Sylvain Beucler pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
9e5eda01 by Sylvain Beucler at 2023-03-03T16:16:00+01:00
golang* buster triage/harmonization
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -8419,6 +8419,7 @@ CVE-2023-0476 (A LDAP injection vulnerability exists in
Tenable.sc due to improp
NOT-FOR-US: Tenable
CVE-2023-0475 (HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to
decompressi ...)
- golang-github-hashicorp-go-getter <unfixed> (bug #1032100)
+ [buster] - golang-github-hashicorp-go-getter <postponed> (Limited
support, minor issue, follow bullseye DSAs/point-releases)
NOTE:
https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125
CVE-2023-0474 (Use after free in GuestView in Google Chrome prior to
109.0.5414.119 a ...)
{DSA-5328-1}
@@ -37702,6 +37703,7 @@ CVE-2022-41728
RESERVED
CVE-2022-41727 (An attacker can craft a malformed TIFF image which will
consume a sign ...)
- golang-golang-x-image 0.5.0-1
+ [buster] - golang-golang-x-image <postponed> (Limited support, minor
issue, DoS)
CVE-2022-41726
RESERVED
CVE-2022-41725 (A denial of service is possible from excessive resource
consumption in ...)
@@ -50332,7 +50334,7 @@ CVE-2021-4236 (Web Sockets do not execute any
AuthenticateMethod methods which m
NOT-FOR-US: ecnepsnai/web
CVE-2021-4235 (Due to unbounded alias chasing, a maliciously crafted YAML file
can ca ...)
- golang-yaml.v2 2.2.8-1
- [buster] - golang-yaml.v2 <postponed> (Limited support, minor issue,
DoS, follow bullseye DSAs/point-releases)
+ [buster] - golang-yaml.v2 <postponed> (Limited support, minor issue,
DoS)
NOTE:
https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241
(v2.2.3)
NOTE: https://github.com/go-yaml/yaml/pull/375
NOTE: https://pkg.go.dev/vuln/GO-2021-0061
@@ -50340,13 +50342,14 @@ CVE-2020-36569 (Authentication is globally bypassed
in github.com/nanobox-io/gol
NOT-FOR-US: golang-nanoauth
CVE-2020-36568 (Unsanitized input in the query parser in
github.com/revel/revel before ...)
- golang-github-revel-revel 1.0.0-1
+ [buster] - golang-github-revel-revel <postponed> (Limited support,
minor issue, DoS)
NOTE: https://github.com/revel/revel/pull/1427
NOTE:
https://github.com/revel/revel/commit/d160ecb72207824005b19778594cbdc272e8a605
(v1.0.0)
NOTE: https://github.com/revel/revel/issues/1424
NOTE: https://pkg.go.dev/vuln/GO-2020-0003
CVE-2020-36567 (Unsanitized input in the default logger in
github.com/gin-gonic/gin be ...)
- golang-github-gin-gonic-gin 1.6.3-1
- [buster] - golang-github-gin-gonic-gin <postponed> (Limited support,
minor issue, follow bullseye DSAs/point-releases)
+ [buster] - golang-github-gin-gonic-gin <postponed> (Limited support,
minor issue)
NOTE: https://github.com/gin-gonic/gin/pull/2237
NOTE:
https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d
(v1.6.0)
CVE-2020-36566 (Due to improper path santization, archives containing relative
file pa ...)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e5eda018f4e1f8cfcfda4ea33c7c7b28bfe5131
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e5eda018f4e1f8cfcfda4ea33c7c7b28bfe5131
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
