[Git][security-tracker-team/security-tracker][master] Reserve DLA-3548-1 for qpdf
Thorsten Alteholz (@alteholz)
alteholz at debian.org
Tue Aug 29 22:01:38 BST 2023
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5ffdf337 by Thorsten Alteholz at 2023-08-29T23:00:36+02:00
Reserve DLA-3548-1 for qpdf
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -151410,7 +151410,6 @@ CVE-2021-36979 (Unicorn Engine 1.0.2 has an out-of-bounds write in tb_flush_arme
NOT-FOR-US: Unicorn Engine
CVE-2021-36978 (QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer ...)
- qpdf 10.1.0-1
- [buster] - qpdf <no-dsa> (Minor issue)
[stretch] - qpdf <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28262
NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qpdf/OSV-2020-2245.yaml
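Review bot: The removed `[buster] - qpdf <no-dsa> (Minor issue)` line for CVE-2021-36978 has no replacement in this hunk, so the entry is left with no buster-specific status; the fixed version 8.4.0-2+deb10u1 appears only in data/DLA/list. Confirm that a matching `[buster] - qpdf 8.4.0-2+deb10u1` line is generated from the DLA entry, or add it here so the CVE entry and the advisory agree.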
@@ -338377,7 +338376,6 @@ CVE-2012-6710 (ext_find_user in eXtplorer through 2.1.2 allows remote attackers
- extplorer <removed>
CVE-2018-18020 (In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and ...)
- qpdf 9.0.0-1
- [buster] - qpdf <no-dsa> (Minor issue)
[stretch] - qpdf <no-dsa> (Minor issue)
[jessie] - qpdf <no-dsa> (Minor issue)
NOTE: https://github.com/qpdf/qpdf/issues/243
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[29 Aug 2023] DLA-3548-1 qpdf - security update
+ {CVE-2018-18020 CVE-2021-25786 CVE-2021-36978}
+ [buster] - qpdf 8.4.0-2+deb10u1
[29 Aug 2023] DLA-3547-1 tryton-server - security update
[buster] - tryton-server 5.0.4-2+deb10u2
[28 Aug 2023] DLA-3546-1 opendmarc - security update
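Review bot: The CVE set on the added DLA-3548-1 entry includes CVE-2021-25786, but the data/CVE/list hunks in this commit only touch CVE-2018-18020 and CVE-2021-36978. Check the CVE-2021-25786 entry for a buster-specific tag (such as a `<no-dsa>` line like the two removed in data/CVE/list) that would need the same removal, so the tracker does not show a conflicting buster status for that CVE.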
=====================================
data/dla-needed.txt
=====================================
@@ -160,9 +160,6 @@ python2.7
NOTE: 20230826: and wasn't fixed in Debian, but the extra patch is now available and can be fixed now. (utkarsh)
NOTE: 20230826: contact Utkarsh in case you're unable to find the supplementary patch. (utkarsh)
--
-qpdf (Thorsten Alteholz)
- NOTE: 20230820: Added by Front-Desk (ta)
---
qt4-x11
NOTE: 20230822: Re-added for one remaining open CVE (roberto)
NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, fix or remove entry from this file (roberto)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ffdf33738fbbee2ad47c0774e58cc1609cdc4ba