[Git][security-tracker-team/security-tracker][master] 3 commits: Triage CVE-2023-5678/openssl as postponed for buster

[Emilio Pozuelo Monfort (@pochu)]

Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a20d208f by Emilio Pozuelo Monfort at 2023-11-08T12:58:49+01:00
Triage CVE-2023-5678/openssl as postponed for buster

- - - - -
eeb3ad01 by Emilio Pozuelo Monfort at 2023-11-08T12:58:51+01:00
Mark gpac issues as EOL for buster

- - - - -
d3d23685 by Emilio Pozuelo Monfort at 2023-11-08T12:58:51+01:00
lts: add ruby-sanitize

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -56,6 +56,7 @@ CVE-2023-46483 (Cross Site Scripting vulnerability in timetec 
AWDMS v.2.0 allows
        NOT-FOR-US: timetec AWDMS
 CVE-2023-46001 (Buffer Overflow vulnerability in gpac MP4Box 
v.2.3-DEV-rev573-g2013208 ...)
        - gpac <unfixed>
+       [buster] - gpac <end-of-life> (EOL in buster LTS)
        NOTE: https://github.com/gpac/gpac/issues/2629
        NOTE: 
https://github.com/gpac/gpac/commit/e79b0cf7e72404750630bc01340e999f3940dbc4
 CVE-2023-45380 (In the module "Order Duplicator " Clone and Delete Existing 
Order" (or ...)
@@ -100,6 +101,7 @@ CVE-2023-45283 [path/filepath: recognize \??\ as a Root 
Local Device path prefix
        TODO: check if it should be considered "windows only" or still tracked 
due to issue in path parsing for windows paths
 CVE-2023-5998 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 
2.3.0-DEV.)
        - gpac <unfixed>
+       [buster] - gpac <end-of-life> (EOL in buster LTS)
        NOTE: https://huntr.com/bounties/ea02a231-b688-422b-a881-ef415bcf6113
        NOTE: 
https://github.com/gpac/gpac/commit/db74835944548fc3bdf03121b0e012373bdebb3e
 CVE-2023-5996
@@ -1982,6 +1984,7 @@ CVE-2023-5678 (Issue summary: Generating excessively long 
X9.42 DH keys or check
        - openssl <unfixed> (bug #1055473)
        [bookworm] - openssl <no-dsa> (Minor issue; can be fixed along with 
future update)
        [bullseye] - openssl <no-dsa> (Minor issue; can be fixed along with 
future update)
+       [buster] - openssl <postponed> (Minor issue; can be fixed along with 
future update)
        NOTE: https://www.openssl.org/news/secadv/20231106.txt
        NOTE: 
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017
 (for 3.0.y)
        NOTE: 
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=710fee740904b6290fef0dd5536fbcedbc38ff0c
 (for 1.1.1y)


=====================================
data/dla-needed.txt
=====================================
@@ -210,6 +210,9 @@ ring
   NOTE: 20230903: Added by Front-Desk (gladk)
   NOTE: 20230928: will be likely hard to fix see 
https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca)
 --
+ruby-sanitize
+  NOTE: 20231108: Added by Front-Desk (pochu)
+--
 salt
   NOTE: 20220814: Added by Front-Desk (gladk)
   NOTE: 20220814: I am not sure, whether it is possible to fix issues



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ae562751e0b0d6af6c0c1b1491503bccec316f2...d3d23685c73af8d3add9a9f03dc68533d34ec01f

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ae562751e0b0d6af6c0c1b1491503bccec316f2...d3d23685c73af8d3add9a9f03dc68533d34ec01f
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits