[Git][security-tracker-team/security-tracker][master] Added firmware-nonfree to dla-needed and at the same time removed some CVEs...

Ola Lundqvist (@opal) opal at debian.org
Tue Sep 6 21:57:50 BST 2022



Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5b6a4a2b by Ola Lundqvist at 2022-09-06T22:57:34+02:00
Added firmware-nonfree to dla-needed and at the same time removed some CVEs with non-free not supported for buster since firmware-nonfree is now an exception in LTS. Some CVEs got their no-dsa description adjusted instead.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -143481,7 +143481,6 @@ CVE-2020-24588 (The 802.11 standard that underpins Wi-Fi Protected Access (WPA,
 	[experimental] - firmware-nonfree 20210716-1~exp1
 	- firmware-nonfree 20210818-1
 	[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
-	[buster] - firmware-nonfree <no-dsa> (Non-free not supported)
 	NOTE: https://papers.mathyvanhoef.com/usenix2021.pdf
 	NOTE: https://www.fragattacks.com/
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html
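Review bot: Dropping the `[buster]` line leaves this entry with no buster-specific status for firmware-nonfree, so buster is now measured only against the unstable fix version `20210818-1`, while bullseye still carries `<no-dsa> (Non-free not supported)`. The same removal is made for CVE-2020-24587 and CVE-2020-24586 in the next two hunks. Please confirm the open state is intended for all three, and if triage later decides against a fix, re-add a `[buster]` line with the actual reason rather than leaving the entry bare.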
@@ -143501,7 +143500,6 @@ CVE-2020-24587 (The 802.11 standard that underpins Wi-Fi Protected Access (WPA,
 	[experimental] - firmware-nonfree 20210716-1~exp1
 	- firmware-nonfree 20210818-1
 	[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
-	[buster] - firmware-nonfree <no-dsa> (Non-free not supported)
 	NOTE: https://papers.mathyvanhoef.com/usenix2021.pdf
 	NOTE: https://www.fragattacks.com/
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html
@@ -143518,7 +143516,6 @@ CVE-2020-24586 (The 802.11 standard that underpins Wi-Fi Protected Access (WPA,
 	[experimental] - firmware-nonfree 20210716-1~exp1
 	- firmware-nonfree 20210818-1
 	[bullseye] - firmware-nonfree <no-dsa> (Non-free not supported)
-	[buster] - firmware-nonfree <no-dsa> (Non-free not supported)
 	NOTE: https://papers.mathyvanhoef.com/usenix2021.pdf
 	NOTE: https://www.fragattacks.com/
 	NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html
@@ -172071,7 +172068,7 @@ CVE-2020-12364 (Null pointer reference in some Intel(R) Graphics Drivers for Win
 	[bullseye] - linux <ignored> (Too intrusive to backport)
 	[buster] - linux <ignored> (Too intrusive to backport)
 	- firmware-nonfree 20210208-1
-	[buster] - firmware-nonfree <no-dsa> (Non-free not supported)
+	[buster] - firmware-nonfree <no-dsa> (Minor issue, too intrusive to fix since kernel patch is needed)
 	[stretch] - firmware-nonfree <ignored> (Minor issue, too intrusive to fix since kernel patch is needed)
 	NOTE: Short of details: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
 	NOTE: Per Intel, this was fixed by a firmware update. v49.0.1 of the
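Review bot: The new `[buster]` reason is copied from the `[stretch]` line, but stretch is marked `<ignored>` while buster stays `<no-dsa>`, and the buster `linux` line in the same entry is already `<ignored> (Too intrusive to backport)`. If the firmware side cannot be fixed without that kernel patch, `<ignored>` would be consistent with the other two lines; if `<no-dsa>` is deliberate because the issue may be revisited, a reason that says so would avoid the mixed signal.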
@@ -172085,7 +172082,7 @@ CVE-2020-12363 (Improper input validation in some Intel(R) Graphics Drivers for
 	[bullseye] - linux <ignored> (Too intrusive to backport)
 	[buster] - linux <ignored> (Too intrusive to backport)
 	- firmware-nonfree 20210208-1
-	[buster] - firmware-nonfree <no-dsa> (Non-free not supported)
+	[buster] - firmware-nonfree <no-dsa> (Minor issue, too intrusive to fix since kernel patch is needed)
 	[stretch] - firmware-nonfree <ignored> (Minor issue, too intrusive to fix since kernel patch is needed)
 	NOTE: Short of details: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
 	NOTE: Per Intel, this was fixed by a firmware update. v49.0.1 of the
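Review bot: On the added `[buster]` line, the reason states that a kernel patch is needed, and the buster `linux` line just above is `<ignored>`, so a firmware-nonfree upload alone would not close this CVE or CVE-2020-12364. It would help to say in the new dla-needed.txt entry that these two are out of scope, so whoever claims firmware-nonfree does not re-triage them.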


=====================================
data/dla-needed.txt
=====================================
@@ -45,6 +45,9 @@ exiv2
   NOTE: 20220819: Programming language: C++.
   NOTE: 20220819: https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292 does not directly apply, but a very quick glance suggests the earlier code may be equally vulnerable. (Chris Lamb)
 --
+firmware-nonfree
+  NOTE: 20220906: Consider to check the severity of the issues again and judge whether a correction is worth it.
+--
 glib2.0
   NOTE: 20220901: Programming language: C.
   NOTE: 20220901: Special attention: High Popcon!.
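Review bot: The added NOTE does not say which issues should be re-checked. The neighbouring entries carry concrete pointers (a commit URL for exiv2, language and popcon notes for glib2.0); naming the CVEs that this commit leaves without a buster annotation (CVE-2020-24586, CVE-2020-24587, CVE-2020-24588) would make the entry actionable. "Consider to check" would also read better as "Consider checking".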



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b6a4a2b319a12f21f9ee0df727ff661be018e2b
