[Git][security-tracker-team/security-tracker][master] Adjust version for protobuf version in experimental for CVE-2022-3171

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Oct 6 21:02:01 BST 2022



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c178c86a by Salvatore Bonaccorso at 2022-10-06T21:59:17+02:00
Adjust version for protobuf version in experimental for CVE-2022-3171

There is not version 3.21.7 upstream but upstream version 3.21.7 fixes
the CVE-2022-3171. 3.21.7-1 landed accordingly in experimental.

Link: https://tracker.debian.org/news/1370218/accepted-protobuf-3217-1-source-into-experimental/
Fixes: 22cdd6b06d59 ("Add CVE-2022-3171/protobuf")

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -5023,7 +5023,7 @@ CVE-2022-3172
 	NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here
 CVE-2022-3171 [potential denial of service issue in the Java Protobuf runtime]
 	RESERVED
-	[experimental] - protobuf 3.27.1-1
+	[experimental] - protobuf 3.21.7-1
 	- protobuf <unfixed>
 	NOTE: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
 CVE-2022-3170 (An out-of-bounds access issue was found in the Linux kernel sound subs ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c178c86afce4a3df2ffbbe6c4d507ab2ca4613e7

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c178c86afce4a3df2ffbbe6c4d507ab2ca4613e7
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20221006/bfdd3562/attachment.htm>


More information about the debian-security-tracker-commits mailing list