Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:

8ad8336e by Markus Koschany at 2023-11-24T19:40:42+01:00
Remove curl from dla-needed.txt

This was a bit confusing. Apparently curl was added to dla-needed.txt and afterwards someone triaged the two open CVEs as no-dsa. I reviewed the decision to mark CVE-2023-27534 and CVE-2023-28322 and I believe no-dsa is the correct decision.

CVE-2023-28322 does not affect the command line tool and even a use after free is not present in libcurl. This is a rather theoretical behavior violation.

CVE-2023-27534 requires the new internal dynbuf functions which are not present in Buster's curl version. The described scenario is unlikely because sftp users are usually restricted by the ssh server and a buggy client can't just simply access a file in another user's home directory.

- - - - -
658354ca by Markus Koschany at 2023-11-24T19:40:42+01:00
Claim rabbitmq-server in dla-needed.txt

- - - - -

1 changed file:

- data/dla-needed.txt

Changes:

===================================== data/dla-needed.txt ===================================== @@ -43,10 +43,6 @@ cinder cryptojs (guilhem) NOTE: 20231119: Added by Front-Desk (apo) -- -curl (Markus Koschany) - NOTE: 20231103: Added by Front-Desk (lamby) - NOTE: 20231103: Sync with stable. (lamby) --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) 
@@ -188,7 +184,7 @@ python-requestbuilder NOTE: 20231108: Added by Front-Desk (santiago) NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70 -- -rabbitmq-server +rabbitmq-server (Markus Koschany) NOTE: 20231119: Added by Front-Desk (apo) -- rails

View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7e00cf6fe4933a4259a4e230e870dcbaa59337e3...658354ca67fe6ddab6709e10ebf22a55c4c7c53e
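
Review bot: The curl entry removed in the first hunk (`@@ -43,10 +43,6 @@`) carried the note "Sync with stable. (lamby)", but the commit message argues no-dsa only for CVE-2023-27534 and CVE-2023-28322 and does not say whether those two CVEs were the whole of that sync. Please state that explicitly, so the removal cannot silently drop other pending curl work. The Buster-specific reasoning also exists only in the commit message; recording it as a note alongside the no-dsa triage would keep it visible without reading the git history.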
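
Review bot: The `+rabbitmq-server (Markus Koschany)` line in the second hunk (`@@ -188,7 +184,7 @@`) adds the claim without a dated NOTE, while every NOTE in the visible context carries a YYYYMMDD stamp and an author. Consider adding a line in the same form, for example `NOTE: 20231124: <status> (<claimant>)`, so that the start of the claim and its current state can be read from the file alone and a stale claim is easy to spot.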