[Git][security-tracker-team/security-tracker][master] 5 commits: LTS: mark xen CVEs as EOL
Roberto C. Sánchez
roberto at debian.org
Wed Dec 16 00:02:01 GMT 2020
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2c93185c by Roberto C. Sánchez at 2020-12-15T18:38:07-05:00
LTS: mark xen CVEs as EOL
- - - - -
28e63f24 by Roberto C. Sánchez at 2020-12-15T18:40:28-05:00
LTS: triage firefox-esr and thunderbird for stretch
- - - - -
4f181fb9 by Roberto C. Sánchez at 2020-12-15T18:47:26-05:00
LTS: triage node-ini for stretch
- - - - -
28c9af2f by Roberto C. Sánchez at 2020-12-15T19:00:02-05:00
fix broken link for commit related to CVE-2017-6888/flac
- - - - -
76ae31a5 by Roberto C. Sánchez at 2020-12-15T19:01:38-05:00
LTS: triage flac for stretch
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2529,10 +2529,12 @@ CVE-2020-29572 (app/View/Elements/genericElements/SingleViews/Fields/genericFiel
CVE-2020-29571 (An issue was discovered in Xen through 4.14.x. A bounds check common t ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+ [stretch] - xen <end-of-life> (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-359.html
CVE-2020-29570 (An issue was discovered in Xen through 4.14.x. Recording of the per-vC ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+ [stretch] - xen <end-of-life> (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-358.html
CVE-2020-29569 (An issue was discovered in the Linux kernel through 5.10.1, as used wi ...)
- linux <unfixed>
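Review bot: the new `[stretch] - xen <end-of-life> (DSA 4602-1)` lines for CVE-2020-29571 and CVE-2020-29570 use the tracker's release-annotation form correctly (release tag, package, `<end-of-life>` keyword, free-text reason), and citing the DSA given as the reason lets later readers find the EOL justification without a separate lookup. The adjacent CVE-2020-29569 entry is a Linux kernel issue (`- linux <unfixed>`) and is rightly left out of this xen sweep, but it still carries no stretch annotation and should be picked up in the linux triage.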
@@ -2548,6 +2550,7 @@ CVE-2020-29567 (An issue was discovered in Xen 4.14.x. When moving IRQs between
CVE-2020-29566 (An issue was discovered in Xen through 4.14.x. When they require assis ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+ [stretch] - xen <end-of-life> (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-348.html
CVE-2020-29565 (An issue was discovered in OpenStack Horizon before 15.3.2, 16.x befor ...)
- horizon 3:18.6.1-1 (bug #976872)
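Review bot: the CVE-2020-29566 annotation matches the rest of the sweep. The hunk header context shows CVE-2020-29567 described as affecting "Xen 4.14.x" rather than "through 4.14.x", so that entry may call for `<not-affected>` in stretch instead of `<end-of-life>`; it falls outside the visible lines here, so confirm which annotation it received.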
@@ -2928,34 +2931,42 @@ CVE-2020-29487 (An issue was discovered in Xen XAPI before 2020-12-15. Certain x
CVE-2020-29486 (An issue was discovered in Xen through 4.14.x. Nodes in xenstore have ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+ [stretch] - xen <end-of-life> (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-352.html
CVE-2020-29485 (An issue was discovered in Xen 4.6 through 4.14.x. When acting upon a ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+ [stretch] - xen <end-of-life> (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-330.html
CVE-2020-29484 (An issue was discovered in Xen through 4.14.x. When a Xenstore watch f ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+ [stretch] - xen <end-of-life> (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-324.html
CVE-2020-29483 (An issue was discovered in Xen through 4.14.x. Xenstored and guests co ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+ [stretch] - xen <end-of-life> (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-325.html
CVE-2020-29482 (An issue was discovered in Xen through 4.14.x. A guest may access xens ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+ [stretch] - xen <end-of-life> (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-323.html
CVE-2020-29481 (An issue was discovered in Xen through 4.14.x. Access rights of Xensto ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+ [stretch] - xen <end-of-life> (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-322.html
CVE-2020-29480 (An issue was discovered in Xen through 4.14.x. Neither xenstore implem ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+ [stretch] - xen <end-of-life> (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-115.html
CVE-2020-29479 (An issue was discovered in Xen through 4.14.x. In the Ocaml xenstored ...)
{DSA-4812-1}
- xen 4.14.0+88-g1d1d1f5391-1
+ [stretch] - xen <end-of-life> (DSA 4602-1)
NOTE: https://xenbits.xen.org/xsa/advisory-353.html
CVE-2020-29478
RESERVED
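Review bot: all eight xenstore-related entries (CVE-2020-29486 down to CVE-2020-29479) receive the identical stretch EOL line, which is consistent and easy to audit. Two things to verify: CVE-2020-29485 is stated as "Xen 4.6 through 4.14.x", so stretch's xen is explicitly inside the affected range and EOL is the right call there; and the header-context entry CVE-2020-29487 concerns Xen XAPI, a separate toolstack that the Debian xen source package may not ship, so it should be checked for a `<not-affected>` or similar annotation rather than being swept in with the EOL batch.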
@@ -221269,7 +221280,8 @@ CVE-2017-6888 (An error in the "read_metadata_vorbiscomment_()" function (src/li
[jessie] - flac <no-dsa> (Minor issue)
[wheezy] - flac <no-dsa> (Minor issue)
NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/
- NOTE: https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67
+ NOTE: https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67 (broken link)
+ NOTE: https://android.googlesource.com/platform/external/flac/+/4f47b63e9c971e6391590caf00a0f2a5ed612e67
CVE-2017-6887 (A boundary error within the "parse_tiff_ifd()" function (internal/dcra ...)
{DSA-3950-1 DLA-1057-1}
- libraw 0.18.2-2 (bug #864183)
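Review bot: keeping the dead xiph.org URL with a "(broken link)" marker instead of deleting it preserves the original upstream reference, and the Android mirror points at the same commit hash 4f47b63e9c971e6391590caf00a0f2a5ed612e67, so the two NOTE lines cross-check each other. Since the data/dla-needed.txt change in this same push records that this commit also fixes CVE-2020-0487, consider adding a `NOTE: same fix as CVE-2020-0487` here (or the reverse on the CVE-2020-0487 entry) so the link between the two IDs lives in data/CVE/list and not only in the work queue.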
=====================================
data/dla-needed.txt
=====================================
@@ -52,9 +52,15 @@ f2fs-tools
NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to
NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver)
--
+firefox-esr (Emilio)
+--
firmware-nonfree
NOTE: 20201207: wait for the update in buster and backport that (Emilio)
--
+flac
+ NOTE: 20201215: when preparing fix/advisory note that the same code change fixes both CVE-2020-0487 and CVE-2017-6888 (roberto)
+ NOTE: 20201215: stretch and buster versions are very close; perhaps consider coordinating with security team and helping them by preparing an update for buster (roberto)
+--
golang-websocket
--
imagemagick (Sylvain Beucler)
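Review bot: the new `flac` entry has no claimant in parentheses on its package line, unlike `firefox-esr (Emilio)` a few lines above, so it reads as unclaimed work; if the author of the notes intends to take it, the name belongs on the package line, not only in the NOTE attributions. The first NOTE's point that one change fixes both CVE-2020-0487 and CVE-2017-6888 means the eventual DLA must list both IDs and both data/CVE/list entries should be closed together. The second NOTE's suggestion to prepare the buster update alongside stretch is sensible given the near-identical versions, but the buster upload still goes through the security team, so the outcome of that coordination should be recorded in a dated NOTE.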
@@ -95,6 +101,8 @@ mumble
NOTE: 20200504: discussion going on with team at security.debian.org and mumble maintainer (abhijith)
NOTE: 20200723: https://lists.debian.org/debian-lts/2020/05/msg00008.html (abhijith)
--
+node-ini
+--
open-build-service
NOTE: 20201001: upstream is yet to work on CVE-2020-8021. Pinged them.
NOTE: 20201001: cf: https://bugzilla.suse.com/show_bug.cgi?id=1171649 (utkarsh)
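Review bot: `node-ini` is added with neither a claimant nor a NOTE, while the surrounding entries carry dated NOTE lines naming the CVE being tracked and the reason for the current state; add at least a dated NOTE with the CVE id and the stretch version under consideration so the next person picking it up does not have to re-triage from scratch.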
@@ -177,6 +185,8 @@ sympa (Sylvain Beucler)
NOTE: 20201009: Requested CVE-2020-29668, will fix in stretch (Beuc)
NOTE: 20201012: Prepared stable debdiff with maintainer to sync with LTS, sent to team at s.d.o (Beuc)
--
+thunderbird (Emilio)
+--
tomcat8 (Utkarsh)
--
wireshark
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3ff50092c2cf91a8522d019d66f14dd4343e48da...76ae31a53dbe1e5262686dccb42a84959b262c32
--
You're receiving this email because of your account on salsa.debian.org.