Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker
Commits: 52f72bfe by Helmut Grohne at 2023-09-20T21:06:37+02:00 reserve DLA-3575-1 for python2.7 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -3928,8 +3928,7 @@ CVE-2022-48565 (An XML External Entity (XXE) issue was discovered in Python thro CVE-2022-48564 (read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a po ...) - python3.9 3.9.1~rc1-1 - python3.7 <removed> - - python2.7 <removed> - [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications) + - python2.7 <not-affected> (In 2.7, the plistlib parser only supports XML and not the affected binary format) NOTE: https://bugs.python.org/issue42103 NOTE: https://github.com/python/cpython/issues/86269 NOTE: https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f (v3.10.0a2) @@ -38302,7 +38301,6 @@ CVE-2023-24329 (An issue in the urllib.parse component of Python before 3.11.4 a [buster] - python3.7 <ignored> (Cf. related CVE-2022-0391) - python2.7 <removed> [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications) - [buster] - python2.7 <ignored> (Cf. related CVE-2022-0391) NOTE: https://pointernull.com/security/python-url-parse-problem.html NOTE: https://github.com/python/cpython/pull/99421 NOTE: https://github.com/python/cpython/pull/99446 (backport for 3.11 branch) 
@@ -118560,7 +118558,6 @@ CVE-2022-0391 (A flaw was found in Python, specifically within the urllib.parse - python3.4 <removed> - python2.7 <removed> [bullseye] - python2.7 <ignored> (Unsupported in Bullseye, only included to build a few applications) - [buster] - python2.7 <ignored> (Minor issue, different approach to sanitization; regressions reports) NOTE: https://bugs.python.org/issue43882 NOTE: Regressions reported for django, boto-core and cloud-init NOTE: Fixed by: https://github.com/python/cpython/commit/76cd81d60310d65d01f9d7b48a8985d8ab89c8b4 (v3.10.0b1) @@ -189199,7 +189196,6 @@ CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0 [experimental] - python2.7 2.7.18-13.1~exp1 - python2.7 2.7.18-13.1 [bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support) - [buster] - python2.7 <ignored> (Will break existing applications, don't backport to released suites) - pypy3 7.3.3+dfsg-3 [buster] - pypy3 <no-dsa> (Minor issue) NOTE: https://github.com/python/cpython/pull/24297 ===================================== data/DLA/list ===================================== @@ -1,3 +1,6 @@ +[20 Sep 2023] DLA-3575-1 python2.7 - security update + {CVE-2021-23336 CVE-2022-0391 CVE-2022-48560 CVE-2022-48565 CVE-2022-48566 CVE-2023-24329 CVE-2023-40217} + [buster] - python2.7 2.7.16-2+deb10u3 [20 Sep 2023] DLA-3574-1 mutt - security update {CVE-2023-4874 CVE-2023-4875} [buster] - mutt 1.10.1-2.1+deb10u7 ===================================== data/dla-needed.txt ===================================== 
@@ -166,13 +166,6 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -python2.7 (Helmut Grohne) - NOTE: 20230826: Added by Front-Desk (utkarsh) - NOTE: 20230826: some traces of vulnerable code found. My hunch is that it's not-affected but it needs - NOTE: 20230826: a deeper triage. Also CVE-2023-24329 is vulnerable and was partially fixed in some suites - NOTE: 20230826: and wasn't fixed in Debian, but the extra patch is now available and can be fixed now. (utkarsh) - NOTE: 20230826: contact Utkarsh in case you're unable to find the supplementary patch. (utkarsh) --- qt4-x11 NOTE: 20230822: Re-added for one remaining open CVE (roberto) NOTE: 20230822: CVE-2021-28025 maybe a dup of CVE-2021-3481; once resolved, fix or remove entry from this file (roberto) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52f72bfe89dd993081fb80d3c93717553ae809e0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52f72bfe89dd993081fb80d3c93717553ae809e0 You're receiving this email because of your account on salsa.debian.org.
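Review bot: In the CVE-2022-48564 hunk of data/CVE/list, the new global `python2.7 <not-affected>` line replaces both the unstable `python2.7 <removed>` line and the `[bullseye] <ignored>` line, so the parenthetical rationale has to hold for every suite at once. It does: Python 2.7's plistlib reads only the XML format, and the `read_ints` routine named in the CVE description belongs to the binary plist reader, so the reasoning is sound. It would make later re-triage easier if a NOTE line also pointed at the 2.7 plistlib documentation that states the XML-only limitation, since the existing NOTE links all describe the 3.x code.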
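Review bot: Dropping the `[buster] - python2.7 <ignored> (Cf. related CVE-2022-0391)` line for CVE-2023-24329 leaves buster's status to be derived from the DLA entry's fixed version (2.7.16-2+deb10u3), which is the correct way to lift an ignore; the removed rationale only cross-referenced CVE-2022-0391, whose buster ignore is lifted in the same commit, so the two stay consistent. The deleted dla-needed notes said the upstream fix was only partial and that a supplementary patch exists, so the DLA text and a NOTE line here should name both patches so the backport can be audited against them.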
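Review bot: The removed buster ignore for CVE-2022-0391 gave the rationale "different approach to sanitization; regressions reports", and the NOTE line immediately below still records regressions in django, boto-core and cloud-init. Now that the fix is shipped to buster, the advisory should state which sanitization approach was backported and whether those packages in buster were exercised against it; otherwise the surviving regression NOTE reads as an open contradiction of the DLA.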
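Review bot: The `[buster] - python2.7 <ignored>` line removed for CVE-2021-23336 carried the rationale "Will break existing applications, don't backport to released suites", while the `[bullseye] <ignored>` line stays. Shipping the change in a DLA reverses that earlier decision, so the DLA text should spell out the behaviour change for applications, and a NOTE line here should record why the breakage is now considered acceptable for buster.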
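Review bot: The new DLA-3575-1 entry in data/DLA/list lists seven CVEs, but this commit only adjusts data/CVE/list for CVE-2021-23336, CVE-2022-0391 and CVE-2023-24329 (plus CVE-2022-48564, which is not in the DLA). Check that CVE-2022-48560, CVE-2022-48565, CVE-2022-48566 and CVE-2023-40217 have no remaining `[buster] - python2.7 <ignored>` or `<no-dsa>` lines, since a buster ignore that outlives the DLA fixed version would misreport the package's status in buster.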
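Review bot: Removing the python2.7 block from data/dla-needed.txt is right once the DLA is reserved, but the 20230826 notes it deletes are the only record that "some traces of vulnerable code found" needed deeper triage and that the supplementary CVE-2023-24329 patch came via Utkarsh. The outcome of that triage survives only for CVE-2022-48564 as the `<not-affected>` line; consider adding NOTE lines in data/CVE/list for the other CVEs pointing at the patches used, so the history is not lost with this entry.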
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits