Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
11747c06 by Sylvain Beucler at 2022-05-28T10:04:53+02:00
CVE-2022-1897,CVE-2022-1898/vim: stretch postponed

- - - - -
c39411f3 by Sylvain Beucler at 2022-05-28T10:04:54+02:00
CVE-2022-0544,CVE-2022-0545,CVE-2022-0546/blender: reference patches, fixed in unstable

- - - - -
ad71d603 by Sylvain Beucler at 2022-05-28T10:04:54+02:00
dla: add blender

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -175,12 +175,14 @@ CVE-2022-1898 (Use After Free in GitHub repository 
vim/vim prior to 8.2. ...)
        - vim <unfixed>
        [bullseye] - vim <no-dsa> (Minor issue)
        [buster] - vim <no-dsa> (Minor issue)
+       [stretch] - vim <postponed> (Minor issue)
        NOTE: https://huntr.dev/bounties/45aad635-c2f1-47ca-a4f9-db5b25979cea
        NOTE: 
https://github.com/vim/vim/commit/e2fa213cf571041dbd04ab0329303ffdc980678a 
(v8.2.5024)
 CVE-2022-1897 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. 
...)
        - vim <unfixed>
        [bullseye] - vim <no-dsa> (Minor issue)
        [buster] - vim <no-dsa> (Minor issue)
+       [stretch] - vim <postponed> (Minor issue)
        NOTE: https://huntr.dev/bounties/82c12151-c283-40cf-aa05-2e39efa89118
        NOTE: 
https://github.com/vim/vim/commit/338f1fc0ee3ca929387448fe464579d6113fa76a 
(v8.2.5023)
 CVE-2022-1896
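
Review bot: The two added `[stretch] - vim <postponed> (Minor issue)` lines reuse the reason given for the `<no-dsa>` entries on bullseye and buster, so the entry does not show what the stretch fix is waiting on. Both CVEs are memory-safety bugs (use after free, out-of-bounds write) with upstream commits already referenced; consider extending the parenthetical to state the plan, for example `(Minor issue, fix along with next DLA)`, so triage for the next vim upload picks them up.
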
@@ -20285,19 +20287,24 @@ CVE-2022-0547 (OpenVPN 2.1 until v2.4.12 and v2.5.6 
may enable authentication by
        NOTE: 
https://github.com/OpenVPN/openvpn/commit/58ec3bb4aac77131118dbbc39a65181e7847adee
 (v2.4.12)
        NOTE: 
https://github.com/OpenVPN/openvpn/commit/af3e382649d96ae77cc5e42be8270f355e5cfec5
 (v2.5.6)
 CVE-2022-0546 (A missing bounds check in the image loader used in Blender 3.x 
and 2.9 ...)
-       - blender <unfixed>
+       - blender 3.1.2+dfsg-1
        NOTE: Issue: https://developer.blender.org/T94572
        NOTE: Patch: https://developer.blender.org/D11952
+       NOTE: 
https://developer.blender.org/rB77616082f44da5258faf9ec0d53618c721b88c62 
(v3.1.0)
+       NOTE: 
https://developer.blender.org/rB1ee4e6bf31ff32f87f9cd1eafa548d6811794380 
(v2.93.9)
 CVE-2022-0545 (An integer overflow in the processing of loaded 2D images leads 
to a w ...)
-       - blender <unfixed>
+       - blender 3.1.2+dfsg-1
        NOTE: Issue: https://developer.blender.org/T94629
        NOTE: Patch: https://developer.blender.org/D13744
+       NOTE: 
https://developer.blender.org/rB82858ca3f4e6dc6f840af9306c350900abd491fc 
(v3.1.0)
+       NOTE: 
https://developer.blender.org/rBe07f16776bca5e9494e6b143170f31d5eeb160ce 
(v2.93.8)
+       NOTE: 
https://developer.blender.org/rB63fdcbb5889e31b5f07d8d5c8e923cc57900fe1b 
(v2.83.19)
 CVE-2022-0544 (An integer underflow in the DDS loader of Blender leads to an 
out-of-b ...)
-       - blender <unfixed>
+       - blender 3.1.2+dfsg-1
        NOTE: Issue: https://developer.blender.org/T94661
-       NOTE: 
https://developer.blender.org/rB0ac83d05d7cccec436bb939e0aa768f6a3d77d72
-       NOTE: 
https://developer.blender.org/rBbbad834f1c2a1f7030ed9741c486b23241e8885e
-       NOTE: 
https://developer.blender.org/rBd9dd8c287f57716a827483973c31bbb2face2816
+       NOTE: 
https://developer.blender.org/rBd9dd8c287f57716a827483973c31bbb2face2816 
(v3.1.0)
+       NOTE: 
https://developer.blender.org/rBbbad834f1c2a1f7030ed9741c486b23241e8885e 
(v2.93.8)
+       NOTE: 
https://developer.blender.org/rB0ac83d05d7cccec436bb939e0aa768f6a3d77d72 
(v2.83.19)
 CVE-2022-0543 (It was discovered, that redis, a persistent key-value database, 
due to ...)
        {DSA-5081-1}
        - redis 5:6.0.16-2 (bug #1005787)
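
Review bot: CVE-2022-0546 now lists fix commits for v3.1.0 and v2.93.9 only, while CVE-2022-0545 and CVE-2022-0544 each also list a v2.83.19 commit; the entry does not say whether the 2.83 branch is unaffected or simply has no backport. Since the same push queues blender in data/dla-needed.txt, add a NOTE stating which it is. The new commit NOTEs under CVE-2022-0546 and CVE-2022-0545 could also carry a label such as `Fixed by:` to match the existing `Issue:` and `Patch:` lines.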


=====================================
data/dla-needed.txt
=====================================
@@ -25,6 +25,10 @@ asterisk (Abhijith PA)
 avahi
   NOTE: 20220523: Follow buster: harmonize with with Debian 10.9 (1 
Debian-specific CVE) (Beuc/front-desk)
 --
+blender
+  NOTE: 20220528: 3 CVEs now fixed in unstable, but maintainer never was 
approached to fix in stable/oldstable,
+  NOTE: 20220528: maybe coordinate with them (Beuc/front-desk)
+--
 cgal
   NOTE: 20220421: many no-dsa issues, please check, whether it is possible to 
fix them without uploading a new upstream release (Anton)
 --
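
Review bot: The new blender entry says "3 CVEs now fixed in unstable" without naming them, and its first NOTE ends on a trailing comma with the sentence continuing under a second dated NOTE. Listing CVE-2022-0544, CVE-2022-0545 and CVE-2022-0546 and making each NOTE a complete statement would let whoever claims the package act on it without going back to data/CVE/list.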



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/2e45b3adfe45f58ccb8617b66753e7b622dc8efc...ad71d603efae70eaa0601623f77dd230a7a5beec
