[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Thu Mar 2 20:12:14 GMT 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ec9c2e6e by Moritz Muehlenhoff at 2023-03-02T21:11:57+01:00
bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -90052,6 +90052,7 @@ CVE-2022-23438 (An improper neutralization of input during web page generation (
NOT-FOR-US: Fortinet
CVE-2022-23437 (There's a vulnerability within the Apache Xerces Java (XercesJ) XML pa ...)
- libxerces2-java <unfixed> (bug #1016975)
+ [bookworm] - libxerces2-java <postponed> (revisit when/if fix is complete)
[bullseye] - libxerces2-java <postponed> (revisit when/if fix is complete)
[buster] - libxerces2-java <postponed> (revisit when/if fix is complete)
[stretch] - libxerces2-java <postponed> (revisit when/if fix is complete)
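Review bot: the new `[bookworm] - libxerces2-java <postponed>` line copies the bullseye/buster/stretch entries verbatim, but "revisit when/if fix is complete" gives a future triager nothing to check against; consider adding a NOTE line pointing at where the upstream fix status is tracked (the bug #1016975 reference on the `<unfixed>` line is the only pointer in this hunk), so the postponed state does not become permanent by default.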
@@ -117782,8 +117783,9 @@ CVE-2021-3715 (A flaw was found in the "Routing decision" classifier in the Linu
NOTE: https://www.openwall.com/lists/oss-security/2021/09/07/1
NOTE: https://git.kernel.org/linus/ef299cc3fa1a9e1288665a9fdc8bff55629fd359 (5.6)
CVE-2021-3714 (A flaw was found in the Linux kernels memory deduplication mechanism. ...)
- - linux <unfixed>
+ - linux <unfixed> (unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1931327
+ NOTE: Inherent design limitation, can be avoided by not using KSM
CVE-2021-39245 (Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus Nexto, ...)
NOT-FOR-US: Altus
CVE-2021-39244 (Authenticated Semi-Blind Command Injection (via Parameter Injection) e ...)
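Review bot: downgrading `linux <unfixed>` to `(unimportant)` rests entirely on the added NOTE "Inherent design limitation, can be avoided by not using KSM", which describes a workaround rather than a justification; the note would be stronger if it also recorded whether KSM is enabled by default in the Debian kernel configuration and linked the upstream discussion that calls this a design limitation, since the remaining Red Hat bugzilla NOTE alone does not establish that.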
@@ -131810,6 +131812,7 @@ CVE-2021-33565
RESERVED
CVE-2016-20011 (libgrss through 0.7.0 fails to perform TLS certificate verification wh ...)
- libgrss <unfixed> (bug #989149)
+ [bookworm] - libgrss <ignored> (Minor issue)
[bullseye] - libgrss <ignored> (Minor issue)
[buster] - libgrss <ignored> (Minor issue)
[stretch] - libgrss <ignored> (Minor issue)
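Review bot: the `[bookworm] - libgrss <ignored> (Minor issue)` line carries the reason string over from the older suites unchanged, yet the CVE text in the hunk header is a missing TLS certificate verification, which is normally an interception risk rather than a cosmetic one; the reason in parentheses should say why it is minor for this package (for example what consumes libgrss and over which inputs), otherwise the `<ignored>` status is not self-explaining.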
@@ -181932,18 +181935,14 @@ CVE-2020-26562
CVE-2020-26561 (** UNSUPPORTED WHEN ASSIGNED ** Belkin LINKSYS WRT160NL 1.0.04.002_US_ ...)
NOT-FOR-US: Belkin
CVE-2020-26560 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0. ...)
- - bluez <unfixed> (bug #1006406)
- [bullseye] - bluez <no-dsa> (Minor issue)
- [buster] - bluez <no-dsa> (Minor issue)
- [stretch] - bluez <not-affected> (Mesh support introduced later)
+ NOT-FOR-US: Bluetooth
+ NOTE: There's no indication that any Bluetooth software in Debian is affected
NOTE: https://kb.cert.org/vuls/id/799380
NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/impersonation-mesh/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1959994
CVE-2020-26559 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0. ...)
- - bluez <unfixed> (bug #1006406)
- [bullseye] - bluez <no-dsa> (Minor issue)
- [buster] - bluez <no-dsa> (Minor issue)
- [stretch] - bluez <not-affected> (Mesh support introduced later)
+ NOT-FOR-US: Bluetooth
+ NOTE: There's no indication that any Bluetooth software in Debian is affected
NOTE: https://kb.cert.org/vuls/id/799380
NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/authvalue-leak/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960011
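Review bot: switching CVE-2020-26560 and CVE-2020-26559 from `bluez <unfixed> (bug #1006406)` to `NOT-FOR-US: Bluetooth` drops the Debian bug reference without saying what happens to bug #1006406, and the removed `[stretch] - bluez <not-affected> (Mesh support introduced later)` lines imply that newer bluez does ship mesh support, so the new NOTE "There's no indication that any Bluetooth software in Debian is affected" should state the reasoning (which component the specification issue concerns and why the bluez mesh code is out of scope) and whether the Debian bug is being closed alongside this change.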
@@ -181959,10 +181958,8 @@ CVE-2020-26558 (Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specifi
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00517.html
NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738
CVE-2020-26557 (Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may perm ...)
- - bluez <unfixed> (bug #1006406)
- [bullseye] - bluez <no-dsa> (Minor issue)
- [buster] - bluez <no-dsa> (Minor issue)
- [stretch] - bluez <not-affected> (Mesh support introduced later)
+ NOT-FOR-US: Bluetooth
+ NOTE: There's no indication that any Bluetooth software in Debian is affected
NOTE: https://kb.cert.org/vuls/id/799380
NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/predicatable-authvalue/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960009
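Review bot: the same concern applies to CVE-2020-26557 in this hunk: the bug #1006406 reference is removed together with the suite lines, and the stretch `<not-affected> (Mesh support introduced later)` line being deleted suggests mesh support exists in later bluez, so the generic `NOT-FOR-US: Bluetooth` NOTE should carry the justification once, or reference where it is recorded, rather than repeating the same unsupported sentence across three entries.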
@@ -435368,6 +435365,7 @@ CVE-2016-2142 (Red Hat OpenShift Enterprise 3.1 uses world-readable permissions
NOT-FOR-US: OpenShift
CVE-2016-2141 (JGroups before 4.0 does not require the proper headers for the ENCRYPT ...)
- libjgroups-java <unfixed> (low; bug #867493)
+ [bookworm] - libjgroups-java <ignored> (Minor issue, only used as build dep)
[bullseye] - libjgroups-java <ignored> (Minor issue, only used as build dep)
[buster] - libjgroups-java <ignored> (Minor issue, only used as build dep)
[stretch] - libjgroups-java <ignored> (Minor issue, only used as build dep)
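Review bot: the `[bookworm] - libjgroups-java <ignored> (Minor issue, only used as build dep)` line reuses a rationale written for stretch, buster and bullseye; "only used as build dep" is a statement about reverse dependencies, which can differ per release, so it is worth confirming against bookworm before copying it, and the `(low; bug #867493)` severity on the `<unfixed>` line should stay consistent with the ignored status.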
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec9c2e6e3ff15665a2c22e849bad4d0066eda69d