[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Jun 29 15:05:50 BST 2023 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5936ceab by Moritz Muehlenhoff at 2023-06-29T16:04:51+02:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -65052,6 +65052,7 @@ CVE-2021-46834 (A permission bypass vulnerability in Huawei cross device task ma
 CVE-2020-36599 (lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before  ...)
 	[experimental] - ruby-omniauth 2.0.4-1~exp1
 	- ruby-omniauth 2.0.4-2
+	[bullseye] - ruby-omniauth <no-dsa> (Minor issue)
 	[buster] - ruby-omniauth <no-dsa> (Minor issue)
 	NOTE: https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00 (v2.0.0-rc1)
 CVE-2020-36598
@@ -72262,6 +72263,7 @@ CVE-2022-2401 (Unrestricted information disclosure of all users in Mattermost ve
 	- mattermost-server <itp> (bug #823556)
 CVE-2022-2400 (External Control of File Name or Path in GitHub repository dompdf/domp ...)
 	- php-dompdf 2.0.2+dfsg-1 (bug #1015874)
+	[bullseye] - php-dompdf <no-dsa> (Minor issue)
 	NOTE: https://huntr.dev/bounties/a6da5e5e-86be-499a-a3c3-2950f749202a
 	NOTE: https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a
 CVE-2022-2399 (Use after free in WebGPU in Google Chrome prior to 100.0.4896.88 allow ...)
@@ -82198,6 +82200,7 @@ CVE-2022-1962 (Uncontrolled recursion in the Parse functions in go/parser before
 	- golang-1.18 1.18.4-1
 	- golang-1.17 1.17.13-1
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <postponed> (Limited support, follow bullseye DSAs/point-releases)
 	NOTE: https://go.dev/issue/53616
@@ -86689,6 +86692,7 @@ CVE-2022-1705 (Acceptance of some invalid Transfer-Encoding headers in the HTTP/
 	- golang-1.18 1.18.4-1
 	- golang-1.17 1.17.13-1
 	- golang-1.15 <removed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <not-affected> (Introduced in 1.15)
 	NOTE: https://go.dev/issue/53188
 	NOTE: https://github.com/golang/go/commit/e5017a93fcde94f09836200bca55324af037ee5f (go1.19rc1)
@@ -92740,7 +92744,7 @@ CVE-2022-1227 (A privilege escalation flaw was found in Podman. This flaw allows
 	- libpod 3.4.7+ds1-1
 	[bullseye] - libpod 3.0.1+dfsg1-3+deb11u2
 	- golang-github-containers-psgo 1.7.1+ds1-1 (bug #1020907)
-	[bullseye] - golang-github-containers-psgo 1.5.2-2~deb11u1
+	[bullseye] - golang-github-containers-psgo 1.5.2-1+deb11u1
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2070368
 	NOTE: https://github.com/containers/psgo/pull/92
 	NOTE: https://github.com/containers/psgo/commit/d9467da9f563a9de1ece79dcae86b37b1db75443 (v1.7.2)
@@ -126108,6 +126112,7 @@ CVE-2021-42853 (It was discovered that the SteelCentral AppInternals Dynamic Sam
 CVE-2021-3902
 	RESERVED
 	- php-dompdf 2.0.2+dfsg-1
+	[bullseye] - php-dompdf <no-dsa> (Minor issue)
 	NOTE: https://github.com/dompdf/dompdf/issues/2564
 	NOTE: https://huntr.dev/bounties/a6071c07-806f-429a-8656-a4742e4191b1
 CVE-2021-3901 (firefly-iii is vulnerable to Cross-Site Request Forgery (CSRF))
@@ -130261,6 +130266,7 @@ CVE-2021-41770 (Ping Identity PingFederate before 10.3.1 mishandles pre-parsing
 CVE-2021-3838
 	RESERVED
 	- php-dompdf 2.0.2+dfsg-1
+	[bullseye] - php-dompdf <no-dsa> (Minor issue)
 	NOTE: https://github.com/dompdf/dompdf/issues/2564
 	NOTE: https://huntr.dev/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e
 CVE-2021-41769 (A vulnerability has been identified in SIPROTEC 5 6MD85 devices (CPU v ...)
@@ -160782,6 +160788,7 @@ CVE-2021-29924
 CVE-2021-29923 (Go before 1.17 does not properly consider extraneous zero characters a ...)
 	- golang-1.16 <unfixed>
 	- golang-1.15 <unfixed>
+	[bullseye] - golang-1.15 <no-dsa> (Minor issue)
 	- golang-1.11 <removed>
 	[buster] - golang-1.11 <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	- golang-1.8 <removed>


=====================================
data/dsa-needed.txt
=====================================
@@ -22,6 +22,12 @@ ghostscript (carnil)
 --
 gpac/oldstable (jmm)
 --
+gst-plugins-base1.0 (jmm)
+--
+gst-plugins-bad1.0 (jmm)
+--
+gst-plugins-bad1.0 (jmm)
+--
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y versions



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5936ceabfeaa1226e6dc1e82e854a848f2260327

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5936ceabfeaa1226e6dc1e82e854a848f2260327
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230629/122279e0/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list