[Git][security-tracker-team/security-tracker][master] Reserve DLA-3995-1 for libpgjava

Adrian Bunk (@bunk) bunk at debian.org
Mon Dec 16 09:06:37 GMT 2024



Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
af2921ff by Adrian Bunk at 2024-12-16T11:06:24+02:00
Reserve DLA-3995-1 for libpgjava

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -86428,7 +86428,6 @@ CVE-2024-1597 (pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL
 	{DLA-3812-1}
 	- libpgjava 42.7.2-1
 	[bookworm] - libpgjava <no-dsa> (Minor issue)
-	[bullseye] - libpgjava <no-dsa> (Minor issue)
 	NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
 	NOTE: https://github.com/pgjdbc/pgjdbc/commit/93b0fcb2711d9c1e3a2a03134369738a02a58b40 (REL42.7.2)
 	NOTE: https://github.com/pgjdbc/pgjdbc/commit/06abfb78a627277a580d4df825f210e96a4e14ee (REL42.7.2)
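Review bot: After the `[bullseye] - libpgjava <no-dsa> (Minor issue)` line is dropped, the CVE-2024-1597 entry has no bullseye annotation at all and its cross-reference still reads `{DLA-3812-1}` only. The bullseye fixed version appears solely in the data/DLA/list hunk of this commit, so confirm that DLA-3995-1 ends up linked to this CVE entry once that file is processed. The same check applies to the CVE-2022-41946 and CVE-2022-31197 hunks below. The `[bookworm]` no-dsa line is correctly left in place.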
@@ -182489,7 +182488,6 @@ CVE-2022-41947 (DHIS 2 is an open source information system for data capture, ma
 CVE-2022-41946 (pgjdbc is an open source postgresql JDBC Driver. In affected versions  ...)
 	{DLA-3218-1}
 	- libpgjava 42.5.1-1
-	[bullseye] - libpgjava <no-dsa> (Minor issue)
 	NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-562r-vg33-8x8h
 	NOTE: https://github.com/pgjdbc/pgjdbc/commit/9008dc9aade6dbfe4efafcd6872ebc55f4699cf5 (REL42.5.1-rc1)
 CVE-2022-41945 (super-xray is a vulnerability scanner (xray) GUI launcher. In version  ...)
@@ -212127,7 +212125,6 @@ CVE-2022-31198 (OpenZeppelin Contracts is a library for secure smart contract de
 CVE-2022-31197 (PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to conn ...)
 	{DLA-3140-1}
 	- libpgjava 42.4.1-1 (bug #1016662)
-	[bullseye] - libpgjava <no-dsa> (Minor issue)
 	NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-r38f-c4h4-hqq2
 	NOTE: https://github.com/pgjdbc/pgjdbc/commit/739e599d52ad80f8dcd6efedc6157859b1a9d637 (REL42.4.1-rc1)
 CVE-2022-31196 (Databasir is a database metadata management platform. Databasir <= 1.0 ...)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[16 Dec 2024] DLA-3995-1 libpgjava - security update
+	{CVE-2022-31197 CVE-2022-41946 CVE-2024-1597}
+	[bullseye] - libpgjava 42.2.15-1+deb11u2
 [15 Dec 2024] DLA-3994-1 gstreamer1.0 - security update
 	{CVE-2024-47606}
 	[bullseye] - gstreamer1.0 1.18.4-2.1+deb11u1
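Review bot: Check `42.2.15-1+deb11u2` on the new `[bullseye]` line against the version actually uploaded, because this line is the only record in the commit of the bullseye fix that replaces the three removed `<no-dsa>` annotations in data/CVE/list. The brace list does match the three CVE entries edited there (CVE-2022-31197, CVE-2022-41946, CVE-2024-1597).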


=====================================
data/dla-needed.txt
=====================================
@@ -128,11 +128,6 @@ jetty9 (Markus Koschany)
 knot-resolver
   NOTE: 20240924: Added by Front-Desk (lamby)
 --
-libpgjava (Adrian Bunk)
-  NOTE: 20241206: Added by coordinator (roberto)
-  NOTE: 20241206: CVE-2022-31197, CVE-2022-41946, and CVE-2024-1597 were fixed in buster, are still open (no-dsa) in bullseye (all 3) and bookworm (only CVE-2024-1597)
-  NOTE: 20241206: https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/168
---
 libxstream-java (Markus Koschany)
   NOTE: 20241110: Added by Front-Desk (apo)
 --
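Review bot: The removed libpgjava NOTE states that CVE-2024-1597 is still open (no-dsa) in bookworm, and the pointer to lts-updates-tasks issue 168 is removed with it. The `[bookworm] - libpgjava <no-dsa> (Minor issue)` line kept in data/CVE/list still carries that status, but it would help to record the remaining bookworm exposure in the linked issue before it is closed, so the follow-up is not lost when this entry disappears.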



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af2921ff7db5b5eb0cde7ccae5c385849c463b70
