[Git][security-tracker-team/security-tracker][master] reserve DLA-3575-1 for python2.7
Helmut Grohne (@helmutg)
helmutg at debian.org
Wed Sep 20 20:06:51 BST 2023
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker
Commits:
52f72bfe by Helmut Grohne at 2023-09-20T21:06:37+02:00
reserve DLA-3575-1 for python2.7
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3928,8 +3928,7 @@ CVE-2022-48565 (An XML External Entity (XXE) issue was discovered in Python thro
CVE-2022-48564 (read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a po ...)
- python3.9 3.9.1~rc1-1
- python3.7 <removed>
- - python2.7 <removed>
- [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
+ - python2.7 <not-affected> (In 2.7, the plistlib parser only supports XML and not the affected binary format)
NOTE: https://bugs.python.org/issue42103
NOTE: https://github.com/python/cpython/issues/86269
NOTE: https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f (v3.10.0a2)
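Review bot: the `<not-affected>` rationale on the added python2.7 line is only asserted inline, while all surviving NOTE lines point at the 3.x issue and the 3.10 fix commit; add a NOTE referencing the 2.7 plistlib source (or the upstream discussion) that shows the binary plist reader is absent, so the claim can be re-checked later without a full re-triage. Replacing `<removed>` with `<not-affected>` and dropping the `[bullseye]` override is consistent, since the not-affected state now applies to every suite.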
@@ -38302,7 +38301,6 @@ CVE-2023-24329 (An issue in the urllib.parse component of Python before 3.11.4 a
[buster] - python3.7 <ignored> (Cf. related CVE-2022-0391)
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
- [buster] - python2.7 <ignored> (Cf. related CVE-2022-0391)
NOTE: https://pointernull.com/security/python-url-parse-problem.html
NOTE: https://github.com/python/cpython/pull/99421
NOTE: https://github.com/python/cpython/pull/99446 (backport for 3.11 branch)
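Review bot: with the `[buster] - python2.7 <ignored>` override dropped, the buster state of this entry now comes from the DLA line, but the NOTEs still reference only the 3.11 pull requests (99421 and 99446); since the dla-needed notes removed in this same commit describe the 2.7 fix as needing a supplementary patch beyond the upstream backport, add a NOTE naming the patch source used for 2.7.16-2+deb10u3 so the buster fix stays traceable.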
@@ -118560,7 +118558,6 @@ CVE-2022-0391 (A flaw was found in Python, specifically within the urllib.parse
- python3.4 <removed>
- python2.7 <removed>
[bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications)
- [buster] - python2.7 <ignored> (Minor issue, different approach to sanitization; regressions reports)
NOTE: https://bugs.python.org/issue43882
NOTE: Regressions reported for django, boto-core and cloud-init
NOTE: Fixed by: https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 (v3.10.0b1)
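Review bot: the removed buster line was the only place recording why the fix had been held back (a different sanitization approach and regression reports), and the NOTE about regressions in django, boto-core and cloud-init is kept unchanged, so a reader now sees a regression warning next to a buster fix with no indication whether the DLA avoided those regressions; a NOTE stating how the buster patch differs, or that the regressions were judged acceptable, would close that gap.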
@@ -189199,7 +189196,6 @@ CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0
[experimental] - python2.7 2.7.18-13.1~exp1
- python2.7 2.7.18-13.1
[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
- [buster] - python2.7 <ignored> (Will break existing applications, don't backport to released suites)
- pypy3 7.3.3+dfsg-3
[buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://github.com/python/cpython/pull/24297
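Review bot: the dropped `[buster]` override stated that the fix "Will break existing applications", and the `[bullseye] <ignored>` line above it stays; since the DLA now ships the change to buster, add a NOTE recording that the behaviour change and its impact on applications were accepted for the buster update, otherwise the earlier ignore rationale is reversed without a trace. Leaving the pypy3 `[buster] <no-dsa>` line untouched is correct, as the DLA covers only python2.7.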
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[20 Sep 2023] DLA-3575-1 python2.7 - security update
+ {CVE-2021-23336 CVE-2022-0391 CVE-2022-48560 CVE-2022-48565 CVE-2022-48566 CVE-2023-24329 CVE-2023-40217}
+ [buster] - python2.7 2.7.16-2+deb10u3
[20 Sep 2023] DLA-3574-1 mutt - security update
{CVE-2023-4874 CVE-2023-4875}
[buster] - mutt 1.10.1-2.1+deb10u7
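Review bot: only three of the seven CVEs listed in the new DLA-3575-1 line (CVE-2021-23336, CVE-2022-0391, CVE-2023-24329) have their buster state adjusted in this commit, with CVE-2022-48564 correctly absent as it is marked not-affected; confirm that the CVE/list entries for CVE-2022-48560, CVE-2022-48565, CVE-2022-48566 and CVE-2023-40217 carry no `[buster]` ignored or no-dsa override, otherwise the tracker would show them as both ignored and fixed by this DLA. Date format, CVE set and version line match the DLA-3574-1 entry below.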
=====================================
data/dla-needed.txt
=====================================
@@ -166,13 +166,6 @@ python-os-brick
NOTE: 20230525: Added by Front-Desk (lamby)
NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder.
--
-python2.7 (Helmut Grohne)
- NOTE: 20230826: Added by Front-Desk (utkarsh)
- NOTE: 20230826: some traces of vulnerable code found. My hunch is that it's not-affected but it needs
- NOTE: 20230826: a deeper triage. Also CVE-2023-24329 is vulnerable and was partially fixed in some suites
- NOTE: 20230826: and wasn't fixed in Debian, but the extra patch is now available and can be fixed now. (utkarsh)
- NOTE: 20230826: contact Utkarsh in case you're unable to find the supplementary patch. (utkarsh)
---
qt4-x11
NOTE: 20230822: Re-added for one remaining open CVE (roberto)
NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, fix or remove entry from this file (roberto)
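Review bot: removing the python2.7 entry discards triage notes, two of which carry information not recorded elsewhere in this commit: which CVE the "traces of vulnerable code" referred to, and that a supplementary patch for CVE-2023-24329 exists beyond the upstream backport; move those facts into NOTE lines on the respective CVE/list entries before dropping them here. The separator handling is right: one `--` goes with the entry so a single separator remains between python-os-brick and qt4-x11.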
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52f72bfe89dd993081fb80d3c93717553ae809e0