Markus Koschany pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
80aa198e by Markus Koschany at 2022-06-06T16:17:48+02:00
Remove no-dsa tags for upcoming glib2.0/stretch update
- - - - -
3a282b03 by Markus Koschany at 2022-06-06T16:18:40+02:00
Reserve DLA-3044-1 for glib2.0
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -81971,7 +81971,6 @@ CVE-2016-20009 (** UNSUPPORTED WHEN ASSIGNED ** A DNS
client stack-based buffer
CVE-2021-28153 (An issue was discovered in GNOME GLib before 2.66.8. When
g_file_repla ...)
- glib2.0 2.66.7-2 (bug #984969)
[buster] - glib2.0 2.58.3-2+deb10u3
- [stretch] - glib2.0 <postponed> (Minor issue, directory traversal
exploitable in file-roller)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2325
CVE-2021-3435
RESERVED
@@ -85138,13 +85137,11 @@ CVE-2021-21299 (hyper is an open-source HTTP library
for Rust (crates.io). In hy
CVE-2021-27218 (An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x
before ...)
- glib2.0 2.66.7-1 (bug #982779)
[buster] - glib2.0 2.58.3-2+deb10u3
- [stretch] - glib2.0 <postponed> (fix along with CVE-2021-27219)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942
NOTE: Test case depends on CVE-2021-27219 fix
CVE-2021-27219 (An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x
before ...)
- glib2.0 2.66.6-1 (bug #982778)
[buster] - glib2.0 2.58.3-2+deb10u3
- [stretch] - glib2.0 <postponed> (requires fixing vulnerable rdeps,
follow buster strategy)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2319
NOTE: Fix introduces new API 'g_memdup2'
NOTE: Fix backport in 2.66.7 adds 'g_memdup2' for internal use but does
not allow fixing reverse-dependencies using vulnerable 'g_memdup'
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[06 Jun 2022] DLA-3044-1 glib2.0 - security update
+ {CVE-2021-27218 CVE-2021-27219 CVE-2021-28153}
+ [stretch] - glib2.0 2.50.3-2+deb9u3
[06 Jun 2022] DLA-3043-1 pidgin - security update
{CVE-2022-26491}
[stretch] - pidgin 2.12.0-1+deb9u1
=====================================
data/dla-needed.txt
=====================================
@@ -75,10 +75,6 @@ gerbv
NOTE: 20220326: CVE-2021-40401 is fixed
https://salsa.debian.org/lts-team/packages/gerbv/-/blob/debian/stretch/debian/patches/CVE-2021-40401.patch
(Anton)
NOTE: 20220326: CVE-2021-4040{0,2,3} do not have confirmed upstream fixes
yet. (Anton)
--
-glib2.0 (Markus Koschany)
- NOTE: 20220529: Programming language: C.
- NOTE: 20220523: Follow buster: harmonize with with Debian 10.10 (3 CVEs)
(Beuc/front-desk)
---
golang-github-hashicorp-go-getter (Thorsten Alteholz)
NOTE: 20220529: Programming language: Go.
NOTE: 20220528: limited golang support in stretch (cf. stretch release notes)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b526681161ce2744e2e0149f628421b8651ff3f2...3a282b03f469dc9c5868e17ab5a034182f4f596e
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b526681161ce2744e2e0149f628421b8651ff3f2...3a282b03f469dc9c5868e17ab5a034182f4f596e
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
