[Git][security-tracker-team/security-tracker][master] 6 commits: Triage CVE-2023-39741 in lrzip for buster LTS.

Thu Sep 7 19:05:48 BST 2023


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c670cb02 by Chris Lamb at 2023-09-07T10:47:22-07:00
Triage CVE-2023-39741 in lrzip for buster LTS.

- - - - -
a78a6e18 by Chris Lamb at 2023-09-07T10:47:26-07:00
data/dla-needed.txt: Triage open-vm-tools for buster LTS (CVE-2023-20900)

- - - - -
835ea036 by Chris Lamb at 2023-09-07T10:54:05-07:00
Triage CVE-2023-41080 in tomcat9 for buster LTS.

- - - - -
52d329a9 by Chris Lamb at 2023-09-07T10:55:38-07:00
data/dla-needed.txt: Triage exempi for buster LTS (CVE-2020-18651 & CVE-2020-18652)

- - - - -
03b707eb by Chris Lamb at 2023-09-07T10:57:48-07:00
data/dla-needed.txt: Triage nasm for buster LTS (CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686)

- - - - -
039a69be by Chris Lamb at 2023-09-07T11:05:26-07:00
data/dla-needed.txt: Triage e2guardian for buster LTS (CVE-2021-44273)

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1835,6 +1835,7 @@ CVE-2023-41080 (URL Redirection to Untrusted Site ('Open Redirect') vulnerabilit
 	[bookworm] - tomcat10 <postponed> (Minor issue, fix along with future update)
 	- tomcat9 9.0.70-2
 	[bullseye] - tomcat9 <postponed> (Minor issue, fix along with future update)
+	[buster] - tomcat9 <postponed> (Minor issue; can be fixed later)
 	- tomcat8 <removed>
 	NOTE: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f
 	NOTE: https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27 (10.1.13)
@@ -2811,6 +2812,7 @@ CVE-2023-39741 (lrzip v0.651 was discovered to contain a heap overflow via the l
 	- lrzip <unfixed>
 	[bookworm] - lrzip <no-dsa> (Minor issue)
 	[bullseye] - lrzip <no-dsa> (Minor issue)
+	[buster] - lrzip <no-dsa> (Minor issue)
 	NOTE: https://github.com/ckolivas/lrzip/issues/246
 CVE-2023-38905 (SQL injection vulnerability in Jeecg-boot v.3.5.0 and before allows a  ...)
 	NOT-FOR-US: JeecgBoot


=====================================
data/dla-needed.txt
=====================================
@@ -54,9 +54,16 @@ dogecoin
   NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
   NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk)
 --
+e2guardian
+  NOTE: 20230907: Added by Front-Desk (lamby)
+  NOTE: 20230907: CVE-2021-44273 fixed in bullseye via DSA; patch easy to backport. (lamby)
+--
 elfutils (Thorsten Alteholz)
   NOTE: 20230903: Added by Front-Desk (gladk)
 --
+exempi
+  NOTE: 20230907: Added by Front-Desk (lamby)
+--
 exiv2
   NOTE: 20230906: Added by Front-Desk (lamby)
 --
@@ -117,6 +124,11 @@ memcached (Chris Lamb)
   NOTE: 20230906: Added by Front-Desk (lamby)
   NOTE: 20230906: lamby is maintainer (lamby)
 --
+nasm
+  NOTE: 20230907: Added by Front-Desk (lamby)
+  NOTE: 20230907: Added due to CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686,
+  NOTE: 20230907: but some of these may require some investigation. (lamby)
+--
 nova
   NOTE: 20230302: Re-add, request by maintainer (Beuc)
   NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression
@@ -136,6 +148,9 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi)
 --
+open-vm-tools
+  NOTE: 20230907: Added by Front-Desk (lamby)
+--
 opendkim
   NOTE: 20230821: Added by Front-Desk (ta)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/91cf8ea2dcc916ede9b7333e3115828042c1bf09...039a69be4117a6509cdc415c80c2ad79ab29ebcd

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/91cf8ea2dcc916ede9b7333e3115828042c1bf09...039a69be4117a6509cdc415c80c2ad79ab29ebcd
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230907/25fab387/attachment-0001.htm>
