Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
76e65624 by Moritz Muehlenhoff at 2023-03-07T15:55:29+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -44948,7 +44948,7 @@ CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a 
CommonMark parsing and re
        - ghostwriter 2.1.6+ds-1 (unimportant)
        - ruby-commonmarker <unfixed>
        [buster] - ruby-commonmarker <no-dsa> (Minor issue)
-       - r-cran-commonmark <unfixed>
+       - r-cran-commonmark 1.8.1-1
        [bullseye] - r-cran-commonmark <no-dsa> (Minor issue)
        NOTE: 
https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
        NOTE: 
https://github.com/github/cmark-gfm/commit/cfcaa0068bf319974fdec283416fcee5035c2d70
 (0.29.0.gfm.6)
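Review bot: the r-cran-commonmark fix version 1.8.1-1 is recorded with nothing in the entry tying it to the cmark-gfm fix; the only fix reference here is the NOTE naming upstream commit cfcaa0068bf3 (0.29.0.gfm.6), which is a cmark-gfm commit, not one in the R package. Add a NOTE (the r-cran-commonmark changelog entry or the commit that bumps its bundled cmark-gfm copy) showing that 1.8.1 contains that fix, otherwise the next reader cannot verify the version from the entry alone.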
@@ -47417,9 +47417,9 @@ CVE-2021-46834 (A permission bypass vulnerability in 
Huawei cross device task ma
        NOT-FOR-US: Huawei
 CVE-2020-36599 (lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and 
before  ...)
        [experimental] - ruby-omniauth 2.0.4-1~exp1
-       - ruby-omniauth <unfixed>
+       - ruby-omniauth 2.0.4-2
        [buster] - ruby-omniauth <no-dsa> (Minor issue)
-       NOTE: 
https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2
 (v2.0.0-rc1)
+       NOTE: 
https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00
 (v2.0.0-rc1)
 CVE-2020-36598
        RESERVED
 CVE-2020-36597
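Review bot: with the fix version now 2.0.4-2, this entry has a [buster] <no-dsa> line but no [bullseye] line, so if bullseye ships a ruby-omniauth below 2.0.4-2 it will now show as open with no triage decision; the CVE-2015-9284 entry further down in this same commit already carries a [bullseye] ruby-omniauth line, so a matching "[bullseye] - ruby-omniauth <no-dsa> (Minor issue)" here would keep the two entries consistent. Dropping the "#diff-..." fragment from the commit URL is fine; the "(v2.0.0-rc1)" tag still identifies the fix.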
@@ -69104,11 +69104,11 @@ CVE-2022-XXXX [RUSTSEC-2022-0022]
        - rust-hyper 0.14.19-1
        NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0022.html
 CVE-2022-XXXX [RUSTSEC-2022-0021]
-       - rust-crossbeam-queue <unfixed>
+       - rust-crossbeam-queue 0.3.5-1
        [bullseye] - rust-crossbeam-queue <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0021.html
 CVE-2022-XXXX [RUSTSEC-2022-0019]
-       - rust-crossbeam-channel <unfixed>
+       - rust-crossbeam-channel 0.4.4-1
        [bullseye] - rust-crossbeam-channel <no-dsa> (Minor issue)
        [buster] - rust-crossbeam-channel <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0019.html
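Review bot: both crossbeam fix versions (rust-crossbeam-queue 0.3.5-1, rust-crossbeam-channel 0.4.4-1) are set without a NOTE recording the upstream patched release they correspond to; the RUSTSEC advisory URLs are the only pointer. A short tag after each advisory NOTE, in the same "(version)" convention used on the cmark-gfm and omniauth NOTEs elsewhere in this file, would let a reader confirm that 0.3.5 and 0.4.4 are the first Debian uploads inside the advisory's patched range rather than merely the versions that happened to be in the archive.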
@@ -137393,9 +137393,10 @@ CVE-2020-36327 (Bundler 1.16.0 through 2.2.9 and 
2.2.11 through 2.2.16 sometimes
        - bundler <removed>
        [buster] - bundler <no-dsa> (Minor issue)
        [stretch] - bundler <no-dsa> (Invasive change, hard to backport; 
chances of regression)
-       - rubygems <unfixed>
-       [bullseye] - rubygems <no-dsa> (Minor issue)
+       - rubygems 3.3.5-1
+       [bullseye] - rubygems <ignored> (Minor issue, too intrusive to backport)
        NOTE: https://github.com/rubygems/rubygems/issues/3982
+       NOTE: https://github.com/rubygems/rubygems/pull/4609
 CVE-2021-3521 (There is a flaw in RPM's signature functionality. OpenPGP 
subkeys are  ...)
        - rpm 4.18.0+dfsg-1 (bug #1014723)
        [bullseye] - rpm <no-dsa> (Minor issue)
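Review bot: the new NOTE for rubygems pull request 4609 carries no version tag, unlike the other fix NOTEs in this file ("(v2.0.0-rc1)", "(0.29.0.gfm.6)"), so it is not visible from the entry whether that PR is what makes 3.3.5-1 the fixed version or only background for the bullseye <ignored> decision; tag it with the rubygems release it landed in. The bullseye change from <no-dsa> to <ignored> is documented with a reason, as the stretch bundler line above also does, so that part reads fine.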
@@ -164120,7 +164121,8 @@ CVE-2019-25011 (NetBox through 2.6.2 allows an 
Authenticated User to conduct an
        NOT-FOR-US: NetBox
 CVE-2019-25010 (An issue was discovered in the failure crate through 
2019-11-13 for Ru ...)
        - rust-failure <unfixed> (bug #969839)
-       [bullseye] - rust-failure <no-dsa> (Minor issue, 
unmaintained/deprecated upstream)
+       [bookworm] - rust-failure <ignored> (Minor issue, 
unmaintained/deprecated upstream)
+       [bullseye] - rust-failure <ignored> (Minor issue, 
unmaintained/deprecated upstream)
        [buster] - rust-failure <no-dsa> (Minor issue, unmaintained/deprecated 
upstream)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0036.html
 CVE-2019-25009 (An issue was discovered in the http crate before 0.1.20 for 
Rust. The  ...)
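Review bot: bookworm and bullseye are now <ignored> with the reason "Minor issue, unmaintained/deprecated upstream", but the buster line immediately below stays <no-dsa> with the identical reason; the same rationale argues for the same state, so either move buster to <ignored> as well or add a word on why buster differs. The unstable line remains <unfixed> with bug #969839, so the open state is still tracked there and nothing else is needed in this hunk.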
@@ -186439,11 +186441,10 @@ CVE-2020-25574 (An issue was discovered in the http 
crate before 0.1.20 for Rust
        NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0033.html
        NOTE: https://github.com/hyperium/http/issues/352
 CVE-2020-25575 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in the 
failure ...)
-       - rust-failure <unfixed> (bug #969839; low)
-       [bullseye] - rust-failure <ignored> (Minor issue; unmaintained upstream)
-       [buster] - rust-failure <ignored> (Minor issue; unmaintained upstream)
+       - rust-failure <unfixed> (unimportant; bug #969839)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0036.html
        NOTE: https://github.com/rust-lang-nursery/failure/issues/336
+       NOTE: This CVE ID is merely for the fact that the crate is unmaintained
 CVE-2020-25202
        RESERVED
 CVE-2020-25201 (HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes 
a names ...)
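Review bot: the severity is lowered from "low" to "unimportant" and the [bullseye]/[buster] <ignored> lines are dropped, which only holds together because of the new NOTE that the CVE ID merely records the crate being unmaintained; that justification is placed after two URL NOTEs, so put it first, directly under the package line, where the next triager sees it before the severity change. Keep it in step with the CVE-2019-25010 entry for the same package (the previous hunk), which stays at <unfixed> with per-release <ignored> lines because that one references an actual advisory, RUSTSEC-2019-0036, rather than unmaintained status.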
@@ -227007,6 +227008,7 @@ CVE-2018-21034 (In Argo versions prior to v1.5.0-rc1, 
it was possible for authen
        NOT-FOR-US: Argo
 CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext 
HTTP, a ...)
        - lxc-templates <unfixed> (bug #988730)
+       [bookworm] - lxc-templates <ignored> (Minor issue)
        [bullseye] - lxc-templates <ignored> (Minor issue)
        [buster] - lxc-templates <ignored> (Minor issue)
        - lxc 1:3.0.3-1 (low)
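Review bot: the added [bookworm] line copies "Minor issue" verbatim from the bullseye and buster lines, so lxc-templates is now <ignored> in every suite while sid stays <unfixed> against bug #988730; the entry gives no pointer (upstream commit, or a note on whether the current templates still fetch over cleartext HTTP) that would let the next triager decide if the sid line should also change. Add that NOTE, or reference the bug's current state, rather than carrying the bare "Minor issue" through a third release.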
@@ -275582,13 +275584,15 @@ CVE-2019-11029 (Mirasys VMS before V7.6.1 and 8.x 
before V8.3.2 mishandles the D
 CVE-2019-11028 (GAT-Ship Web Module before 1.40 suffers from a vulnerability 
allowing  ...)
        NOT-FOR-US: GAT-Ship Web Module
 CVE-2015-9284 (The request phase of the OmniAuth Ruby gem (1.9.1 and earlier) 
is vuln ...)
-       - ruby-omniauth <unfixed> (bug #973384)
+       - ruby-omniauth 2.0.4-2 (bug #973384)
        [bullseye] - ruby-omniauth <ignored> (Minor issue)
        [buster] - ruby-omniauth <ignored> (Minor issue)
        [stretch] - ruby-omniauth <no-dsa> (Minor issue)
        [jessie] - ruby-omniauth <no-dsa> (Fix is in additional gem and needs 
CSRF protection in apps)
        NOTE: https://github.com/omniauth/omniauth/pull/809
        NOTE: https://www.openwall.com/lists/oss-security/2015/05/26/11
+       NOTE: Upstream considers this resolved with the change of the default 
config in the 2.0.0 release
+       NOTE: https://github.com/omniauth/omniauth/discussions/1017
 CVE-2019-11027 (Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely 
exploitable ...)
        {DLA-1956-1}
        - ruby-openid 2.9.2debian-1 (bug #930388)
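Review bot: the fixed version 2.0.4-2 rests on the new NOTE that upstream considers the issue resolved by "the change of the default config in the 2.0.0 release", but the NOTE does not say which default changed, and the jessie line in the same entry already warns that the fix "needs CSRF protection in apps"; name the 2.0 default being relied on so reverse dependencies that override it can be checked, and say whether 2.0.4-2 itself changed anything beyond shipping that upstream default, since the line moves from <unfixed> to a fixed version while the bug #973384 annotation is kept unchanged.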



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76e65624ac91573d12d1254f77886dfa48b9e638



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
