[Git][security-tracker-team/security-tracker][master] Reserve DLA-3108-1 for pcs
Valentin Vidic (@vvidic)
vvidic at debian.org
Wed Sep 14 22:51:22 BST 2022
Valentin Vidic pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b31594f7 by Valentin Vidic at 2022-09-14T23:51:09+02:00
Reserve DLA-3108-1 for pcs
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -35552,7 +35552,6 @@ CVE-2022-1050 (A flaw was found in the QEMU implementation of VMWare's paravirtu
CVE-2022-1049 (A flaw was found in the Pacemaker configuration tool (pcs). The pcs da ...)
{DSA-5226-1}
- pcs 0.11.3-1
- [buster] - pcs <no-dsa> (Minor issue)
[stretch] - pcs <not-affected> (Vulnerable code introduced later, ./pcs/daemon/ not present)
NOTE: https://huntr.dev/bounties/7aa921fc-a568-4fd8-96f4-7cd826246aa5
NOTE: https://github.com/ClusterLabs/pcs/commit/fb860005117dc9e092649687dfa1304fb423efc5
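Review bot: dropping the `[buster] - pcs <no-dsa> (Minor issue)` line flips buster from "unfixed, no DSA planned" to "fixed in 0.10.1-2+deb10u1" (the version recorded in the data/DLA/list hunk of this same commit), while the commit message only says the DLA is being reserved. If the +deb10u1 upload has not yet been accepted into buster-security, the tracker will report the issue as fixed for buster before a fix is installable; suggest keeping the no-dsa line until the upload is in, and in any case always changing the CVE/list marking and the DLA/list entry together so buster never ends up with neither a no-dsa marking nor a fixed version. The `{DSA-5226-1}` reference and the stretch `<not-affected>` line are untouched, which is correct.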
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[14 Sep 2022] DLA-3108-1 pcs - security update
+ {CVE-2022-1049}
+ [buster] - pcs 0.10.1-2+deb10u1
[13 Sep 2022] DLA-3107-1 sqlite3 - security update
{CVE-2020-35525 CVE-2020-35527 CVE-2021-20223}
[buster] - sqlite3 3.27.2-3+deb10u2
=====================================
data/dla-needed.txt
=====================================
@@ -114,15 +114,6 @@ openexr
openvswitch
NOTE: 20220911: No known patch for this problem.
--
-pcs (Valentin Vidic)
- NOTE: 20220905: Programming language: Python.
- NOTE: 20220905: Local access needed to get exploit the vulnerability.
- NOTE: 20220905: One could argue that the vulnerability is in Thin::Backends::UnixServer:connect
- NOTE: 20220905: since the solution is to override that function with a new umask.
- NOTE: 20220905: https://lists.debian.org/debian-lts/2022/09/msg00007.html
- NOTE: 20220908: CVE-2022-2735 not-affected: Vulnerable code not present, see #1018930.
- NOTE: 20220908: CVE-2022-1049 vulnerable
---
php-phpseclib
NOTE: 20220909: Programming language: PHP.
NOTE: 20220909: Note the discussion whether 2.0 is in fact affected by the CVE or not. It looks like it is affected by a small part of it that is best to fix..
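Review bot: the deleted pcs block carries triage that is not carried over anywhere else in this commit, in particular `NOTE: 20220908: CVE-2022-2735 not-affected: Vulnerable code not present, see #1018930.` and the observation that the effective fix is overriding Thin::Backends::UnixServer:connect with a new umask. Only the CVE-2022-1049 entry in data/CVE/list is touched here, so unless the CVE-2022-2735 entry already has a `[buster] - pcs <not-affected>` marking with that reason, the not-affected assessment and the bug reference are lost with this removal. Suggest checking that entry and, if the marking is missing, adding it (with the #1018930 reference) in the same commit so the tracker keeps the rationale; the umask note would also be worth preserving as a NOTE on CVE-2022-1049 since it explains why the fix lives outside ./pcs/daemon/.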
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b31594f766d64ae5e3da7050217be1148d84c313
More information about the debian-security-tracker-commits mailing list