Ola Lundqvist pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
f20876c2 by Ola Lundqvist at 2024-03-10T23:07:51+01:00
Removed runc from dla-needed since no CVEs remain to be fixed.
- - - - -
e722a127 by Ola Lundqvist at 2024-03-10T23:09:22+01:00
Reverted decision to remove qemu from dla-needed.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -9128,6 +9128,8 @@ CVE-2024-21626 (runc is a CLI tool for spawning and
running containers on Linux
NOTE:
https://github.com/opencontainers/runc/commit/89c93ddf289437d5c8558b37047c54af6a0edb48
NOTE:
https://github.com/opencontainers/runc/commit/ee73091a8d28692fa4868bac81aa40a0b05f9780
NOTE:
https://github.com/opencontainers/runc/commit/d8edada9f252873b88043279a71099db71941dea
+ NOTE: For buster DLA-3735-1 do not completely fix the issue. The rest
requires
+ NOTE: backport that is hard to do so that will not be done.
CVE-2024-24579 (stereoscope is a go library for processing container images
and simula ...)
NOT-FOR-US: stereoscope
CVE-2024-24566 (Lobe Chat is a chatbot framework that supports speech
synthesis, multi ...)
@@ -44668,7 +44670,7 @@ CVE-2023-3354 (A flaw was found in the QEMU built-in
VNC server. When a client c
- qemu 1:8.0.4+dfsg-1
[bookworm] - qemu 1:7.2+dfsg-7+deb12u2
[bullseye] - qemu 1:5.2+dfsg-11+deb11u3
- [buster] - qemu <ignored> (Minor issue)
+ [buster] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2216478
NOTE:
https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg01014.html
NOTE: Fixed by:
https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62
(v8.0.4)
=====================================
data/dla-needed.txt
=====================================
@@ -192,6 +192,10 @@ python-asyncssh
NOTE: 20240116: Added by Front-Desk (lamby)
NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and
in Git, but one test is failing. Waiting for feedback before release. (dleidert)
--
+qemu (Adrian Bunk)
+ NOTE: 20240119: Added by Front-Desk (lamby)
+ NOTE: 20240119: CVE-2023-1544 and CVE-2023-3354 already fixed in bullseye
via DSA or point releases; to be fixed or <ignored>. (lamby)
+--
rails
NOTE: 20220909: Re-added due to regression (abhijith)
NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
@@ -213,13 +217,6 @@ ring
ruby-rack (Adrian Bunk)
NOTE: 20240306: Added by Front-Desk (opal)
--
-runc
- NOTE: 20240204: Added by Front-Desk (ta)
- NOTE: 20240219: Complete fix for CVE-2024-21626 would require backport of
- NOTE: 20240219:
https://github.com/opencontainers/runc/commit/284ba3057e428f8d6c7afcc3b0ac752e525957df
and
- NOTE: 20240219:
https://github.com/opencontainers/runc/commit/e9665f4d606b64bf9c4652ab2510da368bfbd951.
- NOTE: 20240219: But it uses a link to internal/poll.IsPollDescriptor,
introduced in Go 1.12, which I cannot backport (dleidert).
---
samba
NOTE: 20230918: Added by Front-Desk (apo)
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/82315a7e28b28c15b606431bf909fe71a023f769...e722a12799f2fe393d12ee0eccee2fc385d6da2b
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/82315a7e28b28c15b606431bf909fe71a023f769...e722a12799f2fe393d12ee0eccee2fc385d6da2b
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
