[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Mar 21 15:51:43 GMT 2023 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
36906343 by Moritz Muehlenhoff at 2023-03-21T16:51:11+01:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1147,6 +1147,7 @@ CVE-2023-28340
 	RESERVED
 CVE-2023-28339 (OpenDoas through 6.8.2, when TIOCSTI is available, allows privilege es ...)
 	- doas <removed>
+	[bullseye] - doas <no-dsa> (Minor issue)
 	- opendoas <unfixed>
 	NOTE: https://github.com/Duncaen/OpenDoas/issues/106
 	NOTE: https://www.openwall.com/lists/oss-security/2023/03/14/4
@@ -1717,6 +1718,7 @@ CVE-2023-1371
 	RESERVED
 CVE-2023-1370 ([Json-smart](https://netplex.github.io/json-smart/) is a performance f ...)
 	- json-smart <unfixed>
+	[bullseye] - json-smart <no-dsa> (Minor issue)
 	NOTE: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
 	NOTE: https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a (2.4.9)
 CVE-2023-1369 (A vulnerability was found in TG Soft Vir.IT eXplorer 9.4.86.0. It has  ...)
@@ -1829,6 +1831,7 @@ CVE-2023-28145
 	RESERVED
 CVE-2023-28144 (KDAB Hotspot 1.3.x and 1.4.x through 1.4.1, in a non-default configura ...)
 	- hotspot <unfixed>
+	[bullseye] - hotspot <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/03/14/8
 	NOTE: Introduced by: https://github.com/KDAB/hotspot/commit/3b4682565f0e53f903f3ad0f3f2c0f236d382efb (v1.3.0)
 	NOTE: Opt-In to allow privilege escalation (and disable by default):
@@ -4894,10 +4897,12 @@ CVE-2023-27104
 	RESERVED
 CVE-2023-27103 (Libde265 v1.0.11 was discovered to contain a heap buffer overflow via  ...)
 	- libde265 <unfixed> (bug #1033257)
+	[bullseye] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/394
 	NOTE: https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995
 CVE-2023-27102 (Libde265 v1.0.11 was discovered to contain a segmentation violation vi ...)
 	- libde265 <unfixed> (bug #1033257)
+	[bullseye] - libde265 <no-dsa> (Minor issue)
 	NOTE: https://github.com/strukturag/libde265/issues/393
 	NOTE: https://github.com/strukturag/libde265/commit/0b1752abff97cb542941d317a0d18aa50cb199b1
 CVE-2023-27101
@@ -6384,7 +6389,7 @@ CVE-2022-48345 (sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows X
 	[bullseye] - node-mermaid <no-dsa> (Minor issue)
 	NOTE: https://github.com/braintree/sanitize-url/commit/d4bdc89f1743fe3cdb7c3f24b06e4c875f349b0c
 CVE-2023-26464 (** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppen ...)
-	- apache-log4j1.2 <unfixed>
+	- apache-log4j1.2 <not-affected> (Only affects legacy Java releases which Debian hasn't shipped since 2015)
 	NOTE: https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t
 CVE-2023-0991
 	RESERVED
@@ -6963,6 +6968,7 @@ CVE-2023-26250
 	RESERVED
 CVE-2023-26249 (Knot Resolver before 5.6.0 enables attackers to consume its resources, ...)
 	- knot-resolver 5.6.0-1
+	[bullseye] - knot-resolver <no-dsa> (Minor issue)
 	NOTE: https://www.knot-resolver.cz/2023-01-26-knot-resolver-5.6.0.html
 CVE-2023-26248
 	RESERVED
@@ -83113,12 +83119,15 @@ CVE-2022-26891 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerabi
 	NOT-FOR-US: Microsoft
 CVE-2022-26061 (A heap-based buffer overflow vulnerability exists in the gif2h5 functi ...)
 	- hdf5 <unfixed> (bug #1031726)
+	[bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1487
 CVE-2022-25972 (An out-of-bounds write vulnerability exists in the gif2h5 functionalit ...)
 	- hdf5 <unfixed> (bug #1031726)
+	[bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1485
 CVE-2022-25942 (An out-of-bounds read vulnerability exists in the gif2h5 functionality ...)
 	- hdf5 <unfixed> (bug #1031726)
+	[bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1486
 CVE-2022-0935 (Host Header injection in password Reset in GitHub repository livehelpe ...)
 	NOT-FOR-US: livehelperchat


=====================================
data/dsa-needed.txt
=====================================
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source package.
 
+--
+cairosvg
 --
 gpac (aron)
 --
@@ -56,6 +58,8 @@ samba
 sofia-sip
   Maintainer proposed debdiff for review with additional question and sent a followup
 --
+xen
+--
 xrdp
   needs some additional clarification, tentatively DSA worthy
   maybe upgrade to 0.9.21 within bullseye?



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/369063438fa0c83376cb33e8b99f554ef1339339

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/369063438fa0c83376cb33e8b99f554ef1339339
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230321/cd6e99c8/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list