Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits: 08e3e4cc by Sylvain Beucler at 2022-05-27T10:02:22+02:00 dla: add thunderbird - - - - - e7f136de by Sylvain Beucler at 2022-05-27T10:02:22+02:00 dla: add smarty3 - - - - - a4d0aac5 by Sylvain Beucler at 2022-05-27T10:02:23+02:00 CVE-2022-1851/vim: stretch postponed - - - - - d2d6e354 by Sylvain Beucler at 2022-05-27T10:04:17+02:00 dla: add qemu - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -539,6 +539,7 @@ CVE-2022-1851 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ... - vim <unfixed> [bullseye] - vim <no-dsa> (Minor issue) [buster] - vim <no-dsa> (Minor issue) + [stretch] - vim <postponed> (Minor issue, OOB read) NOTE: https://huntr.dev/bounties/f8af901a-9a46-440d-942a-8f815b59394d NOTE: https://github.com/vim/vim/commit/78d52883e10d71f23ab72a3d8b9733b00da8c9ad (v8.2.5013) CVE-2022-1850 (Path Traversal in GitHub repository filegator/filegator prior to 7.8.0 ...) ===================================== data/dla-needed.txt ===================================== @@ -198,6 +198,10 @@ postgresql-9.6 puppet-module-puppetlabs-firewall NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc/front-desk) -- +qemu + NOTE: 20220527: a few new CVEs since last DLA, and buster got no updates since 2 years, + NOTE: 20220527: so maybe coordinate to start anticipating the next LTS (Beuc/front-desk) +-- request-tracker4 NOTE: 20220524: Harmonize with Debian 10.11 (1 CVE) (Beuc/front-desk) -- @@ -230,6 +234,10 @@ sleuthkit slurm-llnl (Thorsten Alteholz) NOTE: 20220516: Checking the code it looks like the patches will apply so the code is clearly vulnerable. -- +smarty3 + NOTE: 20220527: upcoming DSA by apo, but last DLA is recent (this month); + NOTE: 20220527: sync or postpone depending on severity (Beuc/front-desk) +-- snapd NOTE: 20220308: seems vulnerable at least to setup_private_mount, NOTE: 20220308: but double check (pochu) 
@@ -254,6 +262,10 @@ systemd NOTE: 20220524: nor DLA-2715-1; the issue looks somewhat invasive to fix but at the NOTE: 20220524: same time is severe and was fixed in other old distros (Beuc/front-desk) -- +thunderbird + NOTE: 20220527: DSA-5141-1 & DLA-3020-1 were just released, but thunderbird + NOTE: 20220527: is back in dsa-needed.txt with 2 new CVEs (Beuc/front-desk) +-- tiff (Utkarsh) NOTE: 20220404: jessie upload at https://salsa.debian.org/lts-team/packages/tiff. NOTE: 20220404: if that works out well, I'll roll the same for stretch. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6b5b6f74a1a28cfa8f6a06083cd7e7cfbf6a9d88...d2d6e354c6f6111c596effee91b9d4e666499742 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6b5b6f74a1a28cfa8f6a06083cd7e7cfbf6a9d88...d2d6e354c6f6111c596effee91b9d4e666499742 You're receiving this email because of your account on salsa.debian.org.
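Review bot: in the data/CVE/list hunk for CVE-2022-1851, the new `[stretch] - vim <postponed> (Minor issue, OOB read)` line uses a different reason string from the `[bullseye]` and `[buster]` entries directly above it, which both read `(Minor issue)`; if the extra "OOB read" qualifier is the justification for postponing rather than marking no-dsa, consider stating that in the NOTE lines instead so the per-suite annotations stay uniform. The suite ordering (bullseye, buster, stretch) and the NOTE pointing at the fixing upstream commit (v8.2.5013) look right.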
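Review bot: the new `qemu` block in data/dla-needed.txt (`@@ -198,6 +198,10 @@`) records only that there are "a few new CVEs since last DLA" and that buster "got no updates since 2 years"; listing the specific CVE ids in the NOTE would let whoever claims the package scope the work without re-deriving it from the tracker. The entry is correctly placed between puppet-module-puppetlabs-firewall and request-tracker4 and closed with the `--` separator, and leaving it unclaimed matches the front-desk convention seen in the neighbouring entries.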
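Review bot: the `smarty3` block (`@@ -230,6 +234,10 @@`) defers the decision ("sync or postpone depending on severity") and refers to an "upcoming DSA by apo" without an identifier; once the DSA and its CVE ids are published, add them to the NOTE so the severity call can be made from the entry itself. Alphabetical placement between slurm-llnl and snapd and the trailing `--` separator are consistent with the rest of the file.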
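Review bot: the `thunderbird` block (`@@ -254,6 +262,10 @@`) correctly cross-references DSA-5141-1 and DLA-3020-1, but the "2 new CVEs" that put the package back into dsa-needed.txt are not named; adding those ids to the NOTE avoids a second lookup for the claimant and makes it clear which issues are outstanding beyond DLA-3020-1. Placement between systemd and tiff keeps the file sorted, and the block ends with the `--` separator like its neighbours.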
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits