[Git][security-tracker-team/security-tracker][master] 4 commits: dla: add thunderbird
Sylvain Beucler (@beuc)
beuc at debian.org
Fri May 27 09:04:40 BST 2022
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
08e3e4cc by Sylvain Beucler at 2022-05-27T10:02:22+02:00
dla: add thunderbird
- - - - -
e7f136de by Sylvain Beucler at 2022-05-27T10:02:22+02:00
dla: add smarty3
- - - - -
a4d0aac5 by Sylvain Beucler at 2022-05-27T10:02:23+02:00
CVE-2022-1851/vim: stretch postponed
- - - - -
d2d6e354 by Sylvain Beucler at 2022-05-27T10:04:17+02:00
dla: add qemu
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -539,6 +539,7 @@ CVE-2022-1851 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...
- vim <unfixed>
[bullseye] - vim <no-dsa> (Minor issue)
[buster] - vim <no-dsa> (Minor issue)
+ [stretch] - vim <postponed> (Minor issue, OOB read)
NOTE: https://huntr.dev/bounties/f8af901a-9a46-440d-942a-8f815b59394d
NOTE: https://github.com/vim/vim/commit/78d52883e10d71f23ab72a3d8b9733b00da8c9ad (v8.2.5013)
CVE-2022-1850 (Path Traversal in GitHub repository filegator/filegator prior to 7.8.0 ...)
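Review bot: the added [stretch] line marks CVE-2022-1851 as <postponed> while the bullseye and buster lines above it carry <no-dsa>, and the parenthetical "(Minor issue, OOB read)" explains the low severity but not why stretch gets a postponed marker instead of the same no-dsa one; if the intent is to fold the fix into the next stretch vim update, state that in the parenthetical so the marker is revisited rather than read as won't-fix. The upstream fix commit and version (v8.2.5013) are already recorded in the NOTE lines, so that update can reference them directly.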
=====================================
data/dla-needed.txt
=====================================
@@ -198,6 +198,10 @@ postgresql-9.6
puppet-module-puppetlabs-firewall
NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc/front-desk)
--
+qemu
+ NOTE: 20220527: a few new CVEs since last DLA, and buster got no updates since 2 years,
+ NOTE: 20220527: so maybe coordinate to start anticipating the next LTS (Beuc/front-desk)
+--
request-tracker4
NOTE: 20220524: Harmonize with Debian 10.11 (1 CVE) (Beuc/front-desk)
--
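Review bot: the qemu NOTE leaves its action item underspecified: "maybe coordinate to start anticipating the next LTS" does not say with whom to coordinate, and "a few new CVEs since last DLA" does not name them, so whoever claims the package has to re-derive the set before acting; suggest listing the CVE ids and the coordination target in the NOTE. Style point: "buster got no updates since 2 years" reads better as "buster has had no updates for 2 years".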
@@ -230,6 +234,10 @@ sleuthkit
slurm-llnl (Thorsten Alteholz)
NOTE: 20220516: Checking the code it looks like the patches will apply so the code is clearly vulnerable.
--
+smarty3
+ NOTE: 20220527: upcoming DSA by apo, but last DLA is recent (this month);
+ NOTE: 20220527: sync or postpone depending on severity (Beuc/front-desk)
+--
snapd
NOTE: 20220308: seems vulnerable at least to setup_private_mount,
NOTE: 20220308: but double check (pochu)
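Review bot: the smarty3 NOTE makes its decision ("sync or postpone depending on severity") hinge on an "upcoming DSA by apo" that is identified by neither CVE nor DSA id, and refers to the last DLA only as "recent (this month)"; record the CVE id(s) the DSA will cover and the DLA id, so the severity call can be made and the entry reconciled once the DSA is published, and so the note stays meaningful after the month changes.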
@@ -254,6 +262,10 @@ systemd
NOTE: 20220524: nor DLA-2715-1; the issue looks somewhat invasive to fix but at the
NOTE: 20220524: same time is severe and was fixed in other old distros (Beuc/front-desk)
--
+thunderbird
+ NOTE: 20220527: DSA-5141-1 & DLA-3020-1 were just released, but thunderbird
+ NOTE: 20220527: is back in dsa-needed.txt with 2 new CVEs (Beuc/front-desk)
+--
tiff (Utkarsh)
NOTE: 20220404: jessie upload at https://salsa.debian.org/lts-team/packages/tiff.
NOTE: 20220404: if that works out well, I'll roll the same for stretch. (utkarsh)
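Review bot: "is back in dsa-needed.txt with 2 new CVEs" names neither CVE, although DSA-5141-1 and DLA-3020-1 are cited by id in the same NOTE; list the two CVE ids as well, otherwise the next reader has to diff dsa-needed.txt against DLA-3020-1 to find the delta that this entry is about.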
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6b5b6f74a1a28cfa8f6a06083cd7e7cfbf6a9d88...d2d6e354c6f6111c596effee91b9d4e666499742