[Git][security-tracker-team/security-tracker][master] Track proposed apache2 update via bullseye-pu

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sun Jan 22 19:50:24 GMT 2023



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3c381e8a by Salvatore Bonaccorso at 2023-01-22T20:48:57+01:00
Track proposed apache2 update via bullseye-pu

Maintainer proposed to update the package addressing the three CVEs via
bullseye-pu. Accordingly mark them (for now) no-dsa. We might reconsider
it if we think we still should issue a DSA.

- - - - -


3 changed files:

- data/CVE/list
- data/dsa-needed.txt
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -34509,6 +34509,7 @@ CVE-2022-3072 (Cross-site Scripting (XSS) - Stored in GitHub repository francois
 	NOT-FOR-US: francoisjacquet/rosariosis
 CVE-2006-20001 (A carefully crafted If: request header can cause a memory read, or wri ...)
 	- apache2 2.4.55-1
+	[bullseye] - apache2 <no-dsa> (Minor update; update proposed via bullseye-pu)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/5
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2006-20001
 CVE-2022-XXXX [wordpress 6.0.3]
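Review bot: the parenthetical on the added `[bullseye]` line, `(Minor update; update proposed via bullseye-pu)`, can be read as a severity judgement on CVE-2006-20001 rather than as the reason no DSA is being issued; the commit message gives the actual rationale (maintainer proposed the fix via bullseye-pu, DSA may be reconsidered). Suggest stating that directly, e.g. `[bullseye] - apache2 <no-dsa> (Update proposed via bullseye-pu; DSA may still be reconsidered)`, so the no-dsa tag is not mistaken for a "minor issue" rating.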
@@ -39236,6 +39237,7 @@ CVE-2022-37437 (When using Ingest Actions to configure a destination that reside
 	NOT-FOR-US: Splunk
 CVE-2022-37436 (Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the  ...)
 	- apache2 2.4.55-1
+	[bullseye] - apache2 <no-dsa> (Minor update; update proposed via bullseye-pu)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/7
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-37436
 CVE-2022-37435 (Apache ShenYu Admin has insecure permissions, which may allow low-priv ...)
@@ -41150,6 +41152,7 @@ CVE-2022-36761
 	RESERVED
 CVE-2022-36760 (Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling' ...)
 	- apache2 2.4.55-1
+	[bullseye] - apache2 <no-dsa> (Minor update; update proposed via bullseye-pu)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/6
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-36760
 CVE-2022-36759 (Online Food Ordering System v1.0 was discovered to contain a SQL injec ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -11,9 +11,6 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source package.
 
---
-apache2
-  Update to 2.4.55 should settle in unstable for a week, before considering an update
 --
 curl (jmm)
   Team asked maintainer to prepare updates
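Review bot: removing the `apache2` entry also removes the recorded caveat `Update to 2.4.55 should settle in unstable for a week, before considering an update`; the bullseye-pu target added in this same change (`2.4.55-1~deb11u1` in data/next-point-update.txt) is that same 2.4.55 upstream rebuilt for bullseye, so the settling-time consideration still applies to the proposed update. Suggest carrying the caveat over to the next-point-update.txt entries or the CVE/list parenthetical so it is not lost while the DSA-versus-pu decision is still open.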


=====================================
data/next-point-update.txt
=====================================
@@ -88,3 +88,9 @@ CVE-2022-47952
 	[bullseye] - lxc 1:4.0.6-2+deb11u2
 CVE-2022-22728
 	[bullseye] - libapreq2 2.13-7+deb11u1
+CVE-2006-20001
+	[bullseye] - apache2 2.4.55-1~deb11u1
+CVE-2022-36760
+	[bullseye] - apache2 2.4.55-1~deb11u1
+CVE-2022-37436
+	[bullseye] - apache2 2.4.55-1~deb11u1
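Review bot: the three new entries record `2.4.55-1~deb11u1` as the bullseye fix version although the commit message says the update is only proposed via bullseye-pu; if the pu is rejected, or the DSA route is taken after all, these three lines and the matching `<no-dsa>` lines in data/CVE/list have to be reverted together. Suggest noting in the commit message, or alongside these entries, that the version is the proposed one rather than an accepted upload, so a later editor knows both files are coupled.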



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c381e8a8dbdd94e614a722b76886d867b6f15f1
