[Git][security-tracker-team/security-tracker][master] 6 commits: Reassign DLA-3834-1 to netty from unbound
Markus Koschany (@apo)
apo at debian.org
Fri Jun 21 22:18:31 BST 2024
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2b9097a0 by Markus Koschany at 2024-06-21T23:02:02+02:00
Reassign DLA-3834-1 to netty from unbound
Assigning DLA-3834-1 to unbound was premature. Fix that by using the number for
netty.
- - - - -
aad481bc by Markus Koschany at 2024-06-21T23:02:02+02:00
Remove netty from dla-needed.txt
- - - - -
5593e2fa by Markus Koschany at 2024-06-21T23:02:03+02:00
CVE-2024-33655,unbound: mark buster as ignored.
Reasoning: Unbound itself is not affected by the DoS attack, but it could be
part of a distributed denial of service attack against other services/servers,
provided all conditions are met, which is non-trivial to do.
Ideally we could fix this scenario too. However, the patch introduced new
configuration options which in turn rely on features which are not present in
1.9. For instance, there is no cookie support and there is also no distinction
when unbound is used in a proxy scenario. My patch removed the cookie part of
the patch and ignored the remote_addr / client_addr part and just used the UDP
IP addr. I don't feel confident enough that this is a proper solution to the
problem, though. Since there is no imminent risk for unbound users, I am going to
mark this problem as ignored.
- - - - -
fc60451a by Markus Koschany at 2024-06-21T23:02:05+02:00
CVE-2024-33869,CVE-2024-33870,ghostscript: buster is not affected
The gp_validate_path_len function was introduced later.
- - - - -
0a202c98 by Markus Koschany at 2024-06-21T23:02:05+02:00
Return ghostscript and let someone else double-check the package.
- - - - -
01d5f4db by Markus Koschany at 2024-06-21T23:13:20+02:00
Claim tryton and dlt-daemon in dla-needed.txt
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -15350,8 +15350,8 @@ CVE-2024-0445 (The The Plus Addons for Elementor plugin for WordPress is vulnera
CVE-2023-6327 (The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable ...)
NOT-FOR-US: WordPress plugin
CVE-2024-33655 (The DNS protocol in RFC 1035 and updates allows remote attackers to ca ...)
- {DLA-3834-1}
- unbound 1.20.0-1
+ [buster] - unbound <ignored> (Not affected by DoS, intrusive changes)
NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2024-33655.txt
NOTE: Fixed by: https://github.com/NLnetLabs/unbound/commit/c3206f4568f60c486be6d165b1f2b5b254fea3de (release-1.20.0rc1)
CVE-2024-4693 (A flaw was found in the QEMU Virtio PCI Bindings (hw/virtio/virtio-pci ...)
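Review bot: The `<ignored>` justification "(Not affected by DoS, intrusive changes)" on the new `[buster]` line loses most of the reasoning given in the commit message; suggest a NOTE line beneath it recording that the upstream fix depends on DNS cookie support and on the remote_addr / client_addr proxy distinction, neither of which exists in unbound 1.9, so a later triager can see why the backport was abandoned without digging through git history. Dropping `{DLA-3834-1}` here is only correct together with the data/DLA/list change in the same push, which is the case.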
@@ -15424,12 +15424,14 @@ CVE-2024-33871
CVE-2024-33870
{DSA-5692-1}
- ghostscript 10.03.1~dfsg~git20240518-1
+ [buster] - ghostscript <not-affected> (The vulnerable code was introduced later)
NOTE: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html
NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc3da2dc090450407d9fbcff80 (ghostpdl-10.03.1)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707686
CVE-2024-33869
{DSA-5692-1}
- ghostscript 10.03.1~dfsg~git20240518-1
+ [buster] - ghostscript <not-affected> (The vulnerable code was introduced later)
NOTE: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html
NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43 (ghostpdl-10.03.1)
NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4 (ghostpdl-10.03.1)
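Review bot: The `<not-affected>` reason "(The vulnerable code was introduced later)" is identical for both CVEs and less precise than the commit message; suggest naming the function, e.g. `[buster] - ghostscript <not-affected> (gp_validate_path_len was introduced later)`, so the claim can be re-verified against the buster source tree without reading the commit log.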
@@ -31093,10 +31095,10 @@ CVE-2024-29650 (An issue in @thi.ng/paths v.5.1.62 and before allows a remote at
CVE-2024-29515 (File Upload vulnerability in lepton v.7.1.0 allows a remote authentica ...)
NOT-FOR-US: Lepton CMS
CVE-2024-29025 (Netty is an asynchronous event-driven network application framework fo ...)
+ {DLA-3834-1}
- netty 1:4.1.48-10 (bug #1068110)
[bookworm] - netty <postponed> (Minor issue, fix along with future update)
[bullseye] - netty <postponed> (Minor issue, fix along with future update)
- [buster] - netty <postponed> (Minor issue, HTTP multipart DoS, fix along with future update)
NOTE: https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
NOTE: https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c (netty-4.1.108.Final)
NOTE: https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
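Review bot: Adding `{DLA-3834-1}` while deleting the `[buster] - netty <postponed>` line makes the tracker treat buster as fixed through the DLA, but nothing in this diff supplies the fixed buster version of netty; check that the DLA-3834-1 entry in data/DLA/list carries a `[buster] - netty <version>` line, because as this push stands that entry still names `unbound 1.9.0-2+deb10u5` and buster would show as fixed by an advisory that lists the wrong package.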
=====================================
data/DLA/list
=====================================
@@ -15,8 +15,8 @@
[17 Jun 2024] DLA-3835-1 roundcube - security update
{CVE-2024-37383 CVE-2024-37384}
[buster] - roundcube 1.3.17+dfsg.1-1~deb10u6
-[17 Jun 2024] DLA-3834-1 unbound - security update
- {CVE-2024-33655}
+[17 Jun 2024] DLA-3834-1 netty - security update
+ {CVE-2024-29025}
[buster] - unbound 1.9.0-2+deb10u5
[17 Jun 2024] DLA-3833-1 php7.3 - security update
{CVE-2024-5458}
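Review bot: The version line under the reassigned entry is unchanged context, so `[buster] - unbound 1.9.0-2+deb10u5` now sits directly under `DLA-3834-1 netty - security update` and the advisory record names netty while listing an unbound version. Replace that line with the fixed buster netty version (the number does not appear in this diff) so that the `{CVE-2024-29025}` cross-reference resolves to the right package and version.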
=====================================
data/dla-needed.txt
=====================================
@@ -49,7 +49,7 @@ cyrus-imapd
dcmtk (Adrian Bunk)
NOTE: 20240428: Added by Front-Desk (ta)
--
-dlt-daemon
+dlt-daemon (Markus Koschany)
NOTE: 20240519: Added by Front-Desk (utkarsh)
NOTE: 20240519: 1 buffer-overflow, 1 memory leak, and 2 crashes. I think we
NOTE: 20240519: can postpone these but I am in split mind. Will take it myself
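Review bot: Claiming `dlt-daemon` without a dated NOTE departs from the convention used elsewhere in this file (compare the `NOTE: 20240621:` lines added for ghostscript in this same push); suggest appending a line such as `NOTE: 20240621: Claimed by apo` that also says whether the 20240519 leaning towards postponing the buffer overflow, memory leak and crashes still holds or whether an update is now planned.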
@@ -104,9 +104,13 @@ freeimage
NOTE: 20240412: ELTS also have a need to update this package.
NOTE: 20240412: We should open upstream bug reports and push fixes. See above email discussion. (ola)
--
-ghostscript (Markus Koschany)
+ghostscript
NOTE: 20240510: Added by Front-Desk (ta)
- NOTE: 20240610: Doing some final tests. (apo)
+ NOTE: 20240621: I am returning the package so that someone else can assess
+ NOTE: 20240621: whether we can fix the problems or have to ignore them.
+ NOTE: 20240621: The patches rely on newly introduced API,e.g.
+ NOTE: 20240621: gs_activate_path_control,gs_is_path_control_active. I don't
+ NOTE: 20240621: think it makes sense to introduce those changes without those functions.
--
git (Sean Whitton)
NOTE: 20240519: Added by Front-Desk (utkarsh)
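Review bot: The new NOTE lines returning ghostscript do not say which CVEs remain open for buster, even though this same push marks CVE-2024-33869 and CVE-2024-33870 as not-affected; whoever picks the package up cannot tell from this entry what is left to assess. Suggest listing the remaining CVE ids in the 20240621 notes, and while touching them fix the missing spaces in `API,e.g.` and `gs_activate_path_control,gs_is_path_control_active`.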
@@ -187,10 +191,6 @@ mariadb-10.3
NOTE: 20240610: This version is EOL and I could not find a targeted patch for the
NOTE: 20240610: problem which appears to be not too serious. (apo)
--
-netty (Markus Koschany)
- NOTE: 20240511: Added by (apo)
- NOTE: 20240610: Doing some final tests. (apo)
---
nodejs (rouca)
NOTE: 20240406: Added by Front-Desk (lamby)
--
@@ -305,12 +305,12 @@ tinymce
NOTE: 20231216: upstream's patch is backportable, as the code has changed a
NOTE: 20231216: lot. (spwhitton)
--
-tryton-client
+tryton-client (Markus Koschany)
NOTE: 20240618: Added by coordinator (santiago)
NOTE: 20240618: bookworm pu by maintainer was accepted. LTS Team should take care of bullseye pu along with buster, as suggested by maintainer (santiago)
NOTE: 20240618: https://salsa.debian.org/tryton-team/tryton-client/-/commit/dfa889381d572f5ee229c3eec32cbdff8084d36c
--
-tryton-server
+tryton-server (Markus Koschany)
NOTE: 20240421: Added by Front-Desk (apo)
NOTE: 20240421: Fix causes regressions in tryton client. Waiting for that
NOTE: 20240421: being resolved upstream.
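Review bot: Both tryton entries are claimed, but the existing `tryton-server` NOTE (20240421) says the fix causes regressions in the client and is waiting on upstream, and nothing added here says whether that has been resolved; the only newer pointer is the 20240618 salsa commit under `tryton-client`, which applies to the client package alone. Suggest a dated NOTE on `tryton-server` stating the current upstream status so the claim does not look like it contradicts the earlier note.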
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a6624d77f131b34abef764fb3074fc51448461da...01d5f4db5384365753993280820d9439c2ac3fed