[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-32731/grpc: precise links + buster not-affected

Mon Jul 31 16:22:15 BST 2023


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5ee54b17 by Sylvain Beucler at 2023-07-31T17:07:55+02:00
CVE-2023-32731/grpc: precise links + buster not-affected

- - - - -
f320dc28 by Sylvain Beucler at 2023-07-31T17:21:02+02:00
CVE-2023-32732/grpc: mention CVE possible confusion + buster postponed

- - - - -
5f8c6de5 by Sylvain Beucler at 2023-07-31T17:21:38+02:00
dla: drop grpc (no more open issues)

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -5910,13 +5910,16 @@ CVE-2023-32732 (gRPC contains a vulnerability whereby a client can cause a termi
 	- grpc <unfixed>
 	[bookworm] - grpc <no-dsa> (Minor issue)
 	[bullseye] - grpc <no-dsa> (Minor issue)
+	[buster] - grpc <postponed> (Minor issue; request smuggling; recheck if fixed or introduced by #32309 when CVE description is updated)
 	NOTE: https://github.com/grpc/grpc/pull/32309
+	NOTE: CVE description and fix are sensible, but there seem to be confusion: https://github.com/grpc/grpc/pull/32309#issuecomment-1589703522
 CVE-2023-32731 (When gRPC HTTP2 stack raised a header size exceeded error, it skipped  ...)
 	- grpc <unfixed>
 	[bookworm] - grpc <no-dsa> (Minor issue)
 	[bullseye] - grpc <no-dsa> (Minor issue)
-	NOTE: https://github.com/grpc/grpc/pull/32309
-	NOTE: https://github.com/grpc/grpc/pull/33005
+	[buster] - grpc <not-affected> (Vulnerable code introduced later)
+	NOTE: Introduced by: https://github.com/grpc/grpc/pull/32309#issuecomment-1589561295 (v1.53.0-pre1)
+	NOTE: Fixed by: https://github.com/grpc/grpc/commit/65a2a895afaf1d2072447b9baf246374b182a946 (v1.56.0-pre1)
 CVE-2023-32312 (UmbracoIdentityExtensions is an Umbraco add-on package that enables ea ...)
 	NOT-FOR-US: UmbracoIdentityExtensions
 CVE-2023-3177 (A vulnerability has been found in SourceCodester Lost and Found Inform ...)


=====================================
data/dla-needed.txt
=====================================
@@ -57,10 +57,6 @@ glib2.0 (santiago)
   NOTE: 20230710: WIP (santiago)
   NOTE: 20230724: buster should be ready. need if it's possible to run same reporter's fuzz test
 --
-grpc (Sylvain Beucler)
-  NOTE: 20230614: Added by Front-Desk (opal)
-  NOTE: 20230618: CVE-2023-32731 fix will need a massive rewrite (rouca)
---
 hdf5
   NOTE: 20230318: Added by Front-Desk (utkarsh)
   NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9261a21b181ab264e7006e65a5e39c3f147cccba...5f8c6de5a54b2bd8c687cb7dfd51f42afa2f0c86

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9261a21b181ab264e7006e65a5e39c3f147cccba...5f8c6de5a54b2bd8c687cb7dfd51f42afa2f0c86
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230731/c5ad336e/attachment-0001.htm>
