[Git][security-tracker-team/security-tracker][master] 2 commits: Mark CVE-2024-29508 as postponed for bullseye. All severe CVEs in

Abhijith PA (@abhijith) abhijith at debian.org
Sun Sep 29 14:52:03 BST 2024



Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker


Commits:
57ac19d6 by Abhijith PA at 2024-09-29T19:05:06+05:30
Mark CVE-2024-29508 as postponed for bullseye. All severe CVEs in
this series are already fixed and uploaded by sec team. Can be
tagged with next upload.

- - - - -
da3bad75 by Abhijith PA at 2024-09-29T19:19:19+05:30
Re-claim espeak-ng for bullseye

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -20110,11 +20110,13 @@ CVE-2024-29509 (Artifex Ghostscript before 10.03.0 has a heap-based overflow whe
 CVE-2024-29508 (Artifex Ghostscript before 10.03.0 has a heap-based pointer disclosure ...)
 	{DSA-5760-1}
 	- ghostscript 10.03.0~dfsg-1
+	[bullseye] - ghostscript <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707510
 	NOTE: https://www.openwall.com/lists/oss-security/2024/07/03/7
 	NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=ff1013a0ab485b66783b70145e342a82c670906a (ghostpdl-10.03.0)
 	NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=147e5abd63d82c9ec3587c6f67a5d8ec7dc38e61 (ghostpdl-10.03.0)
 	NOTE: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=d084021e06ba1caa1373fbbcf24a8510f43830ab (ghostpdl-10.03.0)
+	NOTE: http://people.debian.org/~abhijith/CVE-2024-29508.patch (bullseye patch)
 CVE-2024-29507 (Artifex Ghostscript before 10.03.0 sometimes has a stack-based buffer  ...)
 	{DSA-5760-1}
 	- ghostscript 10.03.0~dfsg-1
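Review bot: the added NOTE pointing at the bullseye patch uses a plain http:// URL on people.debian.org; since the link is the only pointer to the patch that will be applied in the next bullseye upload, use https:// so the file cannot be altered in transit, and consider recording in the same NOTE whether the patch was verified against the PoC mentioned in dla-needed.txt, so the postponed tag carries its evidence.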


=====================================
data/dla-needed.txt
=====================================
@@ -68,9 +68,11 @@ edk2
   NOTE: 20240815: bullseye did not get most of DSA 5624-1 security fixes,
   NOTE: 20240815: (10 ipv6-related, postponed CVEs), plus there are older postponed vulnerabilities (Beuc/front-desk)
 --
-espeak-ng
+espeak-ng (Abhijith PA)
   NOTE: 20240816: Added by Front-Desk (Beuc)
   NOTE: 20240816: Follow fixes from bookworm 12.5 (5 CVEs) (Beuc/front-desk)
+  NOTE: 20240929: Upstream patches not enough to fix issues in bullseye. (abhijith)
+  NOTE: 20240929: Can be still reproduced (abhijith)
 --
 exim4 (Markus Koschany)
   NOTE: 20240815: Added by Front-Desk (Beuc)
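Review bot: the two 20240929 notes on espeak-ng do not say which of the five CVEs (from the bookworm 12.5 fixes referenced on the 20240816 line) still reproduce on bullseye, nor which upstream patches were tried; listing the CVE IDs that remain reproducible would let the next person pick up the work without repeating the triage, e.g. "NOTE: 20240929: CVE-... still reproduces after applying upstream commit ... (abhijith)".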
@@ -96,12 +98,6 @@ frr
   NOTE: 20240906: Added by Front-Desk (lamby)
   NOTE: 20240906: NB. There was a recent update, DLA-3865, @ Tue Sep 3 06:55:29 2024 +0200 (lamby)
 --
-ghostscript (abhijith)
-  NOTE: 20240718: Added by oldstable Security Team (carnil)
-  NOTE: 20240815: A bookworm DSA is planned
-  NOTE: 20240815: Coordinate bullseye update with carnil (Beuc/front-desk)
-  NOTE: 20240916: Patch - http://people.debian.org/~abhijith/CVE-2024-29508.patch . Testing against PoC
---
 git
   NOTE: 20240903: Added by Front-Desk (lamby)
 --
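Review bot: removing the ghostscript entry drops the 20240916 note that the bullseye patch was being tested against a PoC, and the outcome of that test is recorded nowhere in this commit; since the CVE is now marked postponed rather than fixed, state the test result (and who will tag the fix at the next upload) in the CVE/list NOTE before deleting the dla-needed record, otherwise the pending bullseye work is only visible through a personal-webspace URL.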



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cef7729159d705b7618060d22ba2b188c92529b2...da3bad75e3f41abcfefd58e96f6bf6386f199884
