[Git][security-tracker-team/security-tracker][master] 2 commits: lrzip DSA
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue May 24 18:39:41 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1f457268 by Moritz Mühlenhoff at 2022-05-24T19:32:42+02:00
lrzip DSA
- - - - -
21db2b49 by Moritz Mühlenhoff at 2022-05-24T19:38:28+02:00
puma DSA
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,3 @@
-
CVE-2022-31598
RESERVED
CVE-2022-31597
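Review bot: The removal of the leading blank line at the top of data/CVE/list is unrelated to either commit subject ("lrzip DSA", "puma DSA"). It would be easier to audit as its own commit, or with a mention in the commit message.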
@@ -14806,8 +14805,6 @@ CVE-2022-26292
CVE-2022-26291 (lrzip v0.641 was discovered to contain a multiple concurrency use-afte ...)
{DLA-2981-1}
- lrzip 0.650-1
- [bullseye] - lrzip <no-dsa> (Minor issue)
- [buster] - lrzip <no-dsa> (Minor issue)
NOTE: https://github.com/ckolivas/lrzip/issues/206
NOTE: https://github.com/ckolivas/lrzip/commit/4b3942103b57c639c8e0f31d6d5fd7bac53bbdf4 (v0.650)
NOTE: clear_rulist() introduced by CVE-2021-27345+CVE-2021-27347 fix
@@ -81066,6 +81063,7 @@ CVE-2021-27348
CVE-2021-27347 (Use after free in lzma_decompress_buf function in stream.c in Irzip 0. ...)
{DLA-2981-1}
- lrzip 0.640-1 (unimportant; bug #990583)
+ [buster] - lrzip 0.631+git180528-1+deb10u1
NOTE: https://github.com/ckolivas/lrzip/issues/165
NOTE: https://github.com/ckolivas/lrzip/commit/be884d09e09b00fbddd31b75dc1f4736d72006a8 (v0.640)
NOTE: Crash in CLI tool, no security impact
@@ -81075,6 +81073,7 @@ CVE-2021-27346
CVE-2021-27345 (A null pointer dereference was discovered in ucompthread in stream.c i ...)
{DLA-2981-1}
- lrzip 0.640-1 (unimportant)
+ [buster] - lrzip 0.631+git180528-1+deb10u1
NOTE: https://github.com/ckolivas/lrzip/issues/164
NOTE: https://github.com/ckolivas/lrzip/commit/be884d09e09b00fbddd31b75dc1f4736d72006a8 (v0.640)
NOTE: Crash in CLI tool, no security impact
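Review bot: Neither this entry nor CVE-2021-27347 in the previous hunk points forward to the regression their fix caused, even though both now record the be884d09 fix as present in buster via `[buster] - lrzip 0.631+git180528-1+deb10u1`. The NOTE under CVE-2022-26291 says clear_rulist() was introduced by the CVE-2021-27345+CVE-2021-27347 fix, so consider a NOTE on both entries referencing CVE-2022-26291, so that anyone backporting be884d09 later also picks up 4b394210. DSA-5145-1 does list CVE-2022-26291 for buster, so the upload itself looks consistent.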
@@ -117627,6 +117626,7 @@ CVE-2020-25468
CVE-2020-25467 (A null pointer dereference was discovered lzo_decompress_buf in stream ...)
{DLA-2981-1}
- lrzip 0.640-1
+ [buster] - lrzip 0.631+git180528-1+deb10u1
NOTE: https://bugs.launchpad.net/ubuntu/+source/lrzip/+bug/1893641
NOTE: https://github.com/ckolivas/lrzip/issues/163
NOTE: https://github.com/ckolivas/lrzip/commit/e74a11c21bb89d1f48632d8a08f6d66eee923a80 (v0.640)
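Review bot: CVE-2020-25467 gets a buster fixed version equal to the DSA-5145-1 upload, yet it is missing from the DSA-5145-1 CVE set in data/DSA/list (`{CVE-2018-5786 CVE-2022-26291 CVE-2022-28044}`) and, unlike CVE-2021-27345 and CVE-2021-27347, is not tagged unimportant. Either add it to the DSA entry or add a NOTE here explaining why it is tracked outside the advisory.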
@@ -276685,8 +276685,6 @@ CVE-2017-18044 (A Command Injection issue was discovered in ContentStore/Base/CV
CVE-2018-5786 (In Long Range Zip (aka lrzip) 0.631, there is an infinite loop and app ...)
{DLA-2981-1}
- lrzip 0.651-2 (bug #888506)
- [bullseye] - lrzip <no-dsa> (Minor issue)
- [buster] - lrzip <no-dsa> (Minor issue)
[jessie] - lrzip <no-dsa> (Minor issue)
[wheezy] - lrzip <no-dsa> (Minor issue)
NOTE: https://github.com/ckolivas/lrzip/issues/91
=====================================
data/DSA/list
=====================================
@@ -1,3 +1,10 @@
+[24 May 2022] DSA-5146-1 puma - security update
+ {CVE-2021-41136 CVE-2022-23634 CVE-2022-24790}
+ [bullseye] - puma 4.3.8-1+deb11u2
+[24 May 2022] DSA-5145-1 lrzip - security update
+ {CVE-2018-5786 CVE-2022-26291 CVE-2022-28044}
+ [buster] - lrzip 0.631+git180528-1+deb10u1
+ [bullseye] - lrzip 0.641-1+deb11u1
[22 May 2022] DSA-5144-1 condor - security update
{CVE-2019-18823 CVE-2022-26110}
[buster] - condor 8.6.8~dfsg.1-2+deb10u1
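Review bot: DSA-5145-1 lists CVE-2022-28044, but no hunk in data/CVE/list touches that entry, while the other two CVEs in the set (CVE-2018-5786, CVE-2022-26291) had their `[bullseye]` and `[buster]` `<no-dsa>` lines removed in this push. Check whether CVE-2022-28044 still carries `<no-dsa>` lines that would now contradict the DSA. The same check applies to the three puma CVEs in DSA-5146-1, none of which appear in the data/CVE/list changes.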
=====================================
data/dsa-needed.txt
=====================================
@@ -37,8 +37,6 @@ ndpi/oldstable
--
nodejs (jmm)
--
-puma
---
rpki-client/stable
new 7.6 release required libretls, which isn't in Bullseye
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/07a81f3a4b85b253dff30fdc8a2a9bd1e7293107...21db2b4984d9c9f4f6de4257c3ba73a547dcac9e