Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: b1140c02 by Markus Koschany at 2023-11-17T11:27:33+01:00 Add gnutls28 to dla-needed.txt - - - - - 11e42605 by Markus Koschany at 2023-11-17T11:53:16+01:00 CVE-2023-44429,gst-plugins-bad1.0: Buster is not affected The vulnerable code was introduced later. https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/13d55627f0be18c52dd1019c1f464acfe2da8b98 - - - - - a501a7d4 by Markus Koschany at 2023-11-17T12:57:13+01:00 Add varnish to dla-needed.txt - - - - - 56e1eb6f by Markus Koschany at 2023-11-17T12:58:37+01:00 CVE-2023-44487,varnish: link to upstream issue - - - - - c4d23181 by Markus Koschany at 2023-11-17T13:02:35+01:00 Add zlib to dla-needed.txt - - - - - 75f5bceb by Markus Koschany at 2023-11-17T13:06:42+01:00 CVE-2023-45853: minizip is also affected - - - - - dd2ed1c6 by Markus Koschany at 2023-11-17T13:08:22+01:00 Add minizip to dla-needed.txt - - - - - 3f64dc16 by Markus Koschany at 2023-11-17T13:29:08+01:00 Add gimp to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -5927,6 +5927,7 @@ CVE-2023-45855 (qdPM 9.2 allows Directory Traversal to list files and directorie NOT-FOR-US: qdPM CVE-2023-45853 (MiniZip in zlib through 1.3 has an integer overflow and resultant heap ...) - zlib <unfixed> (bug #1054290) + - minizip <unfixed> NOTE: https://github.com/madler/zlib/pull/843 NOTE: https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c CVE-2023-45852 (In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticat ...) 
@@ -7020,6 +7021,7 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource NOTE: netty: https://github.com/netty/netty/security/advisories/GHSA-xpw8-rcwv-8f8p NOTE: netty: https://github.com/netty/netty/commit/58f75f665aa81a8cbcf6ffa74820042a285c5e61 (netty-4.1.100.Final) NOTE: varnish: https://varnish-cache.org/security/VSV00013.html + NOTE: varnish: https://github.com/varnishcache/varnish-cache/issues/3996 NOTE: Unaffected implementations not requiring code changes: NOTE: - rust-hyper: https://seanmonstar.com/post/730794151136935936/hyper-http2-rapid-reset-unaffected NOTE: - apache2: https://chaos.social/@icing/111210915918780532 @@ -8814,6 +8816,7 @@ CVE-2023-44446 [MXF demuxer use-after-free] NOTE: Fixed by: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/7dfaa57b6f9b55f17ffe824bd8988bb71ae11353 (1.22.7) CVE-2023-44429 [AV1 codec parser buffer overflow] - gst-plugins-bad1.0 <unfixed> (bug #1056102) + [buster] - gst-plugins-bad1.0 <not-affected> (Vulnerable code was introduced later) - gst-plugins-bad0.10 <removed> NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0009.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5634 ===================================== data/dla-needed.txt ===================================== @@ -80,6 +80,12 @@ galera-3 (Adrian Bunk) NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. Please, try to find a corresponding commit and try to backport it. Otherwise - no-dsa. (gladk) NOTE: 20231113: Investigating whether vulnerability already existed before commit introducing current code. (bunk) -- +gimp + NOTE: 20231117: Added by Front-Desk (apo) +-- +gnutls28 + NOTE: 20231117: Added by Front-Desk (apo) +-- horizon NOTE: 20231101: Added by Front-Desk (lamby) NOTE: 20231101: Sync with bullseye (CVE-2022-45582). (lamby) 
@@ -130,6 +136,9 @@ lwip mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- +minizip + NOTE: 20231117: Added by Front-Desk (apo) +-- netty (Markus Koschany) NOTE: 20231104: Added by Front-Desk (lamby) NOTE: 20231104: For, at least, CVE-2023-44487. (lamby) @@ -246,6 +255,9 @@ suricata (Adrian Bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) -- +varnish + NOTE: 20231117: Added by Front-Desk (apo) +-- vlc NOTE: 20231106: Added by Front-Desk (pochu) NOTE: 20231106: Follow bullseye and update to 3.0.20 (pochu) @@ -253,3 +265,6 @@ vlc zabbix NOTE: 20231015: Added by Front-Desk (ta) -- +zlib + NOTE: 20231117: Added by Front-Desk (apo) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f94cf8c879dce13ad5e9adf9fdf12b42f398d5b3...3f64dc160be59799aefb332345bb3a33996253bd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f94cf8c879dce13ad5e9adf9fdf12b42f398d5b3...3f64dc160be59799aefb332345bb3a33996253bd You're receiving this email because of your account on salsa.debian.org.
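Review bot: In the data/CVE/list hunk for CVE-2023-45853, the new `- minizip <unfixed>` line carries no bug reference, while the sibling `- zlib <unfixed> (bug #1054290)` line does; if a bug has been filed against the minizip source package, add it in the same `(bug #NNNNNN)` form so the unfixed entry is traceable to the BTS like the zlib one.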
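Review bot: In the CVE-2023-44487 hunk, the added `NOTE: varnish: https://github.com/varnishcache/varnish-cache/issues/3996` does not say what the issue tracks, whereas the netty NOTE on the line above records the fixing version in parentheses, `(netty-4.1.100.Final)`; if the upstream issue identifies a fixed release or a mitigation-only status, append that in the same form so the two varnish NOTE lines (VSV00013 and the issue) can be read without following the links.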
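Review bot: In the CVE-2023-44429 hunk, the `[buster] - gst-plugins-bad1.0 <not-affected> (Vulnerable code was introduced later)` entry relies on the introducing commit, but that commit is only named in the commit message (13d55627f0be18c52dd1019c1f464acfe2da8b98); add it as a `NOTE:` line next to the existing advisory and merge-request NOTEs, matching the `NOTE: Fixed by: ...` style used for CVE-2023-44446 just above, so the not-affected claim can be verified from the tracker data alone.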
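Review bot: In the dla-needed.txt hunk adding `gimp` and `gnutls28`, both entries carry only `NOTE: 20231117: Added by Front-Desk (apo)`; other entries in this file name the motivating issue (the netty entry has `NOTE: 20231104: For, at least, CVE-2023-44487. (lamby)`), so add the CVE id(s) each package was added for, which saves the claimer a lookup and makes the entry self-explanatory.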
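Review bot: In the dla-needed.txt hunk adding `minizip`, the entry does not mention that it shares CVE-2023-45853 with the `zlib` entry added in the same push (the CVE/list hunk marks both as affected); add a NOTE cross-referencing zlib so that whoever claims one package also takes the other and the two updates are prepared from the same upstream fix rather than handled independently.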