[Git][security-tracker-team/security-tracker][master] Reverse DLA-3280-1 for libde265.

Tobias Frost (@tobi) tobi at debian.org
Tue Jan 24 22:01:08 GMT 2023



Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0b157ca9 by Tobias Frost at 2023-01-24T23:00:49+01:00
Reverse DLA-3280-1 for libde265.

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -184482,19 +184482,16 @@ CVE-2020-21599 (libde265 v1.0.4 contains a heap buffer overflow in the de265_ima
 CVE-2020-21598 (libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unw ...)
 	- libde265 1.0.9-1 (bug #1004963)
 	[bullseye] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
-	[buster] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
 	[stretch] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/strukturag/libde265/issues/237
 CVE-2020-21597 (libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma funct ...)
 	- libde265 1.0.9-1 (bug #1014999)
 	[bullseye] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
-	[buster] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
 	[stretch] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/strukturag/libde265/issues/238
 CVE-2020-21596 (libde265 v1.0.4 contains a global buffer overflow in the decode_CABAC_ ...)
 	- libde265 <unfixed> (bug #1029397)
 	[bullseye] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
-	[buster] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
 	[stretch] - libde265 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://github.com/strukturag/libde265/issues/236
 CVE-2020-21595 (libde265 v1.0.4 contains a heap buffer overflow in the mc_luma functio ...)
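Review bot: In the CVE-2020-21596 entry, dropping the [buster] <postponed> line means buster is now covered by the 1.0.3-1+deb10u3 entry added in data/DLA/list, while the unstable line directly above it still reads "- libde265 <unfixed> (bug #1029397)" and the bullseye and stretch lines still say "revisit when fixed upstream". Buster therefore carries a fix that has no upstream release behind it. Suggest adding a NOTE line under CVE-2020-21596 that points at the patch used for buster, and doing the same for CVE-2020-21597 and CVE-2020-21598 if the buster patches differ from what 1.0.9-1 ships, so the bullseye entries can be revisited with the same change.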


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[24 Jan 2023] DLA-3280-1 libde265 - security update
+	{CVE-2020-21596 CVE-2020-21597 CVE-2020-21598 CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43243 CVE-2022-43244 CVE-2022-43245 CVE-2022-43248 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252 CVE-2022-43253 CVE-2022-47655}
+	[buster] - libde265 1.0.3-1+deb10u3
 [23 Jan 2023] DLA-3279-1 trafficserver - security update
 	{CVE-2021-37150 CVE-2022-25763 CVE-2022-28129 CVE-2022-31780}
 	[buster] - trafficserver 8.0.2+ds-1+deb10u7
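Review bot: The commit subject says "Reverse DLA-3280-1", but the three lines added at the top of data/DLA/list create the advisory entry, so the subject looks like a typo for "Reserve"; a revert reads very differently in the log, so it is worth getting right. Separately, of the twenty CVEs inside the braces only CVE-2020-21596, CVE-2020-21597 and CVE-2020-21598 have a [buster] line touched in the data/CVE/list hunk of this commit. Please confirm that the CVE-2022-* entries and CVE-2022-47655 carry no stale [buster] <postponed> lines that need the same cleanup.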


=====================================
data/dla-needed.txt
=====================================
@@ -122,13 +122,6 @@ libapache2-mod-auth-mellon
   NOTE: 20230105: Programming language: C.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
 --
-libde265 (tobi)
-  NOTE: 20221107: Programming language: C++.
-  NOTE: 20221107: Most vulnerabilities unfixed upstream, but a handful are fixed, and v1.0.9 (2022-10) is a security release (Beuc/front-desk)
-  NOTE: 20221107: No prior DSA/DLA/ELA afaics (Beuc/front-desk)
-  NOTE: 20221215: CVE-2020-21599 CVE-2021-35452 CVE-2021-36408 CVE-2021-36409 CVE-2021-36410 CVE-2021-36411 adressed, remaining CVEs are unfixed upstream. (I've proposed a patch upstream, waiting for feeback) (tobi)
-  NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libde265.git
---
 libreoffice
   NOTE: 20221012: Programming language: C++.
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git
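Review bot: The removed 20221215 NOTE names CVE-2020-21599, CVE-2021-35452 and CVE-2021-36408 through CVE-2021-36411 as addressed, yet none of the six appears in the CVE set of the DLA-3280-1 entry added in data/DLA/list. Please confirm they are recorded as fixed for buster elsewhere before this block goes. The same NOTE is also the only place in the lines shown that mentions the patch proposed upstream; consider carrying that remark into a NOTE under the affected entries in data/CVE/list so it is not lost with the deletion.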



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b157ca978070e7bc0d634bd01cd0aae3c001222
