[Git][security-tracker-team/security-tracker][master] Update classification for CVE-2023-38703/ring
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Jan 26 20:18:45 GMT 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4dea49aa by Salvatore Bonaccorso at 2024-01-26T21:13:25+01:00
Update classification for CVE-2023-38703/ring
As per maintainer and upstream investigation:
I brought this up with some Jami core devs, and one of them
investigated and told me that Jami's use of pjsip is not
affected by this bug. As such, I believe we don't have to do
anything for this at this stage, and can close this bug.
Instead of marking it source-wise affected (for the embedded use) but
not affecting ring given its use of pjsip, we might even drop the
entry completely if there is fear that this confuses users.
Link: https://bugs.debian.org/1059307#12
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -20409,9 +20409,11 @@ CVE-2023-38703 (PJSIP is a free and open source multimedia communication library
{DSA-5596-1 DLA-3696-1}
- asterisk <unfixed> (bug #1059303)
- pjproject <removed>
- - ring <unfixed> (bug #1059307)
+ - ring <unfixed> (bug #1059307; unimportant)
NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
NOTE: https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d (2.14)
+ NOTE: According to https://bugs.debian.org/1059307#12 Jami's use of pjsip is not affected
+ NOTE: by this issue.
CVE-2023-36465 (Decidim is a participatory democracy framework, written in Ruby on Rai ...)
NOT-FOR-US: Decidim
CVE-2023-35897 (IBM Spectrum Protect Client and IBM Storage Protect for Virtual Enviro ...)
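Review bot: The added NOTE under the ring line says only that Jami's use of pjsip is not affected, which does not explain why the entry stays `<unfixed>` with the `unimportant` tag instead of being dropped. The commit message carries the actual reasoning (the embedded pjsip copy is still source-wise affected, while ring's use of it is not), so I would put that in the NOTE too, for example "NOTE: ring embeds pjsip (source-wise affected), but Jami's use of pjsip is not affected by this issue", so that someone reading data/CVE/list does not need the commit log or the bug report to understand the classification. The only stated basis is the relayed statement in https://bugs.debian.org/1059307#12; if upstream later publishes the reason their usage is unaffected, linking it here would make the entry easier to re-check.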
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4dea49aac02dd2481d2874d6ea85fd552a89126b