[Git][security-tracker-team/security-tracker][master] 2 commits: Reserve DLA-3610-1 for python-urllib3

Sun Oct 8 11:49:40 BST 2023


Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d1774c9e by Guilhem Moulin at 2023-10-08T12:46:22+02:00
Reserve DLA-3610-1 for python-urllib3

- - - - -
c5f22ae0 by Guilhem Moulin at 2023-10-08T12:49:00+02:00
Reserve DLA-3611-1 for inetutils

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -7630,7 +7630,6 @@ CVE-2023-40303 (GNU inetutils through 2.4 may allow privilege escalation because
 	- inetutils 2:2.4-3 (bug #1049365)
 	[bookworm] - inetutils 2:2.4-2+deb12u1
 	[bullseye] - inetutils 2:2.0-1+deb11u2
-	[buster] - inetutils <no-dsa> (Minor issue)
 	NOTE: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6
 	NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg00000.html
 CVE-2023-40296 (async-sockets-cpp through 0.3.1 has a stack-based buffer overflow in R ...)
@@ -217068,7 +217067,6 @@ CVE-2020-26138 (In SilverStripe through 4.6.0-rc1, a FormField with square brack
 CVE-2020-26137 (urllib3 before 1.25.9 allows CRLF injection if the attacker controls t ...)
 	{DLA-2686-1}
 	- python-urllib3 1.25.9-1
-	[buster] - python-urllib3 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue39603
 	NOTE: https://github.com/urllib3/urllib3/commit/1dd69c5c5982fae7c87a620d487c2ebf7a6b436b (1.25.9)
 	NOTE: https://github.com/urllib3/urllib3/pull/1800
@@ -308014,7 +308012,6 @@ CVE-2019-11323 (HAProxy before 1.9.7 mishandles a reload with rotated keys, whic
 CVE-2019-11324 (The urllib3 library before 1.24.2 for Python mishandles certain cases  ...)
 	{DLA-2686-1}
 	- python-urllib3 1.25.6-4 (bug #927412)
-	[buster] - python-urllib3 <no-dsa> (Minor issue)
 	[jessie] - python-urllib3 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/urllib3/urllib3/commit/1efadf43dc63317cd9eaa3e0fdb9e05ab07254b1
 	NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/3
@@ -308244,7 +308241,6 @@ CVE-2019-11236 (In the urllib3 library through 1.24.1 for Python, CRLF injection
 	{DLA-2686-1 DLA-1828-1}
 	[experimental] - python-urllib3 1.25.6-1
 	- python-urllib3 1.25.6-4 (bug #927172)
-	[buster] - python-urllib3 <no-dsa> (Minor issue)
 	NOTE: https://github.com/urllib3/urllib3/issues/1553
 	NOTE: https://github.com/urllib3/urllib3/commit/9b76785331243689a9d52cef3db05ef7462cb02d
 	NOTE: https://github.com/urllib3/urllib3/commit/efddd7e7bad26188c3b692d1090cba768afa9162


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,9 @@
+[08 Oct 2023] DLA-3611-1 inetutils - security update
+	{CVE-2019-0053 CVE-2023-40303}
+	[buster] - inetutils 2:1.9.4-7+deb10u3
+[08 Oct 2023] DLA-3610-1 python-urllib3 - security update
+	{CVE-2019-11236 CVE-2019-11324 CVE-2020-26137 CVE-2023-43804}
+	[buster] - python-urllib3 1.24.1-1+deb10u1
 [08 Oct 2023] DLA-3609-1 prometheus-alertmanager - security update
 	{CVE-2023-40577}
 	[buster] - prometheus-alertmanager 0.15.3+ds-3+deb10u1
@@ -1225,7 +1231,7 @@
 	{CVE-2019-14870 CVE-2021-3671 CVE-2021-44758 CVE-2022-3437 CVE-2022-41916 CVE-2022-42898 CVE-2022-44640}
 	[buster] - heimdal 7.5.0+dfsg-3+deb10u1
 [25 Nov 2022] DLA-3205-1 inetutils - security update
-	{CVE-2019-0053 CVE-2021-40491 CVE-2022-39028}
+	{CVE-2021-40491 CVE-2022-39028}
 	[buster] - inetutils 2:1.9.4-7+deb10u2
 [24 Nov 2022] DLA-3204-1 vim - security update
 	{CVE-2022-0318 CVE-2022-0392 CVE-2022-0629 CVE-2022-0696 CVE-2022-1619 CVE-2022-1621 CVE-2022-1785 CVE-2022-1897 CVE-2022-1942 CVE-2022-2000 CVE-2022-2129 CVE-2022-3235 CVE-2022-3256 CVE-2022-3352}


=====================================
data/dla-needed.txt
=====================================
@@ -99,10 +99,6 @@ imagemagick
   NOTE: 20230622: Added by Front-Desk (Beuc)
   NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk)
 --
-inetutils (guilhem)
-  NOTE: 20231007: Added by Front-Desk (Beuc)
-  NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk)
---
 krb5 (Adrian Bunk)
   NOTE: 20231007: Added by Front-Desk (Beuc)
   NOTE: 20231007: Follow fixes from bullseye 11.8 (1 CVE) (Beuc/front-desk)
@@ -185,10 +181,6 @@ python-os-brick
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
 --
-python-urllib3 (guilhem)
-  NOTE: 20231006: Added by Front-Desk (Beuc)
-  NOTE: 20231006: Fix the 4 no-dsa issues (Beuc/front-desk)
---
 python3.7 (Sean Whitton)
   NOTE: 20231003: Added by Front-Desk (Beuc)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a4bf1e1b5b7959ae7df77ce2d6f011cc32e84699...c5f22ae05c064579e1f539dd16d0602301cd1629

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a4bf1e1b5b7959ae7df77ce2d6f011cc32e84699...c5f22ae05c064579e1f539dd16d0602301cd1629
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20231008/e036f3ae/attachment-0001.htm>
