[Git][security-tracker-team/security-tracker][master] Switch firefox and firefox-esr entries to unimportant for CVE-2023-5217

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Sep 29 20:41:52 BST 2023



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
230771cc by Salvatore Bonaccorso at 2023-09-29T21:41:03+02:00
Switch firefox and firefox-esr entries to unimportant for CVE-2023-5217

Admittedly this is *not* fully correct tracking, because we cannot say
it's unimportant on suite level, only globally for a source package.
Starting in bookworm the system libvpx library is used (for now) and so
CVE-2023-5217 while affecting the source, not impacted on the binary
packages.

But it *is* for bullseye and buster, and there needs to be an upload for
115.3.1 ESR in those suites. As this is already being handled by
security team and LTS team and on the radar, mark the entry as
unimportant for the rest.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -250,14 +250,16 @@ CVE-2023-5221 (A vulnerability classified as critical has been found in ForU CMS
 CVE-2023-5217 (Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior  ...)
 	- chromium 117.0.5938.132-1
 	[buster] - chromium <end-of-life> (see DSA 5046)
-	- firefox <unfixed>
-	- firefox-esr <unfixed>
+	- firefox <unfixed> (unimportant)
+	- firefox-esr <unfixed> (unimportant)
 	- libvpx 1.12.0-1.1 (bug #1053182)
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/#CVE-2023-5217
 	NOTE: https://www.openwall.com/lists/oss-security/2023/09/28/5
 	NOTE: Fixed by (libvpx): https://github.com/webmproject/libvpx/commit/af6dedd715f4307669366944cca6e0417b290282
 	NOTE: Fixed by (libvpx): https://github.com/webmproject/libvpx/commit/3fbd1dca6a4d2dad332a2110d646e4ffef36d590
 	NOTE: https://hg.mozilla.org/mozilla-central/rev/c53f5ef77b62b79af86951a7f9130e1896b695d2
+	NOTE: src:firefox and firefox-esr use the system libvpx starting in bookworm and above. For
+	NOTE: older releases still needs the fixes in src:firefox-esr.
 CVE-2023-5187 (Use after free in Extensions in Google Chrome prior to 117.0.5938.132  ...)
 	- chromium 117.0.5938.132-1
 	[buster] - chromium <end-of-life> (see DSA 5046)
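Review bot: the `(unimportant)` tag on the `firefox` and `firefox-esr` lines is global, so bullseye and buster, where the added NOTE says the bundled libvpx in src:firefox-esr still needs the fixes, now read as unimportant as well (the commit message itself acknowledges this). The file already carries suite-scoped entries, as in `[buster] - chromium <end-of-life> (see DSA 5046)` in this same hunk, so consider keeping a suite-scoped `firefox-esr` line for bullseye and buster so the pending 115.3.1 ESR upload stays visible to anyone reading only the entry. Separately, the wrapped NOTE is hard to parse: "starting in bookworm and above" is redundant, and "For older releases still needs the fixes in src:firefox-esr" has no subject; something like "Older releases still need the fixes in the libvpx bundled in src:firefox-esr" would read cleanly.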



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/230771cc6faaefa0e05348f8125c4164f2c0e414
