[Git][security-tracker-team/security-tracker][master] dla: precise 'Added by' lines
Sylvain Beucler (@beuc)
beuc at debian.org
Tue Jun 6 21:40:07 BST 2023
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3549eb52 by Sylvain Beucler at 2023-06-06T22:39:23+02:00
dla: precise 'Added by' lines
Make them closer to what the updated tool would add.
- - - - -
1 changed file:
- data/dla-needed.txt
Changes:
=====================================
data/dla-needed.txt
=====================================
@@ -20,33 +20,33 @@ rather than remove/replace existing ones.
--
c-ares (gladk)
- NOTE: 20230523: Added by Front-Desk
+ NOTE: 20230523: Added by Front-Desk (lamby)
--
cairosvg
- NOTE: 20230323: Added by Front-Desk
+ NOTE: 20230323: Added by Front-Desk (gladk)
NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert)
--
cinder
- NOTE: 20230525: Added by Front-Desk
+ NOTE: 20230525: Added by Front-Desk (lamby)
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
docker-registry
- NOTE: 20230525: Added by Front-Desk
+ NOTE: 20230525: Added by Front-Desk (lamby)
--
docker.io
- NOTE: 20230303: Added by Front-Desk
+ NOTE: 20230303: Added by Front-Desk (Beuc)
NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk)
NOTE: 20230424: Is in preparation. (gladk)
--
erlang (Markus Koschany)
- NOTE: 20221119: Added by Front-Desk
+ NOTE: 20221119: Added by Front-Desk (ta)
NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch)
--
firefox-esr (Emilio)
NOTE: 20230606: Added by pochu
--
fusiondirectory (Abhijith PA)
- NOTE: 20221203: Added by Front-Desk
+ NOTE: 20221203: Added by Front-Desk (gladk)
NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk).
NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk).
NOTE: 20221203: Also the package was removed from sid recently (gladk).
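Review bot: the unchanged firefox-esr context line in this hunk still reads `NOTE: 20230606: Added by pochu`, while every line rewritten here takes the `Added by Front-Desk (handle)` form, so the file now carries two spellings of the same fact; if the updated tool emits the parenthesised form, rewrite that line (and the matching thunderbird line further down) too, otherwise say in the commit message which form is canonical. The message also does not say where the handles were recovered from (the git history of each line, presumably), which would help anyone verifying the attributions.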
@@ -54,15 +54,15 @@ fusiondirectory (Abhijith PA)
NOTE: 20230523: Added upstream commit references to security tracker. Patched our version, testing (abhijith)
--
golang-go.crypto (Markus Koschany)
- NOTE: 20220915: Added by Front-Desk
+ NOTE: 20220915: Added by Front-Desk (Beuc)
NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
--
golang-yaml.v2 (sgmoore)
- NOTE: 20230125: Added by Front-Desk
+ NOTE: 20230125: Added by Front-Desk (gladk)
NOTE: 20230525: In review with utkarsh.
--
hdf5
- NOTE: 20230318: Added by Front-Desk
+ NOTE: 20230318: Added by Front-Desk (utkarsh)
NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh)
NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably
NOTE: 20230318: sync w/ him. (utkarsh)
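Review bot: handle casing is mixed in this hunk: golang-go.crypto gets `(Beuc)` while golang-yaml.v2 and hdf5 get lowercase `(gladk)` and `(utkarsh)`; if the handles are meant to be matched mechanically, for instance against the existing `(Beuc/front-desk)` attributions, pick one casing, otherwise note that they are free-form.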
@@ -74,21 +74,21 @@ hdf5
NOTE: 20230520: so giving up on the package. (tobi)
--
libcap2 (Abhijith PA)
- NOTE: 20230517: Added by Front-Desk
+ NOTE: 20230517: Added by Front-Desk (gladk)
--
libfastjson (Thorsten Alteholz)
- NOTE: 20230507: Added by Front-Desk
+ NOTE: 20230507: Added by Front-Desk (ta)
NOTE: 20230507: the CVE was fixed in json-c already
NOTE: 20230605: upload timing could be improved here
--
libreoffice
- NOTE: 20230530: Added by Front-Desk
+ NOTE: 20230530: Added by Front-Desk (pochu)
--
linux (Ben Hutchings)
- NOTE: 20230111: Added by Front-Desk
+ NOTE: 20230111: perma-added (bwh)
--
nova
- NOTE: 20230302: Added by Front-Desk
+ NOTE: 20230302: Re-add, request by maintainer (Beuc)
NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
NOTE: 20230302: (it's meant to check whether a VMDK image has the "monoliticFlat" subtype, but in practice it breaks compute nodes);
NOTE: 20230302: cf. debian/patches/cve-2022-47951-nova-stable-rocky.patch, which depends on images_*.patch.
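Review bot: the linux and nova lines drop the literal `Added by` text (`perma-added (bwh)`, `Re-add, request by maintainer (Beuc)`), so anything that locates entries by that phrase, including the updated tool the commit message refers to, will no longer see these two as "added" records; if the phrase is load-bearing, keep it, e.g. `Added by bwh (perma-added)`, and mention the exception in the commit message.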
@@ -100,52 +100,52 @@ nova
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
nvidia-cuda-toolkit
- NOTE: 20230514: Added by Front-Desk
+ NOTE: 20230514: Added by Front-Desk (utkarsh)
NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have
NOTE: 20230514: piled up. (utkarsh)
--
openimageio (gladk)
- NOTE: 20230406: Added by Front-Desk
+ NOTE: 20230406: Re-added due to regressions (apo)
NOTE: 20230508: WIP
--
openjdk-11 (Emilio)
- NOTE: 20230419: Added by Front-Desk
+ NOTE: 20230419: Added by Front-Desk (ola)
NOTE: 20230522: waiting for sid/bullseye update (pochu)
--
openssl (Sylvain Beucler)
- NOTE: 20230531: Added by Front-Desk
+ NOTE: 20230531: Added by Front-Desk (pochu)
NOTE: 20230531: also handle no-dsa issues (pochu)
--
owslib (Adrian Bunk)
- NOTE: 20230514: Added by Front-Desk
+ NOTE: 20230514: Added by Front-Desk (utkarsh)
NOTE: 20230514: also in dsa-needed. (utkarsh)
--
php-cas
- NOTE: 20221105: Added by Front-Desk
+ NOTE: 20221105: Added by Front-Desk (ola)
NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola)
NOTE: 20221107: php-cas only has 2 reverse-deps in buster (fusiondirectory, ocsinventory-reports),
NOTE: 20221107: consider fixing all 3 packages; also check situation in ELTS for reference (Beuc/front-desk)
NOTE: 20221110: a DSA is planned (Beuc/front-desk)
--
python-glance-store
- NOTE: 20230525: Added by Front-Desk
+ NOTE: 20230525: Added by Front-Desk (lamby)
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
python-os-brick
- NOTE: 20230525: Added by Front-Desk
+ NOTE: 20230525: Added by Front-Desk (lamby)
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
python-oslo.privsep
- NOTE: 20221231: Added by Front-Desk
+ NOTE: 20221231: Added by Front-Desk (ola)
NOTE: 20230525: CVE-2022-38065 has been marked as Won't-fix/Hardening opportunity.
NOTE: 20230525: It was mentioned the fix was easy but tedious. It is consumer design flaw issue.
--
python3.7 (Adrian Bunk)
- NOTE: 20230220: Added by Front-Desk
+ NOTE: 20230220: Added by Front-Desk (ola)
NOTE: 20230228: Waiting for actual upstream fix for CVE-2023-24329. (bunk)
--
rails
- NOTE: 20220909: Added by Front-Desk
+ NOTE: 20220909: Re-added due to regression (abhijith)
NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
NOTE: 20220909: https://lists.debian.org/debian-lts/2022/09/msg00004.html (abhijith)
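Review bot: the two re-add lines in this hunk use slightly different wording, `Re-added due to regressions (apo)` for openimageio and `Re-added due to regression (abhijith)` for rails, and the nova line in the previous hunk uses `Re-add, request by maintainer`; settle on one spelling such as `Re-added: <reason> (handle)` so the re-add cases stay greppable as a group.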
@@ -158,27 +158,27 @@ rails
NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh)
--
ring (Thorsten Alteholz)
- NOTE: 20221120: Added by Front-Desk
+ NOTE: 20221120: Added by Front-Desk (ta)
NOTE: 20230507: testing package
NOTE: 20230605: upload timing could be improved here
--
ruby-loofah
- NOTE: 20221231: Added by Front-Desk
+ NOTE: 20221231: Added by Front-Desk (ola)
NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby)
NOTE: 20230403: See "RFC: ruby-loofah 2.2.3-1+deb10u2" thread on debian-lts list. (lamby)
NOTE: 20230403: Everything ready, just waiting for ruby-rails-html-sanitizer/utkarsh (dleidert)
--
-ruby-rails-html-sanitizer
- NOTE: 20221231: Added by Front-Desk
+ruby-rails-html-sanitizer (ola)
+ NOTE: 20221231: Added by Front-Desk (ola)
NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with appropriate methods. (utkarsh)
--
salt
- NOTE: 20220814: Added by Front-Desk
+ NOTE: 20220814: Added by Front-Desk (gladk)
NOTE: 20220814: I am not sure, whether it is possible to fix issues
NOTE: 20220814: without backporting a newer verion. (Anton)
--
samba (Lee Garrett)
- NOTE: 20220904: Added by Front-Desk
+ NOTE: 20220904: Added by Front-Desk (apo)
NOTE: 20220904: Many postponed or open CVE in general. (apo)
NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee)
--
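Review bot: the `-ruby-rails-html-sanitizer` / `+ruby-rails-html-sanitizer (ola)` pair assigns the package to ola, which is a claim change rather than an "Added by" precision and is not mentioned in the commit message; confirm the assignment is intended (the existing note says the package cannot be fixed until ruby-loofah is, and ruby-loofah above carries no claimer) and call it out in the message, or split it into its own commit.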
@@ -186,7 +186,7 @@ thunderbird (Emilio)
NOTE: 20230606: Added by pochu
--
webkit2gtk (Emilio)
- NOTE: 20230512: Added by Front-Desk
+ NOTE: 20230512: Re-added (pochu)
NOTE: 20230512: checking if upgrade to 2.40.x is possible, otherwise we'll have to EOL webkit (pochu)
NOTE: 20230529: made some progress on the backport, but there are still some blockers,
NOTE: 20230529: particularly around (the lack of) C++20 support. (pochu)
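Review bot: `Re-added (pochu)` on the webkit2gtk line gives no reason, unlike the other re-add lines in this patch (`due to regression`, `request by maintainer`); the following note implies it was re-added to evaluate the 2.40.x upgrade versus EOL, so something like `Re-added for 2.40.x backport evaluation (pochu)` would make the entry self-explaining.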
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3549eb52aceb1302d93b3a07e262f09a1593e4d7