[Git][security-tracker-team/security-tracker][master] Reserve DLA-4130-1 for shadow

Fri Apr 18 19:57:46 BST 2025


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3723dd23 by Sylvain Beucler at 2025-04-18T20:57:30+02:00
Reserve DLA-4130-1 for shadow

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -158877,7 +158877,6 @@ CVE-2023-4649 (Session Fixation in GitHub repository instantsoft/icms2 prior to
 CVE-2023-4641 (A flaw was found in shadow-utils. When asking for a new password, shad ...)
 	- shadow 1:4.13+dfsg1-2 (bug #1051062)
 	[bookworm] - shadow <no-dsa> (Minor issue)
-	[bullseye] - shadow <no-dsa> (Minor issue)
 	[buster] - shadow <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2215945
 	NOTE: https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904 (4.14.0-rc1)
@@ -178993,7 +178992,6 @@ CVE-2014-125094 (A vulnerability classified as problematic was found in phpMiniA
 CVE-2023-29383 (In Shadow 4.13, it is possible to inject control characters into field ...)
 	- shadow 1:4.13+dfsg1-2 (bug #1034482)
 	[bookworm] - shadow <no-dsa> (Minor issue)
-	[bullseye] - shadow <no-dsa> (Minor issue)
 	[buster] - shadow <no-dsa> (Minor issue)
 	NOTE: https://github.com/shadow-maint/shadow/pull/687
 	NOTE: Fixed by: https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d (4.14.0-rc1)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[18 Apr 2025] DLA-4130-1 shadow - security update
+	{CVE-2023-4641 CVE-2023-29383}
+	[bullseye] - shadow 1:4.8.1-1+deb11u1
 [17 Apr 2025] DLA-4129-1 libapache2-mod-auth-openidc - security update
 	{CVE-2025-31492}
 	[bullseye] - libapache2-mod-auth-openidc 2.4.9.4-0+deb11u5


=====================================
data/dla-needed.txt
=====================================
@@ -264,13 +264,6 @@ rubygems (kanashiro)
   NOTE: 20250407: CVE-2025-27221 is already fixed in src:rubygems/sid,trixie. (kanashiro)
   NOTE: 20250407: It needs to be fixed in src:ruby3.3 (there are 3 copies of the uri gem, affected by this CVE). (kanashiro)
 --
-shadow (Sylvain Beucler)
-  NOTE: 20250105: Added by Front-Desk (apo)
-  NOTE: 20250105: shadow is a high-profile package. Upstream discussion for CVE-2024-56433 is
-  NOTE: 20250105: ongoing. I'm adding it to dla-needed.txt to keep it on our radar.
-  NOTE: 20250409: CVE-2024-56433 disputed and stalled, but see postponed issues (Beuc/front-desk)
-  NOTE: 20250418: Upcoming PU: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102139 (Beuc)
---
 simplesamlphp
   NOTE: 20250331: Added by Front-Desk (apo)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3723dd23455ecb8629b9274f625ceb98972f353c

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3723dd23455ecb8629b9274f625ceb98972f353c
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250418/904c642e/attachment-0001.htm>
