Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
178e878e by Markus Koschany at 2023-06-16T23:09:07+02:00
Reserve DLA-3455-1 for golang-go.crypto

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -242406,7 +242406,6 @@ CVE-2020-9284
 CVE-2020-9283 (golang.org/x/crypto before v0.0.0-20200220183623-bac4c82f6975 
for Go a ...)
        {DLA-2455-1 DLA-2453-1 DLA-2402-1}
        - golang-go.crypto 1:0.0~git20200221.2aa609c-1 (bug #952462)
-       [buster] - golang-go.crypto <postponed> (Limited support, minor issue, 
fixed in stretch)
        [jessie] - golang-go.crypto <no-dsa> (Minor issue)
        NOTE: 
https://github.com/golang/crypto/commit/bac4c82f69751a6dd76e702d54b3ceb88adab236
 CVE-2020-9282 (In Mahara 18.10 before 18.10.5, 19.04 before 19.04.4, and 19.10 
before ...)
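Review bot: The cross-reference line `{DLA-2455-1 DLA-2453-1 DLA-2402-1}` under CVE-2020-9283 is left unchanged, while data/DLA/list in this same commit ties DLA-3455-1 to this CVE. If that line is not regenerated from data/DLA/list by a later automated pass, add DLA-3455-1 here, because once the `[buster] ... <postponed>` line is gone the CVE record itself no longer says anything about buster. The same applies to the CVE-2019-11841 and CVE-2019-11840 entries in the two hunks that follow.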
@@ -289552,7 +289551,6 @@ CVE-2019-11843 (The MailPoet plugin before 3.23.2 for 
WordPress allows remote at
 CVE-2019-11841 (A message-forgery issue was discovered in 
crypto/openpgp/clearsign/cle ...)
        {DLA-2402-1 DLA-1920-1}
        - golang-go.crypto 1:0.0~git20200221.2aa609c-1
-       [buster] - golang-go.crypto <postponed> (Limited support, fixed in 
stretch)
        NOTE: 
https://go.googlesource.com/crypto/+/c05e17bb3b2dca130fc919668a96b4bec9eb9442
        NOTE: Patch fixes the second part of the CVE ("prepend arbitrary text")
        NOTE: but not the first ("ignores the value of [the Hash] header"), as 
hinted at reporter's 2019-05-09 note:
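Review bot: The retained NOTE lines under CVE-2019-11841 state that the referenced patch fixes only the second part of the CVE ("prepend arbitrary text") and not the first ("ignores the value of [the Hash] header"), yet dropping the `[buster] ... <postponed>` line leaves the new DLA entry as the only buster statement, and that entry lists the CVE without qualification. Add a NOTE saying whether the buster upload carries this same partial fix, so a reader of the record can tell what remains open in buster.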
@@ -289561,7 +289559,6 @@ CVE-2019-11841 (A message-forgery issue was 
discovered in crypto/openpgp/clearsi
 CVE-2019-11840 (An issue was discovered in supplementary Go cryptography 
libraries, ak ...)
        {DLA-2527-1 DLA-2454-1 DLA-2442-1 DLA-2402-1 DLA-1840-1}
        - golang-go.crypto 1:0.0~git20200221.2aa609c-1
-       [buster] - golang-go.crypto <postponed> (Limited support, minor issue, 
fixed in stretch)
        NOTE: https://github.com/golang/go/issues/30965
        NOTE: 
https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d
        NOTE: 
https://groups.google.com/forum/#!msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[16 Jun 2023] DLA-3455-1 golang-go.crypto - security update
+       {CVE-2019-11840 CVE-2019-11841 CVE-2020-9283}
+       [buster] - golang-go.crypto 1:0.0~git20181203.505ab14-1+deb10u1
 [13 Jun 2023] DLA-3454-1 ffmpeg - security update
        {CVE-2022-3109 CVE-2022-3341}
        [buster] - ffmpeg 7:4.1.11-0+deb10u1
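Review bot: The commit message says DLA-3455-1 is only being reserved, but the added entry already records a fixed version for buster (`1:0.0~git20181203.505ab14-1+deb10u1`), and the same commit removes the package from data/dla-needed.txt and the three `<postponed>` markers in data/CVE/list. Confirm that an upload with exactly this version has been accepted before this lands; otherwise the tracker data shows buster as fixed ahead of the archive.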


=====================================
data/dla-needed.txt
=====================================
@@ -54,10 +54,6 @@ fusiondirectory (Abhijith PA)
 glib2.0
   NOTE: 20230612: Added by Front-Desk (apo)
 --
-golang-go.crypto (Markus Koschany)
-  NOTE: 20220915: Added by Front-Desk (Beuc)
-  NOTE: 20220915: 3 CVEs fixed in stretch and bullseye (Beuc/front-desk)
---
 golang-yaml.v2 (sgmoore)
   NOTE: 20230125: Added by Front-Desk (gladk)
   NOTE: 20230525: In review with utkarsh.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/178e878ea2a0dc1108234306f9dc67844d0ab7aa



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
