[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2022-27240,CVE-2023-49208/glewlwyd: reference introductory commit
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Tue Aug 13 10:09:42 BST 2024
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c2276290 by Sylvain Beucler at 2024-08-13T11:09:00+02:00
CVE-2022-27240,CVE-2023-49208/glewlwyd: reference introductory commit
- - - - -
de678a4c by Sylvain Beucler at 2024-08-13T11:09:00+02:00
dla: more packages to sync with bookworm pu; drop roundcube
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.prospective
Changes:
=====================================
data/CVE/list
=====================================
@@ -69533,8 +69533,9 @@ CVE-2023-49208 (scheme/webauthn.c in Glewlwyd SSO server before 2.7.6 has a poss
- glewlwyd 2.7.6+ds-1
[bookworm] - glewlwyd 2.7.5-3+deb12u1
[bullseye] - glewlwyd <no-dsa> (Minor issue)
- [buster] - glewlwyd <not-affected> (Vulnerable code not present)
+ [buster] - glewlwyd <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/babelouest/glewlwyd/commit/f9d8c06aae8dfe17e761b18b577ff169e059e812 (v2.7.6)
+ NOTE: Introduced by: https://github.com/babelouest/glewlwyd/commit/13265133e8287f246f2feecb24449179d20c9f0e (v2.0.0b1)
CVE-2023-41812 (Unrestricted Upload of File with Dangerous Type vulnerability in Pando ...)
NOT-FOR-US: Pandora FMS
CVE-2023-41811 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...)
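Review bot: the buster <not-affected> rationale in this hunk rests on the introducing commit being tagged v2.0.0b1, but nothing in the entry records which glewlwyd version buster ships, and, unlike the CVE-2022-27240 description below ("2.x before 2.6.2"), this CVE's description does not bound the affected range to 2.x. Consider adding buster's shipped version to the NOTE so the "Vulnerable code introduced later" claim can be checked from the entry alone.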
@@ -190252,8 +190253,9 @@ CVE-2022-1020 (The Product Table for WooCommerce (wooproducttable) WordPress plu
CVE-2022-27240 (scheme/webauthn.c in Glewlwyd SSO server 2.x before 2.6.2 has a buffer ...)
- glewlwyd 2.6.1-2
[bullseye] - glewlwyd <no-dsa> (Minor issue)
- [buster] - glewlwyd <no-dsa> (Minor issue)
+ [buster] - glewlwyd <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/babelouest/glewlwyd/commit/4c5597c155bfbaf6491cf6b83479d241ae66940a (v2.6.2)
+ NOTE: Introduced by: https://github.com/babelouest/glewlwyd/commit/e5007f6e102f1260a9562654c4e88f1c6de12c02 (v2.0.0-b1)
CVE-2022-29869 (cifs-utils through 6.14, with verbose logging, can cause an informatio ...)
{DSA-5157-1 DLA-3009-1}
- cifs-utils 2:6.14-1.1 (bug #1010818)
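Review bot: the new "Introduced by" NOTE writes the upstream pre-release tag as "(v2.0.0-b1)" while the matching NOTE added for CVE-2023-49208 in the hunk above writes it as "(v2.0.0b1)"; both point at commits from the same 2.0.0 beta, so use one spelling (whichever matches the upstream tag) in both entries. The buster line otherwise correctly moves from <no-dsa> (Minor issue) to <not-affected> in step with the introduced-by evidence.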
=====================================
data/dla-needed.prospective
=====================================
@@ -32,6 +32,10 @@ NOTE: IMPORTANT: During 2024-07/08, make sure you do NOT conflict with
NOTE: IMPORTANT: a prepared upload for bullseye's last point release, see:
NOTE: IMPORTANT: https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=release.debian.org@packages.debian.org;tag=pu
+--
+amanda
+ NOTE: 20240815: Added by Front-Desk (Beuc)
+ NOTE: 20240815: Follow fixes from buster DLA-3681-1 (3 CVEs) and bookworm 12.4 (CVE-2023-30577) (Beuc/front-desk)
--
bind9
NOTE: 20240729: Added by oldstable Security Team (carnil)
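Review bot: the amanda entry names the bookworm CVE explicitly ("bookworm 12.4 (CVE-2023-30577)") but leaves the buster side as "DLA-3681-1 (3 CVEs)" without listing them; the libxml2 and ruby-httparty entries in this same file list their CVE ids, so add the three ids here as well so the task is self-contained without opening the DLA.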
@@ -107,6 +111,11 @@ glance (Thomas Goirand)
NOTE: 20240815: A bookworm DSA is planned (Beuc/front-desk)
NOTE: 20240815: zigo prepared bullseye packages, cf. http://osbpo.debian.net/deb-status/ (Beuc/front-desk)
--
+glewlwyd
+ NOTE: 20240815: Added by Front-Desk (Beuc)
+ NOTE: 20240815: Follow fixes from bookworm 12.6 (2 CVEs)
+ NOTE: 20240815: Consider fixing postponed CVEs (Beuc/front-desk)
+--
gpac
NOTE: 20240815: Added by Front-Desk (Beuc)
NOTE: 20240815: Considered for EOL
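Review bot: "Follow fixes from bookworm 12.6 (2 CVEs)" does not name the two CVEs, and it is the only NOTE line in the new glewlwyd entry without the "(Beuc/front-desk)" attribution the sibling lines carry. Since the first file in this push updates CVE-2023-49208 with its bookworm fix (2.7.5-3+deb12u1), naming the ids here would tie the dla-needed entry to the CVE/list change; "Consider fixing postponed CVEs" would likewise be clearer if it pointed at the bullseye <no-dsa> (Minor issue) markings it refers to.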
@@ -122,6 +131,11 @@ indent
NOTE: 20240815: pu scheduled https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1074142
NOTE: 20240815: drop this entry after bullseye 11.11 is out on 2024-08-31 (Beuc/front-desk)
--
+libxml2
+ NOTE: 20240815: Added by Front-Desk (Beuc)
+ NOTE: 20240815: Follow fixes from bookworm 12.1 (CVE-2022-2309) (low-priority)
+ NOTE: 20240815: Consider fixing CVE-2016-3709 (Beuc/front-desk)
+--
linux (Ben Hutchings)
NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
--
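Review bot: the libxml2 entry attaches "(low-priority)" to the bookworm 12.1 follow-up line where the other entries put the author attribution, and only the last line carries "(Beuc/front-desk)"; state who made the low-priority assessment on that line so it is not read as part of the upstream fix reference, and consider a one-word reason for reopening CVE-2016-3709 alongside the "Consider fixing" line.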
@@ -187,10 +201,6 @@ ring
NOTE: 20230301: might make sense to rebase to current version (jmm)
NOTE: 20240815: A bookworm DSA is planned (Beuc/front-desk)
--
-roundcube
- NOTE: 20240805: Added by oldstable Security Team (jmm)
- NOTE: 20240815: Follow DSA-5743-1 (CVE-2024-42008,9,10) (Beuc/front-desk)
---
ruby-httparty
NOTE: 20240815: Added by Front-Desk (Beuc)
NOTE: 20240815: Follow fixes from DLA-3716-1 (CVE-2024-22049) (Beuc/front-desk)
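Review bot: the roundcube entry is dropped while its last NOTE ("Follow DSA-5743-1 (CVE-2024-42008,9,10)") still records an open follow-up task, and neither the commit message ("drop roundcube") nor the hunk says why the task no longer applies; record the reason (for example that the fix was handled through another channel) in the commit message so the removal is traceable later.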
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/eac65a69e3740fdd6a76d0378edaaa26a3bb0993...de678a4c0e66f4669c1851dc629346e412acf9f6
--