[Git][security-tracker-team/security-tracker][master] 9 commits: Add cjose to dla-needed.txt
Markus Koschany (@apo)
apo at debian.org
Sun Jul 30 23:16:10 BST 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
498f5f3b by Markus Koschany at 2023-07-31T00:15:47+02:00
Add cjose to dla-needed.txt
- - - - -
c9994c81 by Markus Koschany at 2023-07-31T00:15:48+02:00
CVE-2023-3748,frr: Buster is not affected
The vulnerable code was introduced later
- - - - -
eb450498 by Markus Koschany at 2023-07-31T00:15:48+02:00
Add nodejs to dla-needed.txt
- - - - -
44a1f513 by Markus Koschany at 2023-07-31T00:15:48+02:00
Add orthanc to dla-needed.txt
- - - - -
f0ea15f3 by Markus Koschany at 2023-07-31T00:15:49+02:00
CVE-2021-37819,libitext-java: buster is no-dsa
Minor issue
- - - - -
78172fc4 by Markus Koschany at 2023-07-31T00:15:50+02:00
CVE-2023-35946,CVE-2023-35947,gradle: Buster is no-dsa
Minor issues because Debian uses local system libraries to build packages. The
paths won't contain any special characters and an attacker will not have
control over the dependencies which are located in /usr/share/java or
/usr/share/maven-repo. This would require root access.
- - - - -
2d040c41 by Markus Koschany at 2023-07-31T00:15:51+02:00
Add open-vm-tools to dla-needed.txt
- - - - -
38ab281e by Markus Koschany at 2023-07-31T00:15:51+02:00
Add openssl to dla-needed.txt
- - - - -
a4571d12 by Markus Koschany at 2023-07-31T00:15:51+02:00
Add amd64-microcode to dla-needed.txt
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1037,6 +1037,7 @@ CVE-2023-3750 (A flaw was found in libvirt. The virStoragePoolObjListSearch func
NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/9a47442366fcf8a7b6d7422016d7bbb6764a1098
CVE-2023-3748 (A flaw was found in FRRouting when parsing certain babeld unicast hell ...)
- frr <unfixed> (bug #1042473)
+ [buster] - frr <not-affected> (The vulnerable code was introduced later)
NOTE: https://github.com/FRRouting/frr/issues/11808
NOTE: https://github.com/FRRouting/frr/pull/12950
NOTE: https://github.com/FRRouting/frr/pull/12952
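Review bot: the new [buster] not-affected line rests on "The vulnerable code was introduced later", but none of the NOTE lines records which upstream commit or version introduced it; the linked issue and the two fix PRs do not by themselves establish the affected range. Consider adding a NOTE with the introducing commit or the first affected upstream version, so the buster assessment can be re-verified later without repeating the bisection.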
@@ -3541,6 +3542,7 @@ CVE-2023-35947 (Gradle is a build tool with a focus on build automation and supp
- gradle <unfixed> (bug #1041424)
[bookworm] - gradle <no-dsa> (Minor issue)
[bullseye] - gradle <no-dsa> (Minor issue)
+ [buster] - gradle <no-dsa> (Minor issue)
NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842
NOTE: https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879 (v8.2.0-RC3)
NOTE: https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91 (v8.2.0-RC3)
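Review bot: the added [buster] line carries only "(Minor issue)", while the commit message holds the actual reasoning (Debian builds against local system libraries under /usr/share/java and /usr/share/maven-repo, those paths contain no special characters, and controlling the dependencies would need root). Since that rationale is the whole basis for treating the issue as minor, record it in a NOTE line next to the entry, otherwise the next triager has to reconstruct it from git history. The same applies to the CVE-2023-35946 entry below.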
@@ -3548,6 +3550,7 @@ CVE-2023-35946 (Gradle is a build tool with a focus on build automation and supp
- gradle <unfixed> (bug #1041424)
[bookworm] - gradle <no-dsa> (Minor issue)
[bullseye] - gradle <no-dsa> (Minor issue)
+ [buster] - gradle <no-dsa> (Minor issue)
NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v
NOTE: https://github.com/gradle/gradle/commit/859eae2b2acf751ae7db3c9ffefe275aa5da0d5d (v8.2.0-RC3)
NOTE: https://github.com/gradle/gradle/commit/b07e528feb3a5ffa66bdcc358549edd73e4c8a12 (v8.2.0-RC3)
@@ -144630,6 +144633,7 @@ CVE-2021-37819 (PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite
- libitext-java <unfixed>
[bookworm] - libitext-java <no-dsa> (Minor issue)
[bullseye] - libitext-java <no-dsa> (Minor issue)
+ [buster] - libitext-java <no-dsa> (Minor issue)
- libitext1-java <unfixed>
[bookworm] - libitext1-java <no-dsa> (Minor issue)
[bullseye] - libitext1-java <no-dsa> (Minor issue)
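Review bot: only libitext-java receives the new [buster] line; libitext1-java in the same block keeps its bookworm and bullseye no-dsa markings but gets no buster entry, so buster stays open for it after this commit. If libitext1-java is in buster and the same "Minor issue" assessment holds, add a matching "[buster] - libitext1-java <no-dsa> (Minor issue)"; if it is intentionally left open, a NOTE saying why would stop it looking like an oversight.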
=====================================
data/dla-needed.txt
=====================================
@@ -24,6 +24,9 @@ rather than remove/replace existing ones.
amanda (Thorsten Alteholz)
NOTE: 20230730: Added by Front-Desk (apo)
--
+amd64-microcode
+ NOTE: 20230731: Added by Front-Desk (apo)
+--
cairosvg (gladk)
NOTE: 20230323: Added by Front-Desk (gladk)
NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive)
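Review bot: the amd64-microcode NOTE (like the other entries added in this push) records only the date and who added it, whereas neighbouring entries such as cairosvg and cinder name the CVE that motivated the addition. Adding the CVE id(s) to the NOTE line tells the claimant what needs fixing and lets the entry be cross-checked against data/CVE/list.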
@@ -36,6 +39,9 @@ cinder
NOTE: 20230525: Added by Front-Desk (lamby)
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
+cjose
+ NOTE: 20230730: Added by Front-Desk (apo)
+--
docker.io (rouca)
NOTE: 20230303: Added by Front-Desk (Beuc)
NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
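Review bot: the cjose NOTE is dated 20230730 while the other entries added in the same push (amd64-microcode, nodejs, open-vm-tools, openssl, orthanc) use 20230731, although all commits carry a 2023-07-31T00:15 (+02:00) timestamp. Pick one date for the batch so that reviewing additions by date does not show this entry out of step with its siblings.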
@@ -82,6 +88,9 @@ libreoffice (Abhijith PA)
linux (Ben Hutchings)
NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
--
+nodejs
+ NOTE: 20230731: Added by Front-Desk (apo)
+--
nova
NOTE: 20230302: Re-add, request by maintainer (Beuc)
NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
@@ -101,6 +110,9 @@ nvidia-cuda-toolkit
NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html
NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi)
--
+open-vm-tools
+ NOTE: 20230731: Added by Front-Desk (apo)
+--
openimageio (Markus Koschany)
NOTE: 20230406: Re-added due to regressions (apo)
NOTE: 20230612: Backporting is mostly done, but still some failures. (gladk)
@@ -111,6 +123,12 @@ openjdk-11 (Emilio)
NOTE: 20230612: sid updated, preparing backport (pochu)
NOTE: 20230717: waiting for DSA, might wait for next CPU (pochu)
--
+openssl
+ NOTE: 20230731: Added by Front-Desk (apo)
+--
+orthanc
+ NOTE: 20230731: Added by Front-Desk (apo)
+--
python-glance-store
NOTE: 20230525: Added by Front-Desk (lamby)
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fa588a70f24cb5fe4a07a24ed76ebbcd74806f66...a4571d126c6c7bd236cdcd2ba668a527821209a6