[Git][security-tracker-team/security-tracker][master] 6 commits: Triage CVE-2023-39741 in lrzip for buster LTS.
Chris Lamb (@lamby)
lamby at debian.org
Thu Sep 7 19:05:48 BST 2023
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c670cb02 by Chris Lamb at 2023-09-07T10:47:22-07:00
Triage CVE-2023-39741 in lrzip for buster LTS.
- - - - -
a78a6e18 by Chris Lamb at 2023-09-07T10:47:26-07:00
data/dla-needed.txt: Triage open-vm-tools for buster LTS (CVE-2023-20900)
- - - - -
835ea036 by Chris Lamb at 2023-09-07T10:54:05-07:00
Triage CVE-2023-41080 in tomcat9 for buster LTS.
- - - - -
52d329a9 by Chris Lamb at 2023-09-07T10:55:38-07:00
data/dla-needed.txt: Triage exempi for buster LTS (CVE-2020-18651 & CVE-2020-18652)
- - - - -
03b707eb by Chris Lamb at 2023-09-07T10:57:48-07:00
data/dla-needed.txt: Triage nasm for buster LTS (CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686)
- - - - -
039a69be by Chris Lamb at 2023-09-07T11:05:26-07:00
data/dla-needed.txt: Triage e2guardian for buster LTS (CVE-2021-44273)
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1835,6 +1835,7 @@ CVE-2023-41080 (URL Redirection to Untrusted Site ('Open Redirect') vulnerabilit
[bookworm] - tomcat10 <postponed> (Minor issue, fix along with future update)
- tomcat9 9.0.70-2
[bullseye] - tomcat9 <postponed> (Minor issue, fix along with future update)
+ [buster] - tomcat9 <postponed> (Minor issue; can be fixed later)
- tomcat8 <removed>
NOTE: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f
NOTE: https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27 (10.1.13)
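Review bot: the new `[buster] - tomcat9 <postponed> (Minor issue; can be fixed later)` line uses a different justification wording from the bullseye and bookworm entries directly above it (`Minor issue, fix along with future update`); for the same CVE and the same package, consider matching the existing phrasing so that anyone grepping the triage rationale for tomcat9 sees one consistent note across suites.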
@@ -2811,6 +2812,7 @@ CVE-2023-39741 (lrzip v0.651 was discovered to contain a heap overflow via the l
- lrzip <unfixed>
[bookworm] - lrzip <no-dsa> (Minor issue)
[bullseye] - lrzip <no-dsa> (Minor issue)
+ [buster] - lrzip <no-dsa> (Minor issue)
NOTE: https://github.com/ckolivas/lrzip/issues/246
CVE-2023-38905 (SQL injection vulnerability in Jeecg-boot v.3.5.0 and before allows a ...)
NOT-FOR-US: JeecgBoot
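Review bot: the added `[buster] - lrzip <no-dsa> (Minor issue)` carries over the bullseye and bookworm tag verbatim, but the only reference on the entry is the open upstream issue (https://github.com/ckolivas/lrzip/issues/246) and the package is still `<unfixed>`; since the description is a heap overflow, a short NOTE recording why it is considered minor for buster would make the no-dsa decision easier to revisit once an upstream fix exists.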
=====================================
data/dla-needed.txt
=====================================
@@ -54,9 +54,16 @@ dogecoin
NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk)
--
+e2guardian
+ NOTE: 20230907: Added by Front-Desk (lamby)
+ NOTE: 20230907: CVE-2021-44273 fixed in bullseye via DSA; patch easy to backport. (lamby)
+--
elfutils (Thorsten Alteholz)
NOTE: 20230903: Added by Front-Desk (gladk)
--
+exempi
+ NOTE: 20230907: Added by Front-Desk (lamby)
+--
exiv2
NOTE: 20230906: Added by Front-Desk (lamby)
--
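Review bot: the new `exempi` entry only records `Added by Front-Desk (lamby)` while the commit message names CVE-2020-18651 and CVE-2020-18652 as the reason; consider adding a `NOTE: 20230907:` line listing those CVE ids, as the `e2guardian` entry in the same hunk does for CVE-2021-44273, so the person claiming the package does not have to dig through the commit log to find what needs fixing.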
@@ -117,6 +124,11 @@ memcached (Chris Lamb)
NOTE: 20230906: Added by Front-Desk (lamby)
NOTE: 20230906: lamby is maintainer (lamby)
--
+nasm
+ NOTE: 20230907: Added by Front-Desk (lamby)
+ NOTE: 20230907: Added due to CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686,
+ NOTE: 20230907: but some of these may require some investigation. (lamby)
+--
nova
NOTE: 20230302: Re-add, request by maintainer (Beuc)
NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
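Review bot: the `nasm` note `but some of these may require some investigation. (lamby)` does not say which of CVE-2020-18780, CVE-2020-21685 and CVE-2020-21686 is unclear or what is in doubt (reproducibility, applicability to the buster version, or whether an upstream fix exists); spelling that out in the NOTE would save the eventual claimant from repeating the front-desk investigation.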
@@ -136,6 +148,9 @@ nvidia-cuda-toolkit
NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html
NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi)
--
+open-vm-tools
+ NOTE: 20230907: Added by Front-Desk (lamby)
+--
opendkim
NOTE: 20230821: Added by Front-Desk (ta)
--
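Review bot: like the `exempi` entry earlier in this patch, the new `open-vm-tools` entry has no NOTE naming the triggering CVE, even though the commit message identifies it as CVE-2023-20900; a `NOTE: 20230907:` line with the CVE id (and, if known, whether a fix is already available in bullseye) would bring it in line with the `e2guardian` entry and make the work item self-describing.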
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/91cf8ea2dcc916ede9b7333e3115828042c1bf09...039a69be4117a6509cdc415c80c2ad79ab29ebcd