[Git][security-tracker-team/security-tracker][master] Reserve DLA-3695-1 for ansible

Bastien Roucariès (@rouca) rouca at debian.org
Thu Dec 28 17:32:26 GMT 2023



Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6f71a147 by Bastien Roucariès at 2023-12-28T17:31:59+00:00
Reserve DLA-3695-1 for ansible

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -79855,7 +79855,6 @@ CVE-2022-3698 (A denial of service vulnerability was reported in the Lenovo Hard
 CVE-2022-3697 (A flaw was found in Ansible in the amazon.aws collection when using th ...)
 	- ansible 7.0.0+dfsg-1
 	[bullseye] - ansible <no-dsa> (Minor issue)
-	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2137664
 	NOTE: https://github.com/ansible-collections/amazon.aws/pull/1199
 CVE-2022-3696 (A post-auth code injection vulnerability allows admins to execute code ...)
@@ -176021,7 +176020,6 @@ CVE-2021-3620 (A flaw was found in Ansible Engine's ansible-connection module, w
 	- ansible-core 2.12.0-1
 	- ansible 5.4.0-1
 	[bullseye] - ansible <postponed> (Minor issue, revisit when/if fixed upstream)
-	[buster] - ansible <postponed> (Minor issue, revisit when/if fixed upstream)
 	[stretch] - ansible <end-of-life> (EOL'd for stretch)
 	- ansible-base <removed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975767
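
Review bot: In the CVE-2021-3620 entry, the [bullseye] line kept as context still reads "<postponed> (Minor issue, revisit when/if fixed upstream)", although the same entry already records fixed versions (ansible-core 2.12.0-1, ansible 5.4.0-1) and the buster line is dropped here because the DLA covers it. Consider revisiting the bullseye status or rewording its reason, so that the newer release does not sit on a stale "if fixed upstream" note while the older one is fixed.
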
@@ -178863,7 +178861,6 @@ CVE-2021-3584 (A server side remote code execution vulnerability was found in Fo
 CVE-2021-3583 (A flaw was found in Ansible, where a user's controller is vulnerable t ...)
 	- ansible 5.4.0-1
 	[bullseye] - ansible <no-dsa> (Minor issue)
-	[buster] - ansible <no-dsa> (Minor issue)
 	[stretch] - ansible <end-of-life> (EOL'd for stretch)
 	- ansible-core 2.12.0-1
 	- ansible-base <removed>
@@ -193984,7 +193981,6 @@ CVE-2021-3448 (A flaw was found in dnsmasq in versions before 2.85. When configu
 	NOTE: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=74d4fcd756a85bc1823232ea74334f7ccfb9d5d2
 CVE-2021-3447 (A flaw was found in several ansible modules, where parameters containi ...)
 	- ansible 2.10.7+merged+base+2.10.8+dfsg-1 (bug #1014721)
-	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939349
 	NOTE: Fedora announcement https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JBZ75MAMVQVZROPYHMRDQKPPVASP63DG/
 	NOTE: Fixed by: https://github.com/ansible/ansible/commit/9052b0e7f2d66aaec3420a5f6f678a22aab9fa8d (v2.9.20rc1)
@@ -216386,7 +216382,6 @@ CVE-2021-20192
 CVE-2021-20191 (A flaw was found in ansible. Credentials, such as secrets, are being d ...)
 	- ansible 5.4.0-1 (bug #985753)
 	[bullseye] - ansible <no-dsa> (Minor issue)
-	[buster] - ansible <no-dsa> (Minor issue)
 	[stretch] - ansible <end-of-life> (EOL'd for stretch)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1916813
 	NOTE: https://github.com/ansible-collections/cisco.nxos/pull/227
@@ -216437,7 +216432,6 @@ CVE-2021-20179 (A flaw was found in pki-core. An attacker who has successfully c
 CVE-2021-20178 (A flaw was found in ansible module where credentials are disclosed in  ...)
 	- ansible 5.4.0-1 (bug #985753)
 	[bullseye] - ansible <no-dsa> (Minor issue)
-	[buster] - ansible <no-dsa> (Minor issue)
 	[stretch] - ansible <end-of-life> (EOL'd for stretch)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1914774
 	NOTE: https://github.com/ansible-collections/community.general/pull/1621


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[28 Dec 2023] DLA-3695-1 ansible - security update
+	{CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620 CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115}
+	[buster] - ansible 2.7.7+dfsg-1+deb10u2
 [25 Dec 2023] DLA-3694-1 openssh - security update
 	{CVE-2021-41617 CVE-2023-48795 CVE-2023-51385}
 	[buster] - openssh 1:7.9p1-10+deb10u4
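
Review bot: The CVE set on the DLA-3695-1 line names eight CVEs, but data/CVE/list in this commit only drops the [buster] status line for six of them (CVE-2022-3697, CVE-2021-3620, CVE-2021-3583, CVE-2021-3447, CVE-2021-20191, CVE-2021-20178). CVE-2019-10206 and CVE-2023-5115 have no hunk there, so please confirm their entries carry no leftover [buster] line such as <no-dsa> or <postponed> that would contradict the fixed version 2.7.7+dfsg-1+deb10u2.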


=====================================
data/dla-needed.txt
=====================================
@@ -20,14 +20,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 To make it easier to see the entire history of an update, please append notes
 rather than remove/replace existing ones.
 
---
-ansible (rouca)
-  NOTE: 20231202: Added by Front-Desk (Beuc)
-  NOTE: 20231202: Supported package, but there's a CVE backlog, and no updates since 2021
-  NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an opportunity to
-  NOTE: 20231202: assess/fix the situation.
-  NOTE: 20231217: Begin to triage CVEs (rouca)
-  NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca)
 --
 asterisk (Markus Koschany)
   NOTE: 20231210: Added by Front-Desk (ta)
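
Review bot: The removed ansible block carries the only record of the triage, including the 20231217 note that mails were sent upstream for clarification, and nothing else in this commit captures the outcome. If any of those answers decided which CVEs went into the DLA, a NOTE on the affected entries in data/CVE/list would keep that reasoning findable once this block is gone.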



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f71a147a67d59c50b18a2daae81a5a2dc4eab02
