[Git][security-tracker-team/security-tracker][master] 2 commits: semi-automatic unclaim after 2 weeks of inactivity

Anton Gladky (@gladk) gladk at debian.org
Sun May 29 21:40:45 BST 2022



Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker


Commits:
572013b9 by Anton Gladky at 2022-05-29T22:32:15+02:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Anton Gladky <gladk at debian.org>

- - - - -
bf772f4c by Anton Gladky at 2022-05-29T22:40:34+02:00
LTS: add programming language to all packages in dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=====================================
data/dla-needed.txt
=====================================
@@ -14,38 +14,46 @@ rather than remove/replace existing ones.
 
 --
 389-ds-base
+  NOTE: 20220529: Programming language: Python.
   NOTE: 20220516: Source code is vulnerable to CVE-2022-0996. The package do not have a large install base so the
   NOTE: 20220516: priority of fixing is probably low.
 --
 amd64-microcode
+  NOTE: 20220529: Programming language: binary blob.
 --
 avahi
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.9 (1 Debian-specific CVE) (Beuc/front-desk)
 --
 blender
+  NOTE: 20220529: Programming language: C++.
   NOTE: 20220528: 3 CVEs now fixed in unstable, but maintainer never was approached to fix in stable/oldstable,
   NOTE: 20220528: maybe coordinate with them (Beuc/front-desk)
 --
 cgal
+  NOTE: 20220529: Programming language: C++.
   NOTE: 20220421: many no-dsa issues, please check, whether it is possible to fix them without uploading a new upstream release (Anton)
 --
 ckeditor (Sylvain Beucler)
+  NOTE: 20220529: Programming language: JavaScript.
   NOTE: 20220402: multiple pendings vulnerabilities (Beuc/front-desk)
   NOTE: 20220510: no rdeps, no sponsors, most CVEs require following upstream stable 4.x,
   NOTE: 20220510: considering either ignoring, or mass-bumping all dists,
   NOTE: 20220510: waiting for ckeditor_3_ discussion to close up first (Beuc)
   NOTE: 20220510: https://lists.debian.org/debian-lts/2022/05/msg00018.html
 --
-clamav (Emilio)
-  NOTE: 20220510: Programming language C. (apo)
+clamav
+  NOTE: 20220510: Programming language: C. (apo)
 --
-curl (Emilio)
-  NOTE: 20220510: Programming language C.
+curl
+  NOTE: 20220529: Programming language: C.
 --
 cyrus-imapd
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220523: Follow buster: harmonize with with DSA-4590-1 and Debian 10.11 (2 CVEs) (Beuc/front-desk)
 --
 debian-security-support (Utkarsh)
+  NOTE: 20220529: Programming language: text files.
   NOTE: 20220402: need to update the list of unsupported packages (Beuc/front-desk)
   NOTE: 20220402: check debian/README.source, sync with h01ger, and announce EOL'd packages (Beuc/front-desk)
   NOTE: 20220402: context: https://lists.debian.org/debian-lts/2022/04/msg00000.html (Beuc/front-desk)
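Review bot: the clamav and curl entries receive the same correction (`Programming language C.` becomes `Programming language: C.`), but clamav keeps its original 20220510 date while curl is restamped to 20220529; pick one convention for corrected lines (halibut further down keeps its original date) so the date in a NOTE stays meaningful. The unclaim of clamav and curl (Emilio removed) is only explained by the first commit's subject, and the compare view folds both commits into this hunk; listing the affected packages in the unclaim commit message would make the history easier to audit.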
@@ -53,104 +61,132 @@ debian-security-support (Utkarsh)
   NOTE: 20220516: in review, will also co-help Holger to maintain this. (utkarsh)
 --
 dpdk
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.7 (5 CVEs) (Beuc/front-desk)
 --
 exempi
+  NOTE: 20220529: Programming language: C++.
   NOTE: 20220517: A lot of packages reverse depends on libexmpi8. Further analysis
   NOTE: 20220517: is needed.
 --
 firmware-nonfree
+  NOTE: 20220529: Programming language: binary blob.
   NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
   NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
   NOTE: 20211207: Intend to release this week.
 --
 freerdp
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220525: ~40 minor CVEs, consider coordinating with maintainer and/or secteam to do the same in freerdp2/buster (Beuc/front-desk)
 --
 gerbv
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220321: WIP https://salsa.debian.org/lts-team/packages/gerbv (Anton)
   NOTE: 20220326: CVE-2021-40401 is fixed https://salsa.debian.org/lts-team/packages/gerbv/-/blob/debian/stretch/debian/patches/CVE-2021-40401.patch (Anton)
   NOTE: 20220326: CVE-2021-4040{0,2,3} do not have confirmed upstream fixes yet. (Anton)
 --
 glib2.0
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.10 (3 CVEs) (Beuc/front-desk)
 --
 golang-github-hashicorp-go-getter
+  NOTE: 20220529: Programming language: Go.
   NOTE: 20220528: limited golang support in stretch (cf. stretch release notes)
   NOTE: 20220528: no rdeps AFAICS so no need to rebuild other golang packages (Beuc/front-desk)
 --
 golang-go.crypto
+  NOTE: 20220529: Programming language: Go.
   NOTE: 20220331: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1; also check buster status (Beuc/front-desk)
 --
 grunt
+  NOTE: 20220529: Programming language: JavaScript.
   NOTE: 20220528: upcoming stable update (cf. #1010211) + 1 new CVE (Beuc/front-desk)
 --
 halibut (Anton)
-  NOTE: 20220528: Programming language C.
+  NOTE: 20220528: Programming language: C.
 --
 haproxy (Markus Koschany)
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.0 and 10.6 (3 CVEs) (Beuc/front-desk)
 --
 horizon
+  NOTE: 20220529: Programming language: Python.
   NOTE: 20220523: Follow buster: harmonize with with DSA-4820-1 (1 CVE) (Beuc/front-desk)
   NOTE: 20220523: part of OpenStack (Beuc/front-desk)
 --
 icingaweb2 (Abhijith PA)
+  NOTE: 20220529: Programming language: PHP.
   NOTE: https://people.debian.org/~abhijith/upload/mruby/icingaweb2_2.4.1-1+deb9u2.dsc (abhijith)
   NOTE: 20220522: Pinged upstream for missing patches. Will write an detail
   NOTE: 20220522: email about situation (abhijith)
 --
 intel-microcode
+  NOTE: 20220529: Programming language: binary blob.
   NOTE: 20220213: please recheck
 --
 isync
+  NOTE: 20220528: Programming language: C.
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.10 and possibly 11.2 (3 CVEs) (Beuc/front-desk)
 --
 jupyter-notebook
+  NOTE: 20220529: Programming language: Python.
   NOTE: 20220528: wrt CVE-2021-32798, caja is bundled (not external), cf. README.source (Beuc/front-desk)
 --
 kvmtool
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220402: stretch-specific, orphaned package (Beuc/front-desk)
   NOTE: 20220402: CVE-2021-45464 looks critical, check with upstream for acknowledgments/fixes (Beuc/front-desk)
 --
 lemonldap-ng
+  NOTE: 20220529: Programming language: Perl.
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.4 (1 CVE) and 10.5 (regression fix) (Beuc/front-desk)
 --
 libdbi-perl
+  NOTE: 20220529: Programming language: Perl.
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.8 (CVE-2014-10402 is a follow-up to CVE-2014-10401
   NOTE: 20220523: which was fixed before stretch, buster's debian/changelog is incorrect) (Beuc/front-desk)
 --
 libjpeg-turbo
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.7 (only 1 CVE but last
   NOTE: 20220523: stretch update back in 2020 and possible RCE) (Beuc/front-desk)
 --
 liblouis
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220320: no patch available yet. Reproducible memory leaks with ASAN
   NOTE: 20220320: and POC. Consider fixing CVE-2018-17294 too.
   NOTE: 20220503: CVE-2022-26981 patch applied in salsa lts-team repo,
   NOTE: 20220503: Patch not applied upstream yet.
 --
 libmatio
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220528: lots of postponed minor vulnerabilities, no past stretch security upload, supported package (Beuc/front-desk)
 --
 libvirt (Thorsten Alteholz)
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220522: testing package
 --
 linux (Ben Hutchings)
+  NOTE: 20220529: Programming language: C.
 --
 linux-4.19 (Ben Hutchings)
+  NOTE: 20220529: Programming language: C.
 --
 mailman
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.12 (3 CVEs, regression fixes) (Beuc/front-desk)
 --
 manila
+  NOTE: 20220529: Programming language: Python.
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.4 (1 CVE) (Beuc/front-desk)
   NOTE: 20220523: part of OpenStack (Beuc/front-desk)
 --
 mariadb-10.1
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220222: Can be risky. Please consider backporting mariadb-10.3. See discussion https://lists.debian.org/debian-lts/2022/02/msg00005.html and coordinate with maintainer (Anton)
 --
 mbedtls (Utkarsh)
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220404: update prepared, needs testing. (utkarsh)
   NOTE: 20220419: waiting for a quick feedback from carnil. (utkarsh)
   NOTE: 20220502: will upload with 1 fix and mark the other one
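Review bot: the language note added to `isync` is dated 20220528 while every other note added in this hunk is dated 20220529, which looks like a typo and will hide that line from anyone locating this batch by date. Also `mailman` is tagged `C.`; Mailman 2 is written mostly in Python, so please verify that entry before the tag is used to route work by language.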
@@ -159,31 +195,39 @@ mbedtls (Utkarsh)
   NOTE: 20220516: be squeezed in. waiting on -pu. (utkarsh)
 --
 modsecurity-crs
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.2 and 10.11 (2 CVEs) (Beuc/front-desk)
 --
 ncurses
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.2 (2-3 CVEs + some non-CVE'd issues) (Beuc/front-desk)
 --
 ntfs-3g
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220515: Please recheck. There are currently not enough information
   NOTE: available. (apo)
 --
 nvidia-cuda-toolkit
-   NOTE: 20220331: package is in non-free but also in packages-to-support (Beuc/front-desk)
+  NOTE: 20220529: Programming language: C.
+  NOTE: 20220331: package is in non-free but also in packages-to-support (Beuc/front-desk)
 --
 nvidia-graphics-drivers
+  NOTE: 20220529: Programming language: binary blob.
   NOTE: 20220203: package is in non-free but also in packages-to-support (Beuc/front-desk)
   NOTE: 20220209: monitor nvidia-graphics-drivers-legacy-390xx for a potential
   NOTE: 20220209: backport (apo)
 --
 openscad
+  NOTE: 20220529: Programming language: C++.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.12 (1 CVE) (Beuc/front-desk)
   NOTE: 20220524: vulnerable code for CVE-2020-28599 is in src/import.cc (Beuc/front-desk)
 --
 pam-u2f
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.1 (2 CVEs + some non-CVE'd fixes) (Beuc/front-desk)
 --
 pdns
+  NOTE: 20220529: Programming language: C++.
   NOTE: 20220402: harmonize with buster/10.8 (Beuc/front-desk)
   NOTE: 20220506: buster patches backported in https://salsa.debian.org/enrico/pdns/-/tree/stretch
   NOTE: 20220506: and #debian-dns notified (enrico)
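Review bot: the `nvidia-cuda-toolkit` block also re-indents the existing 20220331 note (three spaces to two), a whitespace fix unrelated to the commit subject "add programming language to all packages"; either split it out or mention it in the commit message. Separately, `modsecurity-crs` is tagged `C.` although the package is the Core Rule Set rather than the ModSecurity engine; consider a tag in the style of `text files` used for debian-security-support if the package ships only rules.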
@@ -193,34 +237,44 @@ pdns
   NOTE: 20220506: know-how for testing manually (enrico)
 --
 pidgin (Andreas Rönnquist)
+  NOTE: 20220529: Programming language: C.
 --
 pjproject (Abhijith PA)
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220527: Same CVE asterisk (abhijith)
 --
 plinth
+  NOTE: 20220529: Programming language: Python.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.7 and 10.10 (2 CVEs) (Beuc/front-desk)
 --
 postgresql-9.6
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220523: cf. DSA-5135-1/DSA-5136-1 (Beuc/front-desk)
   NOTE: 20220523: 9.6 is EOL'd upstream (Beuc/front-desk)
   NOTE: 20220523: Christoph Berg won't handle this update (Beuc/front-desk)
   NOTE: 20220523: https://lists.debian.org/debian-lts/2022/05/msg00054.html
 --
 puppet-module-puppetlabs-firewall
+  NOTE: 20220529: Programming language: Ruby.
   NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc/front-desk)
 --
 pyjwt
+  NOTE: 20220529: Programming language: Python.
 --
 pypdf2
+  NOTE: 20220529: Programming language: Python.
 --
 qemu (Abhijith PA)
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220527: a few new CVEs since last DLA, and buster got no updates since 2 years,
   NOTE: 20220527: so maybe coordinate to start anticipating the next LTS (Beuc/front-desk)
 --
 request-tracker4
+  NOTE: 20220529: Programming language: pm?.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.11 (1 CVE) (Beuc/front-desk)
 --
 ring
+  NOTE: 20220529: Programming language: C++.
   NOTE: 20220314: https://people.debian.org/~abhijith/upload/vda/ring_20161221.2.7bd7d91~dfsg1-1+deb9u2.dsc
   NOTE: 20220404: package in archive is faulty. New regs can't be done due (abhijith)
   NOTE: 20220404: a network error (abhijith)
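Review bot: `request-tracker4` receives `Programming language: pm?.`, which commits an unresolved placeholder to the data file; the other Perl packages in this file (lemonldap-ng, libdbi-perl) use `Perl`, so either resolve it to that or omit the tag until confirmed, rather than shipping a question mark that anything parsing these NOTE lines will treat as a language name.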
@@ -228,39 +282,49 @@ ring
   NOTE: 20220526: Re pinged Debian maintainer and Pinged upstream for help. (abhijith)
 --
 ros-ros-comm
+  NOTE: 20220529: Programming language: Python.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.7 and 10.12 (2 CVEs) (Beuc/front-desk)
 --
 ruby-devise-two-factor
+  NOTE: 20220529: Programming language: Ruby.
   NOTE: 20220427: Patch does not apply cleanly to LTS version, may be due to this being the result
   NOTE: 20220427: of an incomplete fix to CVE-2015-7225. Will require some investigation. (lamby)
   NOTE: 20220502: should be marked as no-dsa; will send more details on the list. (utkarsh)
 --
 salt
+  NOTE: 20220529: Programming language: Python.
 --
 samba
+  NOTE: 20220529: Programming language: C.
   NOTE: 20211128: WIP https://salsa.debian.org/lts-team/packages/samba/
   NOTE: 20211212: Fix is too large, coordination with ELTS-upload (anton)
   NOTE: 20220110: fix applied, but will need a second opinion. (utkarsh)
   NOTE: 20220125: ftbfs, wip. (utkarsh)
 --
 sleuthkit
+  NOTE: 20220529: Programming language: C++.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.0 and 10.7 (2 CVEs) (Beuc/front-desk)
 --
 slurm-llnl
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220516: Checking the code it looks like the patches will apply so the code is clearly vulnerable.
 --
 snapd
+  NOTE: 20220529: Programming language: Go.
   NOTE: 20220308: seems vulnerable at least to setup_private_mount,
   NOTE: 20220308: but double check (pochu)
 --
 sox
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220326: CVE-2019-13590 is fixed in git (Anton)
   NOTE: 20220326: https://salsa.debian.org/lts-team/packages/sox
   NOTE: 20220326: fix for CVE-2021-40426 is not yet available (Anton)
 --
 spip
+  NOTE: 20220529: Programming language: PHP.
 --
 subversion (Roberto C. Sánchez)
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220422: Upstream's patch for CVE-2021-28544 does not cleanly apply (eg. "copyfrom_path = apr_pstrdup(...)" assignment)
   NOTE: 20220422: and, once applied manually, appears to break multiple and possibly unrelated parts of the testsuite. (lamby)
   NOTE: 20220501: Done some analysis, worked on a patch, cannot find a way to test it, mailed results to Roberto C. Sánchez (enrico)
@@ -269,15 +333,18 @@ subversion (Roberto C. Sánchez)
   NOTE: 20220525: I have asked Enrico to replicate my findings (roberto)
 --
 systemd
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220524: CVE-2020-1712 marked for update but didn't make it to 9.13
   NOTE: 20220524: nor DLA-2715-1; the issue looks somewhat invasive to fix but at the
   NOTE: 20220524: same time is severe and was fixed in other old distros (Beuc/front-desk)
 --
 thunderbird
+  NOTE: 20220529: Programming language: C++.
   NOTE: 20220527: DSA-5141-1 & DLA-3020-1 were just released, but thunderbird
   NOTE: 20220527: is back in dsa-needed.txt with 2 new CVEs (Beuc/front-desk)
 --
 tiff (Utkarsh)
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220404: jessie upload at https://salsa.debian.org/lts-team/packages/tiff.
   NOTE: 20220404: if that works out well, I'll roll the same for stretch. (utkarsh)
   NOTE: 20220419: new CVE reported; waiting to see if there are more. (utkarsh)
@@ -286,13 +353,16 @@ tiff (Utkarsh)
   NOTE: 20220513: that are already applied and tested and re-add tiff here. (utkarsh)
 --
 ublock-origin
+  NOTE: 20220529: Programming language: JavaScript.
   NOTE: 20220524: Follow buster: harmonize with with Debian 10.11 (1 CVE) (Beuc/front-desk)
 --
 unzip
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220319: no patches yet but reproducible (apo)
   NOTE: 20220429: CVE-2022-0530: reported #1010355 with a proposed patch (enrico)
   NOTE: 20220429: CVE-2022-0529: sent a proposed patch to sanvila and team at s.d.o (enrico)
 --
 vlc
+  NOTE: 20220529: Programming language: C.
   NOTE: 20220524: Consider bumping to 3.12 (or later) as in DSA-4834-1 (Beuc/front-desk)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/786c47a5dcedfdb4cd13e02d812fc1a202aed457...bf772f4c72e26abcc90638a4d9690ea88cad162d
