[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Mar 21 15:51:43 GMT 2023
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
36906343 by Moritz Muehlenhoff at 2023-03-21T16:51:11+01:00
bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1147,6 +1147,7 @@ CVE-2023-28340
RESERVED
CVE-2023-28339 (OpenDoas through 6.8.2, when TIOCSTI is available, allows privilege es ...)
- doas <removed>
+ [bullseye] - doas <no-dsa> (Minor issue)
- opendoas <unfixed>
NOTE: https://github.com/Duncaen/OpenDoas/issues/106
NOTE: https://www.openwall.com/lists/oss-security/2023/03/14/4
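Review bot: the new "[bullseye] - doas <no-dsa> (Minor issue)" line is placed under the "doas" source entry that unstable marks "<removed>", while the live source in unstable is "opendoas <unfixed>"; that is only right if bullseye ships the package under the old "doas" name and not as "opendoas", so it is worth confirming that no [bullseye] line is needed for opendoas as well. The CVE text also states the concrete precondition ("when TIOCSTI is available"), and recording it in the parenthetical, e.g. "(Minor issue, requires TIOCSTI)", would make the no-dsa reasoning checkable later without re-reading the references.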
@@ -1717,6 +1718,7 @@ CVE-2023-1371
RESERVED
CVE-2023-1370 ([Json-smart](https://netplex.github.io/json-smart/) is a performance f ...)
- json-smart <unfixed>
+ [bullseye] - json-smart <no-dsa> (Minor issue)
NOTE: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
NOTE: https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a (2.4.9)
CVE-2023-1369 (A vulnerability was found in TG Soft Vir.IT eXplorer 9.4.86.0. It has ...)
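Review bot: the "(Minor issue)" justification on the json-smart bullseye line is generic; the referenced JFrog report title already names the impact (stack exhaustion leading to denial of service when parsing malformed JSON) and the second NOTE names the fix commit and version (2.4.9), so a parenthetical such as "(Minor issue, DoS via stack exhaustion, fixed upstream in 2.4.9)" would let a later point-release review pick this up directly from the list entry.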
@@ -1829,6 +1831,7 @@ CVE-2023-28145
RESERVED
CVE-2023-28144 (KDAB Hotspot 1.3.x and 1.4.x through 1.4.1, in a non-default configura ...)
- hotspot <unfixed>
+ [bullseye] - hotspot <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/03/14/8
NOTE: Introduced by: https://github.com/KDAB/hotspot/commit/3b4682565f0e53f903f3ad0f3f2c0f236d382efb (v1.3.0)
NOTE: Opt-In to allow privilege escalation (and disable by default):
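Review bot: the third NOTE ("Opt-In to allow privilege escalation (and disable by default)") and the CVE text ("in a non-default configuration") are the real reason this is no-dsa for bullseye, and they say the vulnerable mode is off unless enabled; carrying that into the bullseye line, e.g. "(Minor issue, non-default configuration)", is more informative than the bare "Minor issue" and tells a reviewer what to re-check if the default ever changes.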
@@ -4894,10 +4897,12 @@ CVE-2023-27104
RESERVED
CVE-2023-27103 (Libde265 v1.0.11 was discovered to contain a heap buffer overflow via ...)
- libde265 <unfixed> (bug #1033257)
+ [bullseye] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/394
NOTE: https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995
CVE-2023-27102 (Libde265 v1.0.11 was discovered to contain a segmentation violation vi ...)
- libde265 <unfixed> (bug #1033257)
+ [bullseye] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/393
NOTE: https://github.com/strukturag/libde265/commit/0b1752abff97cb542941d317a0d18aa50cb199b1
CVE-2023-27101
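Review bot: both libde265 entries (CVE-2023-27103 and CVE-2023-27102) get "<no-dsa> (Minor issue)" and both already point at an upstream fix commit and at the same bug #1033257, so, unlike the hdf5 entries later in this commit, there is nothing to wait for from upstream; noting that they are candidates for a bullseye point update, e.g. "(Minor issue, can be fixed via point release)", would keep them from being dropped once the unstable upload closes the bug.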
@@ -6384,7 +6389,7 @@ CVE-2022-48345 (sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows X
[bullseye] - node-mermaid <no-dsa> (Minor issue)
NOTE: https://github.com/braintree/sanitize-url/commit/d4bdc89f1743fe3cdb7c3f24b06e4c875f349b0c
CVE-2023-26464 (** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppen ...)
- - apache-log4j1.2 <unfixed>
+ - apache-log4j1.2 <not-affected> (Only affects legacy Java releases which Debian hasn't shipped since 2015)
NOTE: https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t
CVE-2023-0991
RESERVED
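Review bot: the switch from "<unfixed>" to "<not-affected>" for apache-log4j1.2 rests on the parenthetical "Only affects legacy Java releases which Debian hasn't shipped since 2015", but neither that line nor the NOTE names the Java version on which the Chainsaw/SocketAppender issue depends; since the entry is "** UNSUPPORTED WHEN ASSIGNED **" and no upstream fix or clarification will follow, recording the Java version boundary from the linked Apache thread next to the not-affected tag would let the claim be re-verified later without reconstructing the reasoning.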
@@ -6963,6 +6968,7 @@ CVE-2023-26250
RESERVED
CVE-2023-26249 (Knot Resolver before 5.6.0 enables attackers to consume its resources, ...)
- knot-resolver 5.6.0-1
+ [bullseye] - knot-resolver <no-dsa> (Minor issue)
NOTE: https://www.knot-resolver.cz/2023-01-26-knot-resolver-5.6.0.html
CVE-2023-26248
RESERVED
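Review bot: the knot-resolver bullseye line is "<no-dsa> (Minor issue)" while unstable is fixed by the 5.6.0-1 upload, but the only NOTE is the 5.6.0 release announcement rather than the fix commit; adding the upstream commit would show whether a targeted backport onto the bullseye version is feasible, which is the relevant question for a resolver whose CVE text is resource consumption by attackers.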
@@ -83113,12 +83119,15 @@ CVE-2022-26891 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerabi
NOT-FOR-US: Microsoft
CVE-2022-26061 (A heap-based buffer overflow vulnerability exists in the gif2h5 functi ...)
- hdf5 <unfixed> (bug #1031726)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1487
CVE-2022-25972 (An out-of-bounds write vulnerability exists in the gif2h5 functionalit ...)
- hdf5 <unfixed> (bug #1031726)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1485
CVE-2022-25942 (An out-of-bounds read vulnerability exists in the gif2h5 functionality ...)
- hdf5 <unfixed> (bug #1031726)
+ [bullseye] - hdf5 <postponed> (Minor issue, revisit when fixed upstream)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1486
CVE-2022-0935 (Host Header injection in password Reset in GitHub repository livehelpe ...)
NOT-FOR-US: livehelperchat
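Review bot: the three hdf5 entries are consistently tagged "<postponed> (Minor issue, revisit when fixed upstream)" and share bug #1031726, which is fine; each CVE text places the flaw in the gif2h5 functionality, and spelling that out in the parenthetical (gif2h5 is the GIF-to-HDF5 conversion tool rather than the library API itself) would both justify "Minor issue" and tell the next triager exactly what to check when revisiting.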
=====================================
data/dsa-needed.txt
=====================================
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
If needed, specify the release by adding a slash after the name of the source package.
+--
+cairosvg
--
gpac (aron)
--
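Review bot: cairosvg is added to dsa-needed.txt with no uid and no note; the file header says an issue is picked by adding your uid, so leaving it unassigned is expected, but a one-line pointer to the CVE or bug that makes it DSA-worthy (the sofia-sip and xrdp entries further down in this file carry status notes of that kind) would save the person picking it up from re-triaging.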
@@ -56,6 +58,8 @@ samba
sofia-sip
Maintainer proposed debdiff for review with additional question and sent a followup
--
+xen
+--
xrdp
needs some additional clarification, tentatively DSA worthy
maybe upgrade to 0.9.21 within bullseye?
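Review bot: xen is added between sofia-sip and xrdp without a note on which advisory or CVE prompted it, like the cairosvg entry earlier in this file's diff; given that the xrdp entry right below still records open questions ("needs some additional clarification", "maybe upgrade to 0.9.21 within bullseye?"), a line stating the Xen advisory and whether a bullseye update is expected from the Xen maintainers would make the entry actionable for whoever claims it.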
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/369063438fa0c83376cb33e8b99f554ef1339339
--
You're receiving this email because of your account on salsa.debian.org.