[Git][security-tracker-team/security-tracker][master] Reserve DLA-3393-1 for protobuf

Tue, 18 Apr 2023 00:04:12 -0700 


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ad65f979 by Helmut Grohne at 2023-04-18T09:03:41+02:00
Reserve DLA-3393-1 for protobuf

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -170504,7 +170504,6 @@ CVE-2021-22570 (Nullptr dereference when a null char 
is present in a proto symbo
        [experimental] - protobuf 3.17.1-1
        - protobuf 3.21.9-3
        [bullseye] - protobuf <no-dsa> (Minor issue)
-       [buster] - protobuf <no-dsa> (Minor issue)
        [stretch] - protobuf <postponed> (Minor issue; clean crash / Dos; patch 
needs to be isolated)
        NOTE: Fixed upstream in v3.15.0: 
https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0
        NOTE: Fixed in merge commit 
https://github.com/protocolbuffers/protobuf/a00125024e9231d76746bd394fef8876f5cc15e2
@@ -170513,7 +170512,6 @@ CVE-2021-22569 (An issue in protobuf-java allowed the 
interleaving of com.google
        [experimental] - protobuf 3.19.3-1
        - protobuf 3.21.9-3
        [bullseye] - protobuf <no-dsa> (Minor issue)
-       [buster] - protobuf <no-dsa> (Minor issue)
        [stretch] - protobuf <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2022/01/12/4
        NOTE: https://cloud.google.com/support/bulletins#gcp-2022-001


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[18 Apr 2023] DLA-3393-1 protobuf - security update
+       {CVE-2021-22569 CVE-2021-22570 CVE-2022-1941}
+       [buster] - protobuf 3.6.1.3-2+deb10u1
 [17 Apr 2023] DLA-3392-1 ruby-rack - security update
        {CVE-2023-27530 CVE-2023-27539}
        [buster] - ruby-rack 2.0.6-3+deb10u3


=====================================
data/dla-needed.txt
=====================================
@@ -222,11 +222,6 @@ pluxml
   NOTE: 20220913: Special attention: orphaned package.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/pluxml.git
 --
-protobuf (Helmut Grohne)
-  NOTE: 20221031: Programming language: Several.
-  NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated 
code and must therefore get special attention from the application developer 
using protobuf.
-  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/protobuf.git
---
 puppet-module-puppetlabs-mysql
   NOTE: 20221107: Programming language: Puppet, Ruby.
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/puppet-module-puppetlabs-mysql.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad65f9796ca0a39e10dcadc212513d040387ecb3

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad65f9796ca0a39e10dcadc212513d040387ecb3
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to