[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: Add VCS information into the packages
Anton Gladky (@gladk)
gladk at debian.org
Mon Feb 6 06:18:42 GMT 2023
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker
Commits:
66cc402e by Anton Gladky at 2023-02-06T07:08:35+01:00
LTS: Add VCS information into the packages
- - - - -
642644cf by Anton Gladky at 2023-02-06T07:08:52+01:00
semi-automatic unclaim after 2 weeks of inactivity
Signed-off-by: Anton Gladky <gladk at debian.org>
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
=====================================
data/dla-needed.txt
=====================================
@@ -16,6 +16,7 @@ rather than remove/replace existing ones.
389-ds-base
NOTE: 20221231: Programming language: C.
NOTE: 20221231: Few users. Low prio. (opal).
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/389-ds-base.git
--
apache2 (Lee Garrett)
NOTE: 20221227: Programming language: C.
@@ -38,6 +39,7 @@ ceph
consul
NOTE: 20221031: Programming language: Go.
NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail.
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git
--
erlang
NOTE: 20221119: Programming language: Erlang.
@@ -57,6 +59,7 @@ fusiondirectory
NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk).
NOTE: 20221203: Also the package was removed from sid recently (gladk)..
NOTE: 20221203: Feel free to marke both CVEs as <ignored>, if they are not too serious (gladk).
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/fusiondirectory.git
--
golang-1.11
NOTE: 20220916: Programming language: Go.
@@ -64,10 +67,12 @@ golang-1.11
NOTE: 20220916: Harmonize with bullseye and stretch: 9 CVEs fixed in Debian 11.2 & 11.3 + 2 CVEs fixed in stretch-lts (Beuc/front-desk)
NOTE: 20220916: CVE-2020-28367 CVE-2021-33196 CVE-2021-36221 CVE-2021-39293 CVE-2021-41771 CVE-2021-44716 CVE-2021-44717 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 CVE-2022-24921
NOTE: 20230111: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/golang.html
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/golang-1.11.git
--
golang-github-nats-io-jwt
NOTE: 20221109: Programming language: Go.
NOTE: 20221109: Special attention: limited support, cf. buster release notes; not in bullseye
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/golang-github-nats-io-jwt.git
--
golang-go.crypto
NOTE: 20220915: Programming language: Go.
@@ -75,11 +80,13 @@ golang-go.crypto
NOTE: 20220915: Special attention: limited support, cf. buster release notes
NOTE: 20220915: Special attention: rebuild reverse-dependencies if needed, e.g. DLA-2402-1 -> DLA-2453-1/DLA-2454-1/DLA-2455-1
NOTE: 20220915: Special attention: also check bullseye status
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/golang-go.crypto.git
--
golang-websocket
NOTE: 20220915: Programming language: Go.
NOTE: 20220915: 1 CVE fixed in stretch and bullseye (golang-github-gorilla-websocket) (Beuc/front-desk)
NOTE: 20220915: Special attention: limited support; requires rebuilding reverse dependencies
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/golang-websocket.git
--
golang-yaml.v2
NOTE: 20230125: Programming language: Go.
@@ -88,6 +95,7 @@ golang-yaml.v2
--
graphite-web (Chris Lamb)
NOTE: 20221229: Programming language: Python.
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/graphite-web.git
--
imagemagick (Roberto C. Sánchez)
NOTE: 20220904: Programming language: C.
@@ -98,10 +106,12 @@ imagemagick (Roberto C. Sánchez)
kopanocore
NOTE: 20220801: Programming language: C++.
NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) (gusnan/retired)
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/kopanocore.git
--
libapache2-mod-auth-mellon (Utkarsh)
NOTE: 20230105: Programming language: C.
NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-mellon.git
--
libgit2 (gladk)
NOTE: 20230126: Programming language: C.
@@ -115,6 +125,7 @@ libreoffice
libsdl2 (Markus Koschany)
NOTE: 20221111: Programming language: C.
NOTE: 20221111: Sync with jessie/stretch/bullseye (Beuc/front-desk)
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/libsdl2.git
--
linux (Ben Hutchings)
NOTE: 20230111: Programming language: C
@@ -123,6 +134,7 @@ man2html (gladk)
NOTE: 20221004: Programming language: C.
NOTE: 20221004: It looks like not patch is available.
NOTE: 20221004: Please evalulate, whether the issue can be marked as <ignored>.
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/man2html.git
--
netatalk
NOTE: 20220816: Programming language: C.
@@ -137,24 +149,29 @@ nextcloud-desktop
--
nheko (Abhijith PA)
NOTE: 20230101: Programming language: C++.
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/nheko.git
--
node-css-what
NOTE: 20221031: Programming language: Javascript.
NOTE: 20230130: Module has been rewritten in Typescript since Buster released (guilhem).
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-css-what.git
--
node-got
NOTE: 20221111: Programming language: JavaScript.
NOTE: 20221111: Follow fixes from bullseye 11.4 (Beuc/front-desk)
NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby).
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-got.git
--
node-nth-check
NOTE: 20221111: Programming language: JavaScript.
NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby).
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-nth-check.git
--
node-url-parse (guilhem)
NOTE: 20221111: Programming language: JavaScript.
NOTE: 20221111: Follow fixes from bullseye 11.4 + check postponed issues (Beuc/front-desk)
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-url-parse.git
--
nodejs
NOTE: 20221105: Programming language: Javascript, C/C++, Python
@@ -179,6 +196,7 @@ openimageio
--
openjdk-11 (Emilio)
NOTE: 20230123: Programming language: Java.
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/openjdk-11.git
--
php-cas
NOTE: 20221105: Programming language: PHP.
@@ -186,30 +204,37 @@ php-cas
NOTE: 20221107: php-cas only has 2 reverse-deps in buster (fusiondirectory, ocsinventory-reports),
NOTE: 20221107: consider fixing all 3 packages; also check situation in ELTS for reference (Beuc/front-desk)
NOTE: 20221110: upcoming DSA (Beuc/front-desk)
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/php-cas.git
--
pluxml
NOTE: 20220913: Programming language: PHP.
NOTE: 20220913: Special attention: orphaned package.
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/pluxml.git
--
protobuf
NOTE: 20221031: Programming language: Several.
NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf.
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/protobuf.git
--
puppet-module-puppetlabs-mysql
NOTE: 20221107: Programming language: Puppet, Ruby.
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/puppet-module-puppetlabs-mysql.git
--
python-oslo.privsep
NOTE: 20221231: Programming language: Python.
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/python-oslo.privsep.git
--
qemu
NOTE: 20221108: Programming language: C.
NOTE: 20221108: I updated the status of all opened (minor) CVEs to more clearly state whether we can fix or are waiting for a patch,
NOTE: 20221108: there's about half of them that can be fixed now (or definitely ignored if backporting is too risky/complex) (Beuc/front-desk)
NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/qemu.html
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/qemu.git
--
r-cran-commonmark
NOTE: 20221009: Programming language: R.
NOTE: 20221009: Please synchronize with ghostwriter.
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/r-cran-commonmark.git
--
rails
NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
@@ -224,6 +249,7 @@ rails
NOTE: 20221209: Programming language: Ruby.
NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/rails.html
NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh)
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/rails.git
--
rainloop
NOTE: 20220913: Programming language: PHP, JavaScript.
@@ -232,6 +258,7 @@ rainloop
NOTE: 20220913: a "SnappyMail" fork exists and may have patches we can use,
NOTE: 20220913: also there's an unofficial one for CVE-2022-29360;
NOTE: 20220913: Evaluate the situation and decide whether we should support or EOL this package (Beuc/front-desk)
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/rainloop.git
--
ring
NOTE: 20221120: Programming language: C.
@@ -239,6 +266,7 @@ ring
--
ruby-loofah
NOTE: 20221231: Programming language: Ruby.
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/ruby-loofah.git
--
ruby-rails-html-sanitizer
NOTE: 20221231: Programming language: Ruby.
@@ -247,10 +275,12 @@ ruby-rails-html-sanitizer
ruby-sidekiq (Utkarsh)
NOTE: 20221231: Programming language: Ruby.
NOTE: 20221231: CVE-2022-23837 was fixed in stretch so should be fixed in buster for consistency even though it is not that severe. (opal).
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/ruby-sidekiq.git
--
runc (Sylvain Beucler)
NOTE: 20220905: Programming language: Go.
NOTE: 20220905: Special attention: Sync with Bullseye.
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/runc.git
--
salt
NOTE: 20220814: Programming language: Python.
@@ -258,6 +288,7 @@ salt
NOTE: 20220814: Also, I am not sure, whether it is possible to fix issues
NOTE: 20220814: without backporting a newer verion. (Anton)
NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/salt.html
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/salt.git
--
samba
NOTE: 20220904: Programming language: C.
@@ -269,8 +300,9 @@ snakeyaml
NOTE: 20230101: Programming language: Java.
NOTE: 20230120: There is ongoing upstream discussion at
NOTE: 20230120: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/snakeyaml.git
--
-snort (Markus Koschany)
+snort
NOTE: 20220905: Requires further triaging to conclude exactly which CVEs to be fixed or ignored.
NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/snort.git
NOTE: 20230111: Programming language: C
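Review bot: the unclaim on the `-snort (Markus Koschany)` / `+snort` lines leaves no record in the entry of when or why the claim was dropped, while every other event in this file is logged as a dated NOTE. Suggest adding a line such as `NOTE: 20230206: Unclaimed after 2 weeks of inactivity (gladk)` beneath the existing notes, so the next claimant sees the history and knows to check the repository already listed at `NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/snort.git` for any partial work before starting over.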
@@ -295,6 +327,7 @@ thunderbird (Emilio)
--
tinymce
NOTE: 20221227: Programming language: PHP.
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git
--
tmux (Utkarsh)
NOTE: 20230129: Programming language: C.
@@ -303,9 +336,11 @@ tmux (Utkarsh)
trafficserver
NOTE: 20230202: Programming language: C.
NOTE: 20230202: Note recent DLA-3279-1 update. Removed notes (2d9f50586010) suggest CVE-2022-31779 may have already been investigated. (lamby)
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/trafficserver.git
--
webkit2gtk
NOTE: 20230203: Programming language: C+
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/webkit2gtk.git
--
wireshark (tobi)
NOTE: 20230123: Programming language: C.
@@ -315,8 +350,9 @@ wireshark (tobi)
xfig (gladk)
NOTE: 20230105: Programming language: C.
NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/xfig.git
--
-xrdp (Abhijith PA)
+xrdp
NOTE: 20221225: Programming language: C.
NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git
NOTE: 20230117: Fixed 6 out 10 CVEs. Testing (abhijith)
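Review bot: the unclaim (`-xrdp (Abhijith PA)` / `+xrdp`) sits directly above `NOTE: 20230117: Fixed 6 out 10 CVEs. Testing (abhijith)`, which records work in progress only three weeks earlier; with no dated NOTE saying the package was unclaimed for inactivity, a reader will assume abhijith is still testing and the partial fix risks being duplicated or lost. Suggest adding a line like `NOTE: 20230206: Unclaimed after 2 weeks of inactivity; 6 of 10 CVEs were fixed and in testing, see VCS above (gladk)` so the state of the existing work is explicit for whoever picks it up.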
@@ -325,4 +361,5 @@ zabbix (Adrian Bunk)
NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be fixed in buster too.
NOTE: 20221209: Programming language: C.
NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/zabbix.html
+ NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/zabbix.git
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7ac9c6face6c87a086c16d80672fea83be2c18cd...642644cfd3d942e5471192518a9a1a109e6bad1a