[Git][security-tracker-team/security-tracker][master] 2 commits: Remove curl from dla-needed.txt

Markus Koschany (@apo) apo at debian.org
Fri Nov 24 18:41:11 GMT 2023



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8ad8336e by Markus Koschany at 2023-11-24T19:40:42+01:00
Remove curl from dla-needed.txt

This was a bit confusing. Apparently curl was added to dla-needed.txt and
afterwards someone triaged the two open CVEs as no-dsa.

I reviewed the decision to mark CVE-2023-27534 and CVE-2023-28322 and I believe
no-dsa is the correct decision. CVE-2023-28322 does not affect the command line
tool and even a use after free is not present in libcurl. This is a rather
theoretical behavior violation. CVE-2023-27534 requires the new internal dynbuf
functions which are not present in Buster's curl version. The described
scenario is unlikely because sftp users are usually restricted by the ssh
server and a buggy client can't just simply access a file in another user's
home directory.

- - - - -
658354ca by Markus Koschany at 2023-11-24T19:40:42+01:00
Claim rabbitmq-server in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=====================================
data/dla-needed.txt
=====================================
@@ -43,10 +43,6 @@ cinder
 cryptojs (guilhem)
   NOTE: 20231119: Added by Front-Desk (apo)
 --
-curl (Markus Koschany)
-  NOTE: 20231103: Added by Front-Desk (lamby)
-  NOTE: 20231103: Sync with stable. (lamby)
---
 docker.io
   NOTE: 20230303: Added by Front-Desk (Beuc)
   NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
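Review bot: the removed curl entry carried the only in-tree record of the 20231103 "Sync with stable" note, and the justification for leaving CVE-2023-27534 and CVE-2023-28322 as no-dsa exists only in the commit message, while this change touches data/dla-needed.txt alone. Consider recording that rationale next to the no-dsa tags in the tracker data so a later front-desk sync does not re-add curl for the same two CVEs and repeat the triage.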
@@ -188,7 +184,7 @@ python-requestbuilder
   NOTE: 20231108: Added by Front-Desk (santiago)
   NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70
 --
-rabbitmq-server
+rabbitmq-server (Markus Koschany)
   NOTE: 20231119: Added by Front-Desk (apo)
 --
 rails



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7e00cf6fe4933a4259a4e230e870dcbaa59337e3...658354ca67fe6ddab6709e10ebf22a55c4c7c53e
