[Git][security-tracker-team/security-tracker][master] Reserve DLA-4018-1 for ruby2.7
Bastien Roucariès (@rouca)
rouca at debian.org
Fri Jan 17 23:51:10 GMT 2025
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits:
91cb9787 by Bastien Roucariès at 2025-01-17T23:50:44+00:00
Reserve DLA-4018-1 for ruby2.7
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -39899,7 +39899,6 @@ CVE-2024-43398 (REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has
- ruby3.1 <unfixed> (bug #1083190)
[bookworm] - ruby3.1 <no-dsa> (Minor issue)
- ruby2.7 <removed>
- [bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
NOTE: https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3 (v3.3.6)
CVE-2024-43331 (Missing Authorization vulnerability in VeronaLabs WP SMS.This issue af ...)
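Review bot: dropping the `[bullseye] - ruby2.7 <postponed> (Minor issue, DoS)` line is the right change now that DLA-4018-1 is reserved, since a suite-specific tag would otherwise keep overriding the fixed version that the new data/DLA/list entry supplies for bullseye; the `ruby2.7 <removed>` line for unstable is correctly left in place. The identical removal is repeated below for CVE-2024-41946, CVE-2024-41123, CVE-2024-39908 and CVE-2024-35176.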
@@ -45411,7 +45410,6 @@ CVE-2024-41946 (REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS
- ruby3.1 <unfixed> (bug #1083190)
[bookworm] - ruby3.1 <no-dsa> (Minor issue)
- ruby2.7 <removed>
- [bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
NOTE: https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/
NOTE: https://github.com/ruby/rexml/pull/187
@@ -45434,7 +45432,6 @@ CVE-2024-41123 (REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has
- ruby3.1 <unfixed> (bug #1083190)
[bookworm] - ruby3.1 <no-dsa> (Minor issue)
- ruby2.7 <removed>
- [bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6
NOTE: https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/
NOTE: https://github.com/ruby/rexml/issues/232#issuecomment-2585211411
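Review bot: once the postponed line is gone, the only bullseye-facing justification left for CVE-2024-41123 is the bare link to issues/232#issuecomment-2585211411 in the last NOTE line, and the dla-needed.txt entry removed in this same commit recorded this CVE (with CVE-2024-39908) as still "waiting upstream for more information" as of 20250105. A one-line NOTE saying what that comment settled (which REXML change is the fix, or why the bullseye version is covered) would spare the next maintainer a trip through the upstream thread; the CVE-2024-39908 hunk below carries the same pointer and would benefit from the same note.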
@@ -49307,7 +49304,6 @@ CVE-2024-39908 (REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has
- ruby3.1 <unfixed> (bug #1076768)
[bookworm] - ruby3.1 <no-dsa> (Minor issue)
- ruby2.7 <removed>
- [bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
NOTE: https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/
NOTE: https://github.com/advisories/GHSA-4xqq-m2hx-25v8
NOTE: https://github.com/ruby/rexml/issues/232#issuecomment-2585211411
@@ -68852,7 +68848,6 @@ CVE-2024-35176 (REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has
- ruby3.1 <unfixed> (bug #1071626)
[bookworm] - ruby3.1 <no-dsa> (Minor issue)
- ruby2.7 <removed>
- [bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
- ruby2.5 <removed>
NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
NOTE: Fixed by: https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb (v3.2.7)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[17 Jan 2025] DLA-4018-1 ruby2.7 - security update
+ {CVE-2024-35176 CVE-2024-39908 CVE-2024-41123 CVE-2024-41946 CVE-2024-43398 CVE-2024-49761}
+ [bullseye] - ruby2.7 2.7.4-1+deb11u3
[18 Jan 2025] DLA-4015-2 rsync - security update
[bullseye] - rsync 3.2.3-4+deb11u3
[17 Jan 2025] DLA-4017-1 tomcat9 - security update
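Review bot: the new DLA-4018-1 entry lists six CVEs, but the data/CVE/list hunks in this commit touch only five of them; there is no change for CVE-2024-49761. Please check that CVE-2024-49761 does not still carry a bullseye-specific `<postponed>` or `<no-dsa>` tag for ruby2.7 that would override the 2.7.4-1+deb11u3 fixed version given here. Minor ordering point: the entry dated 17 Jan 2025 is inserted above DLA-4015-2, which is dated 18 Jan 2025, so the head of the list is no longer in descending date order.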
=====================================
data/dla-needed.txt
=====================================
@@ -238,15 +238,6 @@ ruby-sinatra
NOTE: 20241122: Was awaiting approved upstream fix; still working on package. (lamby)
NOTE: 20241204: Returning to pool; have prepared patch for CVE-2024-21510 but tests fail in a way that requires someone better at Ruby than myself. (lamby)
--
-ruby2.7 (rouca)
- NOTE: 20241130: Added by Front-Desk (ta)
- NOTE: 20241130: See also postponed issues.
- NOTE: 20241208: 6 CVEs in REXML that should all be fixed, Ruby and XML knowledge required. (bunk)
- NOTE: 20250105: Fixed CVE-2024-35176, CVE-2024-41946, CVE-2024-49761, CVE-2024-43398 waiting upstream for more information for remaining (rouca)
- NOTE: 20250111: See https://github.com/ruby/rexml/issues/232 (rouca)
- NOTE: 20250112: Wait review https://lists.debian.org/debian-lts/2025/01/msg00011.html
- NOTE: 20250117: Review done some cosmetic modification (rouca)
---
shadow
NOTE: 20250105: Added by Front-Desk (apo)
NOTE: 20250105: shadow is a high-profile package. Upstream discussion for CVE-2024-56433 is
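Review bot: the removal takes the ruby2.7 block together with exactly one `--` separator (the `---` line closing the block), so the remaining entries stay separated by a single `--` and the hunk counts (15 lines to 6) are consistent. The pointers in the dropped NOTEs leave dla-needed.txt with this commit: the upstream issue 232 link survives in the data/CVE/list NOTE lines for CVE-2024-41123 and CVE-2024-39908, but the debian-lts review thread (lists.debian.org/debian-lts/2025/01/msg00011.html) is not recorded anywhere else in this commit, so consider noting it where the DLA text is tracked.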
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91cb97879639bcb0e9e2c59dc64d16d6f64120e2
--
You're receiving this email because of your account on salsa.debian.org.