[Git][security-tracker-team/security-tracker][master] 4 commits: Added needrestart to dla-needed since CVE-2022-30688 is already fixed in buster.
Ola Lundqvist (@opal)
opal at debian.org
Tue May 17 20:47:22 BST 2022
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
eb34768a by Ola Lundqvist at 2022-05-17T21:45:49+02:00
Added needrestart to dla-needed since CVE-2022-30688 is already fixed in buster.
- - - - -
77d25545 by Ola Lundqvist at 2022-05-17T21:45:49+02:00
Added elog to dla-needed with a note to check if it should be postponed or not.
- - - - -
f466ab61 by Ola Lundqvist at 2022-05-17T21:45:50+02:00
Marked CVE-2022-28368 as not-affected for php-dompdf. Checked the code and really tried to find any code that resembles the vulnerable code and could not find anything. So this must mean that the code is not vulnerable.
- - - - -
ad3b6a50 by Ola Lundqvist at 2022-05-17T21:45:51+02:00
Marked CVE-2022-29162 as not-affected for runc in stretch. There is no trace of inheritable capabilities anywhere in the code.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5075,6 +5075,7 @@ CVE-2022-29163
CVE-2022-29162
RESERVED
- runc <unfixed>
+ [stretch] - runc <not-affected> (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2022/05/12/1
NOTE: https://github.com/opencontainers/runc/commit/364ec0f1b4fa188ad96049c590ecb42fa70ea165 (v1.1.2)
NOTE: https://github.com/opencontainers/runc/commit/98fe566c527479195ce3c8167136d2a555fe6b65 (main)
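Review bot: the new `[stretch] - runc <not-affected> (Vulnerable code not present)` line carries only the generic justification, while the actual basis given in the commit message (no trace of inheritable capabilities anywhere in the stretch code) is not recorded in the entry itself. Suggest adding a NOTE line under it stating what was checked, for example `NOTE: stretch: no code handling inheritable capabilities present`, so a later triager can re-verify the not-affected status against the two linked upstream fix commits without going back to the commit history.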
@@ -7163,6 +7164,7 @@ CVE-2022-28369
RESERVED
CVE-2022-28368 (Dompdf 1.2.1 allows remote code execution via a .php file in the src:u ...)
- php-dompdf <unfixed> (bug #1010090)
+ [stretch] - php-dompdf <not-affected> (Vulnerable code not present)
NOTE: https://snyk.io/blog/security-alert-php-pdf-library-dompdf-rce/
NOTE: https://positive.security/blog/dompdf-rce
NOTE: https://github.com/dompdf/dompdf/issues/2598
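Review bot: the `[stretch] - php-dompdf <not-affected> (Vulnerable code not present)` line rests, per the commit message, on not finding code that resembles the vulnerable code rather than on positively identifying that the affected code path is absent, and a not-affected marking based on a negative search should record what was searched for. Suggest a NOTE line below it naming the stretch version inspected and the code path checked (the handling of a `.php` file in `src` named in the CVE description, as analysed in the snyk and positive.security references), so the conclusion can be re-checked if those write-ups turn out to cover a different entry point than the one inspected.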
=====================================
data/dla-needed.txt
=====================================
@@ -56,6 +56,10 @@ debian-security-support (Utkarsh)
NOTE: 20220502: backport prepped, will contact Holger for more details. (utkarsh)
NOTE: 20220516: in review, will also co-help Holger to maintain this. (utkarsh)
--
+elog
+ NOTE: 20220517: Please check further. It looks like a denial of service can be triggered remotely without
+ NOTE: 20220517: authentication. If that is the case it should be fixed. If it cannot be triggered remotely then it can be postponed.
+--
exempi
NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further analysis
NOTE: 20220517: is needed.
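Review bot: the new `elog` entry's NOTE does not name the issue it refers to, so whoever picks it up cannot tell which CVE the "denial of service ... remotely without authentication" question is about. Suggest prefixing the note with the id, e.g. `+ NOTE: 20220517: CVE-XXXX-XXXXX (placeholder for the tracked issue): Please check further. ...`. As a style point, the second NOTE line runs well past the width used by the neighbouring entries (compare the wrapped exempi note just below); wrapping it the same way keeps the file readable in a terminal.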
@@ -120,6 +124,9 @@ mbedtls (Utkarsh)
mysql-connector-java
NOTE: 20220512: Requires a new upstream version. (apo)
--
+needrestart
+ NOTE: 20220517: Source code is vulnerable also in stretch. Should be easy to fix.
+--
ntfs-3g
NOTE: 20220515: Please recheck. There are currently not enough information
NOTE: available. (apo)
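Review bot: the `needrestart` NOTE omits both the CVE id and the fact that buster already carries a fix, although the commit message states both (CVE-2022-30688 is already fixed in buster). Recording them in the entry, e.g. `+ NOTE: 20220517: CVE-2022-30688; fixed in buster. Source code is vulnerable also in stretch. Should be easy to fix.`, gives whoever claims the package a direct pointer to the buster change to backport instead of having to rediscover it.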
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/34c59c36c72f22d4c96bddb2a5e8b00c4874261d...ad3b6a50914eb47d1dd9c4466118326e8163c0b5