[Git][security-tracker-team/security-tracker][master] 8 commits: Added firefox-esr to dla-needed. Already fixed in bullseye.

Ola Lundqvist (@opal) opal at debian.org
Wed Nov 22 22:33:01 GMT 2023



Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
68cf3b09 by Ola Lundqvist at 2023-11-22T22:32:12+00:00
Added firefox-esr to dla-needed. Already fixed in bullseye.

- - - - -
bcdde0f6 by Ola Lundqvist at 2023-11-22T22:32:12+00:00
Added thunderbird to dla-needed.

  Same problems as in firefox-esr and firefox-esr has already
  been fixed in bullseye.

- - - - -
73956283 by Ola Lundqvist at 2023-11-22T22:32:16+00:00
Marked CVE-2022-46337 as no-dsa for buster following decision for bullseye.

- - - - -
a0670f71 by Ola Lundqvist at 2023-11-22T22:32:19+00:00
Marked CVE-2023-48161 as no-dsa for buster following decision for bullseye.

- - - - -
9b53ab53 by Ola Lundqvist at 2023-11-22T22:32:23+00:00
Marked CVE-2023-46445 and CVE-2023-46446 as no-dsa for buster following decision for bullseye.

- - - - -
0d8cb229 by Ola Lundqvist at 2023-11-22T22:32:26+00:00
Marked CVE-2023-5557 as no-dsa for buster following decision for bullseye.

- - - - -
042d8823 by Ola Lundqvist at 2023-11-22T22:32:30+00:00
Marked CVE-2016-1243 and CVE-2016-1244 as no-dsa for buster following decision for bullseye.

- - - - -
76b566a4 by Ola Lundqvist at 2023-11-22T22:32:33+00:00
Marked CVE-2023-48039 and CVE-2023-48090 as EOL for buster.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -234,6 +234,7 @@ CVE-2023-48161 (Buffer Overflow vulnerability in GifLib Project GifLib v.5.2.1 a
 	- giflib <unfixed>
 	[bookworm] - giflib <no-dsa> (Minor issue)
 	[bullseye] - giflib <no-dsa> (Minor issue)
+	[buster] - giflib <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/giflib/bugs/167/
 CVE-2023-47393 (An access control issue in Mercedes me IOS APP v1.34.0 and below allow ...)
 	NOT-FOR-US: Mercedes me IOS APP
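Review bot: the new `[buster] - giflib <no-dsa> (Minor issue)` line copies the bullseye rationale verbatim, but nothing in the hunk shows that buster's giflib carries the affected code; the only version information in the entry is `- giflib <unfixed>` for unstable. Since the commit message bases the marking on the bullseye decision rather than on a check of the buster package, consider confirming the buster version is affected (as opposed to `<not-affected>`) before inheriting the triage, because the same pattern repeats in the other no-dsa hunks of this commit series.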
@@ -473,9 +474,11 @@ CVE-2023-48109 (Tenda AX1803 v1.0.0.1 was discovered to contain a heap overflow
 	NOT-FOR-US: Tenda
 CVE-2023-48090 (GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks in ...)
 	- gpac <unfixed>
+	[buster] - gpac <end-of-life> (EOL in Buster LTS)
 	NOTE: https://github.com/gpac/gpac/issues/2680
 CVE-2023-48039 (GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak in  ...)
 	- gpac <unfixed>
+	[buster] - gpac <end-of-life> (EOL in Buster LTS)
 	NOTE: https://github.com/gpac/gpac/issues/2679
 CVE-2023-47772 (Contributor+Stored Cross-Site Scripting (XSS) vulnerability in Slider  ...)
 	NOT-FOR-US: WordPress plugin
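Review bot: the two `[buster] - gpac <end-of-life> (EOL in Buster LTS)` additions for CVE-2023-48090 and CVE-2023-48039 are the only changes in this series with no `[bookworm]`/`[bullseye]` line beside them, so unlike the other hunks this is not a "follow bullseye" decision, and the commit message correctly says "as EOL for buster". Consider recording the EOL rationale once, for example a NOTE pointing at where gpac was declared unsupported in buster LTS, so the next memory-leak CVE against gpac can be triaged the same way without re-deriving it.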
@@ -1737,11 +1740,13 @@ CVE-2023-46446 (An issue in AsyncSSH v2.14.0 and earlier allows attackers to con
 	- python-asyncssh <unfixed> (bug #1055999)
 	[bookworm] - python-asyncssh <no-dsa> (Minor issue)
 	[bullseye] - python-asyncssh <no-dsa> (Minor issue)
+	[buster] - python-asyncssh <no-dsa> (Minor issue)
 	NOTE: https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm
 CVE-2023-46445 (An issue in AsyncSSH v2.14.0 and earlier allows attackers to control t ...)
 	- python-asyncssh <unfixed> (bug #1056000)
 	[bookworm] - python-asyncssh <no-dsa> (Minor issue)
 	[bullseye] - python-asyncssh <no-dsa> (Minor issue)
+	[buster] - python-asyncssh <no-dsa> (Minor issue)
 	NOTE: https://github.com/ronf/asyncssh/security/advisories/GHSA-cfc2-wr2v-gxm5
 CVE-2023-46021 (SQL Injection vulnerability in cancel.php in Code-Projects Blood Bank  ...)
 	NOT-FOR-US: Code-Projects Blood Bank
@@ -6764,6 +6769,7 @@ CVE-2023-5557 (A flaw was found in the tracker-miners package. A weakness in the
 	- tracker-miners 3.4.5-1 (bug #1053881)
 	[bookworm] - tracker-miners <no-dsa> (Minor issue)
 	[bullseye] - tracker-miners <no-dsa> (Minor issue)
+	[buster] - tracker-miners <no-dsa> (Minor issue)
 	NOTE: https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/#tracker-miners-seccomp-sandbox-escape
 	NOTE: https://gitlab.gnome.org/GNOME/tracker-miners/-/issues/277
 	NOTE: https://gitlab.gnome.org/GNOME/tracker-miners/-/merge_requests/480
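Review bot: the `[buster] - tracker-miners <no-dsa> (Minor issue)` line inherits the bullseye wording, yet the first NOTE links this issue as the seccomp sandbox escape step of the coordinated 1-click RCE disclosure (CVE-2023-43641). If the "Minor issue" rating rests on something specific, such as the sandbox escape being of limited consequence without the rest of the chain, a short NOTE stating that reasoning would help later triagers; as written the hunk gives no rationale beyond mirroring bullseye.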
@@ -63209,6 +63215,7 @@ CVE-2022-46337 (A cleverly devised username might bypass LDAP authentication che
 	- derby <unfixed>
 	[bookworm] - derby <no-dsa> (Minor issue)
 	[bullseye] - derby <no-dsa> (Minor issue)
+	[buster] - derby <no-dsa> (Minor issue)
 	NOTE: https://issues.apache.org/jira/browse/DERBY-7147
 	NOTE: https://www.openwall.com/lists/oss-security/2023/11/19/3
 CVE-2022-46336
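Review bot: for CVE-2022-46337 the no-dsa marking is copied to buster, but the entry's only fixed-version information is `- derby <unfixed>` in unstable and the issue is described as an LDAP authentication bypass, which is not self-evidently minor for deployments that use Derby's LDAP authenticator. The DERBY-7147 and oss-security NOTE links are already present; consider adding a NOTE with the affected version range or the reason the bypass was rated minor, so the buster line is defensible on its own rather than only by reference to the bullseye decision.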
@@ -481625,6 +481632,7 @@ CVE-2016-1244 (The extractTree function in unADF allows remote attackers to exec
 	- unadf 0.7.11a-6 (bug #838248)
 	[bookworm] - unadf <no-dsa> (Minor issue)
 	[bullseye] - unadf <no-dsa> (Minor issue)
+	[buster] - unadf <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd
 	NOTE: The changes between 0.7.11a-3 and 0.7.11a-4 did not include the upstream fix.
 CVE-2016-1243 (Stack-based buffer overflow in the extractTree function in unADF allow ...)
@@ -481632,6 +481640,7 @@ CVE-2016-1243 (Stack-based buffer overflow in the extractTree function in unADF
 	- unadf 0.7.11a-6 (bug #838248)
 	[bookworm] - unadf <no-dsa> (Minor issue)
 	[bullseye] - unadf <no-dsa> (Minor issue)
+	[buster] - unadf <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd
 	NOTE: The changes between 0.7.11a-3 and 0.7.11a-4 did not include the upstream fix.
 CVE-2016-1242 (file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3 ...)
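Review bot: the two unadf hunks (CVE-2016-1244 and CVE-2016-1243) add identical `[buster] - unadf <no-dsa> (Minor issue)` lines, and the existing NOTEs already identify the upstream fix commit and record that the 0.7.11a-3 to 0.7.11a-4 changes did not include it, with 0.7.11a-6 as the fixed version. Since one identified upstream commit fixes both CVEs, it would be worth stating in a NOTE whether the buster upload is one of those without the fix, so the no-dsa line reads as "affected, fix available, minor" instead of leaving the buster status to be inferred from the unstable history.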


=====================================
data/dla-needed.txt
=====================================
@@ -61,6 +61,9 @@ dogecoin
   NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
   NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk)
 --
+firefox-esr
+  NOTE: 20231122: Added by Front-Desk (ola)
+--
 flatpak
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk)
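Review bot: the new `firefox-esr` entry records only `NOTE: 20231122: Added by Front-Desk (ola)`; the reason it was added ("Already fixed in bullseye") lives only in the commit message, whereas the neighbouring flatpak entry carries a second NOTE saying what to follow (`Follow fixes from bullseye 11.7 (2 CVEs)`). Consider adding a line such as `  NOTE: 20231122: Follow fixes from bullseye (already fixed there)` so the work item is self-describing in dla-needed.txt.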
@@ -258,6 +261,9 @@ suricata (Adrian Bunk)
 symfony (Markus Koschany)
   NOTE: 20231118: Added by Front-Desk (apo)
 --
+thunderbird
+  NOTE: 20231122: Added by Front-Desk (ola)
+--
 tor
   NOTE: 20231119: Added by Front-Desk (apo)
 --
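Review bot: the `thunderbird` entry has the same single `Added by Front-Desk (ola)` NOTE, while the commit message explains the actual dependency ("Same problems as in firefox-esr and firefox-esr has already been fixed in bullseye"). Recording that in the file, for example `  NOTE: 20231122: Same issues as firefox-esr; follow the bullseye fix`, lets whoever claims the entry see that the two items should be handled together.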



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/808fdee5c7178773c8a540938d25564f4ab52c2f...76b566a4413208a8624d2c91cadb33dfaeef057b


