[Git][security-tracker-team/security-tracker][master] 11 commits: Triage gpac for Buster as EOL.
Markus Koschany (@apo)
apo at debian.org
Sun Feb 19 23:30:22 GMT 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0efe7456 by Markus Koschany at 2023-02-20T00:28:43+01:00
Triage gpac for Buster as EOL.
- - - - -
73e31c31 by Markus Koschany at 2023-02-20T00:28:43+01:00
LTS: add curl to dla-needed.txt
- - - - -
a035b7b9 by Markus Koschany at 2023-02-20T00:28:43+01:00
LTS: add sofia-sip to dla-needed.txt
- - - - -
ec9c34ea by Markus Koschany at 2023-02-20T00:28:43+01:00
LTS: add clamav to dla-needed.txt
- - - - -
e4b1027d by Markus Koschany at 2023-02-20T00:28:43+01:00
CVE-2023-23082,kodi: Buster is no-dsa
Minor issue
- - - - -
3c8575fd by Markus Koschany at 2023-02-20T00:28:44+01:00
CVE-2022-3560,pesign: Buster is no-dsa
Minor issue
- - - - -
503c323b by Markus Koschany at 2023-02-20T00:28:44+01:00
CVE-2023-22332,pgpool2: Buster is no-dsa
Minor issue
- - - - -
c35ede04 by Markus Koschany at 2023-02-20T00:28:44+01:00
CVE-2023-24607,qtbase-opensource-src: Buster is no-dsa
Minor issue
- - - - -
2cb655fd by Markus Koschany at 2023-02-20T00:28:44+01:00
CVE-2023-22799,ruby-globalid: Buster is no-dsa
Minor issue
- - - - -
7824121b by Markus Koschany at 2023-02-20T00:28:44+01:00
CVE-2023-23627,ruby-sanitize: Buster is no-dsa
Minor issue
- - - - -
39aeedb1 by Markus Koschany at 2023-02-20T00:28:44+01:00
Triage symfony CVE as no-dsa for Buster
Minor issues
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -431,6 +431,7 @@ CVE-2023-0867
CVE-2023-0866 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3 ...)
- gpac <unfixed>
[bullseye] - gpac <no-dsa> (Minor issue)
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/7d3c5792-d20b-4cb6-9c6d-bb14f3430d7f
NOTE: https://github.com/gpac/gpac/commit/b964fe4226f1424cf676d5822ef898b6b01f5937
CVE-2023-0865
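Review bot: the new `[buster] - gpac <end-of-life>` line in this hunk marks the package as unsupported in buster LTS, but the diff touches only data/CVE/list; an end-of-life triage is normally paired with an entry for gpac in the debian-security-support package's security-support-ended.deb10 list so that users on buster get warned, so please confirm that side is covered (or already in place) rather than relying on the tracker annotation alone.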
@@ -844,16 +845,19 @@ CVE-2023-0820
CVE-2023-0819 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to v2. ...)
- gpac <unfixed>
[bullseye] - gpac <no-dsa> (Minor issue)
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/35793610-dccc-46c8-9f55-6a24c621e4ef
NOTE: https://github.com/gpac/gpac/commit/d067ab3ccdeaa340e8c045a0fd5bcfc22b809e8f
CVE-2023-0818 (Off-by-one Error in GitHub repository gpac/gpac prior to v2.3.0-DEV. ...)
- gpac <unfixed>
[bullseye] - gpac <no-dsa> (Minor issue)
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/038e7472-f3e9-46c2-9aea-d6dafb62a18a
NOTE: https://github.com/gpac/gpac/commit/377ab25f3e502db2934a9cf4b54739e1c89a02ff
CVE-2023-0817 (Buffer Over-read in GitHub repository gpac/gpac prior to v2.3.0-DEV. ...)
- gpac <unfixed>
[bullseye] - gpac <not-affected> (Vulnerable code not present)
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/cb730bc5-d79c-4de6-9e57-10e8c3ce2cf3
NOTE: https://github.com/gpac/gpac/commit/be9f8d395bbd196e3812e9cd80708f06bcc206f7
CVE-2023-25754
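Review bot: for CVE-2023-0817 the bullseye line already reads `[bullseye] - gpac <not-affected> (Vulnerable code not present)`, while the added buster line uses `<end-of-life>`. If the vulnerable code is absent in bullseye's gpac, it is worth checking whether buster's older version lacks it as well; in that case `[buster] - gpac <not-affected> (Vulnerable code not present)` is the more informative triage, since `<end-of-life>` only states that no fix will be issued, not that the package is safe. The other three entries in this hunk are `<no-dsa>` in bullseye, so `<end-of-life>` is consistent for them.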
@@ -1377,6 +1381,7 @@ CVE-2023-0771 (SQL Injection in GitHub repository ampache/ampache prior to 5.5.7
CVE-2023-0770 (Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2. ...)
- gpac <unfixed>
[bullseye] - gpac <no-dsa> (Minor issue)
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/e0fdeee5-7909-446e-9bd0-db80fd80e8dd
NOTE: https://github.com/gpac/gpac/commit/c31941822ee275a35bc148382bafef1c53ec1c26
CVE-2023-0769
@@ -1467,6 +1472,7 @@ CVE-2023-0761
CVE-2023-0760 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to V2. ...)
- gpac <unfixed>
[bullseye] - gpac <no-dsa> (Minor issue)
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/d06223df-a473-4c82-96d0-23726b844b21
NOTE: https://github.com/gpac/gpac/commit/ea7395f39f601a7750d48d606e9d10ea0b7beefe
CVE-2023-0759 (Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2. ...)
@@ -4101,6 +4107,7 @@ CVE-2023-24607 [When using the Qt SQL ODBC driver plugin, then it is possible to
RESERVED
- qtbase-opensource-src <unfixed>
[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
+ [buster] - qtbase-opensource-src <no-dsa> (Minor issue)
- qt6-base <unfixed>
- qtbase-opensource-src-gles <unfixed>
[bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
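Review bot: the buster `<no-dsa>` line is added for qtbase-opensource-src only, while the same hunk shows qtbase-opensource-src-gles with an identical `[bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue)` triage and no buster entry. If the -gles source package also ships in buster, it should get a matching `[buster] - qtbase-opensource-src-gles <no-dsa> (Minor issue)` line so the two builds of the same code base are triaged consistently.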
@@ -6850,6 +6857,7 @@ CVE-2023-23628 (Metabase is an open source data analytics platform. Affected ver
CVE-2023-23627 (Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 ...)
- ruby-sanitize <unfixed> (bug #1030047)
[bullseye] - ruby-sanitize <no-dsa> (Minor issue)
+ [buster] - ruby-sanitize <no-dsa> (Minor issue)
NOTE: https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7
NOTE: https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22 (v6.0.1)
CVE-2023-23626 (go-bitfield is a simple bitfield package for the go language aiming to ...)
@@ -8429,6 +8437,7 @@ CVE-2023-23083
CVE-2023-23082 (A heap buffer overflow vulnerability in Kodi Home Theater Software up ...)
- kodi 2:20.0+dfsg-2 (bug #1031048)
[bullseye] - kodi <no-dsa> (Minor issue)
+ [buster] - kodi <no-dsa> (Minor issue)
NOTE: https://github.com/xbmc/xbmc/issues/22377
NOTE: https://github.com/xbmc/xbmc/commit/00fec1dbdd1df827872c7b55ad93059636dfc076
NOTE: https://github.com/xbmc/xbmc/commit/7e5f9fbf9aaa3540aab35e7504036855b23dcf60
@@ -9524,6 +9533,7 @@ CVE-2023-22800
CVE-2023-22799 (A ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could ...)
- ruby-globalid <unfixed> (bug #1029851)
[bullseye] - ruby-globalid <no-dsa> (Minor issue)
+ [buster] - ruby-globalid <no-dsa> (Minor issue)
NOTE: https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127
NOTE: https://github.com/rails/globalid/commit/3bc4349422e60f2235876a59dd415e98b072eb2b (v1.1.0)
CVE-2023-22798 (Prior to commit 51867e0d15a6d7f80d5b714fd0e9976b9c160bb0, https://gith ...)
@@ -11473,6 +11483,7 @@ CVE-2023-22333 (Cross-site scripting vulnerability in EasyMail 2.00.130 and earl
CVE-2023-22332 (Information disclosure vulnerability exists in Pgpool-II 4.4.0 to 4.4. ...)
- pgpool2 <unfixed> (bug #1030048)
[bullseye] - pgpool2 <no-dsa> (Minor issue)
+ [buster] - pgpool2 <no-dsa> (Minor issue)
NOTE: https://www.pgpool.net/mediawiki/index.php/Main_Page#News
CVE-2023-22324 (SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5. ...)
NOT-FOR-US: CONPROSYS
@@ -18275,6 +18286,7 @@ CVE-2022-4203 [openssl: X.509 Name Constraints Read Buffer Overflow]
CVE-2022-4202 (A vulnerability, which was classified as problematic, was found in GPA ...)
- gpac <unfixed>
[bullseye] - gpac <no-dsa> (Minor issue)
+ [buster] - gpac <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2333
NOTE: https://github.com/gpac/gpac/commit/b3d821c4ae9ba62b3a194d9dcb5e99f17bd56908
CVE-2021-46856 (The multi-screen collaboration module has a path traversal vulnerabili ...)
@@ -30177,6 +30189,7 @@ CVE-2022-3561 (Cross-site Scripting (XSS) - Generic in GitHub repository librenm
CVE-2022-3560 (A flaw was found in pesign. The pesign package provides a systemd serv ...)
- pesign <unfixed> (bug #1030168)
[bullseye] - pesign <no-dsa> (Minor issue)
+ [buster] - pesign <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/01/31/6
NOTE: https://www.openwall.com/lists/oss-security/2023/02/01/2
NOTE: https://github.com/rhboot/pesign/commit/d8a8c259994d0278c59b30b41758a8dd0abff998 (116)
@@ -80973,11 +80986,13 @@ CVE-2022-24896 (Tuleap is a Free & Open Source Suite to manage software deve
CVE-2022-24895 (Symfony is a PHP framework for web and console applications and a set ...)
- symfony 5.4.20+dfsg-1
[bullseye] - symfony <no-dsa> (Minor issue)
+ [buster] - symfony <no-dsa> (Minor issue)
NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m
NOTE: https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4
CVE-2022-24894 (Symfony is a PHP framework for web and console applications and a set ...)
- symfony 5.4.20+dfsg-1
[bullseye] - symfony <no-dsa> (Minor issue)
+ [buster] - symfony <no-dsa> (Minor issue)
NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
NOTE: https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb
CVE-2022-24893 (ESP-IDF is the official development framework for Espressif SoCs. In E ...)
=====================================
data/dla-needed.txt
=====================================
@@ -45,11 +45,22 @@ ceph
NOTE: 20221130: https://lists.debian.org/debian-lts/2022/11/msg00025.html (zigo/maintainer)
NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ceph.git
--
+clamav
+ NOTE: 20230220: Programming language: C.
+ NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/clamav.git
+ NOTE: 20230220: Testsuite: https://lists.debian.org/debian-lts/2019/04/msg00117.html
+--
consul
NOTE: 20221031: Programming language: Go.
NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail.
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git
--
+curl
+ NOTE: 20230220: Programming language: C.
+ NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/curl.git
+ NOTE: 20230220: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/curl.html
+ NOTE: 20230220: Special attention: High popcon! Roberto has some experience with the package..
+--
erlang
NOTE: 20221119: Programming language: Erlang.
NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch)
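Review bot: the curl entry's "Special attention" note ends with a doubled period ("package..") and should be cleaned up. Separately, the surrounding erlang entry records which CVE triggered the addition ("at least CVE-2022-37026 needs to be fixed"), whereas the new clamav and curl entries do not name the open issues; a short pointer to the CVE(s) being worked on would help whoever claims the package from dla-needed.txt.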
@@ -331,6 +342,10 @@ snakeyaml
NOTE: 20230120: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/snakeyaml.git
--
+sofia-sip
+ NOTE: 20230220: Programming language: C.
+ NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/sofia-sip.git
+--
spip
NOTE: 20230206: Programming language: PHP.
NOTE: 20230206: Special attention: Please contact maintainer regarding VCS usage
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b3e1ae1a031ccb1a8fa0dd6aab7e85fb75a6bc68...39aeedb1ddfe0c6bfd5efe0e459dbf900ccb0393