Markus Koschany pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
2b9097a0 by Markus Koschany at 2024-06-21T23:02:02+02:00
Reassign DLA-3834-1 to netty from unbound
Assigning DLA-3834-1 to unbound was premature. Fix that by using the number for
netty.
- - - - -
aad481bc by Markus Koschany at 2024-06-21T23:02:02+02:00
Remove netty from dla-needed.txt
- - - - -
5593e2fa by Markus Koschany at 2024-06-21T23:02:03+02:00
CVE-2024-33655,unbound: mark buster as ignored.
Reasoning: Unbound itself is not affected by the DoS attack, but it could be
part of a distributed denial of service attack against other services/servers,
provided all conditions are met, which is non-trivial to do.
Ideally we could fix this scenario too. However, the patch introduced new
configuration options which in turn rely on features which are not present in
1.9. For instance, there is no cookie support and there is also no distinction
when unbound is used in a proxy scenario. My patch removed the cookie part of
the patch and ignored the remote_addr / client_addr part and just used the UDP
IP addr. I don't feel confident enough that this is a proper solution to the
problem though. Since there is no imminent risk for unbound users, I am going to
mark this problem as ignored.
- - - - -
fc60451a by Markus Koschany at 2024-06-21T23:02:05+02:00
CVE-2024-33869,CVE-2024-33870,ghostscript: buster is not affected
The gp_validate_path_len function was introduced later.
- - - - -
0a202c98 by Markus Koschany at 2024-06-21T23:02:05+02:00
Return ghostscript and let someone else double-check the package.
- - - - -
01d5f4db by Markus Koschany at 2024-06-21T23:13:20+02:00
Claim tryton and dlt-daemon in dla-needed.txt
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -15350,8 +15350,8 @@ CVE-2024-0445 (The The Plus Addons for Elementor plugin
for WordPress is vulnera
CVE-2023-6327 (The ShopLentor (formerly WooLentor) plugin for WordPress is
vulnerable ...)
NOT-FOR-US: WordPress plugin
CVE-2024-33655 (The DNS protocol in RFC 1035 and updates allows remote
attackers to ca ...)
- {DLA-3834-1}
- unbound 1.20.0-1
+ [buster] - unbound <ignored> (Not affected by DoS, intrusive changes)
NOTE: https://nlnetlabs.nl/downloads/unbound/CVE-2024-33655.txt
NOTE: Fixed by:
https://github.com/NLnetLabs/unbound/commit/c3206f4568f60c486be6d165b1f2b5b254fea3de
(release-1.20.0rc1)
CVE-2024-4693 (A flaw was found in the QEMU Virtio PCI Bindings
(hw/virtio/virtio-pci ...)
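Review bot: the reason on the new `[buster] - unbound <ignored> (Not affected by DoS, intrusive changes)` line is narrower than the commit message, which says unbound can still take part in a distributed denial of service against other servers under conditions that are hard to meet; since the <ignored> reason is what later triagers read, suggest recording that, e.g. `(Not directly affected; amplification only under non-trivial conditions; fix needs cookie/proxy features absent in 1.9)`. Dropping `{DLA-3834-1}` here is consistent with the reassignment in data/DLA/list.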
@@ -15424,12 +15424,14 @@ CVE-2024-33871
CVE-2024-33870
{DSA-5692-1}
- ghostscript 10.03.1~dfsg~git20240518-1
+ [buster] - ghostscript <not-affected> (The vulnerable code was
introduced later)
NOTE: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html
NOTE:
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=79aef19c685984dc3da2dc090450407d9fbcff80
(ghostpdl-10.03.1)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707686
CVE-2024-33869
{DSA-5692-1}
- ghostscript 10.03.1~dfsg~git20240518-1
+ [buster] - ghostscript <not-affected> (The vulnerable code was
introduced later)
NOTE: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html
NOTE:
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=5ae2e320d69a7d0973011796bd388cd5befa1a43
(ghostpdl-10.03.1)
NOTE:
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=f5336e5b4154f515ac83bc5b9eba94302e6618d4
(ghostpdl-10.03.1)
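Review bot: both new `[buster] - ghostscript <not-affected> (The vulnerable code was introduced later)` lines give the same generic reason; the commit message names `gp_validate_path_len` as the function that only appeared after the buster version, so put that in the reason (e.g. `(gp_validate_path_len introduced later, see ghostpdl-10.03.1 commits)`) so the not-affected claim can be re-verified from the entry alone. Also worth confirming the finding covers all three referenced commits, since CVE-2024-33869 lists two fixing commits.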
@@ -31093,10 +31095,10 @@ CVE-2024-29650 (An issue in @thi.ng/paths v.5.1.62
and before allows a remote at
CVE-2024-29515 (File Upload vulnerability in lepton v.7.1.0 allows a remote
authentica ...)
NOT-FOR-US: Lepton CMS
CVE-2024-29025 (Netty is an asynchronous event-driven network application
framework fo ...)
+ {DLA-3834-1}
- netty 1:4.1.48-10 (bug #1068110)
[bookworm] - netty <postponed> (Minor issue, fix along with future
update)
[bullseye] - netty <postponed> (Minor issue, fix along with future
update)
- [buster] - netty <postponed> (Minor issue, HTTP multipart DoS, fix
along with future update)
NOTE:
https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v
NOTE:
https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c
(netty-4.1.108.Final)
NOTE: https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3
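Review bot: adding `{DLA-3834-1}` and dropping the `[buster] - netty <postponed>` line means buster's status for CVE-2024-29025 is now derived from the DLA-3834-1 entry in data/DLA/list, but that entry's version line in this same push still reads `[buster] - unbound 1.9.0-2+deb10u5`, so the tracker will not see a fixed netty version for buster until that line is corrected.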
=====================================
data/DLA/list
=====================================
@@ -15,8 +15,8 @@
[17 Jun 2024] DLA-3835-1 roundcube - security update
{CVE-2024-37383 CVE-2024-37384}
[buster] - roundcube 1.3.17+dfsg.1-1~deb10u6
-[17 Jun 2024] DLA-3834-1 unbound - security update
- {CVE-2024-33655}
+[17 Jun 2024] DLA-3834-1 netty - security update
+ {CVE-2024-29025}
[buster] - unbound 1.9.0-2+deb10u5
[17 Jun 2024] DLA-3833-1 php7.3 - security update
{CVE-2024-5458}
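Review bot: the package and CVE of DLA-3834-1 are switched to netty / CVE-2024-29025, but the version line directly below, `[buster] - unbound 1.9.0-2+deb10u5`, is left as unchanged context; it should become netty's buster fixed version (`[buster] - netty <buster version, not visible in this diff>`), otherwise the DLA entry is internally inconsistent and CVE-2024-29025 will not resolve as fixed in buster.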
=====================================
data/dla-needed.txt
=====================================
@@ -49,7 +49,7 @@ cyrus-imapd
dcmtk (Adrian Bunk)
NOTE: 20240428: Added by Front-Desk (ta)
--
-dlt-daemon
+dlt-daemon (Markus Koschany)
NOTE: 20240519: Added by Front-Desk (utkarsh)
NOTE: 20240519: 1 buffer-overflow, 1 memory leak, and 2 crashes. I think we
NOTE: 20240519: can postpone these but I am in split mind. Will take it
myself
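Review bot: the claim changes `dlt-daemon` to `dlt-daemon (Markus Koschany)`, but the existing 20240519 note ends with utkarsh saying "Will take it myself"; a dated `NOTE: 20240621:` line recording the hand-over, as other entries in this file do, would avoid two people working on the same package.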
@@ -104,9 +104,13 @@ freeimage
NOTE: 20240412: ELTS also have a need to update this package.
NOTE: 20240412: We should open upstream bug reports and push fixes. See
above email discussion. (ola)
--
-ghostscript (Markus Koschany)
+ghostscript
NOTE: 20240510: Added by Front-Desk (ta)
- NOTE: 20240610: Doing some final tests. (apo)
+ NOTE: 20240621: I am returning the package so that someone else can assess
+ NOTE: 20240621: whether we can fix the problems or have to ignore them.
+ NOTE: 20240621: The patches rely on newly introduced API,e.g.
+ NOTE: 20240621: gs_activate_path_control,gs_is_path_control_active. I don't
+ NOTE: 20240621: think it makes sense to introduce those changes without
those functions.
--
git (Sean Whitton)
NOTE: 20240519: Added by Front-Desk (utkarsh)
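Review bot: the new NOTE lines are missing spaces after commas ("API,e.g." and "gs_activate_path_control,gs_is_path_control_active"); also, replacing the 20240610 "Doing some final tests" note instead of appending below it drops the dated history the rest of this file keeps, so consider keeping the old line and adding the 20240621 lines after it.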
@@ -187,10 +191,6 @@ mariadb-10.3
NOTE: 20240610: This version is EOL and I could not find a targeted patch
for the
NOTE: 20240610: problem which appears to be not too serious. (apo)
--
-netty (Markus Koschany)
- NOTE: 20240511: Added by (apo)
- NOTE: 20240610: Doing some final tests. (apo)
---
nodejs (rouca)
NOTE: 20240406: Added by Front-Desk (lamby)
--
@@ -305,12 +305,12 @@ tinymce
NOTE: 20231216: upstream's patch is backportable, as the code has changed a
NOTE: 20231216: lot. (spwhitton)
--
-tryton-client
+tryton-client (Markus Koschany)
NOTE: 20240618: Added by coordinator (santiago)
NOTE: 20240618: bookworm pu by maintainer was accepted. LTS Team should take
care of bullseye pu along with buster, as suggested by maintainer (santiago)
NOTE: 20240618:
https://salsa.debian.org/tryton-team/tryton-client/-/commit/dfa889381d572f5ee229c3eec32cbdff8084d36c
--
-tryton-server
+tryton-server (Markus Koschany)
NOTE: 20240421: Added by Front-Desk (apo)
NOTE: 20240421: Fix causes regressions in tryton client. Waiting for that
NOTE: 20240421: being resolved upstream.
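Review bot: claiming tryton-client and tryton-server together fits the 20240421 note that the server fix regresses the client, but neither entry gets a dated `NOTE: 20240621:` line recording the claim or whether that regression is now resolved upstream (the tryton-client note links a maintainer commit that may be the fix); add one so the next reader does not have to reconstruct this from the git log.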
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a6624d77f131b34abef764fb3074fc51448461da...01d5f4db5384365753993280820d9439c2ac3fed
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits