- Added strongswan to dla-needed. It has been fixed for stable and has a potential for remote arbitrary code execution.
- Added firefox-esr to dla-needed. Already fixed in bullseye.
- Added thunderbird to dla-needed. Same problems as in firefox-esr, which has already been fixed in bullseye.
- Marked the following CVEs as no-dsa following the decision for bullseye:
  - CVE-2022-46337
  - CVE-2023-48161
  - CVE-2023-46445
  - CVE-2023-46446
  - CVE-2016-1243
  - CVE-2016-1244
  - CVE-2023-40030
- Started to sort out whether gimp-dds should be fixed or not. Not that easy to conclude. Will continue.
- Added tinymce to dla-needed.
- Analyzed httpie. It is not clear if there is a vulnerability. When the tool is tested, the verification works. It is not clear from the description what kind of verification is missing. It points to two things:
  - No verification when fetching the package version data for httpie itself. This can be considered minor.
  - Disabled warnings in client.py. The description claims that this disables validation, but validation seems to work fine when tested. This should be investigated further.
- Marked snort CVE-2023-20246 as not-affected for buster since only 3.x versions are affected. This applies to all Debian releases, but I'm letting the regular security team do that work.
- Marked CVE-2023-49208 as not affected for buster.
- Investigated bouncycastle a little. DoS-class vulnerability. The question is whether it is important enough or not; it depends on what the library is used for. Will continue analysis.
- Postponed 5 CVEs for freeimage following decision for bullseye.