[Git][security-tracker-team/security-tracker][master] Reserve DLA-3362-1 for qemu

Sylvain Beucler (@beuc) beuc at debian.org
Tue Mar 14 19:26:05 GMT 2023



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d08acceb by Sylvain Beucler at 2023-03-14T20:25:36+01:00
Reserve DLA-3362-1 for qemu

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -79523,7 +79523,6 @@ CVE-2022-1051 (The WPQA Builder Plugin WordPress plugin before 5.2, used as a co
 CVE-2022-1050 (A flaw was found in the QEMU implementation of VMWare's paravirtual RD ...)
 	- qemu 1:7.1+dfsg-2 (bug #1014589)
 	[bullseye] - qemu <no-dsa> (Minor issue)
-	[buster] - qemu <not-affected> (pvrdma disabled in [1:3.1+dfsg-4, 1:4.1-1[)
 	[stretch] - qemu <not-affected> (rdma devices introduced in v2.12)
 	NOTE: https://gitlab.com/qemu-project/qemu/-/commit/31c4b6fb0293e359f9ef8a61892667e76eea4c99 (master, after v7.2.0)
 	NOTE: PVRDMA support not enabled in the binary packages until 1:3.1+dfsg-3, disabled again in 1:3.1+dfsg-4 until 1:4.1-1
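Review bot: dropping the buster `<not-affected>` line for CVE-2022-1050 sits oddly next to the NOTE that PVRDMA was disabled in the binary packages from 1:3.1+dfsg-4 until 1:4.1-1, which covers the buster version 1:3.1+dfsg-8+deb10u10 named in the new DLA entry; if the DLA applies the upstream patch to code that is compiled out, keep a NOTE recording that buster binaries were never exposed, so the tracker does not later read as if buster was vulnerable at runtime.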
@@ -93728,7 +93727,6 @@ CVE-2022-0218 (The WP HTML Mail WordPress plugin is vulnerable to unauthorized a
 CVE-2022-0216 (A use-after-free vulnerability was found in the LSI53C895A SCSI Host B ...)
 	- qemu 1:7.1+dfsg-1 (bug #1014590)
 	[bullseye] - qemu <no-dsa> (Minor issue)
-	[buster] - qemu <postponed> (Minor issue, DoS, fix along with next DLA)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2036953
 	NOTE: https://starlabs.sg/advisories/22/22-0216/
 	NOTE: https://gitlab.com/qemu-project/qemu/-/issues/972
@@ -131949,7 +131947,6 @@ CVE-2021-3595 (An invalid pointer initialization issue was found in the SLiRP ne
 	- libslirp 4.6.1-1 (bug #989996)
 	[bullseye] - libslirp 4.4.0-1+deb11u2
 	- qemu 1:4.1-2
-	[buster] - qemu <postponed> (Minor issue, fix along with next DLA, fixed in stretch-lts)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/3f17948137155f025f7809fdc38576d5d2451c3d (v4.6.0)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/990163cf3ac86b7875559f49602c4d76f46f6f30 (v4.6.0)
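Review bot: for CVE-2021-3595 (and the sibling CVE-2021-3594/3593/3592 hunks) the "fixed" marker is qemu 1:4.1-2 because that version switched to system libslirp; buster's 1:3.1 still carries the embedded slirp copy, so the three listed libslirp commits have to be rebased onto qemu's in-tree slirp rather than shipped via the libslirp package. Worth a NOTE saying the buster fix is in the embedded copy, as the removed line's "fixed in stretch-lts" already implies.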
@@ -131959,7 +131956,6 @@ CVE-2021-3594 (An invalid pointer initialization issue was found in the SLiRP ne
 	- libslirp 4.6.1-1 (bug #989995)
 	[bullseye] - libslirp 4.4.0-1+deb11u2
 	- qemu 1:4.1-2
-	[buster] - qemu <postponed> (Minor issue, fix along with next DLA, fixed in stretch-lts)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/74572be49247c8c5feae7c6e0b50c4f569ca9824 (v4.6.0)
 	NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
@@ -131968,7 +131964,6 @@ CVE-2021-3593 (An invalid pointer initialization issue was found in the SLiRP ne
 	- libslirp 4.6.1-1 (bug #989994)
 	[bullseye] - libslirp 4.4.0-1+deb11u2
 	- qemu 1:4.1-2
-	[buster] - qemu <postponed> (Minor issue, fix along with next DLA, fixed in stretch-lts)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/de71c15de66ba9350bf62c45b05f8fbff166517b (v4.6.0)
 	NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
@@ -131976,7 +131971,6 @@ CVE-2021-3592 (An invalid pointer initialization issue was found in the SLiRP ne
 	- libslirp 4.6.1-1 (bug #989993)
 	[bullseye] - libslirp 4.4.0-1+deb11u2
 	- qemu 1:4.1-2
-	[buster] - qemu <postponed> (Minor issue, fix along in next DLA if doesn't introduce #994080)
 	[stretch] - qemu <ignored> (Introduces a regression. See Debian bug #994080. Reverted in DLA-2753-2)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/93e645e72a056ec0b2c16e0299fc5c6b94e4ca17 (v4.6.0)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/f13cad45b25d92760bb0ad67bec0300a4d7d5275 (v4.6.0)
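Review bot: the removed buster line for CVE-2021-3592 was explicitly conditional ("if doesn't introduce #994080"), and the stretch entry directly below records that the same fix caused regression #994080 and was reverted in DLA-2753-2; before reserving this DLA, add a NOTE stating how the buster backport avoids that regression (or that the updated upstream commit was used), otherwise the record gives no evidence the condition was met.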
@@ -174705,7 +174699,6 @@ CVE-2020-29130 (slirp.c in libslirp through 4.3.1 has a buffer over-read because
 	{DLA-2560-1}
 	- libslirp 4.4.0-1
 	- qemu 1:4.1-2
-	[buster] - qemu <postponed> (Fix along with next DLA, fixed in stretch-lts)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f (v4.4.0)
 	NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as fixed.
 	NOTE: https://github.com/rootless-containers/slirp4netns/security/advisories/GHSA-2j37-w439-87q3
@@ -188252,7 +188245,6 @@ CVE-2020-25086 (Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in
 CVE-2021-3409 (The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffectiv ...)
 	{DLA-2623-1}
 	- qemu 1:5.2+dfsg-10 (bug #986795)
-	[buster] - qemu <not-affected> (CVE-2020-17380 wasn't backported to Buster)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
 	NOTE: https://www.openwall.com/lists/oss-security/2021/03/09/1
 	NOTE: New patch series: https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html
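Review bot: removing `<not-affected>` for CVE-2021-3409 is the right consequence of now backporting CVE-2020-17380 to buster, since CVE-2021-3409 is the follow-up to that ineffective patch; make sure the DLA carries the new patch series linked in the NOTE above rather than only the original CVE-2020-17380 commit, or buster would end up fixed for the first CVE and open for the second.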
@@ -204858,7 +204850,6 @@ CVE-2020-17381 (An issue was discovered in Ghisler Total Commander 9.51. Due to
 CVE-2020-17380 (A heap-based buffer overflow was found in QEMU through 5.0.0 in the SD ...)
 	{DLA-2623-1}
 	- qemu 1:5.2+dfsg-10 (bug #970937)
-	[buster] - qemu <postponed> (Minor issue, fix along with next DLA, fixed in stretch-lts)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1862167
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01175.html
 	NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=dfba99f17feb6d4a129da19d38df1bcd8579d1c3
@@ -212412,7 +212403,6 @@ CVE-2020-14395
 CVE-2020-14394 (An infinite loop flaw was found in the USB xHCI controller emulation o ...)
 	- qemu 1:7.1+dfsg-1 (bug #979677)
 	[bullseye] - qemu <postponed> (Minor issue)
-	[buster] - qemu <postponed> (Minor issue, privileged local DoS, low CVSS, fix along with next DLA)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1908004
 	NOTE: https://gitlab.com/qemu-project/qemu/-/issues/646
 	NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/effaf5a240e03020f4ae953e10b764622c3e87cc (v7.1.0-rc3)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[14 Mar 2023] DLA-3362-1 qemu - security update
+	{CVE-2020-14394 CVE-2020-17380 CVE-2020-29130 CVE-2021-3409 CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595 CVE-2022-0216 CVE-2022-1050}
+	[buster] - qemu 1:3.1+dfsg-8+deb10u10
 [13 Mar 2023] DLA-3361-1 redis - security update
 	{CVE-2022-36021}
 	[buster] - redis 5:5.0.14-1+deb10u3


=====================================
data/dla-needed.txt
=====================================
@@ -219,13 +219,6 @@ python3.7 (Adrian Bunk)
   NOTE: 20230220: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/python.html
   NOTE: 20230228: Waiting for actual upstream fix for CVE-2023-24329. (bunk)
 --
-qemu (Sylvain Beucler)
-  NOTE: 20221108: Programming language: C.
-  NOTE: 20221108: I updated the status of all opened (minor) CVEs to more clearly state whether we can fix or are waiting for a patch,
-  NOTE: 20221108: there's about half of them that can be fixed now (or definitely ignored if backporting is too risky/complex) (Beuc/front-desk)
-  NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/qemu.html
-  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/qemu.git
---
 r-cran-commonmark
   NOTE: 20221009: Programming language: R.
   NOTE: 20221009: Please synchronize with ghostwriter.



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d08acceb0e496ad4354718824eac402f68c68f9a




