[Git][security-tracker-team/security-tracker][master] Reserve DLA-4107-1 for openjpeg2
Markus Koschany (@apo)
apo at debian.org
Tue Apr 1 22:33:10 BST 2025
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e996ca84 by Markus Koschany at 2025-04-01T23:32:58+02:00
Reserve DLA-4107-1 for openjpeg2
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -256753,7 +256753,6 @@ CVE-2022-25348 (Untrusted search path vulnerability in AttacheCase ver.4.0.2.7 a
CVE-2022-1122 (A flaw was found in the opj2_decompress program in openjpeg2 2.4.0 in ...)
{DLA-2975-1}
- openjpeg2 2.5.0-1
- [bullseye] - openjpeg2 <no-dsa> (Minor issue)
[buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1368
NOTE: https://github.com/uclouvain/openjpeg/commit/0afbdcf3e6d0d2bd2e16a0c4d513ee3cf86e460d
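Review bot: With the `[bullseye] - openjpeg2 <no-dsa> (Minor issue)` line dropped from the CVE-2022-1122 entry, the cross-reference line above it still reads `{DLA-2975-1}` only, so nothing in this hunk ties bullseye to the new advisory. Confirm that the cross-reference gains DLA-4107-1 when the lists are regenerated, so that bullseye resolves to the version recorded in data/DLA/list. The same check applies to the CVE-2021-3575 and CVE-2021-29338 hunks that follow, which keep `{DSA-5851-1}` and `{DLA-2975-1}` unchanged.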
@@ -312737,7 +312736,6 @@ CVE-2021-3575 (A heap-based buffer overflow was found in openjpeg in color.c:379
{DSA-5851-1}
[experimental] - openjpeg2 2.5.3-1~exp1
- openjpeg2 2.5.3-1 (bug #989775)
- [bullseye] - openjpeg2 <no-dsa> (Minor issue)
[buster] - openjpeg2 <no-dsa> (Minor issue)
[stretch] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1347
@@ -324922,7 +324920,6 @@ CVE-2021-29339
CVE-2021-29338 (Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash t ...)
{DLA-2975-1}
- openjpeg2 2.4.0-4 (bug #987276)
- [bullseye] - openjpeg2 <no-dsa> (Minor issue)
[buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1338
NOTE: https://github.com/uclouvain/openjpeg/commit/79c7d7af598b778c3cdcb455df23d50efc95eb3c
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[01 Apr 2025] DLA-4107-1 openjpeg2 - security update
+ {CVE-2021-3575 CVE-2021-29338 CVE-2022-1122 CVE-2024-56826 CVE-2024-56827}
+ [bullseye] - openjpeg2 2.4.0-3+deb11u1
[01 Apr 2025] DLA-4106-1 jetty9 - security update
{CVE-2024-6762 CVE-2024-8184 CVE-2024-9823}
[bullseye] - jetty9 9.4.57-0+deb11u1
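Review bot: The new DLA-4107-1 entry lists five CVEs, but data/CVE/list is touched in this commit for only three of them (CVE-2021-3575, CVE-2021-29338, CVE-2022-1122); there are no hunks for CVE-2024-56826 or CVE-2024-56827. Check whether those two entries still carry a bullseye annotation that should be removed in the same commit, so that all five CVEs are treated consistently.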
=====================================
data/dla-needed.txt
=====================================
@@ -197,10 +197,6 @@ openafs
NOTE: 20250102: Looking at CVE-2024-10394 (abhijith)
NOTE: 20250203: https://people.debian.org/~abhijith/upload/openafs_patches/ (abhijith)
--
-openjpeg2 (Markus Koschany)
- NOTE: 20250105: Added by Front-Desk (apo)
- NOTE: 20250224: Discovered two regressions. I plan to release on Wednesday. (apo)
---
pagure
NOTE: 20250117: Added by Front-Desk (rouca)
NOTE: 20250119: Coordinate with ds (rouca/FD)
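Review bot: The removed openjpeg2 entry carries the note `20250224: Discovered two regressions. I plan to release on Wednesday.`, while the commit message says only `Reserve DLA-4107-1 for openjpeg2`. Once this entry is gone from data/dla-needed.txt, that note is the only visible record of the regressions, so a line in the commit message stating how they were handled before the release would preserve the context.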
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e996ca84e437395a906f387a7b113b44b29bb312