[Git][security-tracker-team/security-tracker][master] 4 commits: lts: CVE-2022-24613 and CVE-2022-24614 no-dsa for stretch
Emilio Pozuelo Monfort (@pochu)
pochu at debian.org
Wed Mar 9 08:32:25 GMT 2022
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker
Commits:
56a25436 by Emilio Pozuelo Monfort at 2022-03-09T09:31:59+01:00
lts: CVE-2022-24613 and CVE-2022-24614 no-dsa for stretch
- - - - -
3656fd2e by Emilio Pozuelo Monfort at 2022-03-09T09:32:00+01:00
lts: triage bluez mesh issues as n/a on stretch
- - - - -
89ad468d by Emilio Pozuelo Monfort at 2022-03-09T09:32:01+01:00
lts: CVE-2021-4209/gnutls28 postponed on stretch
- - - - -
9ffe018f by Emilio Pozuelo Monfort at 2022-03-09T09:32:01+01:00
lts: add gerbv
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5711,11 +5711,13 @@ CVE-2022-24614 (When reading a specially crafted JPEG file, metadata-extractor u
- libmetadata-extractor-java <unfixed>
[bullseye] - libmetadata-extractor-java <no-dsa> (Minor issue)
[buster] - libmetadata-extractor-java <no-dsa> (Minor issue)
+ [stretch] - libmetadata-extractor-java <no-dsa> (Minor issue)
NOTE: https://github.com/drewnoakes/metadata-extractor/issues/561
CVE-2022-24613 (metadata-extractor up to 2.16.0 can throw various uncaught exceptions ...)
- libmetadata-extractor-java <unfixed>
[bullseye] - libmetadata-extractor-java <no-dsa> (Minor issue)
[buster] - libmetadata-extractor-java <no-dsa> (Minor issue)
+ [stretch] - libmetadata-extractor-java <no-dsa> (Minor issue)
NOTE: https://github.com/drewnoakes/metadata-extractor/issues/561
CVE-2022-24612 (An authenticated user can upload an XML file containing an XSS via the ...)
NOT-FOR-US: EyesOfNetwork (EON) eonweb
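Review bot: the two new `[stretch] - libmetadata-extractor-java <no-dsa> (Minor issue)` lines mirror the bullseye and buster triage, but both CVE entries still carry only `<unfixed>` for unstable and point at the same upstream issue (issues/561); if the no-dsa decision is to be revisited later, a NOTE recording the fixing upstream version, once known, would make that check easier.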
@@ -8562,7 +8564,9 @@ CVE-2022-0340
CVE-2021-4209
RESERVED
- gnutls28 3.7.3-2
+ [stretch] - gnutls28 <postponed> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044156
+ NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1306
NOTE: https://gitlab.com/gnutls/gnutls/-/merge_requests/1503
NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/3db352734472d851318944db13be73da61300568 (3.7.3)
CVE-2022-24300 (Minetest before 5.4.0 allows attackers to add or modify arbitrary meta ...)
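Review bot: the stretch line marks gnutls28 `<postponed> (Minor issue)` while the entry's description is still `RESERVED`; since the existing NOTE already identifies the upstream fix commit (3.7.3) and the new NOTE adds the upstream issue, consider re-checking the severity and the stretch tag once the CVE text is published.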
@@ -99686,11 +99690,13 @@ CVE-2020-26561 (** UNSUPPORTED WHEN ASSIGNED ** Belkin LINKSYS WRT160NL 1.0.04.0
NOT-FOR-US: Belkin
CVE-2020-26560 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0. ...)
- bluez <unfixed> (bug #1006406)
+ [stretch] - bluez <not-affected> (Mesh support introduced later)
NOTE: https://kb.cert.org/vuls/id/799380
NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/impersonation-mesh/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1959994
CVE-2020-26559 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0. ...)
- bluez <unfixed> (bug #1006406)
+ [stretch] - bluez <not-affected> (Mesh support introduced later)
NOTE: https://kb.cert.org/vuls/id/799380
NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/authvalue-leak/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960011
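Review bot: the `[stretch] - bluez <not-affected> (Mesh support introduced later)` rationale is clear for CVE-2020-26560 and CVE-2020-26559, but no buster line is added in either entry; if buster's bluez also predates mesh support it should get the same tag, otherwise it remains implicitly affected via the `<unfixed>` line.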
@@ -99707,11 +99713,13 @@ CVE-2020-26558 (Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specifi
NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738
CVE-2020-26557 (Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may perm ...)
- bluez <unfixed> (bug #1006406)
+ [stretch] - bluez <not-affected> (Mesh support introduced later)
NOTE: https://kb.cert.org/vuls/id/799380
NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/predicatable-authvalue/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960009
CVE-2020-26556 (Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may perm ...)
- bluez <unfixed>
+ [stretch] - bluez <not-affected> (Mesh support introduced later)
NOTE: https://kb.cert.org/vuls/id/799380
NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/malleable/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960012
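Review bot: the unstable line for CVE-2020-26556 reads `- bluez <unfixed>` without the `(bug #1006406)` reference carried by the sibling bluez mesh entries (CVE-2020-26557, -26559, -26560); if the same Debian bug tracks this one, add the reference for consistency, and the buster question from the previous hunk applies here too.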
=====================================
data/dla-needed.txt
=====================================
@@ -39,6 +39,8 @@ firmware-nonfree (Markus Koschany)
NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
NOTE: 20211207: Intend to release this week.
--
+gerbv
+--
gpac (Roberto C. Sánchez)
NOTE: 20211101: coordinating with secteam for s-p-u since stretch/buster versions match (roberto)
NOTE: 20211120: received OK from secteam for buster update, working on stretch/buster in parallel (roberto)
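Review bot: `gerbv` is added to dla-needed.txt with no claimant and no NOTE, whereas the neighbouring entries (firmware-nonfree, gpac) carry dated NOTE lines with status; a NOTE naming the CVE(s) that triggered the addition would help whoever picks it up.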
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1b7a6286733bc7e23ca1a7bea0e8834dca8f1bab...9ffe018f6dff68113873397e052806a33cb32af0