[Git][security-tracker-team/security-tracker][master] Reserve DLA-3654-1 for freerdp2

Tobias Frost (@tobi) tobi at debian.org
Fri Nov 17 17:17:24 GMT 2023



Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a1595abf by Tobias Frost at 2023-11-17T18:17:04+01:00
Reserve DLA-3654-1 for freerdp2

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -77973,7 +77973,6 @@ CVE-2022-41878 (Parse Server is an open source backend that can be deployed to a
 CVE-2022-41877 (FreeRDP is a free remote desktop protocol library and clients. Affecte ...)
 	- freerdp2 2.9.0+dfsg1-1 (bug #1024511)
 	[bullseye] - freerdp2 <no-dsa> (Minor issue)
-	[buster] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pmv3-wpw4-pw5h
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/6655841cf2a00b764f855040aecb8803cfc5eaba
 CVE-2022-41876 (ezplatform-graphql is a GraphQL server implementation for Ibexa DXP an ...)
@@ -84411,7 +84410,6 @@ CVE-2022-39348 (Twisted is an event-based framework for internet applications. S
 CVE-2022-39347 (FreeRDP is a free remote desktop protocol library and clients. Affecte ...)
 	- freerdp2 2.9.0+dfsg1-1 (bug #1024511)
 	[bullseye] - freerdp2 <no-dsa> (Minor issue)
-	[buster] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/027424c2c6c0991cb9c22f9511478229c9b17e5d
 CVE-2022-39346 (Nextcloud server is an open source personal cloud server. Affected ver ...)
@@ -84501,13 +84499,11 @@ CVE-2022-39320 (FreeRDP is a free remote desktop protocol library and clients. A
 CVE-2022-39319 (FreeRDP is a free remote desktop protocol library and clients. Affecte ...)
 	- freerdp2 2.9.0+dfsg1-1 (bug #1024511)
 	[bullseye] - freerdp2 <no-dsa> (Minor issue)
-	[buster] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvxm-wfj2-5fvh
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/11555828d2cf289b350baba5ad1f462f10b80b76
 CVE-2022-39318 (FreeRDP is a free remote desktop protocol library and clients. Affecte ...)
 	- freerdp2 2.9.0+dfsg1-1 (bug #1024511)
 	[bullseye] - freerdp2 <no-dsa> (Minor issue)
-	[buster] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-387j-8j96-7q35
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea
 CVE-2022-39317 (FreeRDP is a free remote desktop protocol library and clients. Affecte ...)
@@ -84518,7 +84514,6 @@ CVE-2022-39317 (FreeRDP is a free remote desktop protocol library and clients. A
 CVE-2022-39316 (FreeRDP is a free remote desktop protocol library and clients. In affe ...)
 	- freerdp2 2.9.0+dfsg1-1 (bug #1024511)
 	[bullseye] - freerdp2 <no-dsa> (Minor issue)
-	[buster] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5w4j-mrrh-jjrm
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/e865c24efc40ebc52e75979c94cdd4ee2c1495b0
 CVE-2022-39315 (Kirby is a Content Management System. Prior to versions 3.5.8.2, 3.6.6 ...)
@@ -84613,7 +84608,6 @@ CVE-2022-39283 (FreeRDP is a free remote desktop protocol library and clients. A
 CVE-2022-39282 (FreeRDP is a free remote desktop protocol library and clients. FreeRDP ...)
 	- freerdp2 2.8.1+dfsg1-1 (bug #1021659)
 	[bullseye] - freerdp2 <no-dsa> (Minor issue)
-	[buster] - freerdp2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq
 	NOTE: patch likely: https://github.com/FreeRDP/FreeRDP/commit/60aac2abf0740dd36b62712fba91498fd6e055fe (not confirmed by upstream)
 CVE-2022-39281 (fat_free_crm is a an open source, Ruby on Rails customer relationship  ...)
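Review bot: CVE-2022-39282's only fix reference is the NOTE "patch likely: ... (not confirmed by upstream)", yet this hunk drops its [buster] <no-dsa> marker so that the DLA covers it. Add a NOTE naming the commit that was actually backported into the buster upload (or record that upstream has since confirmed 60aac2abf0740dd36b62712fba91498fd6e055fe), so the tracker does not mark the CVE fixed on the strength of an unconfirmed patch.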
@@ -126065,7 +126059,6 @@ CVE-2022-24884 (ecdsautils is a tiny collection of programs used for ECDSA (keyg
 CVE-2022-24883 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP). ...)
 	- freerdp2 2.7.0+dfsg1-1
 	[bullseye] - freerdp2 <no-dsa> (Minor issue)
-	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qxm3-v2r6-vmwf
 	NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/4661492e5a617199457c8074bad22f766a116cdc
@@ -154250,7 +154243,6 @@ CVE-2021-41161 (Combodo iTop is a web based IT Service Management tool. In versi
 CVE-2021-41160 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...)
 	- freerdp2 2.4.1+dfsg1-1 (bug #1001062)
 	[bullseye] - freerdp2 <no-dsa> (Minor issue)
-	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
 	[stretch] - freerdp <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7c9r-6r2q-93qg


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[17 Nov 2023] DLA-3654-1 freerdp2 - security update
+	{CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39316 CVE-2022-39318 CVE-2022-39319 CVE-2022-39347 CVE-2022-41877 CVE-2023-39283}
+	[buster] - freerdp2 2.3.0+dfsg1-2+deb10u4
 [15 Nov 2023] DLA-3653-1 libclamunrar - security update
 	{CVE-2023-40477}
 	[buster] - libclamunrar 0.103.10-0+deb10u1
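Review bot: the CVE set on the new DLA-3654-1 line ends with CVE-2023-39283, while every other ID in the set is a 2022-era FreeRDP CVE and the data/CVE/list hunk header above ("@@ -84613,7 +84608,6 @@ CVE-2022-39283 (FreeRDP ...") shows CVE-2022-39283 sitting directly beside CVE-2022-39282; check whether this is a typo for CVE-2022-39283. Whichever ID is meant, the data/CVE/list part of this commit removes the "[buster] - freerdp2 <no-dsa> (Minor issue)" line for only eight of the nine CVEs listed here, so the ninth entry still needs its data/CVE/list state updated in the same commit, or the tracker will show it as both no-dsa and fixed by the DLA.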


=====================================
data/dla-needed.txt
=====================================
@@ -68,13 +68,6 @@ freeimage (gladk)
   NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll
   NOTE: 20230826: out the DLA/ELA now. (utkarsh)
 --
-freerdp2 (tobi)
-  NOTE: 20230924: Added by Front-Desk (apo)
-  NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo)
-  NOTE: 20231007: First round done, unfortunatly missed a few CVES while updating, will do an follow up.
-  NOTE: 20231023: Will continue working on package next weekend. (tobi)
-  NOTE: 20231107: 80% ready, waiting for upstream feedback about remaining CVEs which have not indicated the patch needed. (tobi)
---
 galera-3 (Adrian Bunk)
   NOTE: 20231028: Added by Front-Desk (gladk)
   NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. Please, try to find a corresponding commit and try to backport it. Otherwise - no-dsa. (gladk)
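Review bot: the removed 20231107 note records that some CVEs were still "waiting for upstream feedback about remaining CVEs which have not indicated the patch needed", and the whole freerdp2 stanza is dropped with it. If any of those CVEs are not among the nine covered by DLA-3654-1, this removal leaves them with no open work item; either keep a freerdp2 stanza with a NOTE listing what remains unresolved, or confirm in the commit that nothing is outstanding before deleting the entry.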



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a1595abf3774e219c2db4ef5578a64659f62635b


