[Git][security-tracker-team/security-tracker][master] 3 commits: Triaged cmark-gfm for LTS (buster) and concluded CVE-2022-24724 and...

Ola Lundqvist (@opal) opal at debian.org
Mon Oct 31 11:45:34 GMT 2022 


Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9e691a37 by Ola Lundqvist at 2022-10-31T12:39:58+01:00
Triaged cmark-gfm for LTS (buster) and concluded CVE-2022-24724 and CVE-2022-39209 to be minor issues. Same conclusion as for similar packages.

- - - - -
9ecf7397 by Ola Lundqvist at 2022-10-31T12:43:48+01:00
Added protobuf to dla-needed.

- - - - -
7ab81f4b by Ola Lundqvist at 2022-10-31T12:45:14+01:00
Added consul to dla-needed.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -14488,6 +14488,7 @@ CVE-2022-39210 (Nextcloud android is the official Android client for the Nextclo
 	NOT-FOR-US: Nextcloud android
 CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...)
 	- cmark-gfm 0.29.0.gfm.6-2 (bug #1020588)
+	[buster] - cmark-gfm <no-dsa> (Minor issue)
 	- python-cmarkgfm <unfixed>
 	- ghostwriter <unfixed> (unimportant)
 	- ruby-commonmarker <unfixed>
@@ -55594,6 +55595,7 @@ CVE-2022-24725 (Shescape is a shell escape package for JavaScript. An issue in v
 	NOT-FOR-US: Node shescape
 CVE-2022-24724 (cmark-gfm is GitHub's extended version of the C reference implementati ...)
 	- cmark-gfm 0.29.0.gfm.3-3 (bug #1006756)
+	[buster] - cmark-gfm <no-dsa> (Minor issue)
 	- ghostwriter <unfixed> (bug #1006757)
 	[bullseye] - ghostwriter <not-affected> (Vulnerable code not present)
 	[buster] - ghostwriter <not-affected> (Vulnerable code not present)


=====================================
data/dla-needed.txt
=====================================
@@ -25,6 +25,10 @@ clickhouse (Tobias Frost)
   NOTE: 20221003: One pull request closes several CVEs.
   NOTE: 20221003: Please evaluate, whether it can be applied.
 --
+consul
+  NOTE: 20221031: Programming language: Go.
+  NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail.
+--
 curl (Emilio)
   NOTE: 20220901: Programming language: C.
   NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
@@ -158,6 +162,10 @@ python3.7 (Stefano Rivera)
   NOTE: 20221031: Programming language: C.
   NOTE: 20221031: Special attention: urgent.
 --
+protobuf
+  NOTE: 20221031: Programming language: Several.
+  NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf.
+--
 python-django
   NOTE: 20221031: Programming language: Python.
   NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/python-django.git



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/edf4189a63cb7a47cf1acd41f9682aab7a0d3db4...7ab81f4b68492e6834031c728c226c4fc40b6116

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/edf4189a63cb7a47cf1acd41f9682aab7a0d3db4...7ab81f4b68492e6834031c728c226c4fc40b6116
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20221031/bf00a1a4/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list