[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Jul 31 13:20:55 BST 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8fd8ff2d by Moritz Muehlenhoff at 2023-07-31T14:20:22+02:00
bullseye/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -940,6 +940,8 @@ CVE-2023-35134 (Weintek Weincloud v0.13.6 could allow an attacker to reset a p
NOT-FOR-US: Weincloud
CVE-2023-34478 (Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a ...)
- shiro <unfixed>
+ [bookworm] - shiro <no-dsa> (Minor issue)
+ [bullseye] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/07/24/4
CVE-2023-34429 (Weintek Weincloud v0.13.6 could allow an attacker to cause a denia ...)
NOT-FOR-US: Weincloud
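Review bot: the rationale on the two new lines is the bare "(Minor issue)", while the CVE description on the @@ header is truncated at "may be susceptible to a ..." and the only pointer is the oss-security NOTE, so the entry itself does not record why the issue is minor for shiro in bookworm and bullseye. A few words in the parentheses, in the style already used for buster elsewhere in this file ("Limited support, follow bullseye DSAs/point-releases"), would make the no-dsa decision self-explanatory for the next triager.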
@@ -60322,6 +60324,7 @@ CVE-2022-41725 (A denial of service is possible from excessive resource consumpt
[experimental] - golang-1.19 1.19.6-1
- golang-1.19 1.19.6-2
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
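Review bot: the new `[bullseye] - golang-1.15 <no-dsa> (Minor issue)` line sits directly above `[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)`; with bullseye now tagged no-dsa there will be no bullseye DSA for buster to follow, so the buster entry only stays meaningful if a bullseye point-release update of golang-1.15 is intended. Either say so in the bullseye tag (e.g. `<no-dsa> (Minor issue, can be fixed via point release)`) or revisit the buster rationale. The same pair of lines appears in the CVE-2022-41723 and CVE-2022-41717 hunks below, so the same question applies there.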
@@ -60331,6 +60334,7 @@ CVE-2022-41724 (Large handshake records may cause panics in crypto/tls. Both cli
[experimental] - golang-1.19 1.19.6-1
- golang-1.19 1.19.6-2
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <not-affected> (Vulnerable code introduced later)
NOTE: https://groups.google.com/g/golang-announce/c/V0aBFqaFs_E
NOTE: https://go.dev/issue/58001
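Review bot: the @@ header describes this issue as "Large handshake records may cause panics in crypto/tls", i.e. a crash reachable from the network on any TLS endpoint built with golang-1.15, so a one-word "Minor issue" on the new bullseye line is a thin record of the decision; a short reason in the parentheses would help whoever revisits it. Unlike the neighbouring golang hunks, golang-1.11 is `<not-affected> (Vulnerable code introduced later)` here, so no buster follow-up is implied by this change.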
@@ -60342,6 +60346,7 @@ CVE-2022-41723 (A maliciously crafted HTTP/2 stream could cause excessive CPU co
[experimental] - golang-1.19 1.19.6-1
- golang-1.19 1.19.6-2
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
- golang-golang-x-net 1:0.7.0+dfsg-1
@@ -60381,6 +60386,7 @@ CVE-2022-41717 (An attacker can cause excessive memory growth in a Go server acc
- golang-1.19 1.19.4-1
- golang-1.18 1.18.9-1
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
- golang-golang-x-net 1:0.4.0+dfsg-1
=====================================
data/dsa-needed.txt
=====================================
@@ -21,6 +21,8 @@ cinder/oldstable
frr (aron)
maintainer proposed to update to 8.4.4 for bookworm, which might be a good idea
--
+librsvg
+--
linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more recent v5.10.y and 6.1.y versions
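Review bot: `librsvg` is added with neither an assignee nor a note line, unlike the entries around it (`frr (aron)` carries a rationale, `linux (carnil)` a plan); add the CVE(s) or a one-line reason so whoever picks it up knows which issues the DSA is meant to cover and for which suite.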
@@ -42,7 +44,10 @@ ntpsec (carnil)
openjdk-11/oldstable (jmm)
needs asmtools backport in bullseye
--
+openjdk-17/oldstable (jmm)
+--
orthanc (jmm)
+ needs ca-certificates-java fix for bookworm
--
php-cas/oldstable
--
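Review bot: `openjdk-17/oldstable (jmm)` is added directly below `openjdk-11/oldstable (jmm)`, whose note says "needs asmtools backport in bullseye"; if the same backport blocks the openjdk-17 update, record that on a note line, and if it does not, a short note saying so would save the next person re-checking. The new orthanc note "needs ca-certificates-java fix for bookworm" would also benefit from a bug or CVE reference, as nothing in the hunk identifies which ca-certificates-java issue is meant.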
@@ -87,7 +92,9 @@ sox
all issues unfixed upstream
for CVE-2023-34432, rest can be ignored
--
-wpewebkit
+tiff
+--
+wpewebkit/oldstable
--
xrdp/oldstable
needs some additional clarification, tentatively DSA worthy
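Review bot: the rename to `wpewebkit/oldstable` drops the bookworm entry without a note saying whether the bookworm update was released or is no longer needed, so the change is not traceable from the file or the commit message "bullseye/bookworm triage". `tiff` is added bare, with no CVE list or note, the same gap as the new librsvg entry earlier in this file; the adjacent sox entry shows the expected form ("for CVE-2023-34432, rest can be ignored").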
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fd8ff2d62d95782afe0e51e5835d12f9cfc63bc