[Git][security-tracker-team/security-tracker][master] 2 commits: Removed runc from dla-needed since no CVEs remain to be fixed.

Ola Lundqvist (@opal) opal at debian.org
Sun Mar 10 22:15:11 GMT 2024



Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f20876c2 by Ola Lundqvist at 2024-03-10T23:07:51+01:00
Removed runc from dla-needed since no CVEs remain to be fixed.

- - - - -
e722a127 by Ola Lundqvist at 2024-03-10T23:09:22+01:00
Reverted decision to remove qemu from dla-needed.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -9128,6 +9128,8 @@ CVE-2024-21626 (runc is a CLI tool for spawning and running containers on Linux
 	NOTE: https://github.com/opencontainers/runc/commit/89c93ddf289437d5c8558b37047c54af6a0edb48
 	NOTE: https://github.com/opencontainers/runc/commit/ee73091a8d28692fa4868bac81aa40a0b05f9780
 	NOTE: https://github.com/opencontainers/runc/commit/d8edada9f252873b88043279a71099db71941dea
+	NOTE: For buster DLA-3735-1 do not completely fix the issue. The rest requires
+	NOTE: backport that is hard to do so that will not be done.
 CVE-2024-24579 (stereoscope is a go library for processing container images and simula ...)
 	NOT-FOR-US: stereoscope
 CVE-2024-24566 (Lobe Chat is a chatbot framework that supports speech synthesis, multi ...)
@@ -44668,7 +44670,7 @@ CVE-2023-3354 (A flaw was found in the QEMU built-in VNC server. When a client c
 	- qemu 1:8.0.4+dfsg-1
 	[bookworm] - qemu 1:7.2+dfsg-7+deb12u2
 	[bullseye] - qemu 1:5.2+dfsg-11+deb11u3
-	[buster] - qemu <ignored> (Minor issue)
+	[buster] - qemu <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2216478
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg01014.html
 	NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62 (v8.0.4)


=====================================
data/dla-needed.txt
=====================================
@@ -192,6 +192,10 @@ python-asyncssh
   NOTE: 20240116: Added by Front-Desk (lamby)
   NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert)
 --
+qemu (Adrian Bunk)
+  NOTE: 20240119: Added by Front-Desk (lamby)
+  NOTE: 20240119: CVE-2023-1544 and CVE-2023-3354 already fixed in bullseye via DSA or point releases; to be fixed or <ignored>. (lamby)
+--
 rails
   NOTE: 20220909: Re-added due to regression (abhijith)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
@@ -213,13 +217,6 @@ ring
 ruby-rack (Adrian Bunk)
   NOTE: 20240306: Added by Front-Desk (opal)
 --
-runc
-  NOTE: 20240204: Added by Front-Desk (ta)
-  NOTE: 20240219: Complete fix for CVE-2024-21626 would require backport of
-  NOTE: 20240219: https://github.com/opencontainers/runc/commit/284ba3057e428f8d6c7afcc3b0ac752e525957df and
-  NOTE: 20240219: https://github.com/opencontainers/runc/commit/e9665f4d606b64bf9c4652ab2510da368bfbd951.
-  NOTE: 20240219: But it uses a link to internal/poll.IsPollDescriptor, introduced in Go 1.12, which I cannot backport (dleidert).
---
 samba
   NOTE: 20230918: Added by Front-Desk (apo)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/82315a7e28b28c15b606431bf909fe71a023f769...e722a12799f2fe393d12ee0eccee2fc385d6da2b

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/82315a7e28b28c15b606431bf909fe71a023f769...e722a12799f2fe393d12ee0eccee2fc385d6da2b
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240310/d5a76847/attachment-0001.htm>


More information about the debian-security-tracker-commits mailing list