Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits: 4a07c938 by Markus Koschany at 2023-12-23T22:00:07+01:00 Remove bouncycastle from dla-needed.txt - - - - - 5775dc48 by Markus Koschany at 2023-12-23T22:09:43+01:00 CVE-2023-33202,bouncycastle: Buster is ignored Buster is vulnerable. Just apply the test patch from https://salsa.debian.org/java-team/bouncycastle/-/blob/buster/debian/patches/test-CVE-2023-33202.patch?ref_type=heads to verify it. The ASN1 module has been completely reworked in newer releases and the upstream patch cannot be applied as is. I know that the changes break reverse-dependencies hence I am going to mark this issue as ignored in Buster. - - - - - 15d84ba1 by Markus Koschany at 2023-12-23T22:10:43+01:00 Update squid notes. Claim asterisk in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -5765,6 +5765,7 @@ CVE-2023-33202 (Bouncy Castle for Java before 1.73 contains a potential Denial o - bouncycastle 1.77-1 (bug #1056754) [bookworm] - bouncycastle <no-dsa> (Minor issue) [bullseye] - bouncycastle <no-dsa> (Minor issue) + [buster] - bouncycastle <ignored> (Minor issue) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33202 NOTE: Fixed by https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c (r1rv73) CVE-2023-43123 (On unix-like systems, the temporary directory is shared between all us ...) ===================================== data/dla-needed.txt ===================================== @@ -29,7 +29,7 @@ ansible (rouca) NOTE: 20231217: Begin to triage CVEs (rouca) NOTE: 20231217: Triaging done a few mail send upstream for claryfication purposes (rouca) -- -asterisk +asterisk (Markus Koschany) NOTE: 20231210: Added by Front-Desk (ta) -- bind9 (Thorsten Alteholz) 
@@ -37,12 +37,6 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231217: almost done with testing -- -bouncycastle (Markus Koschany) - NOTE: 20231127: Added by Front-Desk (Beuc) - NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) - NOTE: 20231128: I can't find changes in PEMParser.java related to CVE-2023-33202, maybe contact upstream (Beuc/front-desk) - NOTE: 20231218: Decision impending. (apo) --- cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) NOTE: 20231205: Triaging CVEs backlog (Beuc) @@ -217,6 +211,7 @@ samba squid (Markus Koschany) NOTE: 20231102: Added by Front-Desk (lamby) NOTE: 20231218: Investigating new CVE. (apo) + NOTE: 20231223: The update requires a few more tests. Intend to release after the holidays. -- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/87fd535340305ac0bdabf6eb1c931776f0599262...15d84ba15106c190afd0ad7cdc8fe1d234b1a1b2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/87fd535340305ac0bdabf6eb1c931776f0599262...15d84ba15106c190afd0ad7cdc8fe1d234b1a1b2 You're receiving this email because of your account on salsa.debian.org.
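Review bot: In the data/CVE/list hunk (@@ -5765), the new `[buster] - bouncycastle <ignored> (Minor issue)` line carries a reason that does not match the rationale given in commit 5775dc48: buster is stated to be vulnerable, and the reason for ignoring is that the upstream fix cannot be applied because the ASN1 module was reworked and the changes break reverse-dependencies. Since "(Minor issue)" is the reason already used for the bullseye and bookworm `<no-dsa>` entries, a reader of the tracker cannot tell why buster is `<ignored>` rather than `<no-dsa>`. Suggest putting the actual rationale in the parenthetical, for example `[buster] - bouncycastle <ignored> (Fix breaks reverse-dependencies; ASN1 module reworked upstream)`, and adding a `NOTE:` line pointing at the test patch URL from the commit message so the verification step is recorded next to the existing upstream-fix NOTE.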
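Review bot: In the first data/dla-needed.txt hunk (@@ -29), the asterisk entry is claimed by changing `-asterisk` to `+asterisk (Markus Koschany)`, but no dated NOTE records the claim, whereas the surrounding entries (ansible, bind9, squid) document each status change with a `NOTE: YYYYMMDD:` line. Suggest adding a line such as `NOTE: 20231223: Claimed. (apo)` under the entry so the triage history stays readable from the file alone.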
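Review bot: In the second data/dla-needed.txt hunk (@@ -37), removing the whole bouncycastle entry also drops the Front-Desk request `NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk)`, while the accompanying data/CVE/list change only touches CVE-2023-33202. Before closing the entry, please confirm that the buster status of CVE-2020-26939 (and the other pending no-dsa CVEs referred to) has been resolved or deliberately left as is; if not, the entry should stay open with a note, or the corresponding data/CVE/list entries should be updated in the same push so the work item is not silently lost.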
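Review bot: In the third data/dla-needed.txt hunk (@@ -217), the added line `NOTE: 20231223: The update requires a few more tests. Intend to release after the holidays.` lacks the author tag that the neighbouring notes carry (`(lamby)`, `(apo)`), which the file uses to show who wrote each note. Suggest appending `(apo)` to keep the entry consistent with the rest of the squid block.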
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
