Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52f72bfe by Helmut Grohne at 2023-09-20T21:06:37+02:00
reserve DLA-3575-1 for python2.7

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3928,8 +3928,7 @@ CVE-2022-48565 (An XML External Entity (XXE) issue was 
discovered in Python thro
 CVE-2022-48564 (read_ints in plistlib.py in Python through 3.9.1 is vulnerable 
to a po ...)
        - python3.9 3.9.1~rc1-1
        - python3.7 <removed>
-       - python2.7 <removed>
-       [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only 
included to build a few applications)
+       - python2.7 <not-affected> (In 2.7, the plistlib parser only supports 
XML and not the affected binary format)
        NOTE: https://bugs.python.org/issue42103
        NOTE: https://github.com/python/cpython/issues/86269
        NOTE: 
https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f
 (v3.10.0a2)
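Review bot: the new `<not-affected>` marker correctly supersedes both the unstable `<removed>` state and the bullseye `<ignored>` line, because a not-affected verdict is suite-independent and leaving the per-suite `<ignored>` in place would have left the entry in an inconsistent state. The rationale ("the plistlib parser only supports XML and not the affected binary format") is given inline in parentheses, which matches how the surrounding entries record per-suite reasons; consider also recording it as a NOTE line next to the existing upstream reference (https://bugs.python.org/issue42103) so the triage evidence survives if the status line is edited again later.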
@@ -38302,7 +38301,6 @@ CVE-2023-24329 (An issue in the urllib.parse component 
of Python before 3.11.4 a
        [buster] - python3.7 <ignored> (Cf. related CVE-2022-0391)
        - python2.7 <removed>
        [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only 
included to build a few applications)
-       [buster] - python2.7 <ignored> (Cf. related CVE-2022-0391)
        NOTE: https://pointernull.com/security/python-url-parse-problem.html
        NOTE: https://github.com/python/cpython/pull/99421
        NOTE: https://github.com/python/cpython/pull/99446 (backport for 3.11 
branch)
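Review bot: dropping the `[buster] - python2.7 <ignored> (Cf. related CVE-2022-0391)` line is what lets the new DLA-3575-1 entry apply to buster; the fixed buster version (2.7.16-2+deb10u3) is carried in data/DLA/list rather than here, which is the tracker's usual layout. The removed line's cross-reference says this issue and CVE-2022-0391 go together, and the DLA's CVE set does list CVE-2022-0391, so the two entries stay consistent. The `[buster] - python3.7 <ignored> (Cf. related CVE-2022-0391)` context line is correctly untouched, since python3.7 is not part of this DLA.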
@@ -118560,7 +118558,6 @@ CVE-2022-0391 (A flaw was found in Python, 
specifically within the urllib.parse
        - python3.4 <removed>
        - python2.7 <removed>
        [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only 
included to build a few applications)
-       [buster] - python2.7 <ignored> (Minor issue, different approach to 
sanitization; regressions reports)
        NOTE: https://bugs.python.org/issue43882
        NOTE: Regressions reported for django, boto-core and cloud-init
        NOTE: Fixed by: 
https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4
 (v3.10.0b1)
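Review bot: the removed `<ignored>` reason ("different approach to sanitization; regressions reports") and the surviving `NOTE: Regressions reported for django, boto-core and cloud-init` record why this fix was previously held back from buster, but nothing in the commit ("reserve DLA-3575-1 for python2.7") says what changed that assessment. Suggest adding a NOTE line stating which upstream change was backported for buster and whether the known regressions were judged acceptable for the reverse dependencies named, so the next reader of this entry does not have to reconstruct the decision from the DLA text.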
@@ -189199,7 +189196,6 @@ CVE-2021-23336 (The package python/cpython from 0 and 
before 3.6.13, from 3.7.0
        [experimental] - python2.7 2.7.18-13.1~exp1
        - python2.7 2.7.18-13.1
        [bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by 
security support)
-       [buster] - python2.7 <ignored> (Will break existing applications, don't 
backport to released suites)
        - pypy3 7.3.3+dfsg-3
        [buster] - pypy3 <no-dsa> (Minor issue)
        NOTE: https://github.com/python/cpython/pull/24297
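Review bot: the removed buster line explicitly said "Will break existing applications, don't backport to released suites", and this commit now ships exactly such a backport to buster via DLA-3575-1. That reversal deserves a NOTE beside the existing PR reference (https://github.com/python/cpython/pull/24297) describing how the compatibility concern was handled in the buster upload; as the hunk stands, the entry reads as if the concern never existed. The `[bullseye] - python2.7 <ignored>` and `[buster] - pypy3 <no-dsa> (Minor issue)` lines are correctly left alone, since neither is covered by this DLA.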


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[20 Sep 2023] DLA-3575-1 python2.7 - security update
+       {CVE-2021-23336 CVE-2022-0391 CVE-2022-48560 CVE-2022-48565 
CVE-2022-48566 CVE-2023-24329 CVE-2023-40217}
+       [buster] - python2.7 2.7.16-2+deb10u3
 [20 Sep 2023] DLA-3574-1 mutt - security update
        {CVE-2023-4874 CVE-2023-4875}
        [buster] - mutt 1.10.1-2.1+deb10u7
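Review bot: four of the listed identifiers (CVE-2022-48560, CVE-2022-48565, CVE-2022-48566, CVE-2023-40217) have no corresponding change in data/CVE/list in this commit; worth confirming none of those entries still carries a buster `<ignored>` or `<no-dsa>` marker for python2.7 that would contradict this DLA, as the three CVE/list hunks above did for CVE-2023-24329, CVE-2022-0391 and CVE-2021-23336. CVE-2022-48564, marked `<not-affected>` in the first hunk, is correctly absent from the set. The entry format (date, DLA id, package, summary line, braced CVE list, buster fixed version) matches the adjacent DLA-3574-1 entry.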


=====================================
data/dla-needed.txt
=====================================
@@ -166,13 +166,6 @@ python-os-brick
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
-python2.7 (Helmut Grohne)
-  NOTE: 20230826: Added by Front-Desk (utkarsh)
-  NOTE: 20230826: some traces of vulnerable code found. My hunch is that it's 
not-affected but it needs
-  NOTE: 20230826: a deeper triage. Also CVE-2023-24329 is vulnerable and was 
partially fixed in some suites
-  NOTE: 20230826: and wasn't fixed in Debian, but the extra patch is now 
available and can be fixed now. (utkarsh)
-  NOTE: 20230826: contact Utkarsh in case you're unable to find the 
supplementary patch. (utkarsh)
---
 qt4-x11
   NOTE: 20230822: Re-added for one remaining open CVE (roberto)
   NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, 
fix or remove entry from this file (roberto)
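Review bot: the removed notes record an open question ("some traces of vulnerable code found ... needs a deeper triage") and the entry is dropped without a closing note; the answer is in the data/CVE/list change (CVE-2022-48564 marked `<not-affected>` for 2.7), but neither this file nor the commit message says so. Either a final dated NOTE in the style of the removed ones, or a commit message that mentions the triage outcome alongside the DLA reservation, would make the history self-explaining. Separator handling is correct: the removed `--` leaves exactly one `--` between the python-os-brick and qt4-x11 entries.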



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52f72bfe89dd993081fb80d3c93717553ae809e0



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
