Stefano Rivera pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
1a5e3bba by Stefano Rivera at 2022-12-27T12:02:25-04:00
Ignore CVE-2022-3287 for buster - vulnerable code was introduced later
- - - - -
ff193807 by Stefano Rivera at 2022-12-27T12:02:27-04:00
Take ceph
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -22735,6 +22735,7 @@ CVE-2022-3288 (A branch/tag name confusion in GitLab
CE/EE affecting all version
CVE-2022-3287 (When creating an OPERATOR user account on the BMC, the redfish
plugin ...)
- fwupd 1.8.5-1
[bullseye] - fwupd <no-dsa> (Minor issue)
+ [buster] - fwupd <not-affected> (Vulnerable code introduced in 1.7.0)
NOTE:
https://github.com/fwupd/fwupd/commit/ea676855f2119e36d433fbd2ed604039f53b2091
(1.8.5)
CVE-2022-3286 (Lack of IP address checking in GitLab EE affecting all versions
from 1 ...)
- gitlab <not-affected> (Only affects Gitlab EE)
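Review bot: The added [buster] line justifies <not-affected> with "Vulnerable code introduced in 1.7.0", but the only NOTE in the entry links the fix commit (1.8.5). Consider adding a NOTE that links the commit which introduced the affected redfish plugin code, so the 1.7.0 boundary can be checked against the buster version without repeating the research. The commit subject says "Ignore" while the tag is <not-affected> rather than <ignored>; the tag matches the stated reason, so it is the subject wording that is imprecise.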
=====================================
data/dla-needed.txt
=====================================
@@ -20,7 +20,7 @@ cacti (guilhem)
NOTE: 20221208: Programming language: PHP.
NOTE: 20221208: VCS: https://salsa.debian.org/cacti-team/cacti/
--
-ceph
+ceph (Stefano Rivera)
NOTE: 20221031: Programming language: C++.
NOTE: 20221031: To be checked further. Not clear whether the vulnerability
can be exploited in a Debian system.
NOTE: 20221031: What should be checked is whether any user with ceph
permission can do the actions described in the exploit. (ola/front-desk)
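Review bot: The claim on the ceph line leaves the 20221031 notes unchanged, and they still read "To be checked further" and say it is not clear whether the vulnerability can be exploited in a Debian system. Once that check is done, record the outcome as a dated NOTE under the entry so the open question from front-desk is visibly answered.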
@@ -62,9 +62,6 @@ fusiondirectory
NOTE: 20221203: Also the package was removed from sid recently (gladk).
NOTE: 20221203: Feel free to marke both CVEs as <ignored>, if they are not
too serious (gladk).
--
-fwupd
- NOTE: 20221003: Programming language: C++.
---
golang-1.11
NOTE: 20220916: Programming language: Go.
NOTE: 20220916: Special attention: limited support; requires rebuilding
reverse build dependencies (though recent bullseye updates didn't)
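Review bot: The removed fwupd entry carried only the "Programming language" note, so this hunk does not show which CVE put the package on the list. Dropping it is justified only if CVE-2022-3287, marked <not-affected> for buster in data/CVE/list, was the sole open issue; confirm that, and mention the dla-needed.txt removal in the commit message, since neither subject ("Ignore CVE-2022-3287 for buster", "Take ceph") names it.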
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/52c3a1e62877cb75a47473a086123b19bd90ec1c...ff193807632c3916bfe557a88aa29bcc1d0a0d60
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits