[Git][security-tracker-team/security-tracker][master] 8 commits: Add gnutls28 to dla-needed.txt
Markus Koschany (@apo)
apo at debian.org
Fri Nov 17 12:29:43 GMT 2023
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b1140c02 by Markus Koschany at 2023-11-17T11:27:33+01:00
Add gnutls28 to dla-needed.txt
- - - - -
11e42605 by Markus Koschany at 2023-11-17T11:53:16+01:00
CVE-2023-44429,gst-plugins-bad1.0: Buster is not affected
The vulnerable code was introduced later.
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/13d55627f0be18c52dd1019c1f464acfe2da8b98
- - - - -
a501a7d4 by Markus Koschany at 2023-11-17T12:57:13+01:00
Add varnish to dla-needed.txt
- - - - -
56e1eb6f by Markus Koschany at 2023-11-17T12:58:37+01:00
CVE-2023-44487,varnish: link to upstream issue
- - - - -
c4d23181 by Markus Koschany at 2023-11-17T13:02:35+01:00
Add zlib to dla-needed.txt
- - - - -
75f5bceb by Markus Koschany at 2023-11-17T13:06:42+01:00
CVE-2023-45853: minizip is also affected
- - - - -
dd2ed1c6 by Markus Koschany at 2023-11-17T13:08:22+01:00
Add minizip to dla-needed.txt
- - - - -
3f64dc16 by Markus Koschany at 2023-11-17T13:29:08+01:00
Add gimp to dla-needed.txt
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5927,6 +5927,7 @@ CVE-2023-45855 (qdPM 9.2 allows Directory Traversal to list files and directorie
NOT-FOR-US: qdPM
CVE-2023-45853 (MiniZip in zlib through 1.3 has an integer overflow and resultant heap ...)
- zlib <unfixed> (bug #1054290)
+ - minizip <unfixed>
NOTE: https://github.com/madler/zlib/pull/843
NOTE: https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
CVE-2023-45852 (In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticat ...)
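Review bot: the new `- minizip <unfixed>` line at the end of the CVE-2023-45853 entry carries no bug reference, while the zlib line directly above it records `(bug #1054290)`; if a BTS bug exists or is filed against the minizip source package, add it in the same `(bug #NNNNNN)` form so both affected sources can be tracked to their fixes independently, and since the two NOTE links that follow point at the zlib repository only, a short NOTE saying why the separate minizip source is affected by the same change would save the next triager from re-deriving it.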
@@ -7020,6 +7021,7 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource
NOTE: netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p
NOTE: netty: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 (netty-4.1.100.Final)
NOTE: varnish: https://varnish-cache.org/security/VSV00013.html
+ NOTE: varnish: https://github.com/varnishcache/varnish-cache/issues/3996
NOTE: Unaffected implementations not requiring code changes:
NOTE: - rust-hyper: https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected
NOTE: - apache2: https://chaos.social/@icing/111210915918780532
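Review bot: the added `NOTE: varnish: https://github.com/varnishcache/varnish-cache/issues/3996` line sits next to the VSV00013 advisory link but does not say what the issue adds to it (tracking status, fix commit, fixed release); the netty lines in the same entry annotate their commit link with the release in parentheses, so a similar suffix, or a word such as "upstream issue" ahead of the URL, would make the reference self-explanatory to whoever picks varnish up from dla-needed.txt.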
@@ -8814,6 +8816,7 @@ CVE-2023-44446 [MXF demuxer use-after-free]
NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7dfaa57b6f9b55f17ffe824bd8988bb71ae11353 (1.22.7)
CVE-2023-44429 [AV1 codec parser buffer overflow]
- gst-plugins-bad1.0 <unfixed> (bug #1056102)
+ [buster] - gst-plugins-bad1.0 <not-affected> (Vulnerable code was introduced later)
- gst-plugins-bad0.10 <removed>
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0009.html
NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5634
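Review bot: the new `[buster] - gst-plugins-bad1.0 <not-affected> (Vulnerable code was introduced later)` line states the conclusion but not the evidence; the commit message for this change cites the introducing commit (https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/13d55627f0be18c52dd1019c1f464acfe2da8b98), so record it under the entry as a `NOTE: Introduced by: ...` line, mirroring the `NOTE: Fixed by:` convention used for CVE-2023-44446 just above, so a later reviewer can re-verify the buster assessment without repeating the git archaeology.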
=====================================
data/dla-needed.txt
=====================================
@@ -80,6 +80,12 @@ galera-3 (Adrian Bunk)
NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. Please, try to find a corresponding commit and try to backport it. Otherwise - no-dsa. (gladk)
NOTE: 20231113: Investigating whether vulnerability already existed before commit introducing current code. (bunk)
--
+gimp
+ NOTE: 20231117: Added by Front-Desk (apo)
+--
+gnutls28
+ NOTE: 20231117: Added by Front-Desk (apo)
+--
horizon
NOTE: 20231101: Added by Front-Desk (lamby)
NOTE: 20231101: Sync with bullseye (CVE-2022-45582). (lamby)
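Review bot: the gimp and gnutls28 entries are added with only `Added by Front-Desk (apo)` and no CVE identifier, whereas the neighbouring horizon entry records the CVE it was added for (CVE-2022-45582) and the netty entry later in the file states `For, at least, CVE-2023-44487.`; naming the triggering CVE ids in these two notes would spare whoever claims the package a lookup in data/CVE/list and makes the entry auditable if the motivating issue is later marked no-dsa.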
@@ -130,6 +136,9 @@ lwip
mediawiki (guilhem)
NOTE: 20231011: Added by Front-Desk (ta)
--
+minizip
+ NOTE: 20231117: Added by Front-Desk (apo)
+--
netty (Markus Koschany)
NOTE: 20231104: Added by Front-Desk (lamby)
NOTE: 20231104: For, at least, CVE-2023-44487. (lamby)
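Review bot: the minizip note does not name the issue that motivated it, although the data/CVE/list hunk in this same push marks minizip as affected by CVE-2023-45853; a note along the lines of `NOTE: 20231117: Added by Front-Desk (apo), for CVE-2023-45853` would fix that, and since the upstream fix linked in that CVE entry is a single zlib change, cross-referencing the zlib entry added further down this file would let one person handle both packages together rather than have two claimants backport the same patch.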
@@ -246,6 +255,9 @@ suricata (Adrian Bunk)
NOTE: 20230731: Still reviewing+testing CVEs. (bunk)
NOTE: 20231016: Still reviewing+testing CVEs. (bunk)
--
+varnish
+ NOTE: 20231117: Added by Front-Desk (apo)
+--
vlc
NOTE: 20231106: Added by Front-Desk (pochu)
NOTE: 20231106: Follow bullseye and update to 3.0.20 (pochu)
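Review bot: the varnish note should name CVE-2023-44487, the issue for which this same push added the upstream issue link in data/CVE/list, in the form the netty entry uses (`For, at least, CVE-2023-44487.`); carrying the VSV00013 advisory link into the note as well would let the claimant start from the upstream advisory instead of re-deriving which of the many HTTP/2 rapid-reset references in the CVE entry applies to varnish.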
@@ -253,3 +265,6 @@ vlc
zabbix
NOTE: 20231015: Added by Front-Desk (ta)
--
+zlib
+ NOTE: 20231117: Added by Front-Desk (apo)
+--
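Review bot: the zlib entry, like the minizip entry added earlier in this file, carries no CVE reference; name CVE-2023-45853 here, point at the existing bug #1054290 that the data/CVE/list zlib line already records, and cross-reference the minizip entry so the two backports of the same upstream change are coordinated rather than claimed separately.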
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f94cf8c879dce13ad5e9adf9fdf12b42f398d5b3...3f64dc160be59799aefb332345bb3a33996253bd