[Git][security-tracker-team/security-tracker][master] Reserve DLA-3990-1 for avahi

Adrian Bunk (@bunk) bunk at debian.org
Mon Dec 9 12:07:57 GMT 2024 


Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9cc56dc1 by Adrian Bunk at 2024-12-09T14:07:43+02:00
Reserve DLA-3990-1 for avahi

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -109257,7 +109257,6 @@ CVE-2023-3430 (A vulnerability was found in OpenImageIO, where a heap buffer ove
 CVE-2023-38473 (A vulnerability was found in Avahi. A reachable assertion exists in th ...)
 	- avahi 0.8-14 (bug #1054880)
 	[bookworm] - avahi <no-dsa> (Minor issue)
-	[bullseye] - avahi <no-dsa> (Minor issue)
 	[buster] - avahi <postponed> (Minor issue; re-evaluate when fixed upstream)
 	NOTE: https://github.com/avahi/avahi/issues/451
 	NOTE: https://github.com/avahi/avahi/pull/486
@@ -109266,7 +109265,6 @@ CVE-2023-38473 (A vulnerability was found in Avahi. A reachable assertion exists
 CVE-2023-38472 (A vulnerability was found in Avahi. A reachable assertion exists in th ...)
 	- avahi 0.8-14 (bug #1054879)
 	[bookworm] - avahi <no-dsa> (Minor issue)
-	[bullseye] - avahi <no-dsa> (Minor issue)
 	[buster] - avahi <postponed> (Minor issue; re-evaluate when fixed upstream)
 	NOTE: https://github.com/avahi/avahi/issues/452
 	NOTE: https://github.com/avahi/avahi/pull/490
@@ -109275,7 +109273,6 @@ CVE-2023-38472 (A vulnerability was found in Avahi. A reachable assertion exists
 CVE-2023-38471 (A vulnerability was found in Avahi. A reachable assertion exists in th ...)
 	- avahi 0.8-14 (bug #1054878)
 	[bookworm] - avahi <no-dsa> (Minor issue)
-	[bullseye] - avahi <no-dsa> (Minor issue)
 	[buster] - avahi <postponed> (Minor issue; re-evaluate when fixed upstream)
 	NOTE: https://github.com/avahi/avahi/issues/453
 	NOTE: https://github.com/avahi/avahi/pull/494
@@ -109284,7 +109281,6 @@ CVE-2023-38471 (A vulnerability was found in Avahi. A reachable assertion exists
 CVE-2023-38470 (A vulnerability was found in Avahi. A reachable assertion exists in th ...)
 	- avahi 0.8-14 (bug #1054877)
 	[bookworm] - avahi <no-dsa> (Minor issue)
-	[bullseye] - avahi <no-dsa> (Minor issue)
 	[buster] - avahi <postponed> (Minor issue; re-evaluate when fixed upstream)
 	NOTE: https://github.com/avahi/avahi/issues/454
 	NOTE: https://github.com/avahi/avahi/pull/457
@@ -109293,7 +109289,6 @@ CVE-2023-38470 (A vulnerability was found in Avahi. A reachable assertion exists
 CVE-2023-38469 (A vulnerability was found in Avahi, where a reachable assertion exists ...)
 	- avahi 0.8-14 (bug #1054876)
 	[bookworm] - avahi <no-dsa> (Minor issue; can be mitigated by setting disable-user-service-publishing to yes)
-	[bullseye] - avahi <no-dsa> (Minor issue; can be mitigated by setting disable-user-service-publishing to yes)
 	[buster] - avahi <postponed> (Minor issue; can be mitigated by setting disable-user-service-publishing to yes)
 	NOTE: https://github.com/avahi/avahi/issues/455
 	NOTE: https://github.com/avahi/avahi/pull/500
@@ -131723,7 +131718,6 @@ CVE-2023-1982 (The Front Editor WordPress plugin through 4.0.4 does not sanitize
 CVE-2023-1981 (A vulnerability was found in the avahi library. This flaw allows an un ...)
 	{DLA-3414-1}
 	- avahi 0.8-10 (bug #1034594)
-	[bullseye] - avahi <no-dsa> (Minor issue)
 	NOTE: https://github.com/avahi/avahi/issues/375
 	NOTE: https://github.com/avahi/avahi/pull/407
 	NOTE: https://github.com/avahi/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[09 Dec 2024] DLA-3990-1 avahi - security update
+	{CVE-2023-1981 CVE-2023-38469 CVE-2023-38470 CVE-2023-38471 CVE-2023-38472 CVE-2023-38473}
+	[bullseye] - avahi 0.8-5+deb11u3
 [09 Dec 2024] DLA-3989-1 ruby-doorkeeper - security update
 	{CVE-2023-34246}
 	[bullseye] - ruby-doorkeeper 5.3.0-2+deb11u1


=====================================
data/dla-needed.txt
=====================================
@@ -34,12 +34,6 @@ ansible
   NOTE: 20241120: Waiting for release by Lee testsuite is ok
   NOTE: 20241123: Made a partial release. only CVE-2024-11079 needed but more upstream backport work needed
 --
-avahi (Adrian Bunk)
-  NOTE: 20241119: Added by Front-Desk (Beuc)
-  NOTE: 20241119: Multiple CVEs now fixed upstream: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054880#12
-  NOTE: 20241119: Consider coordinating with maintainers to fix in sid, and then in all releases.
-  NOTE: 20241119: Also CVE-2023-1981 fixed in both bookworm and buster/stretch/jessie (Beuc/front-desk)
---
 busybox (Adrian Bunk)
   NOTE: 20241204: Added by Front-Desk (santiago)
   NOTE: 20241204: Added to address the CVEs from 2021, after a request from a sponsor



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9cc56dc18b8dd4a72c4e9cb8e9fb9e003fe12877

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9cc56dc18b8dd4a72c4e9cb8e9fb9e003fe12877
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20241209/a2149baa/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list