[Git][security-tracker-team/security-tracker][master] 8 commits: Mark CVE-2023-{0358,2314{3-5}}/gpac as EOL for buster

Utkarsh Gupta (@utkarsh) utkarsh at debian.org
Sun Jan 22 21:33:27 GMT 2023



Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2514409c by Utkarsh Gupta at 2023-01-23T02:29:57+05:30
Mark CVE-2023-{0358,2314{3-5}}/gpac as EOL for buster

- - - - -
3848b103 by Utkarsh Gupta at 2023-01-23T02:52:41+05:30
Mark CVE-2022-46176/cargo as no-dsa in buster

- - - - -
9719f3b6 by Utkarsh Gupta at 2023-01-23T02:55:28+05:30
Add git to dla-needed

- - - - -
2dd36d80 by Utkarsh Gupta at 2023-01-23T02:58:08+05:30
Add openjdk-11 to dla-needed

- - - - -
929f4e49 by Utkarsh Gupta at 2023-01-23T02:59:44+05:30
Add swift to dla-needed

- - - - -
e98afa9d by Utkarsh Gupta at 2023-01-23T03:01:30+05:30
Mark CVE-2022-4{4617,6285,883}/libxpm as no-dsa for buster

- - - - -
a6054f0c by Utkarsh Gupta at 2023-01-23T03:02:18+05:30
Mark CVE-2020-17354/lilypond as ignored for buster; follow bullseye

- - - - -
1e28fe4b by Utkarsh Gupta at 2023-01-23T03:02:58+05:30
Mark CVE-2022-48279/modsecurity as no-dsa for buster

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -261,6 +261,7 @@ CVE-2022-48279 (In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart
 	[bullseye] - modsecurity-apache <no-dsa> (Minor issue)
 	- modsecurity 3.0.8-1
 	[bullseye] - modsecurity <no-dsa> (Minor issue)
+	[buster] - modsecurity <no-dsa> (Minor issue)
 	NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
 	NOTE: https://github.com/SpiderLabs/ModSecurity/pull/2795
 	NOTE: Fixed by: https://github.com/SpiderLabs/ModSecurity/commit/d6c10885e08779e99e76efcd5ad65802104cda14 (v3.0.8)
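Review bot: The buster marker in this hunk covers only the modsecurity source package, while the entry (see the `modsecurity-apache <no-dsa>` bullseye line in the hunk's context) tracks modsecurity-apache as well; if modsecurity-apache is also present in buster it needs its own `[buster]` line, otherwise the entry keeps reporting it as unresolved for buster. Confirming that is a quick `data/CVE/list` lookup before the next LTS triage pass.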
@@ -869,6 +870,7 @@ CVE-2023-0359
 	RESERVED
 CVE-2023-0358 (Use After Free in GitHub repository gpac/gpac prior to 2.3.0-DEV. ...)
 	- gpac <unfixed>
+	[buster] - gpac <end-of-life> (EOL in buster LTS)
 	NOTE: https://huntr.dev/bounties/93e128ed-253f-4c42-81ff-fbac7fd8f355
 	NOTE: https://github.com/gpac/gpac/commit/9971fb125cf91cefd081a080c417b90bbe4a467b
 CVE-2023-0357
@@ -2577,12 +2579,15 @@ CVE-2023-23146
 	RESERVED
 CVE-2023-23145 (GPAC version 2.2-rev0-gab012bbfb-master was discovered to contain a me ...)
 	- gpac <unfixed>
+	[buster] - gpac <end-of-life> (EOL in buster LTS)
 	NOTE: https://github.com/gpac/gpac/commit/4ade98128cbc41d5115b97a41ca2e59529c8dd5f
 CVE-2023-23144 (Integer overflow vulnerability in function Q_DecCoordOnUnitSphere file ...)
 	- gpac <unfixed>
+	[buster] - gpac <end-of-life> (EOL in buster LTS)
 	NOTE: https://github.com/gpac/gpac/commit/3a2458a49b3e6399709d456d7b35e7a6f50cfb86
 CVE-2023-23143 (Buffer overflow vulnerability in function avc_parse_slice in file medi ...)
 	- gpac <unfixed>
+	[buster] - gpac <end-of-life> (EOL in buster LTS)
 	NOTE: https://github.com/gpac/gpac/commit/af6a5e7a96ee01a139cce6c9e4edfc069aad17a6
 CVE-2023-23142
 	RESERVED
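Review bot: The three added `[buster] - gpac <end-of-life> (EOL in buster LTS)` lines use exactly the same tag and reason string as the CVE-2023-0358 hunk above, which is what the tracker wants for a batch EOL marking; worth keeping that wording stable so the EOL entries for gpac in buster can be filtered on one string. Since the unstable line is still `- gpac <unfixed>`, these markers only affect the buster column and do not suggest the issues are resolved anywhere else.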
@@ -3497,6 +3502,7 @@ CVE-2022-4883
 	RESERVED
 	- libxpm 1:3.5.12-1.1
 	[bullseye] - libxpm <no-dsa> (Minor issue)
+	[buster] - libxpm <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/2
 	NOTE: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/515294bb8023a45ff916696d0a14308ff4f3a376 (libXpm-3.5.15)
 	NOTE: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/8178eb0834d82242e1edbc7d4fb0d1b397569c68 (libXpm-3.5.15)
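Review bot: `<no-dsa> (Minor issue)` for buster mirrors the bullseye line, but note that the entry already records the upstream fix commits (libXpm-3.5.15) and a fixed unstable version, so the issue is cheaply backportable; if the LTS team intends to bundle it with a later libxpm DLA, `<postponed>` would express that intent more precisely than `<no-dsa>`. Either tag is valid tracker syntax; the difference is only whether the issue stays visible as pending LTS work.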
@@ -3548,12 +3554,14 @@ CVE-2022-46285
 	RESERVED
 	- libxpm 1:3.5.12-1.1
 	[bullseye] - libxpm <no-dsa> (Minor issue)
+	[buster] - libxpm <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/2
 	NOTE: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/a3a7c6dcc3b629d765014816c566c63165c63ca8 (libXpm-3.5.15)
 CVE-2022-44617
 	RESERVED
 	- libxpm 1:3.5.12-1.1
 	[bullseye] - libxpm <no-dsa> (Minor issue)
+	[buster] - libxpm <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/2
 	NOTE: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/f80fa6ae47ad4a5beacb287c0030c9913b046643 (libXpm-3.5.15)
 	NOTE: https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/c5ab17bcc34914c0b0707d2135dbebe9a367c5f0 (libXpm-3.5.15)
@@ -12867,6 +12875,7 @@ CVE-2022-46177 (Discourse is an option source discussion platform. Prior to vers
 CVE-2022-46176 (Cargo is a Rust package manager. The Rust Security Response WG was not ...)
 	- cargo 0.66.0+ds1-1
 	[bullseye] - cargo <no-dsa> (Minor issue)
+	[buster] - cargo <no-dsa> (Minor issue)
 	- rust-cargo 0.66.0-1
 	[bullseye] - rust-cargo <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/01/10/3
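Review bot: Only the cargo source package gets a `[buster]` line here, while the same entry also tracks rust-cargo with its own `[bullseye] - rust-cargo <no-dsa>` line; if rust-cargo exists in buster it needs a matching `[buster]` marker, and if it does not, the omission is correct but the commit message ("cargo as no-dsa in buster") could say so to save the next triager the check.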
@@ -192382,6 +192391,7 @@ CVE-2020-17354
 	RESERVED
 	- lilypond 2.22.1-1
 	[bullseye] - lilypond <ignored> (Unfixable, marked as insecure in later uploads)
+	[buster] - lilypond <ignored> (Unfixable, marked as insecure in later uploads)
 	NOTE: https://phabricator.wikimedia.org/T259210
 	NOTE: https://phabricator.wikimedia.org/T257062
 	NOTE: https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory
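Review bot: The buster rationale "(Unfixable, marked as insecure in later uploads)" is copied verbatim from the bullseye line, which matches the commit message's "follow bullseye"; the reader of the buster entry, though, cannot tell from that text which upload carries the insecure marking, so a short pointer (for instance the fixed version `2.22.1-1` already listed in the entry) would make the buster line self-explanatory.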


=====================================
data/dla-needed.txt
=====================================
@@ -74,6 +74,10 @@ fusiondirectory
   NOTE: 20221203: Also the package was removed from sid recently (gladk).
   NOTE: 20221203: Feel free to marke both CVEs as <ignored>, if they are not too serious (gladk).
 --
+git
+  NOTE: 20230122: Programming language: C.
+  NOTE: 20230122: VCS: https://salsa.debian.org/lts-team/packages/git.git
+--
 golang-1.11
   NOTE: 20220916: Programming language: Go.
   NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't)
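Review bot: The new `git` entry carries only the language and VCS notes and no claimant, which is the normal shape for an unclaimed dla-needed entry, but a NOTE naming the CVE(s) that triggered the addition would help whoever picks it up (compare the fusiondirectory context lines above, which record why the entry is there). Also, the date stamp is `20230122` here while the other two entries in this push use `20230123`; the tracker does not enforce either, but one convention per push (UTC date or local date) keeps the notes sortable.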
@@ -227,6 +231,9 @@ openimageio
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git
 --
+openjdk-11
+  NOTE: 20230123: Programming language: Java.
+--
 php-cas
   NOTE: 20221105: Programming language: PHP.
   NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola)
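Review bot: The `openjdk-11` entry has a language note but, unlike the `git` and `openimageio` entries in this file, no `VCS:` note pointing at the LTS packaging repository; adding one when it becomes known avoids the next person having to locate it. The `20230123` date stamp differs from the `20230122` used in the `git` entry of the same push (see the note on that hunk).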
@@ -329,6 +336,10 @@ sox
   NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith)
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/sox.git
 --
+swift
+  NOTE: 20230123: Programming language: Python.
+  NOTE: 20230123: Thomas already uploaded the package; discussion on #debian-lts. (utkarsh)
+--
 thunderbird (Emilio)
 --
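Review bot: `swift` with `Programming language: Python.` refers to the OpenStack object store, not the Apple language; a two-word clarification in the NOTE would prevent a misread by someone scanning dla-needed. More importantly, the second NOTE says the package was already uploaded, so the entry is effectively claimed and in progress: recording the uploader in parentheses after the package name (as `thunderbird (Emilio)` does just below) or the DLA/bug reference would make its state visible without reading the IRC discussion.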
 tinymce



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6268e0295f455bf57290b092b9edb81daca938d4...1e28fe4bb1032925e2ac6eb78ea27209012d73c4




