[Git][security-tracker-team/security-tracker][master] 8 commits: CVE-2021-40647,CVE-2021-40648,man2html: Buster is no-dsa
Markus Koschany (@apo)
apo at debian.org
Mon May 8 00:07:26 BST 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3b9b94f8 by Markus Koschany at 2023-05-08T00:17:08+02:00
CVE-2021-40647,CVE-2021-40648,man2html: Buster is no-dsa
Minor issues
- - - - -
d9d02f10 by Markus Koschany at 2023-05-08T00:19:14+02:00
Remove man2html from dla-needed.txt
- - - - -
8ff57b1b by Markus Koschany at 2023-05-08T00:20:08+02:00
Remove r-cran-commonmark from dla-needed.txt
- - - - -
40f85448 by Markus Koschany at 2023-05-08T00:37:45+02:00
r-cran-commonmark: triage open CVE for Buster
Minor issues. The security impact for r-cran-commonmark is negligible.
- - - - -
9d18c172 by Markus Koschany at 2023-05-08T00:55:20+02:00
Remove puppet-module-puppetlabs-mysql from dla-needed.txt
- - - - -
9b62c4f4 by Markus Koschany at 2023-05-08T00:55:49+02:00
CVE-2022-3276,puppet-module-puppetlabs-mysql: Buster is no-dsa
Minor issue. Hard to exploit.
- - - - -
cd6969c7 by Markus Koschany at 2023-05-08T01:05:22+02:00
Claim netatalk in dsa-needed.txt
- - - - -
6aeebaa4 by Markus Koschany at 2023-05-08T01:06:17+02:00
Claim netatalk in dla-needed.txt
- - - - -
3 changed files:
- data/CVE/list
- data/dla-needed.txt
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -14474,6 +14474,7 @@ CVE-2023-26485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
- r-cran-commonmark <unfixed> (bug #1034173)
[bookworm] - r-cran-commonmark <no-dsa> (Minor issue)
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
+ [buster] - r-cran-commonmark <no-dsa> (Minor issue)
- ruby-commonmarker <unfixed> (bug #1034174)
[bookworm] - ruby-commonmarker <no-dsa> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
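Review bot: ruby-commonmarker in this hunk still has no [buster] line while r-cran-commonmark gains one, so buster's status for the second affected package of CVE-2023-26485 is left as it was; the CVE-2022-39209 hunk further down already carries `[buster] - ruby-commonmarker <no-dsa> (Minor issue)`, so adding the matching line here (or a <not-affected> marker if the buster version does not contain the code) would make the buster triage complete. The same asymmetry is visible in the five cmark-gfm hunks that follow for CVE-2023-24824, CVE-2023-22486, CVE-2023-22485, CVE-2023-22484 and CVE-2023-22483.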
@@ -19385,6 +19386,7 @@ CVE-2023-24824 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
- r-cran-commonmark <unfixed> (bug #1034173)
[bookworm] - r-cran-commonmark <no-dsa> (Minor issue)
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
+ [buster] - r-cran-commonmark <no-dsa> (Minor issue)
- ruby-commonmarker <unfixed> (bug #1034174)
[bookworm] - ruby-commonmarker <no-dsa> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
@@ -27006,6 +27008,7 @@ CVE-2023-22486 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
- r-cran-commonmark <unfixed> (bug #1033112)
[bookworm] - r-cran-commonmark <no-dsa> (Minor issue)
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
+ [buster] - r-cran-commonmark <no-dsa> (Minor issue)
- ruby-commonmarker <unfixed> (bug #1033113)
[bookworm] - ruby-commonmarker <no-dsa> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
@@ -27024,6 +27027,7 @@ CVE-2023-22485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
- r-cran-commonmark <unfixed> (bug #1033112)
[bookworm] - r-cran-commonmark <no-dsa> (Minor issue)
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
+ [buster] - r-cran-commonmark <no-dsa> (Minor issue)
- ruby-commonmarker <unfixed> (bug #1033113)
[bookworm] - ruby-commonmarker <no-dsa> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
@@ -27041,6 +27045,7 @@ CVE-2023-22484 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
- r-cran-commonmark <unfixed> (bug #1033112)
[bookworm] - r-cran-commonmark <no-dsa> (Minor issue)
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
+ [buster] - r-cran-commonmark <no-dsa> (Minor issue)
- ruby-commonmarker <unfixed> (bug #1033113)
[bookworm] - ruby-commonmarker <no-dsa> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
@@ -27058,6 +27063,7 @@ CVE-2023-22483 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
- r-cran-commonmark <unfixed> (bug #1033112)
[bookworm] - r-cran-commonmark <no-dsa> (Minor issue)
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
+ [buster] - r-cran-commonmark <no-dsa> (Minor issue)
- ruby-commonmarker <unfixed> (bug #1033113)
[bookworm] - ruby-commonmarker <no-dsa> (Minor issue)
[bullseye] - ruby-commonmarker <no-dsa> (Minor issue)
@@ -51524,6 +51530,7 @@ CVE-2022-3276 (Command injection is possible in the puppetlabs-mysql module prio
- puppet-module-puppetlabs-mysql <unfixed> (bug #1027154)
[bookworm] - puppet-module-puppetlabs-mysql <no-dsa> (Minor issue)
[bullseye] - puppet-module-puppetlabs-mysql <no-dsa> (Minor issue)
+ [buster] - puppet-module-puppetlabs-mysql <no-dsa> (Minor issue)
NOTE: https://puppet.com/security/cve/CVE-2022-3276
NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/f83792b256fa6acc1b1375b3bfed257629a5c02d (v13.0.0)
NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/18813a151f150a374a52141db520ed2a8d38b071 (v13.0.0)
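Review bot: the new buster line records only "Minor issue", while the commit message justifies the no-dsa with "Hard to exploit"; since the hunk header describes CVE-2022-3276 as a command injection, that reasoning is worth carrying into the tracker itself, either in the annotation (`[buster] - puppet-module-puppetlabs-mysql <no-dsa> (Minor issue; hard to exploit)`) or as a NOTE line next to the two upstream commit references, so later triagers can see why a command injection was declined rather than having to dig it out of the commit log.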
@@ -56679,6 +56686,7 @@ CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re
[buster] - ruby-commonmarker <no-dsa> (Minor issue)
- r-cran-commonmark 1.8.1-1
[bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
+ [buster] - r-cran-commonmark <no-dsa> (Minor issue)
NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
NOTE: https://github.com/github/cmark-gfm/commit/cfcaa0068bf319974fdec283416fcee5035c2d70 (0.29.0.gfm.6)
NOTE: For ghostwriter just a hang/crash in GUI tool, no security impact
@@ -127119,11 +127127,13 @@ CVE-2021-40648 (In man2html 1.6g, a filename can be created to overwrite the pre
- man2html <unfixed> (bug #1021738)
[bookworm] - man2html <no-dsa> (Minor issue)
[bullseye] - man2html <no-dsa> (Minor issue)
+ [buster] - man2html <no-dsa> (Minor issue)
NOTE: https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933
CVE-2021-40647 (In man2html 1.6g, a specific string being read in from a file will ove ...)
- man2html <unfixed> (bug #1021738)
[bookworm] - man2html <no-dsa> (Minor issue)
[bullseye] - man2html <no-dsa> (Minor issue)
+ [buster] - man2html <no-dsa> (Minor issue)
NOTE: https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933
CVE-2021-40646
RESERVED
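Review bot: both man2html entries end up with the gist link as their only NOTE, and nothing in data/CVE/list records that no upstream patch exists; the only place carrying that context ("It looks like not patch is available", "It looks like upstream is dead. Patch needs to be written") is the dla-needed.txt block removed in the same push. A short NOTE on CVE-2021-40647 and CVE-2021-40648, for example `NOTE: upstream inactive, no patch available`, would keep the no-dsa decision understandable once dla-needed.txt no longer mentions the package.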
=====================================
data/dla-needed.txt
=====================================
@@ -93,20 +93,12 @@ libfastjson (Thorsten Alteholz)
linux (Ben Hutchings)
NOTE: 20230111: Programming language: C
--
-man2html (Markus Koschany)
- NOTE: 20221004: Programming language: C.
- NOTE: 20221004: It looks like not patch is available.
- NOTE: 20221004: Please evalulate, whether the issue can be marked as <ignored>.
- NOTE: 20230213: VCS: https://salsa.debian.org/debian/man2html.git
- NOTE: 20230226: I would prefer to fix it instead of ignoring. (gladk)
- NOTE: 20230226: It looks like upstream is dead. Patch needs to be written. (gladk)
---
nbconvert
NOTE: 20230423: Programming language: Python.
NOTE: 20230423: XSS may be worth fixing and this was a lot of them. To consider if this require
NOTE: 20230423: more work on user side and that require further analysis.
--
-netatalk
+netatalk (Markus Koschany)
NOTE: 20220816: Programming language: C.
NOTE: 20220912: We get errors in the log, not present on bookworm. Needs more investigation. (stefanor)
NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk
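Review bot: removing the man2html block also drops the two 20230226 gladk notes ("I would prefer to fix it instead of ignoring", "Patch needs to be written"), which state a different intention from the no-dsa marking taken in data/CVE/list; if man2html is deliberately being taken out of the LTS queue, a dated note in the CVE entries (or a reply to gladk on the list) would keep that change of direction visible instead of silently discarding it. The netatalk claim itself is fine and is consistent with the matching claim in data/dsa-needed.txt.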
@@ -165,10 +157,6 @@ php-cas
NOTE: 20221110: a DSA is planned (Beuc/front-desk)
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/php-cas.git
--
-puppet-module-puppetlabs-mysql
- NOTE: 20221107: Programming language: Puppet, Ruby.
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/puppet-module-puppetlabs-mysql.git
---
python-ipaddress (guilhem)
NOTE: 20220507: Programming language: Python.
--
@@ -187,11 +175,6 @@ python3.7
NOTE: 20230220: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/python.html
NOTE: 20230228: Waiting for actual upstream fix for CVE-2023-24329. (bunk)
--
-r-cran-commonmark (Markus Koschany)
- NOTE: 20221009: Programming language: R.
- NOTE: 20221009: Please synchronize with ghostwriter.
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/r-cran-commonmark.git
---
rails
NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
NOTE: 20220909: Two issues https://lists.debian.org/debian-lts/2022/09/msg00014.html (abhijith)
=====================================
data/dsa-needed.txt
=====================================
@@ -21,7 +21,7 @@ linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more recent v5.10.y versions
--
-netatalk
+netatalk (apo)
open regression with MacOS, tentative patch not yet merged upstream
--
openjdk-11 (jmm)
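Review bot: the claim is added above a status line that still reads "open regression with MacOS, tentative patch not yet merged upstream" with no date attached, so a reader cannot tell whether that state was re-checked when the package was claimed; refreshing or dating that line alongside the claim, the way data/dla-needed.txt does with its `NOTE: YYYYMMDD:` convention, would make the current state of the netatalk update clear to whoever picks it up next.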
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b5712724042405443601c198cb16e968346cc829...6aeebaa4ceb50548981d9fd99d9bf9ead444c1f1