[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Feb 21 12:29:42 GMT 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e24005dd by Moritz Muehlenhoff at 2023-02-21T10:30:07+01:00
bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -20278,6 +20278,7 @@ CVE-2022-45749
RESERVED
CVE-2022-45748 (An issue was discovered with assimp 5.1.4, a use after free occurred i ...)
- assimp <unfixed> (bug #1029833)
+ [bookworm] - assimp <no-dsa> (Minor issue)
[bullseye] - assimp <no-dsa> (Minor issue)
[buster] - assimp <no-dsa> (Minor issue)
NOTE: https://github.com/assimp/assimp/issues/4286
@@ -42679,6 +42680,7 @@ CVE-2022-38529 (tinyexr commit 0647fb3 was discovered to contain a heap-buffer o
NOTE: https://github.com/syoyo/tinyexr/commit/82984a37d1dba67000a35b083b26df5e57a2bb72
CVE-2022-38528 (Open Asset Import Library (assimp) commit 3c253ca was discovered to co ...)
- assimp <unfixed> (bug #1021018)
+ [bookworm] - assimp <no-dsa> (Minor issue)
[bullseye] - assimp <no-dsa> (Minor issue)
[buster] - assimp <no-dsa> (Minor issue)
NOTE: https://github.com/assimp/assimp/issues/4662
@@ -93759,6 +93761,7 @@ CVE-2021-45341 (A buffer overflow vulnerability in CDataMoji of the jwwlib compo
NOTE: Fixed by: https://github.com/LibreCAD/LibreCAD/commit/f3502963eaf379a429bc9da73c1224c5db649997
CVE-2021-45340 (In Libsixel prior to and including v1.10.3, a NULL pointer dereference ...)
- libsixel <unfixed> (bug #1004377)
+ [bookworm] - libsixel <no-dsa> (Minor issue)
[bullseye] - libsixel <no-dsa> (Minor issue)
[buster] - libsixel <no-dsa> (Minor issue)
[stretch] - libsixel <no-dsa> (Minor issue)
@@ -131741,6 +131744,7 @@ CVE-2021-32295
RESERVED
CVE-2021-32294 (An issue was discovered in libgig through 20200507. A heap-buffer-over ...)
- libgig <unfixed> (bug #1014777)
+ [bookworm] - libgig <ignored> (Minor issue)
[bullseye] - libgig <ignored> (Minor issue)
[buster] - libgig <ignored> (Minor issue)
[stretch] - libgig <postponed> (Minor issue, revisit when/if fixed upstream)
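Review bot: the new bookworm line uses `<ignored>` with only "Minor issue" as the reason, which elsewhere in this commit is the wording used for `<no-dsa>`; the stretch line just below ("revisit when/if fixed upstream") indicates the real reason is that no upstream fix exists, so stating that explicitly, e.g. `[bookworm] - libgig <ignored> (Minor issue, no upstream fix)`, would make clear why this one is ignored rather than deferred to a point release like the assimp and libsixel entries above.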
@@ -159072,11 +159076,13 @@ CVE-2020-36121
RESERVED
CVE-2020-36120 (Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsix ...)
- libsixel <unfixed> (bug #988159)
- [bullseye] - libsixel <no-dsa> (Minor issue)
+ [bookworm] - libsixel <no-dsa> (Minor issue, fix modifies the API)
+ [bullseye] - libsixel <ignored> (Minor issue, fix modifies the API)
[buster] - libsixel <no-dsa> (Minor issue)
[stretch] - libsixel <postponed> (Minor issue; can be fixed in next update)
- NOTE: https://github.com/saitoha/libsixel/issues/143
+ NOTE: https://github.com/saitoha/libsixel/issues/143 (old/defunct repo)
NOTE: https://github.com/libsixel/libsixel/issues/46
+ NOTE: https://github.com/libsixel/libsixel/pull/47
CVE-2020-36119
RESERVED
CVE-2020-36118
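Review bot: the bookworm and bullseye lines carry the identical reason "fix modifies the API", yet bookworm is tagged `<no-dsa>` while bullseye moves from `<no-dsa>` to `<ignored>`; a reader cannot tell from the entry why an API-changing fix is acceptable for bookworm but not for a bullseye point update, so the bookworm reason should spell that out (for instance that the fix is expected to arrive through a regular upload rather than a stable update). Marking issues/143 as "(old/defunct repo)" and adding the pull/47 reference next to issues/46 is a useful improvement, since the old NOTE alone pointed at a repository that is no longer maintained.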
@@ -333036,6 +333042,7 @@ CVE-2017-18227 (TitanHQ WebTitan Gateway has incorrect certificate validation fo
NOT-FOR-US: TitanHQ WebTitan Gateway
CVE-2017-18226 (The Gentoo net-im/jabberd2 package through 2.6.1 sets the ownership of ...)
- jabberd2 <unfixed> (low; bug #902783)
+ [bookworm] - jabberd2 <ignored> (Minor issue, default init system not affected)
[bullseye] - jabberd2 <ignored> (Minor issue, default init system not affected)
[buster] - jabberd2 <ignored> (Minor issue, default init system not affected)
[stretch] - jabberd2 <ignored> (Minor issue, default init system not affected)
@@ -434175,11 +434182,7 @@ CVE-2016-1587 (The Snapweb interface before version 0.21.2 was exposing controls
CVE-2016-1586 (A malicious webview could install long-lived unload handlers that re-u ...)
NOT-FOR-US: Oxide
CVE-2016-1585 (In all versions of AppArmor mount rules are accidentally widened when ...)
- - apparmor <unfixed> (low; bug #929990)
- [bullseye] - apparmor <ignored> (Minor overall security impact)
- [buster] - apparmor <ignored> (Minor overall security impact)
- [stretch] - apparmor <ignored> (Minor overall security impact)
- [jessie] - apparmor <ignored> (Minor overall security impact)
+ - apparmor <unfixed> (unimportant; bug #929990)
NOTE: https://bugs.launchpad.net/apparmor/+bug/1597017
NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=995594
NOTE: Introduced around AppArmor 2.8 upstream.
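Review bot: the replacement line drops all four per-release `<ignored>` entries and lowers the severity from "low" to "unimportant" in one step, but the justification is only added further down in the same file as a separate NOTE, and the commit message says just "bookworm triage"; because an "unimportant" entry stops being tracked for every release, not only bookworm, the commit message should mention the apparmor downgrade so that it is not mistaken for a routine bookworm annotation.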
@@ -434188,6 +434191,7 @@ CVE-2016-1585 (In all versions of AppArmor mount rules are accidentally widened
NOTE: by default before buster, in particular not with mount rules), 2. libvirtd
NOTE: but the profile is not meant to be a strong security boundary.
NOTE: https://bugs.launchpad.net/apparmor/+bug/1597017/comments/6
+ NOTE: Negligible security impact / known limitation
CVE-2016-1584 (In all versions of Unity8 a running but not active application on a la ...)
- unity <itp> (bug #609278)
CVE-2016-1583 (The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the ...)
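Review bot: the added NOTE "Negligible security impact / known limitation" states the conclusion without linking it to the reasoning already present in the preceding NOTE lines (the profile "is not meant to be a strong security boundary", mount rules not enabled by default before buster); phrasing it as the reason for the new "unimportant" severity, e.g. `NOTE: Marked unimportant: known upstream limitation, affected profiles are not strong security boundaries`, would make the severity change self-explanatory to the next person reading the entry.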
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e24005ddd6defa84189f9ba753f4dd0d48820b39