[Git][security-tracker-team/security-tracker][master] 5 commits: Mark pluxml CVE in buster EOL
Markus Koschany (@apo)
apo at debian.org
Fri May 5 23:52:01 BST 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1f8dda2f by Markus Koschany at 2023-05-06T00:14:57+02:00
Mark pluxml CVE in buster EOL
pluxml has been removed from Debian. Last upstream activity was in August 2022.
Currently there is no sign that any CVE will be addressed in the near future.
pluxml is hardly used by any Debian user according to popcon.
- - - - -
9a0db038 by Markus Koschany at 2023-05-06T00:20:56+02:00
CVE-2022-23494,tinymce: Mark buster no-dsa
This is a minor issue. Only citadel-webcit in Buster might be affected by this issue.
I don't think an XSS issue like that warrants a DLA.
NOTE: tinymce has been removed from Debian.
- - - - -
a95b624e by Markus Koschany at 2023-05-06T00:24:19+02:00
Remove tinymce and pluxml from dla-needed.txt
- - - - -
1610beb5 by Markus Koschany at 2023-05-06T00:49:33+02:00
Triage CVE-2022-47015,mariadb-10.3 as postponed for Buster
Null pointer dereference. Wait for next point release.
- - - - -
a2dab2f2 by Markus Koschany at 2023-05-06T00:51:28+02:00
Claim emacs in dla-needed.txt
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -97195,11 +97195,13 @@ CVE-2022-25021
RESERVED
CVE-2022-25020 (A cross-site scripting (XSS) vulnerability in Pluxml v5.8.7 allows att ...)
- pluxml <removed> (bug #1008264)
+ [buster] - pluxml <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/MoritzHuppert/CVE-2022-25020/blob/main/CVE-2022-25020.pdf
CVE-2022-25019
REJECTED
CVE-2022-25018 (Pluxml v5.8.7 was discovered to allow attackers to execute arbitrary c ...)
- pluxml <removed> (bug #1008264)
+ [buster] - pluxml <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/MoritzHuppert/CVE-2022-25018/blob/main/CVE-2022-25018.pdf
CVE-2022-25017 (Hitron CHITA 7.2.2.0.3b6-CD devices contain a command injection vulner ...)
NOT-FOR-US: Hitron CHITA
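Review bot: the two added `[buster] - pluxml <end-of-life> (EOL in buster LTS)` lines record the decision but not its basis; the reasons given in the commit message (package removed from Debian, no upstream activity since August 2022, negligible popcon) do not appear anywhere in the data file, and CVE-2022-25018 is described as arbitrary code execution rather than XSS, so a later triager revisiting the EOL marking has nothing in `data/CVE/list` to go on. Consider a NOTE line under each entry, or at least under CVE-2022-25018, referencing the removal bug #1008264 and the upstream inactivity.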
@@ -98744,12 +98746,15 @@ CVE-2022-24588 (Flatpress v1.2.1 was discovered to contain a cross-site scriptin
NOT-FOR-US: Flatpress
CVE-2022-24587 (A stored cross-site scripting (XSS) vulnerability in the component cor ...)
- pluxml <removed> (bug #1008264)
+ [buster] - pluxml <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24587/CVE-2022-24587.pdf
CVE-2022-24586 (A stored cross-site scripting (XSS) vulnerability in the component /co ...)
- pluxml <removed> (bug #1008264)
+ [buster] - pluxml <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24586/CVE-2022-24586.pdf
CVE-2022-24585 (A stored cross-site scripting (XSS) vulnerability in the component /co ...)
- pluxml <removed> (bug #1008264)
+ [buster] - pluxml <end-of-life> (EOL in buster LTS)
NOTE: https://github.com/Nguyen-Trung-Kien/CVE/blob/main/CVE-2022-24585/CVE-2022-24585.pdf
CVE-2022-24584 (Incorrect access control in Yubico OTP functionality of the YubiKey ha ...)
NOT-FOR-US: yubico.com
@@ -102643,6 +102648,7 @@ CVE-2022-23495 (go-merkledag implements the 'DAGService' interface and adds two
NOT-FOR-US: go-merkledag
CVE-2022-23494 (tinymce is an open source rich text editor. A cross-site scripting (XS ...)
- tinymce <removed>
+ [buster] - tinymce <no-dsa> (Minor issue)
NOTE: https://github.com/tinymce/tinymce/commit/6923d85eba6de3e08ebc9c5a387b5abdaa21150e
NOTE: https://github.com/tinymce/tinymce/commit/8bb2d2646d4e1a718fce61a775fa22e9d317b32d
NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-gg8r-xjwq-4w92
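Review bot: the `(Minor issue)` reason on `+ [buster] - tinymce <no-dsa> (Minor issue)` drops the key fact from the commit message, namely that tinymce itself is removed and the only buster package that might still be affected is citadel-webcit via its embedded copy. Recording that in the entry, for example `<no-dsa> (Minor issue; only the embedded copy in citadel-webcit is affected)`, keeps the dependency visible when citadel-webcit is triaged later, since nothing else in this diff links the two packages.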
=====================================
data/dla-needed.txt
=====================================
@@ -35,7 +35,7 @@ docker.io (gladk)
NOTE: 20230320: VCS: https://salsa.debian.org/lts-team/packages/docker.io.git
NOTE: 20230424: Is in preparation.
--
-emacs
+emacs (Markus Koschany)
NOTE: 20230223: Programming language: Lisp.
NOTE: 20230223: VCS: https://salsa.debian.org/lts-team/packages/emacs.git
NOTE: 20230228: Waiting for confirmation that CVE-2022-48337 regression
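Review bot: `+emacs (Markus Koschany)` claims the package without a dated NOTE, while every other state change in this file is recorded as `NOTE: YYYYMMDD: ...`; the last note on the entry is the 20230228 line about the CVE-2022-48337 regression, so a reader cannot tell whether that question was resolved before the claim. A short dated NOTE stating the current status of the regression check would make the handover clearer.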
@@ -87,7 +87,7 @@ hdf5
linux (Ben Hutchings)
NOTE: 20230111: Programming language: C
--
-man2html
+man2html (Markus Koschany)
NOTE: 20221004: Programming language: C.
NOTE: 20221004: It looks like not patch is available.
NOTE: 20221004: Please evalulate, whether the issue can be marked as <ignored>.
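Review bot: `+man2html (Markus Koschany)` claims a second package, but none of the five commit messages mentions man2html; the claim commit a2dab2f2 is titled "Claim emacs in dla-needed.txt" only. Either the commit message should list man2html as well, or this claim was staged unintentionally and should be confirmed.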
@@ -95,12 +95,6 @@ man2html
NOTE: 20230226: I would prefer to fix it instead of ignoring. (gladk)
NOTE: 20230226: It looks like upstream is dead. Patch needs to be written. (gladk)
--
-mariadb-10.3
- NOTE: 20230225: Programming language: C.
- NOTE: 20230225: VCS: https://salsa.debian.org/mariadb-team/mariadb-10.3/-/commits/buster
- NOTE: 20230225: Testsuite: https://lists.debian.org/debian-lts/2019/07/msg00049.html
- NOTE: 20230225: Maintainer notes: Contact original maintainer, Otto.
---
nbconvert
NOTE: 20230423: Programming language: Python.
NOTE: 20230423: XSS may be worth fixing and this was a lot of them. To consider if this require
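Review bot: this hunk removes the whole `mariadb-10.3` block from dla-needed.txt, and commit 1610beb5 says CVE-2022-47015 is triaged as postponed for buster, yet the `data/CVE/list` diff in this push contains no hunk touching CVE-2022-47015. If the postponed marking was meant to be part of this push, the entry update is missing; if the marking was already present, the commit message should say so, because as shown the package leaves the work list with no visible corresponding tracker state.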
@@ -165,11 +159,6 @@ php-cas
NOTE: 20221110: a DSA is planned (Beuc/front-desk)
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/php-cas.git
--
-pluxml (Markus Koschany)
- NOTE: 20220913: Programming language: PHP.
- NOTE: 20220913: Special attention: orphaned package.
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/pluxml.git
---
puppet-module-puppetlabs-mysql
NOTE: 20221107: Programming language: Puppet, Ruby.
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/puppet-module-puppetlabs-mysql.git
@@ -253,10 +242,6 @@ sssd (gladk)
NOTE: 20230131: Programming language: C.
NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git
--
-tinymce (Markus Koschany)
- NOTE: 20221227: Programming language: PHP.
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git
---
webkit2gtk (Emilio)
NOTE: 20230503: Programming language: C++.
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/webkit2gtk.git
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/89c485def98a05273f84e9fadd23e094eaeb7620...a2dab2f2b4ae8ed2551c51493194be35dc833986