[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Mar 7 14:55:46 GMT 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
76e65624 by Moritz Muehlenhoff at 2023-03-07T15:55:29+01:00
bookworm triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -44948,7 +44948,7 @@ CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
- ghostwriter 2.1.6+ds-1 (unimportant)
- ruby-commonmarker <unfixed>
[buster] - ruby-commonmarker <no-dsa> (Minor issue)
- - r-cran-commonmark <unfixed>
+ - r-cran-commonmark 1.8.1-1
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
NOTE: https://github.com/github/cmark-gfm/commit/cfcaa0068bf319974fdec283416fcee5035c2d70 (0.29.0.gfm.6)
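Review bot: the r-cran-commonmark fixed version 1.8.1-1 is recorded without a note saying which cmark-gfm version that release bundles; the existing NOTE gives the upstream fix as 0.29.0.gfm.6, so add a NOTE confirming that 1.8.1 carries cmark-gfm at or past that version, otherwise the `<unfixed>` to `1.8.1-1` transition cannot be checked from the entry alone.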
@@ -47417,9 +47417,9 @@ CVE-2021-46834 (A permission bypass vulnerability in Huawei cross device task ma
NOT-FOR-US: Huawei
CVE-2020-36599 (lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before ...)
[experimental] - ruby-omniauth 2.0.4-1~exp1
- - ruby-omniauth <unfixed>
+ - ruby-omniauth 2.0.4-2
[buster] - ruby-omniauth <no-dsa> (Minor issue)
- NOTE: https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2 (v2.0.0-rc1)
+ NOTE: https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00 (v2.0.0-rc1)
CVE-2020-36598
RESERVED
CVE-2020-36597
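Review bot: with `ruby-omniauth 2.0.4-2` now recorded as fixed in unstable, the `[experimental] - ruby-omniauth 2.0.4-1~exp1` line above it is superseded (2.0.4-2 sorts higher) and should be dropped in the same change; trimming the `#diff-...` fragment from the commit NOTE is fine, it only pointed into the rendered page.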
@@ -69104,11 +69104,11 @@ CVE-2022-XXXX [RUSTSEC-2022-0022]
- rust-hyper 0.14.19-1
NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0022.html
CVE-2022-XXXX [RUSTSEC-2022-0021]
- - rust-crossbeam-queue <unfixed>
+ - rust-crossbeam-queue 0.3.5-1
[bullseye] - rust-crossbeam-queue <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0021.html
CVE-2022-XXXX [RUSTSEC-2022-0019]
- - rust-crossbeam-channel <unfixed>
+ - rust-crossbeam-channel 0.4.4-1
[bullseye] - rust-crossbeam-channel <no-dsa> (Minor issue)
[buster] - rust-crossbeam-channel <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0019.html
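Review bot: the fixed versions `rust-crossbeam-queue 0.3.5-1` and `rust-crossbeam-channel 0.4.4-1` are recorded with only the RustSec advisory as reference; add a NOTE naming the upstream crate release that carries each fix, in the `(version)` suffix style used elsewhere in this file, so the fixed-version claims can be cross-checked against the advisory's patched range.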
@@ -137393,9 +137393,10 @@ CVE-2020-36327 (Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes
- bundler <removed>
[buster] - bundler <no-dsa> (Minor issue)
[stretch] - bundler <no-dsa> (Invasive change, hard to backport; chances of regression)
- - rubygems <unfixed>
- [bullseye] - rubygems <no-dsa> (Minor issue)
+ - rubygems 3.3.5-1
+ [bullseye] - rubygems <ignored> (Minor issue, too intrusive to backport)
NOTE: https://github.com/rubygems/rubygems/issues/3982
+ NOTE: https://github.com/rubygems/rubygems/pull/4609
CVE-2021-3521 (There is a flaw in RPM's signature functionality. OpenPGP subkeys are ...)
- rpm 4.18.0+dfsg-1 (bug #1014723)
[bullseye] - rpm <no-dsa> (Minor issue)
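Review bot: the bullseye entry moves from `<no-dsa>` to `<ignored>` with the rationale "too intrusive to backport", and a fixed version 3.3.5-1 plus a PR link are added, but nothing records which upstream rubygems release the PR landed in; annotate `NOTE: https://github.com/rubygems/rubygems/pull/4609` with that release, as other entries in this file do, so 3.3.5-1 can be verified.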
@@ -164120,7 +164121,8 @@ CVE-2019-25011 (NetBox through 2.6.2 allows an Authenticated User to conduct an
NOT-FOR-US: NetBox
CVE-2019-25010 (An issue was discovered in the failure crate through 2019-11-13 for Ru ...)
- rust-failure <unfixed> (bug #969839)
- [bullseye] - rust-failure <no-dsa> (Minor issue, unmaintained/deprecated upstream)
+ [bookworm] - rust-failure <ignored> (Minor issue, unmaintained/deprecated upstream)
+ [bullseye] - rust-failure <ignored> (Minor issue, unmaintained/deprecated upstream)
[buster] - rust-failure <no-dsa> (Minor issue, unmaintained/deprecated upstream)
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0036.html
CVE-2019-25009 (An issue was discovered in the http crate before 0.1.20 for Rust. The ...)
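Review bot: buster is left at `<no-dsa>` while bookworm and bullseye are moved to `<ignored>` with the identical rationale "Minor issue, unmaintained/deprecated upstream"; if the crate will not be fixed in any stable release, change the buster line to `<ignored>` as well, otherwise the entry reads as if a buster fix is still under consideration.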
@@ -186439,11 +186441,10 @@ CVE-2020-25574 (An issue was discovered in the http crate before 0.1.20 for Rust
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0033.html
NOTE: https://github.com/hyperium/http/issues/352
CVE-2020-25575 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in the failure ...)
- - rust-failure <unfixed> (bug #969839; low)
- [bullseye] - rust-failure <ignored> (Minor issue; unmaintained upstream)
- [buster] - rust-failure <ignored> (Minor issue; unmaintained upstream)
+ - rust-failure <unfixed> (unimportant; bug #969839)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0036.html
NOTE: https://github.com/rust-lang-nursery/failure/issues/336
+ NOTE: This CVE ID is merely for the fact that the crate is unmaintained
CVE-2020-25202
RESERVED
CVE-2020-25201 (HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a names ...)
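Review bot: dropping the severity to `unimportant` and removing the bullseye and buster lines is consistent, but the new free-text NOTE ("merely for the fact that the crate is unmaintained") should say which of the two linked references documents that status, so a later triager does not have to re-read the advisory and upstream issue to confirm the downgrade.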
@@ -227007,6 +227008,7 @@ CVE-2018-21034 (In Argo versions prior to v1.5.0-rc1, it was possible for authen
NOT-FOR-US: Argo
CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext HTTP, a ...)
- lxc-templates <unfixed> (bug #988730)
+ [bookworm] - lxc-templates <ignored> (Minor issue)
[bullseye] - lxc-templates <ignored> (Minor issue)
[buster] - lxc-templates <ignored> (Minor issue)
- lxc 1:3.0.3-1 (low)
@@ -275582,13 +275584,15 @@ CVE-2019-11029 (Mirasys VMS before V7.6.1 and 8.x before V8.3.2 mishandles the D
CVE-2019-11028 (GAT-Ship Web Module before 1.40 suffers from a vulnerability allowing ...)
NOT-FOR-US: GAT-Ship Web Module
CVE-2015-9284 (The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) is vuln ...)
- - ruby-omniauth <unfixed> (bug #973384)
+ - ruby-omniauth 2.0.4-2 (bug #973384)
[bullseye] - ruby-omniauth <ignored> (Minor issue)
[buster] - ruby-omniauth <ignored> (Minor issue)
[stretch] - ruby-omniauth <no-dsa> (Minor issue)
[jessie] - ruby-omniauth <no-dsa> (Fix is in additional gem and needs CSRF protection in apps)
NOTE: https://github.com/omniauth/omniauth/pull/809
NOTE: https://www.openwall.com/lists/oss-security/2015/05/26/11
+ NOTE: Upstream considers this resolved with the change of the default config in the 2.0.0 release
+ NOTE: https://github.com/omniauth/omniauth/discussions/1017
CVE-2019-11027 (Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable ...)
{DLA-1956-1}
- ruby-openid 2.9.2debian-1 (bug #930388)
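Review bot: the added NOTE that upstream considers this resolved by the default-config change in 2.0.0 is what justifies recording 2.0.4-2 as fixed while bullseye and buster stay `<ignored>`; name the default that changed in that NOTE so the fixed-version claim does not rest only on the discussion link, and keep the URL NOTE directly after it as done here.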
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76e65624ac91573d12d1254f77886dfa48b9e638