[Git][security-tracker-team/security-tracker][master] 4 commits: Marked golang-1.11 CVEs as no-dsa for buster following bullseye.
Ola Lundqvist (@opal)
opal at debian.org
Sun Jun 18 21:01:12 BST 2023
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2bc45273 by Ola Lundqvist at 2023-06-18T21:46:34+02:00
Marked golang-1.11 CVEs as no-dsa for buster following bullseye.
- - - - -
22287c80 by Ola Lundqvist at 2023-06-18T21:49:11+02:00
Marked golang-1.11 CVE-29403 as no-dsa in buster due to limited support.
- - - - -
b6da7d0e by Ola Lundqvist at 2023-06-18T21:51:30+02:00
Marked golang-1.11 CVEs as postponed due to limited support.
- - - - -
077def48 by Ola Lundqvist at 2023-06-18T22:00:40+02:00
Marked node-matrix-js-sdk as postponed for buster.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -9601,6 +9601,7 @@ CVE-2023-29405 (The go command may execute arbitrary code at build time when usi
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <postponed> (Limited support)
NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924
NOTE: https://github.com/golang/go/issues/60306
NOTE: https://github.com/golang/go/commit/fa60c381ed06c12f9c27a7b50ca44c5f84f7f0f4 (go1.20.5)
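Review bot: the reason on the added `[buster] - golang-1.11 <postponed> (Limited support)` line does not say what the postponed fix is waiting for. The node-matrix-js-sdk entries later in this push use "(Can wait for next update)" for the same state, which tells the next triager when to revisit. Consider a reason or NOTE here that states the condition for picking this up, since "Limited support" reads more like a justification for not fixing at all.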
@@ -9614,6 +9615,7 @@ CVE-2023-29404 (The go command may execute arbitrary code at build time when usi
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <postponed> (Limited support)
NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924
NOTE: https://github.com/golang/go/issues/60305
NOTE: https://github.com/golang/go/commit/356a419e2f811b65d227abcea1a346f8dcb154e0 (go1.20.5)
@@ -9624,6 +9626,7 @@ CVE-2023-29403 (On Unix platforms, the Go runtime does not behave differently wh
- golang-1.19 1.19.10-2
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Limited support)
NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924
NOTE: https://github.com/golang/go/issues/60272
NOTE: https://github.com/golang/go/commit/36144ba429ef2650940c72e7a0b932af3612d420 (go1.20.5)
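Review bot: the added buster line for CVE-2023-29403 is `<no-dsa> (Limited support)`, while CVE-2023-29405, CVE-2023-29404 and CVE-2023-29402 carry the same "(Limited support)" reason, reference the same golang-announce thread (q5135a9d924) and the same go1.20.5 release, and are marked `<postponed>`. With an identical reason string, nothing in the entry explains why this one gets a different state. Suggest either aligning the state or adding a NOTE that records why the runtime issue is treated differently from the three go-command issues. The subject of commit 22287c80 also writes "CVE-29403" without the year, which will not match a search for the full id.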
@@ -9634,6 +9637,7 @@ CVE-2023-29402 (The go command may generate unexpected code at build time when u
- golang-1.19 1.19.10-2
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <postponed> (Limited support)
NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924
NOTE: https://github.com/golang/go/issues/60167
NOTE: https://github.com/golang/go/commit/c0ed873cd8259f16d0da67eee783fda49f45ef61 (go1.20.5)
@@ -9651,6 +9655,7 @@ CVE-2023-29400 (Templates containing actions in unquoted HTML attributes (e.g. "
[bullseye] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
NOTE: https://github.com/golang/go/issues/59722
NOTE: https://github.com/golang/go/commit/9db0e74f606b8afb28cc71d4b1c8b4ed24cabbf5 (go1.19.9)
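Review bot: the added `[buster] - golang-1.11 <no-dsa> (Minor issue)` line copies the reason from the `[bullseye] - golang-1.19` line above it, but the other golang-1.11 buster lines in this push give "(Limited support)" as the reason. For one package in one release, two different rationales make it unclear whether the decision rests on severity or on support status. Suggest picking one consistently, or saying in a NOTE that this entry was triaged on severity alone.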
@@ -24585,6 +24590,7 @@ CVE-2023-24540 (Not all valid JavaScript whitespace characters are considered to
[bullseye] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
NOTE: https://github.com/golang/go/issues/59721
NOTE: https://github.com/golang/go/commit/ce7bd33345416e6d8cac901792060591cafc2797 (go1.19.9)
@@ -24597,6 +24603,7 @@ CVE-2023-24539 (Angle brackets (<>) are not considered dangerous characters when
[bullseye] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
NOTE: https://github.com/golang/go/issues/59720
NOTE: https://github.com/golang/go/commit/e49282327b05192e46086bf25fd3ac691205fe80 (go1.19.9)
@@ -61025,16 +61032,19 @@ CVE-2022-39252 (matrix-rust-sdk is an implementation of a Matrix client-server l
NOT-FOR-US: matrix-rust-sdk
CVE-2022-39251 (Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. ...)
- node-matrix-js-sdk <unfixed> (bug #1021136)
+ [buster] - node-matrix-js-sdk <postponed> (Can wait for next update)
NOTE: https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c
NOTE: https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
NOTE: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
CVE-2022-39250 (Matrix JavaScript SDK is the Matrix Client-Server software development ...)
- node-matrix-js-sdk <unfixed> (bug #1021136)
+ [buster] - node-matrix-js-sdk <postponed> (Can wait for next update)
NOTE: https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf
NOTE: https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
NOTE: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
CVE-2022-39249 (Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. ...)
- node-matrix-js-sdk <unfixed> (bug #1021136)
+ [buster] - node-matrix-js-sdk <postponed> (Can wait for next update)
NOTE: https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg
NOTE: https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
NOTE: https://github.com/matrix-org/matrix-spec-proposals/pull/3061
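Review bot: the three added `<postponed> (Can wait for next update)` lines sit next to a NOTE linking the upstream post "upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients", and the entries themselves record no reason why buster can wait. Suggest a short NOTE under each CVE, or at least under the first, stating the basis for postponing, so the decision can be re-checked when the next node-matrix-js-sdk update is prepared.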
@@ -61075,6 +61085,7 @@ CVE-2022-39237 (syslabs/sif is the Singularity Image Format (SIF) reference impl
NOTE: https://github.com/sylabs/sif/commit/a854038ce1f18237b81d505a1c3be6a60505db52 (v2.8.1)
CVE-2022-39236 (Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. ...)
- node-matrix-js-sdk <unfixed> (bug #1021136)
+ [buster] - node-matrix-js-sdk <postponed> (Minor issue)
NOTE: https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x
NOTE: https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
NOTE: https://github.com/matrix-org/matrix-spec-proposals/pull/3488
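Review bot: the added line for CVE-2022-39236 uses `<postponed> (Minor issue)`, while CVE-2022-39251, CVE-2022-39250 and CVE-2022-39249 in the previous hunk use `<postponed> (Can wait for next update)`. All four entries reference the same upstream commit a587d7c36026fe1fcf93dfff63588abee359be76, so they would be fixed by the same upload. Suggest using the same reason on all four, or keeping "(Minor issue)" only if the severity of this one was assessed separately.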
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/00d9ac0a31fd26db3ef729e75113317349fa51dd...077def48d552c9589362dbc35fd97d8679d74065