[Git][security-tracker-team/security-tracker][master] 3 commits: Remove bouncycastle from dla-needed.txt
Markus Koschany (@apo)
apo at debian.org
Sat Dec 23 21:11:39 GMT 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4a07c938 by Markus Koschany at 2023-12-23T22:00:07+01:00
Remove bouncycastle from dla-needed.txt
- - - - -
5775dc48 by Markus Koschany at 2023-12-23T22:09:43+01:00
CVE-2023-33202,bouncycastle: Buster is ignored
Buster is vulnerable. Just apply the test patch from
https://salsa.debian.org/java-team/bouncycastle/-/blob/buster/debian/patches/test-CVE-2023-33202.patch?ref_type=heads
to verify it. The ASN1 module has been completely reworked in newer releases
and the upstream patch cannot be applied as is. I know that the changes break
reverse-dependencies, hence I am going to mark this issue as ignored in Buster.
- - - - -
15d84ba1 by Markus Koschany at 2023-12-23T22:10:43+01:00
Update squid notes. Claim asterisk in dla-needed.txt
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5765,6 +5765,7 @@ CVE-2023-33202 (Bouncy Castle for Java before 1.73 contains a potential Denial o
- bouncycastle 1.77-1 (bug #1056754)
[bookworm] - bouncycastle <no-dsa> (Minor issue)
[bullseye] - bouncycastle <no-dsa> (Minor issue)
+ [buster] - bouncycastle <ignored> (Minor issue)
NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33202
NOTE: Fixed by https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c (r1rv73)
CVE-2023-43123 (On unix-like systems, the temporary directory is shared between all us ...)
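Review bot: the added `[buster] - bouncycastle <ignored> (Minor issue)` line records only "Minor issue" as the reason, while the commit message gives the actual rationale (the upstream fix does not apply to buster's older ASN1 code and a backport would break reverse-dependencies). bookworm and bullseye carry the same "(Minor issue)" text but are merely no-dsa, so the distinct ignored state for buster should carry its own reason in the parenthetical, e.g. `[buster] - bouncycastle <ignored> (Minor issue; fix breaks reverse-dependencies)`, so that the triage decision is visible in the tracker rather than only in git history.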
=====================================
data/dla-needed.txt
=====================================
@@ -29,7 +29,7 @@ ansible (rouca)
NOTE: 20231217: Begin to triage CVEs (rouca)
NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca)
--
-asterisk
+asterisk (Markus Koschany)
NOTE: 20231210: Added by Front-Desk (ta)
--
bind9 (Thorsten Alteholz)
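Review bot: the asterisk claim changes only the header line and leaves the entry with just the Front-Desk note from 20231210. Neighbouring entries track progress with dated, tagged lines such as `NOTE: 20231217: Begin to triage CVEs (rouca)`, so a `NOTE: 20231223: ... (apo)` line stating what is being worked on would keep the entry consistent with the rest of the file.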
@@ -37,12 +37,6 @@ bind9 (Thorsten Alteholz)
NOTE: 20231008: backporting patches
NOTE: 20231217: almost done with testing
--
-bouncycastle (Markus Koschany)
- NOTE: 20231127: Added by Front-Desk (Beuc)
- NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk)
- NOTE: 20231128: I can't find changes in PEMParser.java related to CVE-2023-33202, maybe contact upstream (Beuc/front-desk)
- NOTE: 20231218: Decision impending. (apo)
---
cacti (Sylvain Beucler)
NOTE: 20230906: Added by Front-Desk (lamby)
NOTE: 20231205: Triaging CVEs backlog (Beuc)
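Review bot: removing the whole bouncycastle entry also removes the 20231127 note that other pending no-dsa CVEs, in particular CVE-2020-26939 (fixed in stretch-lts), were to be fixed alongside; nothing in this change records those as resolved or ignored for buster, so that work item disappears from dla-needed.txt. Either keep the entry with a note on the remaining CVEs or record their buster status in data/CVE/list in the same commit.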
@@ -217,6 +211,7 @@ samba
squid (Markus Koschany)
NOTE: 20231102: Added by Front-Desk (lamby)
NOTE: 20231218: Investigating new CVE. (apo)
+ NOTE: 20231223: The update requires a few more tests. Intend to release after the holidays.
--
suricata (Adrian Bunk)
NOTE: 20230620: Added by Front-Desk (Beuc)
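Review bot: the new squid line `NOTE: 20231223: The update requires a few more tests. Intend to release after the holidays.` lacks the author tag that the earlier notes in this entry carry (`(lamby)`, `(apo)`); append `(apo)` so the note is attributable like the others.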
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/87fd535340305ac0bdabf6eb1c931776f0599262...15d84ba15106c190afd0ad7cdc8fe1d234b1a1b2
--
You're receiving this email because of your account on salsa.debian.org.