[Git][security-tracker-team/security-tracker][master] 2 commits: Remove no-dsa tags for haproxy/Stretch

Markus Koschany (@apo) apo at debian.org
Mon May 30 17:10:41 BST 2022



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7613b81b by Markus Koschany at 2022-05-30T18:06:22+02:00
Remove no-dsa tags for haproxy/Stretch

- - - - -
eb8dd853 by Markus Koschany at 2022-05-30T18:10:30+02:00
Reserve DLA-3034-1 for haproxy

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -184834,7 +184834,6 @@ CVE-2019-18278 (When executing VideoLAN VLC media player 3.0.8 with libqt on Win
 CVE-2019-18277 (A flaw was found in HAProxy before 2.0.6. In legacy mode, messages fea ...)
 	- haproxy 2.0.6-1
 	[buster] - haproxy 1.8.19-1+deb10u3
-	[stretch] - haproxy <no-dsa> (Minor issue)
 	[jessie] - haproxy <no-dsa> (Minor issue)
 	NOTE: https://git.haproxy.org/?p=haproxy-2.0.git;a=commit;h=196a7df44d8129d1adc795da020b722614d6a581
 	NOTE: https://nathandavison.com/blog/haproxy-http-request-smuggling
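
Review bot: the removed `[stretch] - haproxy <no-dsa> (Minor issue)` line under CVE-2019-18277 is not replaced by anything in this file, and the commit subject ("Remove no-dsa tags for haproxy/Stretch") does not say why the tag is going away. The reason only appears in the second commit, where data/DLA/list records the stretch fix as haproxy 1.7.5-2+deb9u1 under DLA-3034-1. Suggest naming DLA-3034-1 in the first commit message, or folding both commits into one, so the history never shows this CVE without a stretch status. The [jessie] <no-dsa> line is correctly left alone.
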
@@ -233201,12 +233200,10 @@ CVE-2018-20104
 	RESERVED
 CVE-2018-20103 (An issue was discovered in dns.c in HAProxy through 1.8.14. In the cas ...)
 	- haproxy 1.8.15-1 (bug #916307)
-	[stretch] - haproxy <no-dsa> (Minor issue; can be fixed via point release)
 	[jessie] - haproxy <not-affected> (Vulnerable code not present)
 	NOTE: http://git.haproxy.org/?p=haproxy.git;a=commit;h=58df5aea0a0c926b2238f65908f5e9f83d1cca25
 CVE-2018-20102 (An out-of-bounds read in dns_validate_dns_response in dns.c was discov ...)
 	- haproxy 1.8.15-1 (bug #916308)
-	[stretch] - haproxy <no-dsa> (Minor issue; can be fixed via point release)
 	[jessie] - haproxy <not-affected> (Vulnerable code not present)
 	NOTE: http://git.haproxy.org/?p=haproxy.git;a=commit;h=efbbdf72992cd20458259962346044cafd9331c0
 CVE-2018-20101 (The codection "Import users from CSV with meta" plugin before 1.12.1 f ...)
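
Review bot: the two removed [stretch] lines (CVE-2018-20103 and CVE-2018-20102) carried the rationale "can be fixed via point release", and after this hunk neither entry says how stretch was handled or that its haproxy is affected at all. The remaining [jessie] lines read "Vulnerable code not present" and the only fixed version shown is 1.8.15-1, so a reader of these entries alone cannot tell that the stretch package (1.7.5 according to the DLA entry) contains the affected dns.c code. Suggest a short NOTE on each entry stating that 1.7.x is affected, so the DLA's claim is auditable from the CVE entry itself.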


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[30 May 2022] DLA-3034-1 haproxy - security update
+	{CVE-2018-20102 CVE-2018-20103 CVE-2019-18277}
+	[stretch] - haproxy 1.7.5-2+deb9u1
 [29 May 2022] DLA-3033-1 smarty3 - security update
 	{CVE-2022-29221}
 	[stretch] - smarty3 3.1.31+20161214.1.c7d42e4+selfpack1-2+deb9u6
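
Review bot: the commit subject says "Reserve DLA-3034-1", yet the third added line already states a fixed version, `[stretch] - haproxy 1.7.5-2+deb9u1`; confirm that this string is exactly the version being uploaded, since it is what marks stretch as fixed. The brace list on the second added line matches the three data/CVE/list entries that lose their [stretch] tag in this push (CVE-2018-20102, CVE-2018-20103, CVE-2019-18277), and the entry sits above DLA-3033-1 in sequence, so the rest is consistent.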


=====================================
data/dla-needed.txt
=====================================
@@ -108,10 +108,6 @@ grunt
 halibut (Anton)
   NOTE: 20220528: Programming language: C.
 --
-haproxy (Markus Koschany)
-  NOTE: 20220529: Programming language: C.
-  NOTE: 20220523: Follow buster: harmonize with with Debian 10.0 and 10.6 (3 CVEs) (Beuc/front-desk)
---
 horizon
   NOTE: 20220529: Programming language: Python.
   NOTE: 20220523: Follow buster: harmonize with with DSA-4820-1 (1 CVE) (Beuc/front-desk)
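
Review bot: the removal has to take exactly one `--` separator with the haproxy block, and it does: the `--` after halibut stays as context and becomes the separator before horizon, so the file structure is intact. The dropped NOTE's "(3 CVEs)" agrees with the three ids listed under DLA-3034-1. Nit for a separate commit: the horizon NOTE in the trailing context still reads "harmonize with with DSA-4820-1", the same doubled word as in the removed haproxy NOTE.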



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c3ccadfb594a1aaac3d2d371be7eb8287f7a7bb6...eb8dd853c952fe7deda8e075c35486e5401e68ee
