[Git][security-tracker-team/security-tracker][master] Reserve DLA-3393-1 for protobuf

Tue Apr 18 08:04:03 BST 2023


Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ad65f979 by Helmut Grohne at 2023-04-18T09:03:41+02:00
Reserve DLA-3393-1 for protobuf

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -170504,7 +170504,6 @@ CVE-2021-22570 (Nullptr dereference when a null char is present in a proto symbo
 	[experimental] - protobuf 3.17.1-1
 	- protobuf 3.21.9-3
 	[bullseye] - protobuf <no-dsa> (Minor issue)
-	[buster] - protobuf <no-dsa> (Minor issue)
 	[stretch] - protobuf <postponed> (Minor issue; clean crash / Dos; patch needs to be isolated)
 	NOTE: Fixed upstream in v3.15.0: https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
 	NOTE: Fixed in merge commit https://github.com/protocolbuffers/protobuf/a00125024e9231d76746bd394fef8876f5cc15e2
@@ -170513,7 +170512,6 @@ CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of com.google
 	[experimental] - protobuf 3.19.3-1
 	- protobuf 3.21.9-3
 	[bullseye] - protobuf <no-dsa> (Minor issue)
-	[buster] - protobuf <no-dsa> (Minor issue)
 	[stretch] - protobuf <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2022/01/12/4
 	NOTE: https://cloud.google.com/support/bulletins#gcp-2022-001


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[18 Apr 2023] DLA-3393-1 protobuf - security update
+	{CVE-2021-22569 CVE-2021-22570 CVE-2022-1941}
+	[buster] - protobuf 3.6.1.3-2+deb10u1
 [17 Apr 2023] DLA-3392-1 ruby-rack - security update
 	{CVE-2023-27530 CVE-2023-27539}
 	[buster] - ruby-rack 2.0.6-3+deb10u3


=====================================
data/dla-needed.txt
=====================================
@@ -222,11 +222,6 @@ pluxml
   NOTE: 20220913: Special attention: orphaned package.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/pluxml.git
 --
-protobuf (Helmut Grohne)
-  NOTE: 20221031: Programming language: Several.
-  NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf.
-  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/protobuf.git
---
 puppet-module-puppetlabs-mysql
   NOTE: 20221107: Programming language: Puppet, Ruby.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/puppet-module-puppetlabs-mysql.git



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad65f9796ca0a39e10dcadc212513d040387ecb3

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad65f9796ca0a39e10dcadc212513d040387ecb3
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230418/67edb4f0/attachment-0001.htm>
