Sylvain Beucler pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
3723dd23 by Sylvain Beucler at 2025-04-18T20:57:30+02:00
Reserve DLA-4130-1 for shadow
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -158877,7 +158877,6 @@ CVE-2023-4649 (Session Fixation in GitHub repository
instantsoft/icms2 prior to
CVE-2023-4641 (A flaw was found in shadow-utils. When asking for a new
password, shad ...)
- shadow 1:4.13+dfsg1-2 (bug #1051062)
[bookworm] - shadow <no-dsa> (Minor issue)
- [bullseye] - shadow <no-dsa> (Minor issue)
[buster] - shadow <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2215945
NOTE:
https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904
(4.14.0-rc1)
@@ -178993,7 +178992,6 @@ CVE-2014-125094 (A vulnerability classified as
problematic was found in phpMiniA
CVE-2023-29383 (In Shadow 4.13, it is possible to inject control characters
into field ...)
- shadow 1:4.13+dfsg1-2 (bug #1034482)
[bookworm] - shadow <no-dsa> (Minor issue)
- [bullseye] - shadow <no-dsa> (Minor issue)
[buster] - shadow <no-dsa> (Minor issue)
NOTE: https://github.com/shadow-maint/shadow/pull/687
NOTE: Fixed by:
https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d
(4.14.0-rc1)
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[18 Apr 2025] DLA-4130-1 shadow - security update
+ {CVE-2023-4641 CVE-2023-29383}
+ [bullseye] - shadow 1:4.8.1-1+deb11u1
[17 Apr 2025] DLA-4129-1 libapache2-mod-auth-openidc - security update
{CVE-2025-31492}
[bullseye] - libapache2-mod-auth-openidc 2.4.9.4-0+deb11u5
=====================================
data/dla-needed.txt
=====================================
@@ -264,13 +264,6 @@ rubygems (kanashiro)
NOTE: 20250407: CVE-2025-27221 is already fixed in src:rubygems/sid,trixie.
(kanashiro)
NOTE: 20250407: It needs to be fixed in src:ruby3.3 (there are 3 copies of
the uri gem, affected by this CVE). (kanashiro)
--
-shadow (Sylvain Beucler)
- NOTE: 20250105: Added by Front-Desk (apo)
- NOTE: 20250105: shadow is a high-profile package. Upstream discussion for
CVE-2024-56433 is
- NOTE: 20250105: ongoing. I'm adding it to dla-needed.txt to keep it on our
radar.
- NOTE: 20250409: CVE-2024-56433 disputed and stalled, but see postponed
issues (Beuc/front-desk)
- NOTE: 20250418: Upcoming PU:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102139 (Beuc)
---
simplesamlphp
NOTE: 20250331: Added by Front-Desk (apo)
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3723dd23455ecb8629b9274f625ceb98972f353c
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3723dd23455ecb8629b9274f625ceb98972f353c
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
