[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2022-1897,CVE-2022-1898/vim: stretch postponed

Sylvain Beucler (@beuc) beuc at debian.org
Sat May 28 09:05:32 BST 2022



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
11747c06 by Sylvain Beucler at 2022-05-28T10:04:53+02:00
CVE-2022-1897,CVE-2022-1898/vim: stretch postponed

- - - - -
c39411f3 by Sylvain Beucler at 2022-05-28T10:04:54+02:00
CVE-2022-0544,CVE-2022-0545,CVE-2022-0546/blender: reference patches, fixed in unstable

- - - - -
ad71d603 by Sylvain Beucler at 2022-05-28T10:04:54+02:00
dla: add blender

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -175,12 +175,14 @@ CVE-2022-1898 (Use After Free in GitHub repository vim/vim prior to 8.2. ...)
 	- vim <unfixed>
 	[bullseye] - vim <no-dsa> (Minor issue)
 	[buster] - vim <no-dsa> (Minor issue)
+	[stretch] - vim <postponed> (Minor issue)
 	NOTE: https://huntr.dev/bounties/45aad635-c2f1-47ca-a4f9-db5b25979cea
 	NOTE: https://github.com/vim/vim/commit/e2fa213cf571041dbd04ab0329303ffdc980678a (v8.2.5024)
 CVE-2022-1897 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...)
 	- vim <unfixed>
 	[bullseye] - vim <no-dsa> (Minor issue)
 	[buster] - vim <no-dsa> (Minor issue)
+	[stretch] - vim <postponed> (Minor issue)
 	NOTE: https://huntr.dev/bounties/82c12151-c283-40cf-aa05-2e39efa89118
 	NOTE: https://github.com/vim/vim/commit/338f1fc0ee3ca929387448fe464579d6113fa76a (v8.2.5023)
 CVE-2022-1896
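Review bot: the two new `[stretch] - vim <postponed> (Minor issue)` lines reuse the reason text of the `<no-dsa>` entries for bullseye and buster, but `postponed` means the fix is expected in a later stretch upload rather than being skipped, so the reason would be more useful if it said what it is waiting for, e.g. `<postponed> (Minor issue; fix along with next vim update)`. The upstream fix commits are already recorded in the NOTE lines with their versions (v8.2.5023 for CVE-2022-1897, v8.2.5024 for CVE-2022-1898), so whoever picks up the update has the references.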
@@ -20285,19 +20287,24 @@ CVE-2022-0547 (OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication by
 	NOTE: https://github.com/OpenVPN/openvpn/commit/58ec3bb4aac77131118dbbc39a65181e7847adee (v2.4.12)
 	NOTE: https://github.com/OpenVPN/openvpn/commit/af3e382649d96ae77cc5e42be8270f355e5cfec5 (v2.5.6)
 CVE-2022-0546 (A missing bounds check in the image loader used in Blender 3.x and 2.9 ...)
-	- blender <unfixed>
+	- blender 3.1.2+dfsg-1
 	NOTE: Issue: https://developer.blender.org/T94572
 	NOTE: Patch: https://developer.blender.org/D11952
+	NOTE: https://developer.blender.org/rB77616082f44da5258faf9ec0d53618c721b88c62 (v3.1.0)
+	NOTE: https://developer.blender.org/rB1ee4e6bf31ff32f87f9cd1eafa548d6811794380 (v2.93.9)
 CVE-2022-0545 (An integer overflow in the processing of loaded 2D images leads to a w ...)
-	- blender <unfixed>
+	- blender 3.1.2+dfsg-1
 	NOTE: Issue: https://developer.blender.org/T94629
 	NOTE: Patch: https://developer.blender.org/D13744
+	NOTE: https://developer.blender.org/rB82858ca3f4e6dc6f840af9306c350900abd491fc (v3.1.0)
+	NOTE: https://developer.blender.org/rBe07f16776bca5e9494e6b143170f31d5eeb160ce (v2.93.8)
+	NOTE: https://developer.blender.org/rB63fdcbb5889e31b5f07d8d5c8e923cc57900fe1b (v2.83.19)
 CVE-2022-0544 (An integer underflow in the DDS loader of Blender leads to an out-of-b ...)
-	- blender <unfixed>
+	- blender 3.1.2+dfsg-1
 	NOTE: Issue: https://developer.blender.org/T94661
-	NOTE: https://developer.blender.org/rB0ac83d05d7cccec436bb939e0aa768f6a3d77d72
-	NOTE: https://developer.blender.org/rBbbad834f1c2a1f7030ed9741c486b23241e8885e
-	NOTE: https://developer.blender.org/rBd9dd8c287f57716a827483973c31bbb2face2816
+	NOTE: https://developer.blender.org/rBd9dd8c287f57716a827483973c31bbb2face2816 (v3.1.0)
+	NOTE: https://developer.blender.org/rBbbad834f1c2a1f7030ed9741c486b23241e8885e (v2.93.8)
+	NOTE: https://developer.blender.org/rB0ac83d05d7cccec436bb939e0aa768f6a3d77d72 (v2.83.19)
 CVE-2022-0543 (It was discovered, that redis, a persistent key-value database, due to ...)
 	{DSA-5081-1}
 	- redis 5:6.0.16-2 (bug #1005787)
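Review bot: all three blender entries move from `<unfixed>` to the same fixed version `3.1.2+dfsg-1`, while the referenced upstream fix for each is tagged v3.1.0; please double-check that no earlier Debian upload of 3.1.x already contained these commits, since the tracker will otherwise report any such intermediate version as vulnerable. The hunk adds no `[bullseye]`/`[buster]` status lines, so stable and oldstable remain implicitly affected until a `<no-dsa>`/`<postponed>` decision with a reason is recorded. Minor: the 2.93 backport cited for CVE-2022-0546 is v2.93.9 whereas the other two cite v2.93.8; that matches the separate commit references but reads like a typo, so a short "(separate commit)" hint would avoid a later "fix".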


=====================================
data/dla-needed.txt
=====================================
@@ -25,6 +25,10 @@ asterisk (Abhijith PA)
 avahi
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.9 (1 Debian-specific CVE) (Beuc/front-desk)
 --
+blender
+  NOTE: 20220528: 3 CVEs now fixed in unstable, but maintainer never was approached to fix in stable/oldstable,
+  NOTE: 20220528: maybe coordinate with them (Beuc/front-desk)
+--
 cgal
   NOTE: 20220421: many no-dsa issues, please check, whether it is possible to fix them without uploading a new upstream release (Anton)
 --
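Review bot: the new blender entry's NOTE says the maintainer was never approached to fix in stable/oldstable, but this file tracks LTS work, so it should state which suite the coordination targets (stretch, given the other hunk in this push) and the intended outcome (a DLA upload, or `<no-dsa>`/`<postponed>` if the issues are judged minor). Also, the second NOTE line repeats the `20220528:` prefix for a continuation of the same sentence; the neighbouring avahi and cgal entries keep one note per line, so either merge the two lines or make the second one a standalone note.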



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2e45b3adfe45f58ccb8617b66753e7b622dc8efc...ad71d603efae70eaa0601623f77dd230a7a5beec
