Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
08e3e4cc by Sylvain Beucler at 2022-05-27T10:02:22+02:00
dla: add thunderbird

- - - - -
e7f136de by Sylvain Beucler at 2022-05-27T10:02:22+02:00
dla: add smarty3

- - - - -
a4d0aac5 by Sylvain Beucler at 2022-05-27T10:02:23+02:00
CVE-2022-1851/vim: stretch postponed

- - - - -
d2d6e354 by Sylvain Beucler at 2022-05-27T10:04:17+02:00
dla: add qemu

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -539,6 +539,7 @@ CVE-2022-1851 (Out-of-bounds Read in GitHub repository 
vim/vim prior to 8.2. ...
        - vim <unfixed>
        [bullseye] - vim <no-dsa> (Minor issue)
        [buster] - vim <no-dsa> (Minor issue)
+       [stretch] - vim <postponed> (Minor issue, OOB read)
        NOTE: https://huntr.dev/bounties/f8af901a-9a46-440d-942a-8f815b59394d
        NOTE: 
https://github.com/vim/vim/commit/78d52883e10d71f23ab72a3d8b9733b00da8c9ad 
(v8.2.5013)
 CVE-2022-1850 (Path Traversal in GitHub repository filegator/filegator prior 
to 7.8.0 ...)
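
Review bot: the added `[stretch] - vim <postponed> (Minor issue, OOB read)` line records a severity judgement but not whether the stretch vim was checked against the referenced fix commit (v8.2.5013). If the vulnerable code was confirmed present in stretch, a short NOTE saying so would save the next person from re-triaging. The extra "OOB read" qualifier also differs from the plain "(Minor issue)" given for bullseye and buster, so consider keeping the three reasons consistent.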


=====================================
data/dla-needed.txt
=====================================
@@ -198,6 +198,10 @@ postgresql-9.6
 puppet-module-puppetlabs-firewall
   NOTE: 20220402: no Debian maintainers activity since 2018 (Beuc/front-desk)
 --
+qemu
+  NOTE: 20220527: a few new CVEs since last DLA, and buster got no updates 
since 2 years,
+  NOTE: 20220527: so maybe coordinate to start anticipating the next LTS 
(Beuc/front-desk)
+--
 request-tracker4
   NOTE: 20220524: Harmonize with Debian 10.11 (1 CVE) (Beuc/front-desk)
 --
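
Review bot: the new qemu entry says "a few new CVEs since last DLA" without naming them, and its second NOTE ("maybe coordinate to start anticipating the next LTS") leaves unclear what the person claiming the entry is expected to do for stretch. Listing the CVE ids, or stating whether a stretch DLA is wanted or only coordination, would make the entry actionable.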
@@ -230,6 +234,10 @@ sleuthkit
 slurm-llnl (Thorsten Alteholz)
   NOTE: 20220516: Checking the code it looks like the patches will apply so 
the code is clearly vulnerable.
 --
+smarty3
+  NOTE: 20220527: upcoming DSA by apo, but last DLA is recent (this month);
+  NOTE: 20220527: sync or postpone depending on severity (Beuc/front-desk)
+--
 snapd
   NOTE: 20220308: seems vulnerable at least to setup_private_mount,
   NOTE: 20220308: but double check (pochu)
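
Review bot: in the smarty3 entry, "sync or postpone depending on severity" leaves the decision open without identifying what to assess, since the CVEs behind the upcoming DSA are not named. Naming them would let whoever picks this up make the sync-or-postpone call from the entry itself.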
@@ -254,6 +262,10 @@ systemd
   NOTE: 20220524: nor DLA-2715-1; the issue looks somewhat invasive to fix but 
at the
   NOTE: 20220524: same time is severe and was fixed in other old distros 
(Beuc/front-desk)
 --
+thunderbird
+  NOTE: 20220527: DSA-5141-1 & DLA-3020-1 were just released, but thunderbird
+  NOTE: 20220527: is back in dsa-needed.txt with 2 new CVEs (Beuc/front-desk)
+--
 tiff (Utkarsh)
   NOTE: 20220404: jessie upload at 
https://salsa.debian.org/lts-team/packages/tiff.
   NOTE: 20220404: if that works out well, I'll roll the same for stretch. 
(utkarsh)
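
Review bot: the thunderbird entry cites DSA-5141-1 and DLA-3020-1 by number but describes the remaining work only as "2 new CVEs". Adding the two CVE ids would show which issues DLA-3020-1 does not cover and avoid confusion with the update that was just released.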



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6b5b6f74a1a28cfa8f6a06083cd7e7cfbf6a9d88...d2d6e354c6f6111c596effee91b9d4e666499742

_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
