[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2021-31684/json-smart was fixed in 2.5.1-1

Adrian Bunk (@bunk) bunk at debian.org
Tue Mar 4 05:20:01 GMT 2025


Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ab17bc9a by Adrian Bunk at 2025-03-04T07:13:28+02:00
CVE-2021-31684/json-smart was fixed in 2.5.1-1

- - - - -
ab8e6456 by Adrian Bunk at 2025-03-04T07:18:32+02:00
CVE-2024-57699/json-smart does not affect bookworm or bullseye

- - - - -
ab0e4dbd by Adrian Bunk at 2025-03-04T07:18:55+02:00
dla: No CVE that needs fixing in json-smart

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -9651,8 +9651,11 @@ CVE-2025-0522 (The LikeBot  WordPress plugin through 0.85 does not have CSRF che
 	NOT-FOR-US: WordPress plugin
 CVE-2024-57699 (A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1.  ...)
 	- json-smart 2.5.2-1 (bug #1095839)
+	[bookworm] - json-smart <not-affected> (Vulnerable code introduced in 2.5.0)
+	[bullseye] - json-smart <not-affected> (Vulnerable code introduced in 2.5.0)
 	NOTE: https://github.com/TurtleLiu/Vul_PoC/tree/main/CVE-2024-57699
 	NOTE: https://github.com/netplex/json-smart-v2/pull/233
+	NOTE: Introduced by: https://github.com/netplex/json-smart-v2/commit/da2e8332395021b3c3b5636a8003377b8e61eaa0 (2.5.0)
 	NOTE: Fixed by: https://github.com/netplex/json-smart-v2/commit/c21d8545e58b2ef2aa16094a09b13ff92adef15c (2.5.2)
 CVE-2024-57598 (A floating point exception (divide-by-zero) vulnerability was discover ...)
 	NOT-FOR-US: Bento4
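Review bot: The added [bookworm] and [bullseye] <not-affected> lines rest only on the upstream version in which the code first appeared ("Vulnerable code introduced in 2.5.0"), so they hold only if the suites' 2.2-based packages carry no backport of the introducing commit. The new "Introduced by:" NOTE already names da2e8332, and the CVE description's range "2.5.0 through 2.5.1" agrees with it. It would be worth confirming that the +deb12u1 and +deb11u1 security uploads did not pull in that change before treating the suites as closed.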
@@ -308805,11 +308808,11 @@ CVE-2021-31685
 	RESERVED
 CVE-2021-31684 (A vulnerability was discovered in the indexOf function of JSONParserBy ...)
 	{DLA-3373-1}
-	- json-smart <unfixed> (unimportant)
+	- json-smart 2.5.1-1 (unimportant)
 	[bookworm] - json-smart 2.2-2+deb12u1
 	[bullseye] - json-smart 2.2-2+deb11u1
 	NOTE: https://github.com/netplex/json-smart-v2/issues/67
-	NOTE: https://github.com/netplex/json-smart-v2/commit/6ecff1c2974eaaab2e74e441bdf5ba8495227bf5
+	NOTE: https://github.com/netplex/json-smart-v2/commit/6ecff1c2974eaaab2e74e441bdf5ba8495227bf5 (2.4.5)
 	NOTE: Security impact disputed by upstream
 CVE-2021-31683
 	RESERVED
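Review bot: The commit NOTE edited in the CVE-2021-31684 entry gains the "(2.4.5)" tag but still has no "Fixed by:" prefix, unlike the fixing-commit NOTE in the CVE-2024-57699 entry earlier in this same patch. Since the line is being touched anyway, prefixing it would make clear that 6ecff1c2 is the fix and not just a reference. The unstable line now reads 2.5.1-1 while the fix is tagged 2.4.5, so a reader has to infer that 2.5.1-1 is the first upload containing it; the commit message could say so.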


=====================================
data/dla-needed.txt
=====================================
@@ -130,9 +130,6 @@ jinja2 (lee)
   NOTE: 20250122: CVE-2024-56326 testcase does not work directly in bullseye.
   NOTE: 20250122: Don't break the Python2 package again as I did (DLA-3988-2). (bunk)
 --
-json-smart
-  NOTE: 20250303: Added by Front-Desk (rouca)
---
 knot-resolver
   NOTE: 20240924: Added by Front-Desk (lamby)
 --
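Review bot: The removed json-smart entry was added by Front-Desk on 20250303, and after this hunk nothing in data/dla-needed.txt records why it was dropped a day later. The rationale is only in the companion data/CVE/list changes ([bullseye] <not-affected> for CVE-2024-57699, and CVE-2021-31684 already at 2.2-2+deb11u1 in bullseye). Naming those two CVEs in the commit message "dla: No CVE that needs fixing in json-smart" would let Front-Desk see the triage result without cross-reading the other file.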



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/03941c5fcf4bbf825eafb7d4b855220b5e6be09f...ab0e4dbd897e38d3c191a54b8d098d3e6bf1a09f
