Bug#1036467: virtuoso-opensource: CVE-2023-31607 CVE-2023-31608 CVE-2023-31609 CVE-2023-31610 CVE-2023-31611 CVE-2023-31612 CVE-2023-31613 CVE-2023-31614 CVE-2023-31615 CVE-2023-31616 CVE-2023-31617 C
Control: severity -1 serious

Hi Andreas,

On Thu, Mar 14, 2024 at 09:08:50PM +0100, Salvatore Bonaccorso wrote:
> Hi Andreas,
>
> On Thu, Mar 14, 2024 at 03:22:58PM +0100, Andreas Beckmann wrote:
> > Control: severity -1 important
> >
> > On Sun, 21 May 2023 20:43:40 +0200 Salvatore Bonaccorso wrote:
> > > Source: virtuoso-opensource
> > > Version: 7.2.5.1+dfsg1-0.3
> > > Severity: grave
> >
> > Downgrading the severity since all CVEs are marked as no-dsa (minor issue).
>
> This is actually orthogonal. We might indicate with an RC severity that we think the next stable release should not ship with these issues unfixed. And in fact the package was not in testing.
>
> Lowering the severity makes it actually re-enter testing next (well, actually once it is possible, I guess, as the migration is yet blocked).
>
> Please reconsider the lowering of the severity with that information (but I will not set it back myself, but rather open it for discussion with the above, and maybe the maintainers will comment as well).

I'm reconsidering my above statement. As this has in the meantime been fixed in experimental, and from my point of view it is to be considered a batch of issues which we want to see fixed in trixie, I'm going to raise the severity again to RC, to make the intention clear.

Andreas, I hope this is still fine with you, and that it makes clear we should have the version in experimental go to trixie. Again, this is orthogonal to a no-dsa marking perspective.

Regards,
Salvatore
Bug#1036467: virtuoso-opensource: CVE-2023-31607 CVE-2023-31608 CVE-2023-31609 CVE-2023-31610 CVE-2023-31611 CVE-2023-31612 CVE-2023-31613 CVE-2023-31614 CVE-2023-31615 CVE-2023-31616 CVE-2023-31617 C
Hi Andreas,

On Thu, Mar 14, 2024 at 03:22:58PM +0100, Andreas Beckmann wrote:
> Control: severity -1 important
>
> On Sun, 21 May 2023 20:43:40 +0200 Salvatore Bonaccorso wrote:
> > Source: virtuoso-opensource
> > Version: 7.2.5.1+dfsg1-0.3
> > Severity: grave
>
> Downgrading the severity since all CVEs are marked as no-dsa (minor issue).

This is actually orthogonal. We might indicate with an RC severity that we think the next stable release should not ship with these issues unfixed. And in fact the package was not in testing.

Lowering the severity makes it actually re-enter testing next (well, actually once it is possible, I guess, as the migration is yet blocked).

Please reconsider the lowering of the severity with that information (but I will not set it back myself, but rather open it for discussion with the above, and maybe the maintainers will comment as well).

Regards,
Salvatore
Bug#1036467: virtuoso-opensource: CVE-2023-31607 CVE-2023-31608 CVE-2023-31609 CVE-2023-31610 CVE-2023-31611 CVE-2023-31612 CVE-2023-31613 CVE-2023-31614 CVE-2023-31615 CVE-2023-31616 CVE-2023-31617 C
Control: severity -1 important

On Sun, 21 May 2023 20:43:40 +0200 Salvatore Bonaccorso wrote:
> Source: virtuoso-opensource
> Version: 7.2.5.1+dfsg1-0.3
> Severity: grave

Downgrading the severity since all CVEs are marked as no-dsa (minor issue).

Andreas
Bug#1036467: virtuoso-opensource: CVE-2023-31607 CVE-2023-31608 CVE-2023-31609 CVE-2023-31610 CVE-2023-31611 CVE-2023-31612 CVE-2023-31613 CVE-2023-31614 CVE-2023-31615 CVE-2023-31616 CVE-2023-31617 C
Source: virtuoso-opensource
Version: 7.2.5.1+dfsg1-0.3
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerabilities were published for virtuoso-opensource.

CVE-2023-31607[0]:
| An issue in the __libc_malloc component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31608[1]:
| An issue in the artm_div_int component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31609[2]:
| An issue in the dfe_unit_col_loci component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31610[3]:
| An issue in the _IO_default_xsputn component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31611[4]:
| An issue in the __libc_longjmp component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31612[5]:
| An issue in the dfe_qexp_list component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31613[6]:
| An issue in the __nss_database_lookup component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31614[7]:
| An issue in the mp_box_deserialize_string function in openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

CVE-2023-31615[8]:
| An issue in the chash_array component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31616[9]:
| An issue in the bif_mod component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31617[10]:
| An issue in the dk_set_delete component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31618[11]:
| An issue in the sqlc_union_dt_wrap component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31619[12]:
| An issue in the sch_name_to_object component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31620[13]:
| An issue in the dv_compare component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31621[14]:
| An issue in the kc_var_col component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31622[15]:
| An issue in the sqlc_make_policy_trig component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31623[16]:
| An issue in the mp_box_copy component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31624[17]:
| An issue in the sinv_check_exp component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31625[18]:
| An issue in the psiginfo component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31626[19]:
| An issue in the gpf_notice component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31627[20]:
| An issue in the strhash component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31628[21]:
| An issue in the stricmp component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31629[22]:
| An issue in the sqlo_union_scope component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31630[23]:
| An issue in the sqlo_query_spec component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

CVE-2023-31631[24]:
| An issue in the sqlo_preds_contradiction component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

If you fix the