[Git][security-tracker-team/security-tracker][master] Triage bind9 issues for buster

Emilio Pozuelo Monfort (@pochu) pochu at debian.org
Tue Jan 31 17:33:04 GMT 2023



Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker


Commits:
12b86abf by Emilio Pozuelo Monfort at 2023-01-31T18:32:38+01:00
Triage bind9 issues for buster

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -18030,6 +18030,7 @@ CVE-2022-3925 (The buddybadges WordPress plugin through 1.0.0 does not sanitise
 CVE-2022-3924 (This issue can affect BIND 9 resolvers with `stale-answer-enable yes;` ...)
 	{DSA-5329-1}
 	- bind9 1:9.18.11-1
+	[buster] - bind9 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://kb.isc.org/docs/cve-2022-3924
 CVE-2022-3923 (The ActiveCampaign for WooCommerce WordPress plugin through 1.9.6 does ...)
 	NOT-FOR-US: WordPress plugin
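
Review bot: The added `[buster] - bind9 <not-affected> (Vulnerable code introduced later)` line under CVE-2022-3924 gives no way to check the claim. A follow-up NOTE naming the upstream version or commit that introduced the affected code would let the next triager verify it against the buster source without redoing the analysis; the existing NOTE only links the ISC advisory.
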
@@ -22559,6 +22560,7 @@ CVE-2022-43959 (Insufficiently Protected Credentials in the AD/LDAP server setti
 CVE-2022-3736 (BIND 9 resolver can crash when stale cache and stale answers are enabl ...)
 	{DSA-5329-1}
 	- bind9 1:9.18.11-1
+	[buster] - bind9 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://kb.isc.org/docs/cve-2022-3736
 CVE-2022-3735 (A vulnerability was found in seccome Ehoney. It has been rated as crit ...)
 	NOT-FOR-US: seccome Ehoney
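
Review bot: On the added `[buster]` line for CVE-2022-3736, "Vulnerable code introduced later" does not say whether buster's bind9 lacks the stale cache and stale answers feature that the description names, or has the feature without the faulty code path. Stating which one applies, in the parenthetical or in a NOTE, makes the not-affected status auditable.
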
@@ -36318,6 +36320,7 @@ CVE-2022-3095 (The implementation of backslash parsing in the Dart URI class for
 CVE-2022-3094 (Sending a flood of dynamic DNS updates may cause `named` to allocate l ...)
 	{DSA-5329-1}
 	- bind9 1:9.18.11-1
+	[buster] - bind9 <ignored> (Upstream considers this a minor issue before 9.16)
 	NOTE: https://kb.isc.org/docs/cve-2022-3094
 CVE-2022-39197 (An XSS (Cross Site Scripting) vulnerability was found in HelpSystems C ...)
 	NOT-FOR-US: Cobalt Strike
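
Review bot: The `<ignored>` entry added for CVE-2022-3094 rests on "Upstream considers this a minor issue before 9.16", but the line records neither buster's bind9 version nor where upstream says so beyond the general advisory link. Since the description is about `named` allocating memory under a flood of dynamic DNS updates, a NOTE summarising why the pre-9.16 impact is minor, and confirming that buster is pre-9.16, would justify `<ignored>` here.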


=====================================
data/dla-needed.txt
=====================================
@@ -26,11 +26,6 @@ asterisk (Lee Garrett)
   NOTE: 20221211: Programming language: C.
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git
 --
-bind9 (Emilio)
-  NOTE: 20230126: Programming language: C.
-  NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/bind9.git
-  NOTE: 20230126: Special attention: Package is used in many cases. Please be very carefull with fix and upload!.
---
 ceph
   NOTE: 20221031: Programming language: C++.
   NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system.
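
Review bot: Dropping the `bind9 (Emilio)` entry assumes the three CVEs triaged in data/CVE/list were everything the entry was tracking, but neither the removed NOTE lines nor the commit message "Triage bind9 issues for buster" names them. Listing the CVE ids in the commit message would make it clear that no open buster bind9 issue is left without a dla-needed.txt entry.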



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/12b86abf2d091b7106d0abf2b622dfff7a3bad98
