[Git][security-tracker-team/security-tracker][master] 3 commits: Claim openimageio in dla-needed.txt
Markus Koschany (@apo)
apo at debian.org
Tue Jul 25 18:42:28 BST 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1700aad1 by Markus Koschany at 2023-07-25T19:26:29+02:00
Claim openimageio in dla-needed.txt
- - - - -
6eaf8f4b by Markus Koschany at 2023-07-25T19:29:33+02:00
Remove sabnzbdplus from dla-needed.txt
- - - - -
aa1f07ca by Markus Koschany at 2023-07-25T19:30:36+02:00
CVE-2023-34237,sabnzbdplus: Buster is no-dsa
In Buster the vulnerable code is in the external_script function in
sabnzbd/newsunpack.py. It is possible to manipulate the parameters argument and
execute random programs with the privileges of the sabnzbd process provided
sabnzbd is accessible via the web interface and no username and password were
set. Upstream's idea is to modify the parameters only via environment variables,
which would reduce the attack surface. We could also just disable passing
parameters to the external script, but this could cause a regression for some use
cases. However, since there is a simple workaround available, setting a
username and a password and/or not making sabnzbd accessible via the web
interface, we can mark this as a minor issue and don't need to issue a DLA.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5539,6 +5539,7 @@ CVE-2023-34237 (SABnzbd is an open source automated Usenet download tool. A desi
- sabnzbdplus 4.0.2+dfsg-1 (bug #1038949)
[bookworm] - sabnzbdplus <no-dsa> (Minor issue)
[bullseye] - sabnzbdplus <no-dsa> (Minor issue)
+ [buster] - sabnzbdplus <no-dsa> (Minor issue; simple workaround exists)
NOTE: https://github.com/sabnzbd/sabnzbd/commit/422b4fce7bfd56e95a315be0400cdfdc585df7cc (4.0.2RC2)
NOTE: https://github.com/sabnzbd/sabnzbd/commit/e3a722664819d1c7c8fab97144cc299b1c18b429 (4.0.2RC2)
NOTE: https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-hhgh-xgh3-985r
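Review bot: the added `[buster]` line records only "simple workaround exists", while the workaround itself (setting a username and password and/or not exposing sabnzbd via the web interface) appears only in the commit message; consider adding a NOTE line to the entry, e.g. `NOTE: Workaround: set a username and password or do not expose the web interface`, so the no-dsa rationale is visible in the tracker without consulting git history.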
=====================================
data/dla-needed.txt
=====================================
@@ -95,7 +95,7 @@ nvidia-cuda-toolkit
NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html
NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi)
--
-openimageio
+openimageio (Markus Koschany)
NOTE: 20230406: Re-added due to regressions (apo)
NOTE: 20230612: Backporting is mostly done, but still some failures. (gladk)
--
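Review bot: the claim `+openimageio (Markus Koschany)` has no accompanying dated NOTE line, whereas the surrounding entries carry `NOTE: YYYYMMDD: ... (nick)` records (e.g. `NOTE: 20230406: Re-added due to regressions (apo)`); consider adding a line such as `NOTE: 20230725: Claimed (apo)` so the file itself records who took the package and when.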
@@ -152,9 +152,6 @@ ruby-rails-html-sanitizer
NOTE: 20221231: Added by Front-Desk (ola)
NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh)
--
-sabnzbdplus (Markus Koschany)
- NOTE: 20230618: Added by Front-Desk (opal)
---
salt
NOTE: 20220814: Added by Front-Desk (gladk)
NOTE: 20220814: I am not sure, whether it is possible to fix issues
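Review bot: this removal is commit 6eaf8f4b, which precedes commit aa1f07ca that marks CVE-2023-34237 as no-dsa for buster, so between the two commits the tracker shows sabnzbdplus neither listed in dla-needed.txt nor triaged; consider squashing the removal into the triage commit, or ordering it after, so that every intermediate state of the tracker is consistent.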
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a98dd2aab243f1cbe249ac01f93236495fdb0284...aa1f07caf408682ca75bda191d6d8872eaabc665