[Git][security-tracker-team/security-tracker][master] Removed rabbitmq-server from dla-needed. Noted the related CVE as not-affected...

Ola Lundqvist (@opal) opal at debian.org
Wed Nov 2 21:52:05 GMT 2022



Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
77e0c77f by Ola Lundqvist at 2022-11-02T22:51:43+01:00
Removed rabbitmq-server from dla-needed. Noted the related CVE as not-affected for buster. Also added a note that buster is in fact affected by a worse problem than the CVE described but that is still minor and therefore no extra CVE should be necessary for that.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -37683,6 +37683,9 @@ CVE-2022-31009 (wire-ios is an iOS client for the Wire secure messaging applicat
 	NOT-FOR-US: wire-ios
 CVE-2022-31008 (RabbitMQ is a multi-protocol messaging and streaming broker. In affect ...)
 	- rabbitmq-server 3.10.8-1
+	[buster] - rabbitmq-server <not-affected> (Vulnerable code introduced later)
+	NOTE: Buster do not have any log obfuscation code meaning that the issue described is worse. On the other
+	NOTE: hand the severity of that issue is minor so no additional CVE should be needed.
 	NOTE: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-v9gv-xp36-jgj8
 	NOTE: https://github.com/rabbitmq/rabbitmq-server/pull/4841
 	NOTE: obfuscation introduced in (built-in) Shovel plugin in: https://github.com/rabbitmq/rabbitmq-server/commit/6dbdc991c3111aa4ffa12a150b1402cf5c5e798e (v3.10.0-beta.2)
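Review bot: The `[buster]` line marks the package `<not-affected> (Vulnerable code introduced later)`, while the two new NOTE lines directly below say that buster has no log obfuscation code at all and is therefore in a worse position; the reason string should state that it is the obfuscation bypass which does not apply, e.g. `<not-affected> (Obfuscation code, and hence the bypass, not present)`, so the entry is not read as "buster is safe". Two smaller points on the NOTE lines: "Buster do not have" should read "Buster does not have", and the sentence is split across two NOTE entries so the second begins mid-sentence ("NOTE: hand the severity ..."); keeping each NOTE line self-contained matches the surrounding entries.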


=====================================
data/dla-needed.txt
=====================================
@@ -211,12 +211,6 @@ r-cran-commonmark
   NOTE: 20221009: Programming language: R.
   NOTE: 20221009: Please synchronize with ghostwriter.
 --
-rabbitmq-server
-  NOTE: 20221031: Programming language: Erlang.
-  NOTE: 20221031: New configuration option. Should be studied further..
-  NOTE: 20221031: Potentially the outcome is to ignore the issue..
-  NOTE: 20221101: The package is not vulnerable to that URLs can be decoded because they are not even encoded. That is most likely a much worse problem, but requires some more investigations. Possible a new CVE is needed for that.
---
 rails (Abhijith PA)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
   NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
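Review bot: Dropping the whole rabbitmq-server block is consistent with the first hunk: the open question in the removed 20221101 NOTE ("Possible a new CVE is needed for that") is answered by the new NOTE lines under CVE-2022-31008 in data/CVE/list, and the `--` separator following the block is removed together with it, so the entry delimiters in dla-needed.txt stay paired (the `--` before `rails` is kept). No further change needed here.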



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77e0c77f42b564151680e651a0d69fa5dd8514d8


