[Git][security-tracker-team/security-tracker][master] 5 commits: Triage CVE-2020-27743 in libpam-tacplus for stretch LTS.

Mon Nov 2 09:44:33 GMT 2020


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
411ccec1 by Chris Lamb at 2020-11-02T09:36:44+00:00
Triage CVE-2020-27743 in libpam-tacplus for stretch LTS.

- - - - -
1ea25d95 by Chris Lamb at 2020-11-02T09:38:13+00:00
data/dla-needed.txt: Correct ordering

- - - - -
750155ac by Chris Lamb at 2020-11-02T09:38:17+00:00
data/dla-needed.txt: Triage pacemaker for stretch LTS (CVE-2020-25654).

- - - - -
261c1111 by Chris Lamb at 2020-11-02T09:40:16+00:00
Triage CVE-2020-27617 in qemu for stretch LTS.

- - - - -
bf2009ba by Chris Lamb at 2020-11-02T09:41:24+00:00
data/dla-needed.txt: Triage webcit for stretch LTS (CVE-2020-27739, CVE-2020-27740, CVE-2020-27741 & CVE-2020-27742).

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -833,6 +833,7 @@ CVE-2020-27744 (An issue was discovered on Western Digital My Cloud NAS devices
 	NOT-FOR-US: Western Digital My Cloud NAS devices
 CVE-2020-27743 (libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAN ...)
 	- libpam-tacplus <unfixed> (bug #973250)
+	[stretch] - libpam-tacplus <not-affected> (support for RAND_pseudo_bytes added later)
 	NOTE: https://github.com/kravietz/pam_tacplus/pull/163
 CVE-2020-27742 (An Insecure Direct Object Reference vulnerability in Citadel WebCit th ...)
 	- webcit <unfixed> (bug #973385)
@@ -1495,6 +1496,7 @@ CVE-2020-27618
 CVE-2020-27617 [net: an assert failure via eth_get_gso_type]
 	RESERVED
 	- qemu <unfixed> (bug #973324)
+	[stretch] - qemu <postponed> (Minor issue, fix along in future DLA)
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg06023.html
 CVE-2020-27616
 	RESERVED


=====================================
data/dla-needed.txt
=====================================
@@ -87,6 +87,8 @@ jupyter-notebook (Abhijith PA)
 lemonldap-ng
   NOTE: 20200910: Released a DLA for CVE-2020-24660 a few days ago, so could defer. (lamby)
 --
+libdatetime-timezone-perl (Adrian Bunk)
+---
 libonig (Markus Koschany)
   NOTE: 20201026: Fix for CVE-2020-26159 is too trivial. Besides that, please consider
   NOTE: 20201026: fixing other errors mentioned in https://github.com/kkos/oniguruma/issues/207
@@ -96,8 +98,6 @@ libonig (Markus Koschany)
 libproxy (Emilio)
   NOTE: 20201026: patch not sanctioned upstream yet (Emilio)
 --
-libdatetime-timezone-perl (Adrian Bunk)
----
 linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
@@ -116,6 +116,8 @@ open-build-service
 opendmarc
   NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten)
 --
+pacemaker
+--
 php-horde-trean
   NOTE: 20200829: Reconsidering CVE-2019-12095 and what has been written in https://bugs.horde.org/ticket/14926 (sunweaver)
   NOTE: 20200829: We may not expect too much activity regarding this by upstream. (sunweaver)
@@ -186,6 +188,8 @@ sympa
   NOTE: 20201007: I won't have time to do more this month (Beuc)
   NOTE: 20201015: See #972189. (lamby)
 --
+webcit
+--
 wireshark (Adrian Bunk)
   NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be great to include
   NOTE: 20201007: those fixes as well! \o/ (utkarsh)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/26bfbfa7eb756663570ed240d5544067609be2b0...bf2009ba5862877ade6e9267e2dfa8b6cbe073e1

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/26bfbfa7eb756663570ed240d5544067609be2b0...bf2009ba5862877ade6e9267e2dfa8b6cbe073e1
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20201102/4f0602fb/attachment-0001.html>
