[Git][security-tracker-team/security-tracker][master] 2 commits: dla: add golang-github-hashicorp-go-getter
Sylvain Beucler (@beuc)
beuc at debian.org
Sat May 28 08:09:55 BST 2022
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d87287a3 by Sylvain Beucler at 2022-05-28T09:09:36+02:00
dla: add golang-github-hashicorp-go-getter
- - - - -
5c60ad70 by Sylvain Beucler at 2022-05-28T09:09:36+02:00
dla: clarify triage following IRC question
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
=====================================
data/dla-needed.txt
=====================================
@@ -23,7 +23,7 @@ asterisk (Abhijith PA)
NOTE: 20220424: programming language C
--
avahi
- NOTE: 20220523: Harmonize with Debian 10.9 (1 Debian-specific CVE) (Beuc/front-desk)
+ NOTE: 20220523: Follow buster: harmonize with with Debian 10.9 (1 Debian-specific CVE) (Beuc/front-desk)
--
cgal
NOTE: 20220421: many no-dsa issues, please check, whether it is possible to fix them without uploading a new upstream release (Anton)
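Review bot: The added avahi line reads "harmonize with with Debian 10.9", with "with" doubled, and the same slip is on every "+ NOTE: ... Follow buster:" line in this patch, which suggests a search-and-replace artefact. Redo the substitution so that "Harmonize with" becomes "Follow buster: harmonize with", leaving a single "with" on each line.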
@@ -42,7 +42,7 @@ curl (Emilio)
NOTE: 20220510: Programming language C.
--
cyrus-imapd
- NOTE: 20220523: Harmonize with DSA-4590-1 and Debian 10.11 (2 CVEs) (Beuc/front-desk)
+ NOTE: 20220523: Follow buster: harmonize with with DSA-4590-1 and Debian 10.11 (2 CVEs) (Beuc/front-desk)
--
debian-security-support (Utkarsh)
NOTE: 20220402: need to update the list of unsupported packages (Beuc/front-desk)
@@ -52,7 +52,7 @@ debian-security-support (Utkarsh)
NOTE: 20220516: in review, will also co-help Holger to maintain this. (utkarsh)
--
dpdk
- NOTE: 20220523: Harmonize with Debian 10.7 (5 CVEs) (Beuc/front-desk)
+ NOTE: 20220523: Follow buster: harmonize with with Debian 10.7 (5 CVEs) (Beuc/front-desk)
--
exempi
NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further analysis
@@ -72,16 +72,20 @@ gerbv
NOTE: 20220326: CVE-2021-4040{0,2,3} do not have confirmed upstream fixes yet. (Anton)
--
glib2.0
- NOTE: 20220523: Harmonize with Debian 10.10 (3 CVEs) (Beuc/front-desk)
+ NOTE: 20220523: Follow buster: harmonize with with Debian 10.10 (3 CVEs) (Beuc/front-desk)
+--
+golang-github-hashicorp-go-getter
+ NOTE: 20220528: limited golang support in stretch (cf. stretch release notes)
+ NOTE: 20220528: no rdeps AFAICS so no need to rebuild other golang packages (Beuc/front-desk)
--
golang-go.crypto
NOTE: 20220331: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1; also check buster status (Beuc/front-desk)
--
haproxy
- NOTE: 20220523: Harmonize with Debian 10.0 and 10.6 (3 CVEs) (Beuc/front-desk)
+ NOTE: 20220523: Follow buster: harmonize with with Debian 10.0 and 10.6 (3 CVEs) (Beuc/front-desk)
--
horizon
- NOTE: 20220523: Harmonize with DSA-4820-1 (1 CVE) (Beuc/front-desk)
+ NOTE: 20220523: Follow buster: harmonize with with DSA-4820-1 (1 CVE) (Beuc/front-desk)
NOTE: 20220523: part of OpenStack (Beuc/front-desk)
--
icingaweb2 (Abhijith PA)
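Review bot: The new golang-github-hashicorp-go-getter entry does not say which issues it was added for, whereas the neighbouring entries give a CVE count and the buster point release or DSA to follow. Add that to the first NOTE, and record how the "no rdeps AFAICS" check was made so that whoever claims the package can repeat it before deciding that no other golang packages need a rebuild.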
@@ -93,21 +97,21 @@ intel-microcode
NOTE: 20220213: please recheck
--
isync
- NOTE: 20220523: Harmonize with Debian 10.10 and possibly 11.2 (3 CVEs) (Beuc/front-desk)
+ NOTE: 20220523: Follow buster: harmonize with with Debian 10.10 and possibly 11.2 (3 CVEs) (Beuc/front-desk)
--
kvmtool
NOTE: 20220402: stretch-specific, orphaned package (Beuc/front-desk)
NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc/front-desk)
--
lemonldap-ng
- NOTE: 20220523: Harmonize with Debian 10.4 (1 CVE) and 10.5 (regression fix) (Beuc/front-desk)
+ NOTE: 20220523: Follow buster: harmonize with with Debian 10.4 (1 CVE) and 10.5 (regression fix) (Beuc/front-desk)
--
libdbi-perl
- NOTE: 20220523: Harmonize with Debian 10.8 (CVE-2014-10402 is a follow-up to CVE-2014-10401
+ NOTE: 20220523: Follow buster: harmonize with with Debian 10.8 (CVE-2014-10402 is a follow-up to CVE-2014-10401
NOTE: 20220523: which was fixed before stretch, buster's debian/changelog is incorrect) (Beuc/front-desk)
--
libjpeg-turbo
- NOTE: 20220523: Harmonize with Debian 10.7 (only 1 CVE but last
+ NOTE: 20220523: Follow buster: harmonize with with Debian 10.7 (only 1 CVE but last
NOTE: 20220523: stretch update back in 2020 and possible RCE) (Beuc/front-desk)
--
liblouis
@@ -124,10 +128,10 @@ linux (Ben Hutchings)
linux-4.19 (Ben Hutchings)
--
mailman
- NOTE: 20220523: Harmonize with Debian 10.12 (3 CVEs, regression fixes) (Beuc/front-desk)
+ NOTE: 20220523: Follow buster: harmonize with with Debian 10.12 (3 CVEs, regression fixes) (Beuc/front-desk)
--
manila
- NOTE: 20220523: Harmonize with Debian 10.4 (1 CVE) (Beuc/front-desk)
+ NOTE: 20220523: Follow buster: harmonize with with Debian 10.4 (1 CVE) (Beuc/front-desk)
NOTE: 20220523: part of OpenStack (Beuc/front-desk)
--
mariadb-10.1
@@ -142,16 +146,16 @@ mbedtls (Utkarsh)
NOTE: 20220516: be squeezed in. waiting on -pu. (utkarsh)
--
modsecurity-apache (Chris Lamb)
- NOTE: 20220524: Harmonize with DSA-5023-1 (1 CVE) (Beuc/front-desk)
+ NOTE: 20220524: Follow buster: harmonize with with DSA-5023-1 (1 CVE) (Beuc/front-desk)
--
modsecurity-crs
- NOTE: 20220524: Harmonize with Debian 10.2 and 10.11 (2 CVEs) (Beuc/front-desk)
+ NOTE: 20220524: Follow buster: harmonize with with Debian 10.2 and 10.11 (2 CVEs) (Beuc/front-desk)
--
mysql-connector-java (Markus Koschany)
NOTE: 20220512: Requires a new upstream version. (apo)
--
ncurses
- NOTE: 20220524: Harmonize with Debian 10.2 (2-3 CVEs + some non-CVE'd issues) (Beuc/front-desk)
+ NOTE: 20220524: Follow buster: harmonize with with Debian 10.2 (2-3 CVEs + some non-CVE'd issues) (Beuc/front-desk)
--
ntfs-3g
NOTE: 20220515: Please recheck. There are currently not enough information
@@ -166,11 +170,11 @@ nvidia-graphics-drivers
NOTE: 20220209: backport (apo)
--
openscad
- NOTE: 20220524: Harmonize with Debian 10.12 (1 CVE) (Beuc/front-desk)
+ NOTE: 20220524: Follow buster: harmonize with with Debian 10.12 (1 CVE) (Beuc/front-desk)
NOTE: 20220524: vulnerable code for CVE-2020-28599 is in src/import.cc (Beuc/front-desk)
--
pam-u2f
- NOTE: 20220524: Harmonize with Debian 10.1 (2 CVEs + some non-CVE'd fixes) (Beuc/front-desk)
+ NOTE: 20220524: Follow buster: harmonize with with Debian 10.1 (2 CVEs + some non-CVE'd fixes) (Beuc/front-desk)
--
pdns
NOTE: 20220402: harmonize with buster/10.8 (Beuc/front-desk)
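Review bot: The pdns context line at the end of this hunk still reads "harmonize with buster/10.8", while openscad and pam-u2f above it now start with "Follow buster:". If the aim of the commit is to make the triage reason uniform, pdns should get the same prefix; as it stands, a search for "Follow buster" in dla-needed.txt will miss it.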
@@ -185,10 +189,10 @@ pjproject (Abhijith PA)
NOTE: 20220527: Same CVE asterisk (abhijith)
--
plinth
- NOTE: 20220524: Harmonize with Debian 10.7 and 10.10 (2 CVEs) (Beuc/front-desk)
+ NOTE: 20220524: Follow buster: harmonize with with Debian 10.7 and 10.10 (2 CVEs) (Beuc/front-desk)
--
pngcheck
- NOTE: 20220524: Harmonize with Debian 10.8 (1 CVE) (Beuc/front-desk)
+ NOTE: 20220524: Follow buster: harmonize with with Debian 10.8 (1 CVE) (Beuc/front-desk)
--
postgresql-9.6
NOTE: 20220523: cf. DSA-5135-1/DSA-5136-1 (Beuc/front-desk)
@@ -204,7 +208,7 @@ qemu
NOTE: 20220527: so maybe coordinate to start anticipating the next LTS (Beuc/front-desk)
--
request-tracker4
- NOTE: 20220524: Harmonize with Debian 10.11 (1 CVE) (Beuc/front-desk)
+ NOTE: 20220524: Follow buster: harmonize with with Debian 10.11 (1 CVE) (Beuc/front-desk)
--
ring
NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc
@@ -214,7 +218,7 @@ ring
NOTE: 20220526: Re pinged Debian maintainer and Pinged upstream for help. (abhijith)
--
ros-ros-comm
- NOTE: 20220524: Harmonize with Debian 10.7 and 10.12 (2 CVEs) (Beuc/front-desk)
+ NOTE: 20220524: Follow buster: harmonize with with Debian 10.7 and 10.12 (2 CVEs) (Beuc/front-desk)
--
ruby-devise-two-factor
NOTE: 20220427: Patch does not apply cleanly to LTS version, may be due to this being the result
@@ -230,7 +234,7 @@ samba
NOTE: 20220125: ftbfs, wip. (utkarsh)
--
sleuthkit
- NOTE: 20220524: Harmonize with Debian 10.0 and 10.7 (2 CVEs) (Beuc/front-desk)
+ NOTE: 20220524: Follow buster: harmonize with with Debian 10.0 and 10.7 (2 CVEs) (Beuc/front-desk)
--
slurm-llnl (Thorsten Alteholz)
NOTE: 20220516: Checking the code it looks like the patches will apply so the code is clearly vulnerable.
@@ -276,7 +280,7 @@ tiff (Utkarsh)
NOTE: 20220513: that are already applied and tested and re-add tiff here. (utkarsh)
--
ublock-origin
- NOTE: 20220524: Harmonize with Debian 10.11 (1 CVE) (Beuc/front-desk)
+ NOTE: 20220524: Follow buster: harmonize with with Debian 10.11 (1 CVE) (Beuc/front-desk)
--
unzip
NOTE: 20220319: no patches yet but reproducible (apo)
@@ -286,6 +290,3 @@ unzip
vlc
NOTE: 20220524: Consider bumping to 3.12 (or later) as in DSA-4834-1 (Beuc/front-desk)
--
-zipios++ (Thorsten Alteholz)
- NOTE: 20220524: Harmonize with Debian 10.5 (1 CVE) (Beuc/front-desk)
---
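Review bot: The zipios++ (Thorsten Alteholz) entry is dropped at the end of the file, but neither commit subject ("dla: add golang-github-hashicorp-go-getter", "dla: clarify triage following IRC question") mentions a removal. Put the removal in its own commit, or name it in the message along with the reason, so the history of dla-needed.txt explains why a claimed package left the list.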
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f4ddfb3d425e9109125cf0b0d94582f241de93ab...5c60ad709349cfbbc56a225f15063a41801a7694