[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Jun 20 13:59:57 BST 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
05fb674b by Moritz Muehlenhoff at 2023-06-20T14:59:40+02:00
bullseye/bookworm triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3184,6 +3184,7 @@ CVE-2023-2481 (Compiler removal of buffer clearing in sli_se_opaque_import_k
CVE-2023-33204 (sysstat through 12.7.2 allows a multiplication integer overflow in che ...)
{DLA-3434-1}
- sysstat <unfixed> (bug #1036294)
+ [bookworm] - sysstat <no-dsa> (Minor issue)
[bullseye] - sysstat <not-affected> (Incomplete fix for CVE-2022-39377 not applied)
NOTE: https://github.com/sysstat/sysstat/pull/360
NOTE: https://github.com/sysstat/sysstat/commit/6f8dc568e6ab072bb8205b732f04e685bf9237c0
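Review bot: the added [bookworm] line for sysstat carries only the generic reason "Minor issue", while the same entry already has {DLA-3434-1} attached and a [bullseye] line that explains its status in terms of the CVE-2022-39377 fix. Consider a reason that says why bookworm is affected yet minor, so the three release lines can be read together without opening bug #1036294.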
@@ -9848,6 +9849,7 @@ CVE-2023-29405 (The go command may execute arbitrary code at build time when usi
- golang-1.19 1.19.10-2
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support)
NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924
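Review bot: the added "[bullseye] - golang-1.15 <no-dsa> (Minor issue)" sits under a description that reads "may execute arbitrary code at build time", and the reason does not say what makes that minor for bullseye. Suggest extending the parenthesised reason with the precondition that limits exposure. The same wording is reused for CVE-2023-29404 in the next hunk.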
@@ -9862,6 +9864,7 @@ CVE-2023-29404 (The go command may execute arbitrary code at build time when usi
- golang-1.19 1.19.10-2
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support)
NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924
@@ -9873,6 +9876,7 @@ CVE-2023-29403 (On Unix platforms, the Go runtime does not behave differently wh
[experimental] - golang-1.19 1.19.10-1
- golang-1.19 1.19.10-2
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <no-dsa> (Limited support)
NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924
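Review bot: the "- golang-1.19 1.19.10-2" line here is followed directly by "- golang-1.15 <removed>", with no [bookworm] annotation for golang-1.19, unlike CVE-2023-29405 and CVE-2023-29404 above, where "[bookworm] - golang-1.19 <no-dsa> (Minor issue)" follows the same fixed version. Since this commit is the bullseye/bookworm triage, please check whether a [bookworm] line for golang-1.19 is missing from this entry. The CVE-2023-29402 entry in the next hunk has the same shape.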
@@ -9884,6 +9888,7 @@ CVE-2023-29402 (The go command may generate unexpected code at build time when u
[experimental] - golang-1.19 1.19.10-1
- golang-1.19 1.19.10-2
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support)
NOTE: https://groups.google.com/g/golang-announce/c/q5135a9d924
@@ -9892,6 +9897,8 @@ CVE-2023-29402 (The go command may generate unexpected code at build time when u
NOTE: https://github.com/golang/go/commit/c160b49b6d328c86bd76ca2fff9009a71347333f (go.1.19.10)
CVE-2023-29401 (The filename parameter of the Context.FileAttachment function is not p ...)
- golang-github-gin-gonic-gin <unfixed> (bug #1037530)
+ [bookworm] - golang-github-gin-gonic-gin <no-dsa> (Minor issue)
+ [bullseye] - golang-github-gin-gonic-gin <no-dsa> (Minor issue)
[buster] - golang-github-gin-gonic-gin <no-dsa> (Minor issue)
NOTE: https://github.com/gin-gonic/gin/issues/3555
NOTE: https://github.com/gin-gonic/gin/commit/2d4bbec941551479b1fdf1e54ece03e6e82a7e72 (v1.9.1)
@@ -9902,6 +9909,7 @@ CVE-2023-29400 (Templates containing actions in unquoted HTML attributes (e.g. "
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
[bullseye] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <no-dsa> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
@@ -24843,6 +24851,7 @@ CVE-2023-24540 (Not all valid JavaScript whitespace characters are considered to
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
[bullseye] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <no-dsa> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
@@ -24856,6 +24865,7 @@ CVE-2023-24539 (Angle brackets (<>) are not considered dangerous characters when
[bookworm] - golang-1.19 <no-dsa> (Minor issue)
[bullseye] - golang-1.19 <no-dsa> (Minor issue)
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <no-dsa> (Minor issue)
NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
@@ -24867,6 +24877,7 @@ CVE-2023-24538 (Templates do not properly consider backticks (`) as Javascript s
[experimental] - golang-1.19 1.19.8-1
- golang-1.19 1.19.8-2
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
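Review bot: the [buster] golang-1.11 line in this entry is postponed with "follow bullseye DSAs/point-releases", and the added [bullseye] golang-1.15 line is marked no-dsa, so nothing visible here says whether a bullseye point release is planned for buster to follow. Suggest stating that in the bullseye reason, or adjusting the buster note if no bullseye update is intended. This applies equally to the CVE-2023-24537, CVE-2023-24536 and CVE-2023-24534 hunks below.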
@@ -24878,6 +24889,7 @@ CVE-2023-24537 (Calling any of the Parse functions on Go source code which conta
[experimental] - golang-1.19 1.19.8-1
- golang-1.19 1.19.8-2
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
@@ -24890,6 +24902,7 @@ CVE-2023-24536 (Multipart form parsing can consume large amounts of CPU and memo
[experimental] - golang-1.19 1.19.8-1
- golang-1.19 1.19.8-2
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
@@ -24903,6 +24916,7 @@ CVE-2023-24534 (HTTP and MIME header parsing can allocate large amounts of memor
[experimental] - golang-1.19 1.19.8-1
- golang-1.19 1.19.8-2
- golang-1.15 <removed>
+ [bullseye] - golang-1.15 <no-dsa> (Minor issue)
- golang-1.11 <removed>
[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/Xdv6JL9ENs8
@@ -39782,6 +39796,8 @@ CVE-2022-46166 (Spring boot admins is an open source administrative user interfa
NOT-FOR-US: Spring boot admins
CVE-2022-46165 (Syncthing is an open source, continuous file synchronization program. ...)
- syncthing <unfixed> (bug #1037432)
+ [bookworm] - syncthing <no-dsa> (Minor issue)
+ [bullseye] - syncthing <no-dsa> (Minor issue)
NOTE: https://github.com/syncthing/syncthing/security/advisories/GHSA-9rp6-23gf-4c3h
NOTE: https://github.com/syncthing/syncthing/commit/73c52eafb6566435dffd979c3c49562b6d5a4238 (v1.23.5)
CVE-2022-46164 (NodeBB is an open source Node.js based forum software. Due to a plain ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
If needed, specify the release by adding a slash after the name of the source package.
+--
+aom/oldstable
--
asterisk/oldstable
--
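Review bot: the new "aom/oldstable" entry in data/dsa-needed.txt has no accompanying change to an aom entry in the data/CVE/list hunks of this commit, and the commit message does not name the issue, so the reason aom needs an oldstable DSA cannot be read from the change. Suggest adding a short note under the entry naming the CVEs it is queued for.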
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05fb674b81bc54eac35f5b441e9a21d3a1a06968