Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1d34d950 by Markus Koschany at 2022-08-29T00:47:54+02:00
Remove no-dsa tags for upcoming curl update

- - - - -
cd62cd85 by Markus Koschany at 2022-08-29T00:49:45+02:00
Reserve DLA-3085-1 for curl

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -112122,13 +112122,11 @@ CVE-2021-22948 (Vulnerability in the generation of 
session IDs in revive-adserve
 CVE-2021-22947 (When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or 
POP3 se ...)
        {DSA-5197-1 DLA-2773-1}
        - curl 7.79.1-1
-       [buster] - curl <no-dsa> (Minor issue)
        NOTE: https://curl.se/docs/CVE-2021-22947.html
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68 
(curl-7_79_0)
 CVE-2021-22946 (A user can tell curl &gt;= 7.20.0 and &lt;= 7.78.0 to require 
a succes ...)
        {DSA-5197-1 DLA-2773-1}
        - curl 7.79.1-1 (bug #1017589)
-       [buster] - curl <no-dsa> (Minor issue)
        NOTE: https://curl.se/docs/CVE-2021-22946.html
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca 
(curl-7_79_0)
 CVE-2021-22945 (When sending data to an MQTT server, libcurl &lt;= 7.73.0 and 
7.78.0 c ...)
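
Review bot: On the CVE-2021-22947 and CVE-2021-22946 entries the cross-reference line "{DSA-5197-1 DLA-2773-1}" is left as it was while the "[buster] - curl <no-dsa> (Minor issue)" lines are dropped, so after this hunk nothing in either entry says anything about buster or points to DLA-3085-1. Both ids are in the DLA-3085-1 set added in data/DLA/list, so the status can be derived from there; if the brace line is not regenerated from that file, add DLA-3085-1 to it in this change. The same holds for CVE-2021-22924 and CVE-2021-22898 in the following hunks.
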
@@ -112206,7 +112204,6 @@ CVE-2021-22925 (curl supports the `-t` command line 
option, known as `CURLOPT_TE
 CVE-2021-22924 (libcurl keeps previously used connections in a connection pool 
for sub ...)
        {DSA-5197-1 DLA-2734-1}
        - curl 7.79.1-1 (bug #991492)
-       [buster] - curl <no-dsa> (Minor issue)
        NOTE: https://curl.se/docs/CVE-2021-22924.html
        NOTE: Introduced by: 
https://github.com/curl/curl/commit/89721ff04af70f527baae1368f3b992777bf6526 
(curl-7_10_4)
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161 
(curl-7_78_0)
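
Review bot: CVE-2021-22925, which appears only in this hunk's header, is not among the CVE ids listed for DLA-3085-1 in data/DLA/list, and its entry is not touched anywhere in this diff. If its buster line also carries a <no-dsa> tag it will keep that state after the curl update, so please confirm that leaving it out is intended. The removal on CVE-2021-22924 itself matches the DLA-3085-1 id list.
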
@@ -112291,7 +112288,6 @@ CVE-2021-22899 (A command injection vulnerability 
exists in Pulse Connect Secure
 CVE-2021-22898 (curl 7.7 through 7.76.1 suffers from an information disclosure 
when th ...)
        {DSA-5197-1 DLA-2734-1}
        - curl 7.79.1-1 (bug #989228)
-       [buster] - curl <no-dsa> (Minor issue)
        NOTE: https://curl.se/docs/CVE-2021-22898.html
        NOTE: Introduced by: 
https://github.com/curl/curl/commit/a1d6ad26100bc493c7b04f1301b1634b7f5aa8b4 
(7.7)
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/39ce47f219b09c380b81f89fe54ac586c8db6bde 
(7.77.0)
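
Review bot: Style nit on the context NOTE lines of CVE-2021-22898: the release labels are written "(7.7)" and "(7.77.0)", while the other curl entries in this diff use the upstream tag form, for example "(curl-7_78_0)" and "(curl-7_79_0)". Not introduced by this change, but since the entry is being edited anyway it could be aligned in a follow-up. The <no-dsa> removal is consistent with CVE-2021-22898 being in the DLA-3085-1 set.
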


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[29 Aug 2022] DLA-3085-1 curl - security update
+       {CVE-2021-22898 CVE-2021-22924 CVE-2021-22946 CVE-2021-22947 
CVE-2022-22576 CVE-2022-27776 CVE-2022-27781 CVE-2022-27782 CVE-2022-32206 
CVE-2022-32208}
+       [buster] - curl 7.64.0-4+deb10u3
 [27 Aug 2022] DLA-3084-1 ndpi - security update
        {CVE-2020-15472 CVE-2020-15476}
        [buster] - ndpi 2.6-3+deb10u1
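
Review bot: The DLA-3085-1 id list names ten CVEs, but the data/CVE/list hunks in this diff only touch the four 2021 entries; CVE-2022-22576, CVE-2022-27776, CVE-2022-27781, CVE-2022-27782, CVE-2022-32206 and CVE-2022-32208 are not visible here. Please check that none of those six still has a [buster] <no-dsa> or similar triage line that would contradict the fixed version "7.64.0-4+deb10u3". Since the commit reserves the DLA ahead of the update, the version string should also be checked against what is actually uploaded.
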


=====================================
data/dla-needed.txt
=====================================
@@ -27,10 +27,6 @@ apache2
 asterisk (Markus Koschany)
   NOTE: 20220810: Programming language: C.
 --
-curl (Markus Koschany)
-  NOTE: 20220802: Programming language: C.
-  NOTE: 20220821: VCS: https://salsa.debian.org/lts-team/packages/curl
---
 exiv2 (Roberto C. Sánchez)
   NOTE: 20220819: Programming language: C++.
   NOTE: 20220819: 
https://github.com/Exiv2/exiv2/commit/109d5df7abd329f141b500c92a00178d35a6bef3#diff-bd28aafd4c87975a3a236af74c2200db447587fa0bb4f43ba9beb98738c77b2aL292
 does not directly apply, but a very quick glance suggests the earlier code may 
be equally vulnerable. (Chris Lamb)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cd30c18b586b62b3e2cd6937fb68b5117842e75b...cd62cd85632ef4e5e618d4d986524d5a36308573
