[Git][security-tracker-team/security-tracker][master] 3 commits: Triaged cmark-gfm for LTS (buster) and concluded CVE-2022-24724 and...
Ola Lundqvist (@opal)
opal at debian.org
Mon Oct 31 11:45:34 GMT 2022
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9e691a37 by Ola Lundqvist at 2022-10-31T12:39:58+01:00
Triaged cmark-gfm for LTS (buster) and concluded CVE-2022-24724 and CVE-2022-39209 to be minor issues. Same conclusion as for similar packages.
- - - - -
9ecf7397 by Ola Lundqvist at 2022-10-31T12:43:48+01:00
Added protobuf to dla-needed.
- - - - -
7ab81f4b by Ola Lundqvist at 2022-10-31T12:45:14+01:00
Added consul to dla-needed.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -14488,6 +14488,7 @@ CVE-2022-39210 (Nextcloud android is the official Android client for the Nextclo
NOT-FOR-US: Nextcloud android
CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...)
- cmark-gfm 0.29.0.gfm.6-2 (bug #1020588)
+ [buster] - cmark-gfm <no-dsa> (Minor issue)
- python-cmarkgfm <unfixed>
- ghostwriter <unfixed> (unimportant)
- ruby-commonmarker <unfixed>
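Review bot: the buster triage added here covers only the cmark-gfm source package, while the same entry still lists python-cmarkgfm and ruby-commonmarker as <unfixed> with no [buster] annotation; if those packages carry their own copy of the cmark-gfm code and exist in buster, they need an explicit [buster] line as well (the same <no-dsa> (Minor issue), or <not-affected> with a reason), otherwise the LTS view will keep them open while the library itself is closed.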
@@ -55594,6 +55595,7 @@ CVE-2022-24725 (Shescape is a shell escape package for JavaScript. An issue in v
NOT-FOR-US: Node shescape
CVE-2022-24724 (cmark-gfm is GitHub's extended version of the C reference implementati ...)
- cmark-gfm 0.29.0.gfm.3-3 (bug #1006756)
+ [buster] - cmark-gfm <no-dsa> (Minor issue)
- ghostwriter <unfixed> (bug #1006757)
[bullseye] - ghostwriter <not-affected> (Vulnerable code not present)
[buster] - ghostwriter <not-affected> (Vulnerable code not present)
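Review bot: the justification on the new [buster] line is only "Minor issue", whereas the neighbouring ghostwriter lines for bullseye and buster give a checkable reason ("Vulnerable code not present"); since the commit message says no more than "same conclusion as for similar packages", consider recording in the tracker what limits the impact for buster, so the no-dsa decision can be re-examined later without digging through commit history.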
=====================================
data/dla-needed.txt
=====================================
@@ -25,6 +25,10 @@ clickhouse (Tobias Frost)
NOTE: 20221003: One pull request closes several CVEs.
NOTE: 20221003: Please evaluate, whether it can be applied.
--
+consul
+ NOTE: 20221031: Programming language: Go.
+ NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail.
+--
curl (Emilio)
NOTE: 20220901: Programming language: C.
NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git
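Review bot: the new consul entry does not say which CVE(s) prompted it, so "Concluded that the package should be fixed by the CVE description" cannot be checked by the person who later claims the package; add the CVE ids to that NOTE, and a VCS line like the curl entry below if a packaging repository exists, so the claimant sees exactly what was triaged without source analysis.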
@@ -158,6 +162,10 @@ python3.7 (Stefano Rivera)
NOTE: 20221031: Programming language: C.
NOTE: 20221031: Special attention: urgent.
--
+protobuf
+ NOTE: 20221031: Programming language: Several.
+ NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf.
+--
python-django
NOTE: 20221031: Programming language: Python.
NOTE: 20221031: VCS: https://salsa.debian.org/lts-team/packages/python-django.git
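Review bot: the second protobuf NOTE is ambiguous about where the 'Note' it refers to lives and which CVE it concerns; name the CVE id and the source of that remark (tracker entry, upstream advisory) so that its point, that affected code is generated into applications and is not fixed by updating the protobuf package alone, reaches whoever prepares the DLA and can be reflected in the advisory text and in checking reverse dependencies that ship generated code. "Programming language: Several." would also be more useful if it listed them.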
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/edf4189a63cb7a47cf1acd41f9682aab7a0d3db4...7ab81f4b68492e6834031c728c226c4fc40b6116