[Git][security-tracker-team/security-tracker][master] Reserve DLA-3938-1 for exim4

Markus Koschany (@apo) apo at debian.org
Mon Oct 28 11:08:28 GMT 2024



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0d01657c by Markus Koschany at 2024-10-28T12:08:15+01:00
Reserve DLA-3938-1 for exim4

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -97993,7 +97993,6 @@ CVE-2023-38870 (A SQL injection vulnerability exists in gugoan Economizzer commi
 CVE-2023-42119 (Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability. Th ...)
 	- exim4 4.97~RC2-2
 	[bookworm] - exim4 4.96-15+deb12u3
-	[bullseye] - exim4 <no-dsa> (Minor issue; use Exim4 with a trustworthy DNS resolver able to validate the data according to the DNS record types)
 	[buster] - exim4 <no-dsa> (Minor issue; use Exim4 with a trustworthy DNS resolver able to validate the data according to the DNS record types)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1473/
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=3033
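Review bot: dropping the `[bullseye] - exim4 <no-dsa>` line is only correct if a DLA entry now records a fixed bullseye version for CVE-2023-42119; otherwise the tracker would show bullseye as vulnerable with no annotation at all. The data/DLA/list hunk in this same commit lists CVE-2023-42119 under DLA-3938-1 with exim4 4.94.2-7+deb11u4, so the two hunks are consistent. Keeping the `[buster]` workaround line is expected, since the DLA line only names bullseye.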
@@ -98020,7 +98019,6 @@ CVE-2023-42118 (Exim libspf2 Integer Underflow Remote Code Execution Vulnerabili
 CVE-2023-42117 (Exim Improper Neutralization of Special Elements Remote Code Execution ...)
 	- exim4 4.97~RC2-2
 	[bookworm] - exim4 4.96-15+deb12u3
-	[bullseye] - exim4 <no-dsa> (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy)
 	[buster] - exim4 <no-dsa> (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1471/
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=3031
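Review bot: same dependency as the CVE-2023-42119 hunk above; the removal is justified by CVE-2023-42117 being in the DLA-3938-1 CVE set in data/DLA/list. One wording nit in the surviving `[buster]` context line, not introduced by this change: "Exim4 run behind" should read "runs behind".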
@@ -164321,7 +164319,6 @@ CVE-2022-3560 (A flaw was found in pesign. The pesign package provides a systemd
 	NOTE: https://github.com/rhboot/pesign/commit/d8a8c259994d0278c59b30b41758a8dd0abff998 (116)
 CVE-2022-3559 (A vulnerability was found in Exim and classified as problematic. This  ...)
 	- exim4 4.96-4
-	[bullseye] - exim4 <no-dsa> (Minor issue)
 	[buster] - exim4 <no-dsa> (Minor issue)
 	NOTE: https://bugs.exim.org/show_bug.cgi?id=2915
 	NOTE: https://git.exim.org/exim.git/commit/4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2
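Review bot: after this change nothing in the CVE-2022-3559 entry records why a CVE previously rated "Minor issue" for bullseye is now being fixed there. Consider adding a NOTE saying it was picked up together with the bookworm 12.3 fixes, as the dla-needed.txt notes deleted in this commit ("Consider fixing older postponed CVEs as well") describe, so the change of assessment stays traceable from the CVE entry itself rather than only from git history.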
@@ -251098,7 +251095,6 @@ CVE-2021-38372 (In KDE Trojita 0.7, man-in-the-middle attackers can create new f
 	- trojita <itp> (bug #795701)
 CVE-2021-38371 (The STARTTLS feature in Exim through 4.94.2 allows response injection  ...)
 	- exim4 4.95~RC2-1 (bug #992172)
-	[bullseye] - exim4 <no-dsa> (Minor issue)
 	[buster] - exim4 <no-dsa> (Minor issue)
 	[stretch] - exim4 <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://nostarttls.secvuln.info
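Review bot: the remaining `[stretch] - exim4 <postponed> (Minor issue, revisit when fixed upstream)` context line is now stale: the entry already lists the upstream fix as exim4 4.95~RC2-1, and this commit ships a bullseye fix via DLA-3938-1. If stretch annotations are still being kept current, update or resolve that line; if stretch is out of scope it is harmless but misleading to a reader.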


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[28 Oct 2024] DLA-3938-1 exim4 - security update
+	{CVE-2021-38371 CVE-2022-3559 CVE-2023-42117 CVE-2023-42119}
+	[bullseye] - exim4 4.94.2-7+deb11u4
 [27 Oct 2024] DLA-3937-1 nss - security update
 	{CVE-2024-0743 CVE-2024-6602 CVE-2024-6609}
 	[bullseye] - nss 2:3.61-1+deb11u4
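Review bot: the four CVEs in the braces correspond one-to-one to the four `[bullseye] - exim4 <no-dsa>` annotations removed in data/CVE/list, so each of them will now resolve to 4.94.2-7+deb11u4 for bullseye. Because this line is the only place that fixed version is recorded, check it against the version actually uploaded to bullseye-security before the advisory text goes out. The entry format (date, DLA id, package, CVE set, bullseye version) matches the DLA-3937-1 entry below it.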


=====================================
data/dla-needed.txt
=====================================
@@ -56,13 +56,6 @@ espeak-ng (Abhijith PA)
   NOTE: 20240929: Can be still reproduced (abhijith)
   NOTE: 20241014: Still looking at the incomplete fixes (abhijith)
 --
-exim4
-  NOTE: 20240815: Added by Front-Desk (Beuc)
-  NOTE: 20240815: Follow fixes from bookworm 12.3 (2 CVEs)
-  NOTE: 20240815: Consider fixing older postponed CVEs as well (Beuc/front-desk)
-  NOTE: 20240923: Currently testing the update. (apo)
-  NOTE: 20241010: Fixed some broken patches and will release soonish. (apo)
---
 firmware-nonfree (tobi)
   NOTE: 20241011: Added by Front-Desk (pochu)
   NOTE: 20241011: Update to bookworm version, possibly coordinate upload of
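Review bot: the `--` separator is removed together with the exim4 block, so exactly one separator remains between the espeak-ng and firmware-nonfree entries, and the hunk header (13 lines to 6) matches the seven deleted lines. Removing the entry is the right step once the DLA is reserved; note that the work log in the deleted NOTEs ("Fixed some broken patches and will release soonish") now survives only in git history.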



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d01657cfca28bf1ae2e203e2ecf072fd7f8ffa8


