[Git][security-tracker-team/security-tracker][master] Reserve DLA-3385-1 for trafficserver
Markus Koschany (@apo)
apo at debian.org
Wed Apr 5 22:58:25 BST 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
37314e97 by Markus Koschany at 2023-04-05T23:58:12+02:00
Reserve DLA-3385-1 for trafficserver
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -71078,7 +71078,6 @@ CVE-2022-31779 (Improper Input Validation vulnerability in HTTP/2 header parsing
CVE-2022-31778 (Improper Input Validation vulnerability in handling the Transfer-Encod ...)
{DSA-5206-1}
- trafficserver 9.1.3+ds-1
- [buster] - trafficserver <ignored> (Minor issue, intrusive to backport)
NOTE: https://lists.apache.org/thread/rc64lwbdgrkv674koc3zl1sljr9vwg21
CVE-2022-31777 (A stored cross-site scripting (XSS) vulnerability in Apache Spark 3.2. ...)
NOT-FOR-US: Apache Spark
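Review bot: Dropping the `[buster] - trafficserver <ignored> (Minor issue, intrusive to backport)` line for CVE-2022-31778 is correct once an advisory ships, since the buster fixed version will now be derived from the DLA-3385-1 entry instead of an ignore mark, but this hunk touches only one of the four CVEs the DLA covers. Check that CVE-2022-31779, CVE-2022-32749 and CVE-2022-37392 carry no leftover buster `<ignored>` or `<postponed>` marks in data/CVE/list that would contradict the new DLA, and consider adding a NOTE under CVE-2022-31778 recording why the earlier "intrusive to backport" assessment no longer applies (the update moves buster to 8.1.6 rather than cherry-picking the fix).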
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[05 Apr 2023] DLA-3385-1 trafficserver - security update
+ {CVE-2022-31778 CVE-2022-31779 CVE-2022-32749 CVE-2022-37392}
+ [buster] - trafficserver 8.1.6+ds-1~deb10u1
[05 Apr 2023] DLA-3384-1 tomcat9 - security update
{CVE-2022-42252 CVE-2023-28708}
[buster] - tomcat9 9.0.31-1~deb10u8
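Review bot: The new entry lists CVE-2022-31779 as fixed in 8.1.6+ds-1~deb10u1, yet the working notes removed from data/dla-needed.txt in this same commit state that no fix could be identified for that CVE and that it "might be the same fix as CVE-2022-31778 ... but no proof on that". If the claim rests on 8.1.6 being the upstream release that closed all four issues, record that reference (the lists.apache.org thread already cited under CVE-2022-31778, or the upstream release notes) as a NOTE in data/CVE/list so the fixed-version claim is auditable; otherwise the CVE should not be listed in the DLA. The version suffix itself matches the buster convention on the adjacent tomcat9 line (`~deb10u1`), which is fine.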
=====================================
data/dla-needed.txt
=====================================
@@ -293,16 +293,6 @@ tinymce
NOTE: 20221227: Programming language: PHP.
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git
--
-trafficserver (Markus Koschany)
- NOTE: 20230202: Programming language: C.
- NOTE: 20230202: Note recent DLA-3279-1 update. Removed notes (2d9f50586010) suggest CVE-2022-31779 may have already been investigated. (lamby)
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/trafficserver.git
- NOTE: 20230209: <tobi> very difficult to identify exact patches and on top significant refactoring, especially CVE-2022-31778
- NOTE: 20230209; CVE-2022-32749 is possibly https://github.com/apache/trafficserver/pull/9243, (see security tracker)
- NOTE: 20230209: CVE-2022-37392 mihgt be https://github.com/apache/trafficserver/commit/3b9cbf873a77bb7f9297f2b16496a290e0cf7de1
- NOTE: 20230209: could find informatin for CVE-2022-31779, might be the same fix as CVE-2022-31778 (marked as to be ignored), but no proof on that…
- NOTE: 20230209: not sure, maybe the safest way would be to update to 8.1.6. </tobi>
---
udisks2 (tobi)
NOTE: 20230404: Programming language: C, Python.
NOTE: 20230404: CVE-2021-3802 (kernel panic) fixed in all other dists (Debian 11.2, DLA-2809-1 for stretch) (Beuc/front-desk)
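Review bot: Deleting the whole trafficserver block discards the only place where the candidate upstream fixes were recorded: PR 9243 for CVE-2022-32749, commit 3b9cbf873a77bb7f9297f2b16496a290e0cf7de1 for CVE-2022-37392, and the unresolved question of whether CVE-2022-31779 shares the CVE-2022-31778 fix. Before removing the entry, carry those three references into NOTE lines under the respective CVEs in data/CVE/list (the tracker's usual home for fix-commit pointers), so that anyone auditing DLA-3385-1 later can see which upstream changes 8.1.6 was expected to contain. The removal is otherwise consistent with the file's layout: the `--` separator goes with the entry, and the neighbouring tinymce and udisks2 blocks are left intact.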
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37314e97462db45e1a7cf8b9e1e14c73c2cb9870