Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker


Commits:
91cb9787 by Bastien Roucariès at 2025-01-17T23:50:44+00:00
Reserve DLA-4018-1 for ruby2.7

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -39899,7 +39899,6 @@ CVE-2024-43398 (REXML is an XML toolkit for Ruby. The 
REXML gem before 3.3.6 has
        - ruby3.1 <unfixed> (bug #1083190)
        [bookworm] - ruby3.1 <no-dsa> (Minor issue)
        - ruby2.7 <removed>
-       [bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
        NOTE: 
https://github.com/ruby/rexml/security/advisories/GHSA-vmwr-mc7x-5vc3
        NOTE: 
https://github.com/ruby/rexml/commit/7cb5eaeb221c322b9912f724183294d8ce96bae3 
(v3.3.6)
 CVE-2024-43331 (Missing Authorization vulnerability in VeronaLabs WP SMS.This 
issue af ...)
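Review bot: dropping the `[bullseye] - ruby2.7 <postponed> (Minor issue, DoS)` line is the right move once a DLA is reserved for the fix, because otherwise the tracker would keep reporting the bullseye status of CVE-2024-43398 as postponed instead of deriving the fixed version from data/DLA/list. The same one-line removal is applied to the four later REXML entries in this file, so the change is consistent across the set; the remaining `- ruby2.7 <removed>` line correctly stays, since it describes the package's state in unstable, not in bullseye.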
@@ -45411,7 +45410,6 @@ CVE-2024-41946 (REXML is an XML toolkit for Ruby. The 
REXML gem 3.3.2 has a DoS
        - ruby3.1 <unfixed> (bug #1083190)
        [bookworm] - ruby3.1 <no-dsa> (Minor issue)
        - ruby2.7 <removed>
-       [bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
        NOTE: 
https://github.com/ruby/rexml/security/advisories/GHSA-5866-49gr-22v4
        NOTE: 
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/
        NOTE: https://github.com/ruby/rexml/pull/187
@@ -45434,7 +45432,6 @@ CVE-2024-41123 (REXML is an XML toolkit for Ruby. The 
REXML gem before 3.3.2 has
        - ruby3.1 <unfixed> (bug #1083190)
        [bookworm] - ruby3.1 <no-dsa> (Minor issue)
        - ruby2.7 <removed>
-       [bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
        NOTE: 
https://github.com/ruby/rexml/security/advisories/GHSA-r55c-59qm-vjw6
        NOTE: 
https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/
        NOTE: https://github.com/ruby/rexml/issues/232#issuecomment-2585211411
@@ -49307,7 +49304,6 @@ CVE-2024-39908 (REXML is an XML toolkit for Ruby. The 
REXML gem before 3.3.1 has
        - ruby3.1 <unfixed> (bug #1076768)
        [bookworm] - ruby3.1 <no-dsa> (Minor issue)
        - ruby2.7 <removed>
-       [bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
        NOTE: 
https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/
        NOTE: https://github.com/advisories/GHSA-4xqq-m2hx-25v8
        NOTE: https://github.com/ruby/rexml/issues/232#issuecomment-2585211411
@@ -68852,7 +68848,6 @@ CVE-2024-35176 (REXML is an XML toolkit for Ruby. The 
REXML gem before 3.2.6 has
        - ruby3.1 <unfixed> (bug #1071626)
        [bookworm] - ruby3.1 <no-dsa> (Minor issue)
        - ruby2.7 <removed>
-       [bullseye] - ruby2.7 <postponed> (Minor issue, DoS)
        - ruby2.5 <removed>
        NOTE: 
https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
        NOTE: Fixed by: 
https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb 
(v3.2.7)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[17 Jan 2025] DLA-4018-1 ruby2.7 - security update
+       {CVE-2024-35176 CVE-2024-39908 CVE-2024-41123 CVE-2024-41946 
CVE-2024-43398 CVE-2024-49761}
+       [bullseye] - ruby2.7 2.7.4-1+deb11u3
 [18 Jan 2025] DLA-4015-2 rsync - security update
        [bullseye] - rsync 3.2.3-4+deb11u3
 [17 Jan 2025] DLA-4017-1 tomcat9 - security update
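Review bot: the new entry lists six CVEs, but only five entries in data/CVE/list (CVE-2024-43398, CVE-2024-41946, CVE-2024-41123, CVE-2024-39908, CVE-2024-35176) had their bullseye postponed annotation removed in this commit; please confirm the CVE-2024-49761 entry carries no stale `[bullseye] - ruby2.7 <postponed>` line, or the tracker will show a conflicting status for that CVE. Also, the `[17 Jan 2025]` entry sits above `[18 Jan 2025] DLA-4015-2 rsync`; that is fine if the file is ordered by advisory number rather than by date, but it is worth a glance since the dates are no longer monotonic.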


=====================================
data/dla-needed.txt
=====================================
@@ -238,15 +238,6 @@ ruby-sinatra
   NOTE: 20241122: Was awaiting approved upstream fix; still working on 
package. (lamby)
   NOTE: 20241204: Returning to pool; have prepared patch for CVE-2024-21510 
but tests fail in a way that requires someone better at Ruby than myself. 
(lamby)
 --
-ruby2.7 (rouca)
-  NOTE: 20241130: Added by Front-Desk (ta)
-  NOTE: 20241130: See also postponed issues.
-  NOTE: 20241208: 6 CVEs in REXML that should all be fixed, Ruby and XML 
knowledge required. (bunk)
-  NOTE: 20250105: Fixed CVE-2024-35176, CVE-2024-41946, CVE-2024-49761, 
CVE-2024-43398 waiting upstream for more information for remaining (rouca)
-  NOTE: 20250111: See https://github.com/ruby/rexml/issues/232 (rouca)
-  NOTE: 20250112: Wait review 
https://lists.debian.org/debian-lts/2025/01/msg00011.html
-  NOTE: 20250117: Review done some cosmetic modification (rouca)
---
 shadow
   NOTE: 20250105: Added by Front-Desk (apo)
   NOTE: 20250105: shadow is a high-profile package. Upstream discussion for 
CVE-2024-56433 is
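Review bot: the last status note being removed (20250105) states that two of the six CVEs were still waiting on upstream information, whereas the DLA-4018-1 entry added in this same commit lists all six as fixed in 2.7.4-1+deb11u3. The later NOTE lines pointing at ruby/rexml issue 232 suggest the outstanding questions were answered, but it would help to confirm in the advisory text that CVE-2024-39908 and CVE-2024-41123 are actually addressed by the upload. Removing the whole ruby2.7 block from dla-needed.txt, including its trailing `--` separator, is otherwise correct once the DLA is reserved.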



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91cb97879639bcb0e9e2c59dc64d16d6f64120e2
