[Git][security-tracker-team/security-tracker][master] identify actual fixes for two protobuf issues

Helmut Grohne (@helmutg) helmutg at debian.org
Thu Apr 6 11:46:40 BST 2023 


Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8f6c6e61 by Helmut Grohne at 2023-04-06T12:46:24+02:00
identify actual fixes for two protobuf issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -71048,6 +71048,7 @@ CVE-2022-1941 (A parsing vulnerability for the MessageSet type in the ProtocolBu
 	NOTE: https://www.openwall.com/lists/oss-security/2022/09/27/1
 	NOTE: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-8gq9-2x98-w8hf
 	NOTE: https://github.com/protocolbuffers/protobuf/commit/806d7e4ce6f1fd0545cae226b94cb0249ea495c7 (v3.20.2)
+	NOTE: main commit 7764c864bd5acdf60230a7b8fd29816170d0d04e
 CVE-2022-1940 (A Stored Cross-Site Scripting vulnerability in Jira integration in Git ...)
 	- gitlab <not-affected> (Vulnerable code introduced later)
 	NOTE: https://about.gitlab.com/releases/2022/06/01/critical-security-release-gitlab-15-0-1-released/
@@ -166631,6 +166632,7 @@ CVE-2021-22570 (Nullptr dereference when a null char is present in a proto symbo
 	[buster] - protobuf <no-dsa> (Minor issue)
 	[stretch] - protobuf <postponed> (Minor issue; clean crash / Dos; patch needs to be isolated)
 	NOTE: Fixed upstream in v3.15.0: https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
+	NOTE: Fixed in merge commit a00125024e9231d76746bd394fef8876f5cc15e2 in src/google/protobuf/descriptor.cc
 CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of com.google.proto ...)
 	[experimental] - protobuf 3.19.3-1
 	- protobuf 3.21.9-3



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f6c6e61ae78d3ffc64f1ed51d590585c9e1044d

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f6c6e61ae78d3ffc64f1ed51d590585c9e1044d
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230406/0809bc17/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list