[Git][security-tracker-team/security-tracker][master] 2 commits: golang*: fix a few buster triage

Sylvain Beucler (@beuc) beuc at debian.org
Wed Nov 9 17:08:04 GMT 2022



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
69c04ad5 by Sylvain Beucler at 2022-11-09T18:07:33+01:00
golang*: fix a few buster triage

- - - - -
133342c6 by Sylvain Beucler at 2022-11-09T18:07:33+01:00
dla: add golang-github-nats-io-jwt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -36628,6 +36628,7 @@ CVE-2022-32150
 	RESERVED
 CVE-2022-32149 (An attacker may cause a denial of service by crafting an Accept-Langua ...)
 	- golang-golang-x-text 0.3.8-1 (bug #1021785)
+	- golang-x-text <removed>
 	NOTE: https://groups.google.com/g/golang-dev/c/qfPIly0X7aU
 	NOTE: https://go.dev/issue/56152
 	NOTE: https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c (v0.3.8)
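Review bot: The added "- golang-x-text <removed>" line under CVE-2022-32149 has no per-suite annotation, although the commit subject describes this push as a buster triage fix. If buster still ships golang-x-text, add a "[buster] - golang-x-text <state> (reason)" line beneath it so the buster status is explicit rather than implied. If it does not, a short NOTE saying which suites carried this source package would make the entry self-explanatory.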
@@ -140203,7 +140204,7 @@ CVE-2021-20207
 	REJECTED
 CVE-2021-20206 (An improper limitation of path name flaw was found in containernetwork ...)
 	- golang-github-appc-cni 0.8.1-1 (bug #983659)
-	[buster] - golang-github-appc-cni <no-dsa> (Minor issue; can be fixed via point release)
+	[buster] - golang-github-appc-cni <postponed> (Limited support, minor issue)
 	[stretch] - golang-github-appc-cni <no-dsa> (Minor issue)
 	NOTE: https://github.com/containernetworking/cni/pull/808
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1919391
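Review bot: On the [buster] line for CVE-2021-20206, the state moves from <no-dsa> to <postponed> and the reason becomes "Limited support, minor issue", but neither the entry nor the commit subject says what the limited-support status is based on. The dla-needed.txt hunk in this same push cites the buster release notes; the same pointer in the commit message would let a later triager see why the state changed. The [stretch] line directly below still reads "<no-dsa> (Minor issue)", so please confirm that the two suites are meant to differ.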
@@ -180436,7 +180437,7 @@ CVE-2020-15217 (In GLPI before version 9.5.2, there is a leakage of user informa
 	- glpi <removed>
 CVE-2020-15216 (In goxmldsig (XML Digital Signatures implemented in pure Go) before ve ...)
 	- golang-github-russellhaering-goxmldsig 1.1.0-1 (bug #971615)
-	[buster] - golang-github-russellhaering-goxmldsig <postponed> (Limited support, minor issue, no build rdeps, follow bullseye DSAs/point-releases)
+	[buster] - golang-github-russellhaering-goxmldsig <postponed> (Limited support, minor issue, no build rdeps)
 	NOTE: https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
 	NOTE: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
 CVE-2020-15215 (Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vuln ...)
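Review bot: The [buster] reason for CVE-2020-15216 drops "follow bullseye DSAs/point-releases" without a replacement, so the postponed entry no longer says what would cause it to be revisited. If the clause was removed because it no longer applies, say so in the commit message. The subject "golang*: fix a few buster triage" covers three different kinds of edit across this file, and the reason for this one cannot be recovered from the diff alone.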


=====================================
data/dla-needed.txt
=====================================
@@ -70,6 +70,10 @@ golang-1.11
   NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
   NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 CVE-2022-24921
 --
+golang-github-nats-io-jwt
+  NOTE: 20221109: Programming language: Go.
+  NOTE: 20221109: Special attention: limited support, cf. buster release notes; not in bullseye
+--
 golang-go.crypto
   NOTE: 20220915: Programming language: Go.
   NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
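Review bot: The new golang-github-nats-io-jwt entry does not name the CVEs that put it on the list. The neighbouring golang-1.11 and golang-go.crypto entries both state which or how many CVEs are pending. Since the note says the package is "not in bullseye", there is no newer Debian fix to harmonize with, so whoever claims this has to find the open issues themselves. Add a NOTE line listing the CVE ids, and mention where a fix would come from.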



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ea2c44aecc8a086ac63fb5e5316adc8718c4522f...133342c6b0f1b4767eb217c24695a0b6b2e7a874
