[Git][security-tracker-team/security-tracker][master] Reserve DLA-3157-1 for bluez

Sylvain Beucler (@beuc) beuc at debian.org
Mon Oct 24 10:40:13 BST 2022



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
58c0d545 by Sylvain Beucler at 2022-10-24T11:39:55+02:00
Reserve DLA-3157-1 for bluez

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -57646,7 +57646,6 @@ CVE-2022-0205 (The YOP Poll WordPress plugin before 6.3.5 does not sanitise and
 CVE-2022-0204 (A heap overflow vulnerability was found in bluez in versions prior to  ...)
 	- bluez 5.64-1 (bug #1003712)
 	[bullseye] - bluez <no-dsa> (Minor issue)
-	[buster] - bluez <no-dsa> (Minor issue)
 	[stretch] - bluez <no-dsa> (Minor issue)
 	NOTE: https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q
 	NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=591c546c536b42bef696d027f64aa22434f8c3f0 (5.63)
@@ -71155,7 +71154,6 @@ CVE-2021-3929 (A DMA reentrancy issue was found in the NVM Express Controller (N
 CVE-2021-43400 (An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after- ...)
 	- bluez 5.62-1 (bug #998626)
 	[bullseye] - bluez <no-dsa> (Minor issue; can be fixed in point release)
-	[buster] - bluez <no-dsa> (Minor issue; can be fixed in point release)
 	[stretch] - bluez <ignored> (invasive patch, requires post-stretch revamps)
 	NOTE: Introduced by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=93b64d9ca8a2bb663e37904d4b2c702c58a36e4f (5.40)
 	NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=838c0dc7641e1c991c0f3027bf94bee4606012f8 (5.62)
@@ -78991,7 +78989,6 @@ CVE-2021-41229 (BlueZ is a Bluetooth protocol stack for Linux. In affected versi
 	{DLA-2827-1}
 	- bluez 5.62-2 (bug #1000262)
 	[bullseye] - bluez <no-dsa> (Minor issue)
-	[buster] - bluez <no-dsa> (Minor issue)
 	NOTE: https://github.com/bluez/bluez/security/advisories/GHSA-3fqg-r8j5-f5xq
 	NOTE: Introduced by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=d939483328489fb835bb425d36f7c7c73d52c388 (4.0)
 	NOTE: Fixed by: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=e79417ed7185b150a056d4eb3a1ab528b91d2fc0
@@ -247781,13 +247778,11 @@ CVE-2019-8923 (XAMPP through 5.6.8 and previous allows SQL injection via the cds
 CVE-2019-8922 (A heap-based buffer overflow was discovered in bluetoothd in BlueZ thr ...)
 	{DLA-2827-1}
 	- bluez 5.54-1
-	[buster] - bluez <no-dsa> (Minor issue)
 	NOTE: https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow/
 	NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=6c7243fb6ab90b7b855cead98c66394fedea135f (5.51)
 CVE-2019-8921 (An issue was discovered in bluetoothd in BlueZ through 5.48. The vulne ...)
 	{DLA-2827-1}
 	- bluez 5.54-1
-	[buster] - bluez <no-dsa> (Minor issue)
 	NOTE: https://ssd-disclosure.com/ssd-advisory-linux-bluez-information-leak-and-heap-overflow/
 	NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=7bf67b32709d828fafa26256b4c78331760c6e93 (5.51)
 CVE-2019-8920 (iart.php in XAMPP 1.7.0 has XSS, a related issue to CVE-2008-3569. ...)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[24 Oct 2022] DLA-3157-1 bluez - security update
+	{CVE-2019-8921 CVE-2019-8922 CVE-2021-41229 CVE-2021-43400 CVE-2022-0204 CVE-2022-39176 CVE-2022-39177}
+	[buster] - bluez 5.50-1.2~deb10u3
 [20 Oct 2022] DLA-3156-1 firefox-esr - security update
 	{CVE-2022-42927 CVE-2022-42928 CVE-2022-42929 CVE-2022-42932}
 	[buster] - firefox-esr 102.4.0esr-1~deb10u1


=====================================
data/dla-needed.txt
=====================================
@@ -20,10 +20,6 @@ asterisk (Markus Koschany)
   NOTE: 20221002: Done. Will ask for a public review tomorrow though. (apo)
   NOTE: 20221018: https://lists.debian.org/debian-lts/2022/10/msg00037.html
 --
-bluez (Sylvain Beucler)
-  NOTE: 20220902: Programming language: C.
-  NOTE: 20220902: Consider synchronizing with Stretch. (apo)
---
 clickhouse
   NOTE: 20221003: Programming language: C++.
   NOTE: 20221003: One pull request closes several CVEs.



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58c0d54588f7ba2815d6db6cde270c88d131bb15

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58c0d54588f7ba2815d6db6cde270c88d131bb15
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20221024/b7e72905/attachment-0001.htm>


More information about the debian-security-tracker-commits mailing list