[Git][security-tracker-team/security-tracker][master] 2 commits: Remove flatpak from dla-needed.txt

Markus Koschany (@apo) apo at debian.org
Thu Nov 30 22:14:45 GMT 2023



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7e9a816a by Markus Koschany at 2023-11-30T23:11:40+01:00
Remove flatpak from dla-needed.txt

As discussed with Sylvain via private email. Here is my reasoning from
13.07.2023 again.

CVE-2023-28100 and CVE-2023-28101 are minor issues and most users will install
their applications via GUIs and from trusted repositories anyway. An upgrade to
the 1.10.x series would require backports of at least bubblewrap and ostree.
This may or may not cause regressions in other applications. The risk to reward
ratio is rather unfavorable in this case and since targeted fixes are also
intrusive and sensible workarounds do exist, it is better to keep flatpak as is.

- - - - -
1fd38ff1 by Markus Koschany at 2023-11-30T23:13:56+01:00
CVE-2023-28100,CVE-2023-28101,flatpak: mark both CVE as ignored in Buster

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -39151,7 +39151,7 @@ CVE-2023-28102 (discordrb is an implementation of the Discord API using Ruby. In
 CVE-2023-28101 (Flatpak is a system for building, distributing, and running sandboxed  ...)
 	- flatpak 1.14.4-1 (bug #1033098)
 	[bullseye] - flatpak 1.10.8-0+deb11u1
-	[buster] - flatpak <no-dsa> (Minor issue)
+	[buster] - flatpak <ignored> (Minor issue)
 	NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8
 	NOTE: https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869 (1.15.4)
 	NOTE: https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c (1.15.4)
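Review bot: the new `[buster] - flatpak <ignored>` line keeps the bare "(Minor issue)" reason, which explained a `<no-dsa>` decision but does not explain why the issue is now ignored outright. The commit message gives the actual reason (a fix needs the 1.10.x series, which would require bubblewrap and ostree backports, and targeted fixes are intrusive); carrying that into the parenthetical, e.g. `[buster] - flatpak <ignored> (Minor issue; fix needs bubblewrap/ostree backports)`, lets the tracker entry stand on its own without the commit history. Note also that the NOTE lines for this CVE only reference 1.15.4 commits, whereas the neighbouring CVE-2023-28100 entry records a 1.10.8 commit; if a 1.10.8 fix commit exists for CVE-2023-28101 as well, a matching NOTE would help anyone revisiting the buster decision later.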
@@ -39161,7 +39161,7 @@ CVE-2023-28101 (Flatpak is a system for building, distributing, and running sand
 CVE-2023-28100 (Flatpak is a system for building, distributing, and running sandboxed  ...)
 	- flatpak 1.14.4-1 (bug #1033099)
 	[bullseye] - flatpak 1.10.8-0+deb11u1
-	[buster] - flatpak <no-dsa> (Minor issue)
+	[buster] - flatpak <ignored> (Minor issue)
 	NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp
 	NOTE: https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9 (1.15.4)
 	NOTE: https://github.com/flatpak/flatpak/commit/a9bf18040cc075a70657c6090a59d7f6fe78f893 (1.10.8)
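Review bot: the existing NOTE for the 1.10.8 commit (a9bf1804) shows that a fix for this CVE was already backported to the 1.10.x series, and the `[bullseye] - flatpak 1.10.8-0+deb11u1` line confirms that it shipped there, so the "(Minor issue)" reason on the new `<ignored>` line does not tell a reader why that 1.10.8 change was not cherry-picked for buster. Suggest stating the blocker from the commit message in the parenthetical (the cherry-pick is intrusive and the 1.10.x baseline is not available in buster without further backports), so the `ignored` status is justified in the same place it is recorded.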


=====================================
data/dla-needed.txt
=====================================
@@ -59,10 +59,6 @@ dogecoin
   NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
   NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk)
 --
-flatpak
-  NOTE: 20231006: Added by Front-Desk (Beuc)
-  NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk)
---
 frr
   NOTE: 20231119: Added by Front-Desk (apo)
 --
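Review bot: this removal lands in the first commit (7e9a816a) while the `<ignored>` marking in data/CVE/list comes in the second (1fd38ff1), so between the two the package is dropped from the DLA work queue while both buster entries still read `<no-dsa>`; squashing the two commits, or ordering the data/CVE/list change first, keeps every intermediate state of the tracker consistent. The hunk itself is clean: the removed block takes its own trailing `--` with it, leaving a single separator between the dogecoin and frr entries.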



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8bf283d8bfddc75770dd9178b0d15c025c8e3ebf...1fd38ff1b65935881a8402e4d42d556f695a3023


