[Git][security-tracker-team/security-tracker][master] Reserve DLA-3950-1 for libarchive
Adrian Bunk (@bunk)
bunk at debian.org
Mon Nov 11 21:34:03 GMT 2024
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b7c38395 by Adrian Bunk at 2024-11-11T23:33:50+02:00
Reserve DLA-3950-1 for libarchive
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -187412,7 +187412,6 @@ CVE-2022-36228 (Nokelock Smart padlock O1 Version 5.3.0 is vulnerable to Insecur
CVE-2022-36227 (In libarchive before 3.6.2, the software does not check for an error a ...)
{DLA-3294-1}
- libarchive 3.6.2-1 (bug #1024669)
- [bullseye] - libarchive <no-dsa> (Minor issue)
NOTE: https://github.com/libarchive/libarchive/issues/1754
NOTE: https://github.com/libarchive/libarchive/pull/1759
NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/bff38efe8c110469c5080d387bec62a6ca15b1a5
@@ -216215,7 +216214,6 @@ CVE-2022-26281 (BigAnt Server v5.6.06 was discovered to contain an incorrect acc
NOT-FOR-US: BigAnt Server
CVE-2022-26280 (Libarchive v3.6.0 was discovered to contain an out-of-bounds read via ...)
- libarchive 3.6.2-1 (bug #1008953)
- [bullseye] - libarchive <no-dsa> (Minor issue)
[buster] - libarchive <not-affected> (Vulnerable code not present)
[stretch] - libarchive <not-affected> (Vulnerable code not present)
NOTE: https://github.com/libarchive/libarchive/issues/1672
@@ -259212,7 +259210,6 @@ CVE-2021-36977 (matio (aka MAT File I/O Library) 1.5.20 and 1.5.21 has a heap-ba
NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/matio/OSV-2021-440.yaml
CVE-2021-36976 (libarchive 3.4.1 through 3.5.1 has a use-after-free in copy_string (ca ...)
- libarchive 3.6.0-1 (bug #991442)
- [bullseye] - libarchive <no-dsa> (Minor issue)
[buster] - libarchive <not-affected> (Vulnerable code introduced by 47bb818 in version 3.4.1)
[stretch] - libarchive <not-affected> (Vulnerable code introduced by 47bb818 in version 3.4.1)
NOTE: https://github.com/libarchive/libarchive/issues/1554
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[11 Nov 2024] DLA-3950-1 libarchive - security update
+ {CVE-2021-36976 CVE-2022-26280 CVE-2022-36227 CVE-2024-20696}
+ [bullseye] - libarchive 3.4.3-2+deb11u2
[11 Nov 2024] DLA-3949-1 ruby-saml - security update
{CVE-2024-45409}
[bullseye] - ruby-saml 1.11.0-1+deb11u1
=====================================
data/dla-needed.txt
=====================================
@@ -101,11 +101,6 @@ jetty9 (Markus Koschany)
knot-resolver
NOTE: 20240924: Added by Front-Desk (lamby)
--
-libarchive
- NOTE: 20241031: Added by Front-Desk (pochu)
- NOTE: 20241031: look at no-dsa issues as well (pochu)
- NOTE: 20241104: DLA pending, waiting for DSA published (bunk)
---
libxstream-java (Markus Koschany)
NOTE: 20241110: Added by Front-Desk (apo)
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7c38395bf1f56cfb9b21f922ad91c21d79dc3ae
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7c38395bf1f56cfb9b21f922ad91c21d79dc3ae
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20241111/e4ae1fe8/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list