[Git][security-tracker-team/security-tracker][master] Reserve DLA-3844-1 for git

Sean Whitton (@spwhitton) spwhitton at debian.org
Wed Jun 26 09:44:24 BST 2024



Sean Whitton pushed to branch master at Debian Security Tracker / security-tracker


Commits:
25cc6b9d by Sean Whitton at 2024-06-26T16:43:55+08:00
Reserve DLA-3844-1 for git

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -93905,7 +93905,6 @@ CVE-2023-29007 (Git is a revision control system. Prior to versions 2.30.9, 2.31
 	- git 1:2.40.1-1 (bug #1034835)
 	[bookworm] - git <no-dsa> (Minor issue)
 	[bullseye] - git <no-dsa> (Minor issue)
-	[buster] - git <no-dsa> (Minor issue)
 	NOTE: https://lore.kernel.org/lkml/xmqqa5yv3n93.fsf@gitster.g/
 	NOTE: https://github.com/git/git/commit/29198213c9163c1d552ee2bdbf78d2b09ccc98b8 (v2.30.9)
 	NOTE: https://github.com/git/git/commit/a5bb10fd5e74101e7c07da93e7c32bbe60f6173a (v2.30.9)
@@ -103789,7 +103788,6 @@ CVE-2023-25815 (In Git for Windows, the Windows port of Git, no localized messag
 	- git 1:2.40.1-1 (bug #1034835)
 	[bookworm] - git <no-dsa> (Minor issue)
 	[bullseye] - git <no-dsa> (Minor issue)
-	[buster] - git <no-dsa> (Minor issue)
 	NOTE: https://lore.kernel.org/lkml/xmqqa5yv3n93.fsf@gitster.g/
 	NOTE: https://github.com/git/git/commit/c4137be0f5a6edf9a9044e6e43ecf4468c7a4046 (v2.30.9)
 CVE-2023-25814 (metersphere is an open source continuous testing platform. In versions ...)
@@ -104602,7 +104600,6 @@ CVE-2023-25652 (Git is a revision control system. Prior to versions 2.30.9, 2.31
 	- git 1:2.40.1-1 (bug #1034835)
 	[bookworm] - git <no-dsa> (Minor issue)
 	[bullseye] - git <no-dsa> (Minor issue)
-	[buster] - git <no-dsa> (Minor issue)
 	NOTE: https://lore.kernel.org/lkml/xmqqa5yv3n93.fsf@gitster.g/
 	NOTE: https://github.com/git/git/commit/9db05711c98efc14f414d4c87135a34c13586e0b (v2.30.9)
 CVE-2023-25651 (There is a SQL injection vulnerability in some ZTE mobile internetprod ...)
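Review bot: only three of the eight CVEs named in the new DLA-3844-1 entry (CVE-2023-29007, CVE-2023-25815, CVE-2023-25652) have their `[buster] - git <no-dsa> (Minor issue)` line dropped here; the remaining five (CVE-2019-1387, CVE-2024-32002, CVE-2024-32004, CVE-2024-32021, CVE-2024-32465) show no change in data/CVE/list in this commit. Please confirm their buster entries do not still carry a `<no-dsa>` or `<postponed>` marker that would contradict the DLA's fixed version 1:2.20.1-2+deb10u9.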


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[26 Jun 2024] DLA-3844-1 git - security update
+	{CVE-2019-1387 CVE-2023-25652 CVE-2023-25815 CVE-2023-29007 CVE-2024-32002 CVE-2024-32004 CVE-2024-32021 CVE-2024-32465}
+	[buster] - git 1:2.20.1-2+deb10u9
 [25 Jun 2024] DLA-3843-1 linux-5.10 - security update
 	{CVE-2022-48655 CVE-2023-52585 CVE-2023-52882 CVE-2024-26900 CVE-2024-27398 CVE-2024-27399 CVE-2024-27401 CVE-2024-35848 CVE-2024-35947 CVE-2024-36017 CVE-2024-36031 CVE-2024-36883 CVE-2024-36886 CVE-2024-36889 CVE-2024-36902 CVE-2024-36904 CVE-2024-36905 CVE-2024-36916 CVE-2024-36919 CVE-2024-36929 CVE-2024-36933 CVE-2024-36934 CVE-2024-36939 CVE-2024-36940 CVE-2024-36941 CVE-2024-36946 CVE-2024-36950 CVE-2024-36953 CVE-2024-36954 CVE-2024-36957 CVE-2024-36959 CVE-2024-36960}
 	[buster] - linux-5.10 5.10.218-1~deb10u1
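Review bot: the CVE set for DLA-3844-1 includes CVE-2024-32004 but not CVE-2024-32020, although the dla-needed.txt notes removed in this same commit pair both as having upstream fixes with a usability regression that were not going to be applied. If CVE-2024-32020 stays unfixed in buster, its data/CVE/list entry needs a buster tag (`<postponed>` or `<no-dsa>`) so it is not reported as open for the package after the DLA lands.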


=====================================
data/dla-needed.txt
=====================================
@@ -112,16 +112,6 @@ ghostscript
   NOTE: 20240621: gs_activate_path_control,gs_is_path_control_active. I don't
   NOTE: 20240621: think it makes sense to introduce those changes without those functions.
 --
-git (Sean Whitton)
-  NOTE: 20240519: Added by Front-Desk (utkarsh)
-  NOTE: 20240519: there are other no-dsa/postponed issues as well, please batch
-  NOTE: 20240519: them, too. Newer ones are RCE and have high severity. (utkarsh)
-  NOTE: 20240610: Upstream fixes for CVE-2024-32004, CVE-2024-32020 have
-  NOTE: 20240610: usability regression.  We will not apply them for now.
-  NOTE: 20240610: Fix for CVE-2024-32465 apparently fixes CVE-2024-32004 as a
-  NOTE: 20240610: byproduct.  I am working on testing that claim.  (spwhitton)
-  NOTE: 20240618: Discussing bullseye with secteam & Jonathan Nieder (spwhitton).
---
 glibc (Adrian Bunk)
   NOTE: 20240504: Re-add for remaining CVEs. (bunk)
   NOTE: 20240520: Testing fixes. (bunk)
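Review bot: dropping the git entry discards the NOTE: 20240610 lines stating that the CVE-2024-32465 fix was believed to cover CVE-2024-32004 as a byproduct and that this claim was still being tested. Since DLA-3844-1 lists CVE-2024-32004 as fixed, the outcome of that test should be recorded where it survives, for example as a NOTE on the CVE-2024-32004 entry in data/CVE/list, before this context is removed.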



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25cc6b9d48fecdad5ca5e081ceedca4c8b50b0e7
