[Git][security-tracker-team/security-tracker][master] Correct tracking for gnutls28 in bullseye

Fri Mar 1 19:13:43 GMT 2024


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4e4d5fe1 by Salvatore Bonaccorso at 2024-03-01T20:11:00+01:00
Correct tracking for gnutls28 in bullseye

gnutls28/3.7.1-5+deb11u5 was meant to enter bullseye in the last point
release, as per #1061190 but looks that the upload did not happen in
time. This means that in fact gnutls28 for bullseye is affected by
CVE-2024-0553 as the incomplete fix for CVE-2023-5981 was applied in
3.7.1-5+deb11u4.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -9847,7 +9847,6 @@ CVE-2024-0569 (A vulnerability classified as problematic has been found in Totol
 CVE-2024-0567 (A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTL ...)
 	- gnutls28 3.8.3-1 (bug #1061045)
 	[bookworm] - gnutls28 3.7.9-2+deb12u2
-	[bullseye] - gnutls28 3.7.1-5+deb11u5
 	[buster] - gnutls28 <not-affected> (Vulnerabity introduced in 3.7)
 	NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1521
 	NOTE: https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-09
@@ -9863,7 +9862,6 @@ CVE-2024-0553 (A vulnerability was found in GnuTLS. The response times to malfor
 	{DLA-3740-1}
 	- gnutls28 3.8.3-1 (bug #1061046)
 	[bookworm] - gnutls28 3.7.9-2+deb12u2
-	[bullseye] - gnutls28 <not-affected> (Incomplete fix for CVE-2023-5981 not published officially in any Debian bullseye release)
 	NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1522
 	NOTE: https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-14
 	NOTE: https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e (3.8.3)
@@ -21168,11 +21166,12 @@ CVE-2023-5981 (A vulnerability was found that the response times to malformed ci
 	{DLA-3660-1}
 	- gnutls28 3.8.2-1 (bug #1056188)
 	[bookworm] - gnutls28 3.7.9-2+deb12u1
-	[bullseye] - gnutls28 3.7.1-5+deb11u5
+	[bullseye] - gnutls28 3.7.1-5+deb11u4
 	NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1511
 	NOTE: https://gnutls.org/security-new.html#GNUTLS-SA-2023-10-23
 	NOTE: https://lists.gnupg.org/pipermail/gnutls-help/2023-November/004837.html
 	NOTE: Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/29d6298d0b04cfff970b993915db71ba3f580b6d (3.8.2)
+	NOTE: Fixing this issue incompletely opens up CVE-2024-0553
 CVE-2023-4889 (The Shareaholic plugin for WordPress is vulnerable to Stored Cross-Sit ...)
 	NOT-FOR-US: WordPress plugin
 CVE-2023-48217 (Statamic is a flat-first, Laravel + Git powered CMS designed for build ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e4d5fe115b52ceab76de5c59e73f38a5dd0601a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e4d5fe115b52ceab76de5c59e73f38a5dd0601a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240301/a5e4a682/attachment.htm>
