[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri May 6 13:04:13 BST 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0a9201d8 by Moritz Muehlenhoff at 2022-05-06T13:06:18+02:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -36,6 +36,8 @@ CVE-2022-1589
 	RESERVED
 CVE-2022-30292 (thread_call in sqbaselib.cpp in SQUIRREL 3.2 lacks a certain sq_reserv ...)
 	- squirrel3 <unfixed>
+	[bullseye] - squirrel3 <no-dsa> (Minor issue)
+	[buster] - squirrel3 <no-dsa> (Minor issue)
 	NOTE: https://github.com/albertodemichelis/squirrel/commit/a6413aa690e0bdfef648c68693349a7b878fe60d
 CVE-2022-30291
 	RESERVED
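Review bot: the two new `<no-dsa> (Minor issue)` tags for squirrel3 defer the fix to a possible point update, and the hunk already carries the upstream fix commit in the NOTE line, so the deferral is actionable; the one thing missing is whether the buster and bullseye builds actually contain the affected `thread_call` code path from the 3.2 description (the tags assert they do). If that was checked, a short mention in the rationale, e.g. `(Minor issue, code present in both suites)`, would make the triage reproducible.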
@@ -808,6 +810,8 @@ CVE-2022-29974
 	RESERVED
 CVE-2022-29973 (relan exFAT 1.3.0 allows local users to obtain sensitive information ( ...)
 	- fuse-exfat <unfixed>
+	[bullseye] - fuse-exfat <no-dsa> (Minor issue)
+	[buster] - fuse-exfat <no-dsa> (Minor issue)
 	NOTE: https://github.com/relan/exfat/issues/185
 CVE-2022-29972
 	RESERVED
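Review bot: unlike the other entries in this commit, fuse-exfat CVE-2022-29973 only references an upstream issue (`https://github.com/relan/exfat/issues/185`), not a fix, while unstable stays `<unfixed>`. Marking both stable suites `<no-dsa>` is consistent with a local information leak, but the entry will need a follow-up NOTE with the fix commit once upstream lands one, otherwise a later point update has nothing to cherry-pick.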
@@ -2697,10 +2701,14 @@ CVE-2022-29341
 	RESERVED
 CVE-2022-29340 (GPAC 2.1-DEV-rev87-g053aae8-master. has a Null Pointer Dereference vul ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <ignored> (Minor issue)
+	[buster] - gpac <ignored> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/commit/37592ad86c6ca934d34740012213e467acc4a3b0
 	NOTE: https://github.com/gpac/gpac/issues/2163
 CVE-2022-29339 (In GPAC 2.1-DEV-rev87-g053aae8-master, function BS_ReadByte() in utils ...)
 	- gpac <unfixed>
+	[bullseye] - gpac <ignored> (Minor issue)
+	[buster] - gpac <ignored> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/commit/9ea93a2ec8f555ceed1ee27294cf94822f14f10f
 	NOTE: https://github.com/gpac/gpac/issues/2165
 CVE-2022-29338
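Review bot: both gpac entries use `<ignored>` rather than the `<no-dsa>` used everywhere else in this commit, yet carry the identical rationale `(Minor issue)`. `ignored` is the stronger statement (no fix via stable updates either), so its reason should be spelled out rather than reusing the no-dsa wording, particularly since both CVEs already link upstream fix commits (`37592ad8...` and `9ea93a2e...`) that a point update could pick.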
@@ -6371,6 +6379,8 @@ CVE-2022-28067 (An incorrect access control issue in Sandboxie Classic v5.55.13
 	NOT-FOR-US: Sandboxie Classic
 CVE-2022-28066 (Libarchive v3.6.0 was discovered to contain a read memory access vulne ...)
 	- libarchive <unfixed>
+	[bullseye] - libarchive <no-dsa> (Minor issue)
+	[buster] - libarchive <no-dsa> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/issues/1672
 	NOTE: https://github.com/libarchive/libarchive/commit/cfaa28168a07ea4a53276b63068f94fce37d6aff (v3.6.1)
 CVE-2022-28065
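Review bot: the libarchive entry is the best-documented one in the commit, since the NOTE names the fix commit together with its release (`v3.6.1`); the only nit is that the `<no-dsa>` rationale could say that the fix is queued for the next point update rather than the bare `(Minor issue)`, so that the read-out-of-bounds does not get lost once the `<unfixed>` line for unstable is resolved.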
@@ -8225,6 +8235,8 @@ CVE-2022-27338
 	RESERVED
 CVE-2022-27337 (A logic error in the Hints::Hints function of Poppler v22.03.0 allows  ...)
 	- poppler <unfixed>
+	[bullseye] - poppler <no-dsa> (Minor issue)
+	[buster] - poppler <no-dsa> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1230
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/commit/81044c64b9ed9a10ae82a28bac753060bdfdac74 (poppler-22.04.0)
 CVE-2022-27336 (Seacms v11.6 was discovered to contain a remote code execution (RCE) v ...)
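Review bot: the poppler description is scoped to `v22.03.0` and the fix is tagged `poppler-22.04.0`; the hunk tags buster and bullseye as affected-but-minor without saying whether the `Hints::Hints` logic error is present in the much older versions those suites ship. If that check was done, record it; if the code path is absent, `<not-affected>` is the right tag instead of `<no-dsa>`.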
@@ -21893,6 +21905,8 @@ CVE-2022-22966 (An authenticated, high privileged malicious actor with network a
 	NOT-FOR-US: VMware
 CVE-2022-22965 (A Spring MVC or Spring WebFlux application running on JDK 9+ may be vu ...)
 	- libspring-java <unfixed>
+	[bullseye] - libspring-java <no-dsa> (No reverse dependencies in the archive affected)
+	[buster] - libspring-java <no-dsa> (No reverse dependencies in the archive affected)
 	[stretch] - libspring-java <end-of-life> (EOL'd for stretch)
 	NOTE: https://bugalert.org/content/notices/2022-03-30-spring.html
 	NOTE: https://tanzu.vmware.com/security/cve-2022-22965
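Review bot: the rationale `(No reverse dependencies in the archive affected)` for CVE-2022-22965 only covers packages built within Debian; the description itself says the issue hits any Spring MVC or WebFlux application running on JDK 9+, so locally built applications deployed against the packaged libspring-java are outside that reasoning. Worth stating explicitly in the rationale, or adding a NOTE pointing users of the library to the upstream advisory, given unstable remains `<unfixed>` and the entry now carries no stable update at all.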
@@ -21926,9 +21940,10 @@ CVE-2022-22951 (VMware Carbon Black App Control (8.5.x prior to 8.5.14, 8.6.x pr
 	NOT-FOR-US: VMware
 CVE-2022-22950 (n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versi ...)
 	- libspring-java <unfixed>
+	[bullseye] - libspring-java <no-dsa> (Minor issue)
+	[buster] - libspring-java <no-dsa> (Minor issue)
 	[stretch] - libspring-java <end-of-life> (EOL'd for stretch)
 	NOTE: https://tanzu.vmware.com/security/cve-2022-22950
-	TODO: check, no details available
 CVE-2022-22949
 	RESERVED
 CVE-2022-22948 (The vCenter Server contains an information disclosure vulnerability du ...)
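Review bot: this hunk drops `TODO: check, no details available` and replaces it with `<no-dsa> (Minor issue)` for both suites, but the only reference left is the vendor advisory; nothing in the entry shows what was checked to reach "minor". Please add a NOTE with the upstream fix commit or the relevant detail from the advisory so the downgrade from TODO to no-dsa is traceable later.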
@@ -93474,10 +93489,12 @@ CVE-2021-21240 (httplib2 is a comprehensive HTTP client library for Python. In h
 CVE-2021-21239 (PySAML2 is a pure python implementation of SAML Version 2 Standard. Py ...)
 	{DLA-2577-1}
 	- python-pysaml2 6.5.1-1 (bug #980772)
+	[buster] - python-pysaml2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-5p3x-r448-pc62
 	NOTE: https://github.com/IdentityPython/pysaml2/commit/751dbf50a51131b13d55989395f9b115045f9737
 CVE-2021-21238 (PySAML2 is a pure python implementation of SAML Version 2 Standard. Py ...)
 	- python-pysaml2 6.5.1-1 (bug #980773)
+	[buster] - python-pysaml2 <no-dsa> (Minor issue)
 	[stretch] - python-pysaml2 <ignored> (python3-xmlschema not available in stretch for fix)
 	NOTE: https://github.com/IdentityPython/pysaml2/security/advisories/GHSA-f4g9-h89h-jgv9
 	NOTE: https://github.com/IdentityPython/pysaml2/commit/3b707723dcf1bf60677b424aac398c0c3557641d
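Review bot: the two new `[buster] - python-pysaml2 <no-dsa> (Minor issue)` lines sit oddly next to the existing context: CVE-2021-21239 already has `{DLA-2577-1}`, i.e. it was considered worth a stretch LTS update, and CVE-2021-21238 is `<ignored>` for stretch only because `python3-xmlschema` is unavailable there. For 21238 the buster tag implicitly claims that dependency constraint does not apply to buster; for 21239 the fix commit is known and already shipped once. Spelling out the buster-specific reason for deferring both (rather than the generic `(Minor issue)`) would avoid the question being re-asked at the next triage pass.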


=====================================
data/dsa-needed.txt
=====================================
@@ -22,8 +22,6 @@ epiphany-browser
 --
 freecad (aron)
 --
-libspring-java
---
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
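Review bot: removing `libspring-java` from dsa-needed.txt matches the `<no-dsa>` tags added for CVE-2022-22965 and CVE-2022-22950 in data/CVE/list, so the two files stay consistent; the hunk is fine as is. (The `regulary` typo in the unchanged linux context line is pre-existing and not part of this change.)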
@@ -34,8 +32,6 @@ nodejs (jmm)
 --
 puma
 --
-python-pysaml2 (jmm)
---
 qemu/stable
   Maintainer is proposing update for some CVEs, need review
 --
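Review bot: the `python-pysaml2 (jmm)` removal is consistent with the new buster `<no-dsa>` tags for CVE-2021-21239 and CVE-2021-21238, so nothing in dsa-needed.txt still points at an issue that the CVE list now defers; no further change needed in this hunk.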



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a9201d829e82e9d68df93fb48556a0373eb72b7
