[Git][security-tracker-team/security-tracker][master] 8 commits: LTS: add configobj to dla-needed.txt
Markus Koschany (@apo)
apo at debian.org
Sun Apr 16 23:00:01 BST 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d336af8c by Markus Koschany at 2023-04-16T23:59:39+02:00
LTS: add configobj to dla-needed.txt
- - - - -
adfdfed3 by Markus Koschany at 2023-04-16T23:59:40+02:00
CVE-2023-30630,dmidecode: Buster is no-dsa
Minor issue
- - - - -
c4f84a15 by Markus Koschany at 2023-04-16T23:59:42+02:00
CVE-2023-2004,freetype: Buster is postponed
Minor issue. Can be fixed later.
- - - - -
643484fc by Markus Koschany at 2023-04-16T23:59:42+02:00
LTS: add heimdal to dla-needed.txt
- - - - -
0be4c5da by Markus Koschany at 2023-04-16T23:59:42+02:00
LTS: add libxml2 to dla-needed.txt
- - - - -
35e1a85d by Markus Koschany at 2023-04-16T23:59:42+02:00
LTS: add asterisk to dla-needed.txt
- - - - -
13f2c762 by Markus Koschany at 2023-04-16T23:59:43+02:00
CVE-2022-48468,protobuf-c: Buster is no-dsa
Minor issue
- - - - -
22df26e1 by Markus Koschany at 2023-04-16T23:59:43+02:00
LTS: add python2.7 to dla-needed.txt
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -358,6 +358,7 @@ CVE-2023-30631
CVE-2023-30630 (Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This ...)
- dmidecode <unfixed> (bug #1034483)
[bullseye] - dmidecode <no-dsa> (Minor issue)
+ [buster] - dmidecode <no-dsa> (Minor issue)
NOTE: https://github.com/adamreiser/dmiwrite
NOTE: https://lists.nongnu.org/archive/html/dmidecode-devel/2023-03/msg00003.html
NOTE: https://git.savannah.nongnu.org/cgit/dmidecode.git/commit/?id=d8cfbc808f387e87091c25e7d5b8c2bb348bb206
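Review bot: the new buster line mirrors bullseye's existing `<no-dsa> (Minor issue)` triage, so the two LTS/oldstable entries are now consistent with each other and with the `<unfixed> (bug #1034483)` sid entry; the upstream fix commit is already referenced in the NOTE lines, so nothing further is needed for this hunk. One cosmetic point: the imported description reads `-dump-bin` with a single dash while the dmidecode option is `--dump-bin`; since that text comes from the CVE feed it should stay as-is, but it is worth knowing when reading the entry.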
@@ -639,6 +640,7 @@ CVE-2023-2012
CVE-2022-48468 (protobuf-c before 1.4.1 has an unsigned integer overflow in parse_requ ...)
- protobuf-c 1.4.1-1
[bullseye] - protobuf-c <no-dsa> (Minor issue)
+ [buster] - protobuf-c <no-dsa> (Minor issue)
NOTE: https://github.com/protobuf-c/protobuf-c/commit/289f5c18b195aa43d46a619d1188709abbfa9c82 (v1.4.1)
NOTE: https://github.com/protobuf-c/protobuf-c/commit/0d1fd124a4e0a07b524989f6e64410ff648fba61 (v1.4.1)
NOTE: https://github.com/protobuf-c/protobuf-c/pull/513
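Review bot: buster now carries the same `<no-dsa> (Minor issue)` marker as bullseye, which matches the `protobuf-c 1.4.1-1` fixed-version line above it; both upstream commits in the NOTE lines are tagged `(v1.4.1)`, so the triage is bounded by a known fix and the hunk is consistent. No change suggested.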
@@ -799,6 +801,7 @@ CVE-2023-2005
RESERVED
CVE-2023-2004 (An integer overflow vulnerability was discovered in Freetype in tt_hva ...)
- freetype <unfixed>
+ [buster] - freetype <postponed> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
NOTE: https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611 (VER-2-13-0)
CVE-2023-2003
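Review bot: this hunk adds a buster triage line but leaves bullseye without one, so after this change CVE-2023-2004 still shows as open and untriaged for bullseye while buster is `<postponed>`. Suggest adding a matching line, e.g. `[bullseye] - freetype <postponed> (Minor issue)`, or documenting why bullseye differs, so the two suites are not left in an asymmetric state; the `<unfixed>` sid entry is unaffected either way.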
=====================================
data/dla-needed.txt
=====================================
@@ -26,6 +26,10 @@ apache2 (rouca)
NOTE: 20230312: Special attention: Double check an update! Package is used by many customers and users!.
NOTE: 20230326: VCS: https://salsa.debian.org/apache-team/apache2. Yadd is ok for using apache2 salsa tree
--
+asterisk
+ NOTE: 20230416: Programming language: C.
+ NOTE: 20230416: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git
+--
cairosvg (dleidert)
NOTE: 20230323: Programming language: Python.
NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert)
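Review bot: the asterisk entry follows the file's pattern (language NOTE, VCS NOTE, `--` separator) and is inserted in alphabetical order between apache2 and cairosvg; it is added unclaimed, which is the normal state for a package awaiting an LTS claimant. No change suggested.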
@@ -40,6 +44,10 @@ ceph
NOTE: 20230102: [buster] - ceph <not-affected> (ceph-crash service added in Ceph 14) (stefanor)
NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git
--
+configobj
+ NOTE: 20230416: Programming language: Python.
+ NOTE: 20230416: Special attention: Low priority but high popcon.
+--
consul (Abhijith PA)
NOTE: 20221031: Programming language: Go.
NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail.
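Review bot: unlike the neighbouring ceph and consul entries, configobj is added without a `VCS:` NOTE line; suggest adding one once the packaging repository is known so a future claimant does not have to look it up. The `Special attention: Low priority but high popcon.` note is a useful triage hint and reads fine.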
@@ -112,6 +120,11 @@ hdf5
NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably
NOTE: 20230318: sync w/ him. (utkarsh)
--
+heimdal
+ NOTE: 20230416: Programming language: C.
+ NOTE: 20230416: VCS: https://salsa.debian.org/lts-team/packages/heimdal
+ NOTE: 20230416: Special attention: Do review patches, even those, coming from upstream..
+--
jruby
NOTE: 20230403: Programming language: Ruby, Java, C.
NOTE: 20230403: Special attention: Not in bullseye
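Review bot: the heimdal `Special attention` NOTE has a stray comma and a doubled full stop (`even those, coming from upstream..`); suggest `Do review patches, even those coming from upstream.` in a follow-up commit, since the hunk lines here are the record of the change. Minor consistency point: the VCS URL lacks the `.git` suffix used by the asterisk, libxml2 and python2.7 entries in this same patch.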
@@ -124,6 +137,10 @@ libapache2-mod-auth-openidc (Adrian Bunk)
NOTE: 20230404: CVE-2022-23527 will be fixed in Debian 11.7 (#1026447)
NOTE: 20230404: Also check if other postponed/open CVEs need to be fixed (Beuc/front-desk)
--
+libxml2
+ NOTE: 20230416: Programming language: C.
+ NOTE: 20230416: VCS: https://salsa.debian.org/lts-team/packages/libxml2.git
+--
linux (Ben Hutchings)
NOTE: 20230111: Programming language: C
--
@@ -214,6 +231,11 @@ python-oslo.privsep
NOTE: 20221231: Programming language: Python.
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/python-oslo.privsep.git
--
+python2.7
+ NOTE: 20230416: Programming language: C, Python.
+ NOTE: 20230416: VCS: https://salsa.debian.org/lts-team/packages/python2.7.git
+ NOTE: 20230416: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/python.html
+--
python3.7
NOTE: 20230220: Programming language: Python.
NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/python3.7.git
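Review bot: the python2.7 entry is the most complete of the new additions (language, VCS and a `Testsuite:` NOTE) and sits correctly before python3.7; the Testsuite link is the kind of pointer the other new entries (asterisk, heimdal, libxml2) would benefit from as well, where an LTS test-suite page exists. No change suggested for this hunk.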
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1cc6b5e738b032d215296bb6bb948f0439baac9b...22df26e14c974a755876f3fbeff37edba6dc5a9b