:30
Mark CVE-2021-4160/openssl as no-dsa for stretch
- - - - -
c71327c3 by Utkarsh Gupta at 2022-01-31T04:18:42+05:30
Mark CVE-2022-23807/phpmyadmin as not-affected at all
- - - - -
34982fa7 by Utkarsh Gupta at 2022-01-31T04:18:43+05:30
Mark CVE-2022-23808/phpmyadmin as not-affected at all
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -841,6 +841,7 @@ CVE-2022-23935 (lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $fil
- libimage-exiftool-perl 12.38+dfsg-1
[bullseye] - libimage-exiftool-perl <no-dsa> (Minor issue)
[buster] - libimage-exiftool-perl <no-dsa> (Minor issue)
+ [stretch] - libimage-exiftool-perl <no-dsa> (Minor issue)
NOTE: https://github.com/exiftool/exiftool/commit/74dbab1d2766d6422bb05b033ac6634bf8d1f582 (12.38)
CVE-2022-23934
RESERVED
@@ -1499,14 +1500,18 @@ CVE-2021-4208
CVE-2022-23809
RESERVED
CVE-2022-23808 (An issue was discovered in phpMyAdmin 5.1 before 5.1.2. An attacker ca ...)
- - phpmyadmin <unfixed>
+ - phpmyadmin <not-affected> (2FA is not packaged yet and the setup is not available to be used)
NOTE: https://www.phpmyadmin.net/security/PMASA-2022-2/
NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/5118acce1dfcdb09cbc0f73927bf51c46feeaf38
NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/44eb12f15a562718bbe54c9a16af91ceea335d59
+ NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/28 (setup not available)
+ NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/3 (missing 2FA packages)
CVE-2022-23807 (An issue was discovered in phpMyAdmin 4.9 before 4.9.8 and 5.1 before ...)
- - phpmyadmin <unfixed>
+ - phpmyadmin <not-affected> (2FA is not packaged yet and the setup is not available to be used)
NOTE: https://www.phpmyadmin.net/security/PMASA-2022-1/
NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/ca54f1db050859eb8555875c6aa5d7796fdf4b32
+ NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/28 (setup not available)
+ NOTE: https://salsa.debian.org/phpmyadmin-team/phpmyadmin/-/issues/3 (missing 2FA packages)
CVE-2022-23806
RESERVED
CVE-2022-23805
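Review bot: the same combined reason string, "2FA is not packaged yet and the setup is not available to be used", is used on both the CVE-2022-23808 and the CVE-2022-23807 lines, while the two linked salsa issues describe two separate conditions (#3 missing 2FA packages, #28 setup not available); each entry should name only the condition that actually makes that CVE unreachable in the Debian package, e.g. `- phpmyadmin <not-affected> (setup is not shipped, see salsa issue #28)`, so that the two entries can be re-evaluated independently when either issue is closed. Note also that an untagged `<not-affected>` replaces the previous `<unfixed>` for every suite, so this assumes none of the suites ships the setup or the 2FA dependencies; once salsa #3 or #28 is resolved the affected entry needs to go back to `<unfixed>`.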
@@ -6702,6 +6707,7 @@ CVE-2021-45943 (GDAL 3.3.0 through 3.4.0 has a heap-based buffer overflow in PCI
CVE-2021-45942 (OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in Imf_3_1 ...)
- openexr <unfixed>
[buster] - openexr <no-dsa> (Minor issue)
+ [stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1209
CVE-2021-45941 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 bytes) in _ ...)
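Review bot: the CVE text on the CVE-2021-45942 line restricts the issue to OpenEXR 3.1.x before 3.1.4 (the overflow is in Imf_3_1), yet the new [stretch] line uses `<no-dsa> (Minor issue)` rather than `<not-affected>`; confirm that the openexr version in stretch actually contains the affected code path (the referenced upstream PR #1209 shows which files were touched) and, if it does not, mark stretch `<not-affected>` so the issue does not linger in the LTS lists.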
@@ -8134,6 +8140,7 @@ CVE-2021-4160 (There is a carry propagation bug in the MIPS32 and MIPS64 squarin
- openssl 1.1.1m-1
[bullseye] - openssl <no-dsa> (Minor issue)
[buster] - openssl <no-dsa> (Minor issue)
+ [stretch] - openssl <no-dsa> (Minor issue)
NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb (OpenSSL_1_1_1m)
NOTE: https://mta.openssl.org/pipermail/openssl-announce/2022-January/000214.html
NOTE: https://www.openssl.org/news/secadv/20220128.txt
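Review bot: the [stretch] `<no-dsa> (Minor issue)` line for CVE-2021-4160 mirrors buster and bullseye, but the only fix reference recorded is the OpenSSL_1_1_1m commit (e9e72650...), which is on the 1.1.1 branch; if this is ever picked up for an LTS update the corresponding change for the OpenSSL branch shipped in stretch has to be located first, so a NOTE pointing at that commit would save time later. Also, stretch carries mips, mipsel and mips64el as release architectures, so the "Minor issue" rating should rest on the advisory's own exploitability assessment of the MIPS squaring bug, not on the architectures being absent.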
@@ -8908,6 +8915,7 @@ CVE-2021-45340 (In Libsixel prior to and including v1.10.3, a NULL pointer deref
- libsixel <unfixed> (bug #1004377)
[bullseye] - libsixel <no-dsa> (Minor issue)
[buster] - libsixel <no-dsa> (Minor issue)
+ [stretch] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/libsixel/libsixel/issues/51
NOTE: Fixed by: https://github.com/libsixel/libsixel/pull/52
CVE-2021-45339 (Privilege escalation vulnerability in Avast Antivirus prior to 20.4 al ...)
@@ -70960,6 +70968,7 @@ CVE-2021-22061
RESERVED
CVE-2021-22060 (In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older ...)
- libspring-java <unfixed>
+ [stretch] - libspring-java <end-of-life> (EOL'd for stretch)
NOTE: follow-up to CVE-2021-22096
NOTE: https://tanzu.vmware.com/security/cve-2021-22060
CVE-2021-22059
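Review bot: the new [stretch] `<end-of-life>` line for CVE-2021-22060 sits under an entry whose unstable state is still `<unfixed>` and which has no buster or bullseye lines; since the NOTE says this is a follow-up to CVE-2021-22096, check that the CVE-2021-22096 entry carries the same `[stretch] - libspring-java <end-of-life> (EOL'd for stretch)` marking and reason text so the two related entries stay consistent.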
=====================================
data/dla-needed.txt
=====================================
@@ -64,10 +64,15 @@ libarchive (Thorsten Alteholz)
libgit2 (Utkarsh)
NOTE: 20220125: got clearance. will upload this week. (utkarsh)
--
+librecad
+--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
+minetest
+ NOTE: 20220130: double check for impact. (utkarsh)
+--
openjdk-8 (Emilio)
--
pgbouncer
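Review bot: librecad is added without a NOTE, while the other additions in this series (minetest, spip, varnish) each carry a dated NOTE; add a `NOTE: 20220130: ...` line naming the CVE(s) that put it on the list so whoever claims it does not have to rediscover the trigger.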
@@ -86,9 +91,16 @@ samba (Utkarsh Gupta)
NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh)
NOTE: 20220125: ftbfs, wip. (utkarsh)
--
+spip
+ NOTE: 20220130: git.spip.net doesn't load for me atm, so check. :) (utkarsh)
+--
ujson (Anton)
NOTE: 20220121: please reheck, at least the mentioned function is available in Stretch
--
+varnish
+ NOTE: 20220130: also fix no-dsa issues. (utkarsh)
+ NOTE: 20220130: VRB_Ignore function is very different from what's in the patch. (utkarsh)
+--
vim (Emilio)
--
wpa (Markus Koschany)
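Review bot: the varnish NOTE "also fix no-dsa issues" does not say which issues; listing the CVE ids in the NOTE would let the eventual DLA be prepared from this entry alone, and the second NOTE about VRB_Ignore differing from the patch should say which upstream patch was compared so the next person can pick up from there. The spip NOTE records only that git.spip.net was unreachable; once it is reachable, replace it with the upstream commit reference so the entry carries the fix pointer.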
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/50b5939d4ff47cea06ba1862964a3cb225a9a68d...34982fa7b201b730fa6c8cff987430f27a1bf11b
--
You're receiving this email because of your account on salsa.debian.org.