[Git][security-tracker-team/security-tracker][master] mark protobuf as ignored
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Thu Apr 13 14:27:59 BST 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f530ed3b by Moritz Muehlenhoff at 2023-04-13T15:26:31+02:00
mark protobuf as ignored
we use unimportant for issues with negligble impact or non issue, here
there is some impact, but we can't meaningfully address it with a
backport, so mark as <ignored>
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -43934,12 +43934,14 @@ CVE-2022-3511 (The Awesome Support WordPress plugin before 6.1.2 does not ensure
NOT-FOR-US: WordPress plugin
CVE-2022-3510 (A parsing issue similar to CVE-2022-3171, but with Message-Type Extens ...)
[experimental] - protobuf 3.21.7-1
- - protobuf 3.21.9-3 (unimportant)
+ - protobuf 3.21.9-3
+ [bullseye] - protobuf <ignored> (Too intrusive to backport, requires significant refactoring via CVE-2022-3171)
NOTE: https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48
NOTE: CPU DoS in protobuf-java, requires significant refactoring via CVE-2022-3171
CVE-2022-3509 (A parsing issue similar to CVE-2022-3171, but with textformat in proto ...)
[experimental] - protobuf 3.21.7-1
- - protobuf 3.21.9-3 (unimportant)
+ - protobuf 3.21.9-3
+ [bullseye] - protobuf <ignored> (Too intrusive to backport, requires significant refactoring via CVE-2022-3171)
NOTE: https://github.com/protocolbuffers/protobuf/commit/a3888f53317a8018e7a439bac4abeb8f3425d5e9 (v21.7, v3.21.7)
NOTE: CPU DoS in protobuf-java, requires significant refactoring via CVE-2022-3171
CVE-2022-3508
@@ -50863,7 +50865,8 @@ CVE-2022-3172
NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here
CVE-2022-3171 (A parsing issue with binary data in protobuf-java core and lite versio ...)
[experimental] - protobuf 3.21.7-1
- - protobuf 3.21.9-3 (unimportant)
+ - protobuf 3.21.9-3
+ [bullseye] - protobuf <ignored> (Too intrusive to backport, requires significant refactoring via CVE-2022-3171)
NOTE: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-h4h5-3hr4-j3g2
NOTE: https://github.com/protocolbuffers/protobuf/pull/10664
NOTE: https://github.com/protocolbuffers/protobuf/pull/10665
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f530ed3b79332ddeec147aa7e4a5d72ac589039c
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f530ed3b79332ddeec147aa7e4a5d72ac589039c
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230413/c47b2326/attachment.htm>
More information about the debian-security-tracker-commits
mailing list