[Git][security-tracker-team/security-tracker][master] Add fixed versions for protobuf via unstable for serveral CVEs

[László Böszörményi (@gcs)]

László Böszörményi pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a2270498 by Laszlo Boszormenyi (GCS) at 2022-11-21T22:06:45+01:00
Add fixed versions for protobuf via unstable for serveral CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -10577,7 +10577,7 @@ CVE-2022-3510 (A parsing issue similar to CVE-2022-3171, but with Message-Type E
 	NOTE: https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48
 CVE-2022-3509 (A parsing issue similar to CVE-2022-3171, but with textformat in proto ...)
 	[experimental] - protobuf 3.21.7-1
-	- protobuf <unfixed>
+	- protobuf 3.21.9-3
 	NOTE: https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9 (v21.7, v3.21.7)
 CVE-2022-3508
 	RESERVED
@@ -17067,7 +17067,7 @@ CVE-2022-3172
 	NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here
 CVE-2022-3171 (A parsing issue with binary data in protobuf-java core and lite versio ...)
 	[experimental] - protobuf 3.21.7-1
-	- protobuf <unfixed>
+	- protobuf 3.21.9-3
 	NOTE: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
 CVE-2022-3170 (An out-of-bounds access issue was found in the Linux kernel sound subs ...)
 	- linux <not-affected> (Vulnerable code not present)
@@ -39806,7 +39806,7 @@ CVE-2022-1942 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to
 	NOTE: https://github.com/vim/vim/commit/71223e2db87c2bf3b09aecb46266b56cda26191d (v8.2.5043)
 CVE-2022-1941 (A parsing vulnerability for the MessageSet type in the ProtocolBuffers ...)
 	[experimental] - protobuf 3.20.2-1
-	- protobuf <unfixed>
+	- protobuf 3.21.9-3
 	NOTE: https://www.openwall.com/lists/oss-security/2022/09/27/1
 	NOTE: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
 	NOTE: https://github.com/protocolbuffers/protobuf/commit/806d7e4ce6f1fd0545cae226b94cb0249ea495c7 (v3.20.2)
@@ -135105,14 +135105,14 @@ CVE-2021-22571 (A local attacker could read files from some other users' SA360 r
 	NOT-FOR-US: SA360 reports
 CVE-2021-22570 (Nullptr dereference when a null char is present in a proto symbol. The ...)
 	[experimental] - protobuf 3.17.1-1
-	- protobuf <unfixed>
+	- protobuf 3.21.9-3
 	[bullseye] - protobuf <no-dsa> (Minor issue)
 	[buster] - protobuf <no-dsa> (Minor issue)
 	[stretch] - protobuf <postponed> (Minor issue; clean crash / Dos; patch needs to be isolated)
 	NOTE: Fixed upstream in v3.15.0: https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
 CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of com.google.proto ...)
 	[experimental] - protobuf 3.19.3-1
-	- protobuf <unfixed>
+	- protobuf 3.21.9-3
 	[bullseye] - protobuf <no-dsa> (Minor issue)
 	[buster] - protobuf <no-dsa> (Minor issue)
 	[stretch] - protobuf <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2270498bbea7f4047b6c9bc42592834f6dccf65

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2270498bbea7f4047b6c9bc42592834f6dccf65
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20221121/7b1ec9bd/attachment.htm>