[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Tue Nov 3 19:59:24 GMT 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a12e5d69 by Moritz Muehlenhoff at 2020-11-03T20:59:06+01:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -364,6 +364,7 @@ CVE-2020-28031 (eramba through c2.8.1 allows HTTP Host header injection with (fo
 	NOT-FOR-US: eramba
 CVE-2020-28030 (In Wireshark 3.2.0 to 3.2.7, the GQUIC dissector could crash. This was ...)
 	- wireshark <unfixed>
+	[buster] - wireshark <postponed> (Minor issue, can be fixed along in next DSA)
 	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/b287e7165e8aa89cde6ae37e7c257c5d87d16b9b
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16887
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-15.html
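Review bot: the `<postponed>` rationale "can be fixed along in next DSA" depends on a later wireshark DSA actually happening; this commit adds only mupdf to data/dsa-needed.txt, so nothing currently schedules that DSA. If that is intentional (wait for a more severe wireshark issue), the entry is fine as written; otherwise consider `<no-dsa>` so the fix can still land via a point release.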
@@ -1146,8 +1147,7 @@ CVE-2020-27745
 CVE-2020-27744 (An issue was discovered on Western Digital My Cloud NAS devices before ...)
 	NOT-FOR-US: Western Digital My Cloud NAS devices
 CVE-2020-27743 (libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAN ...)
-	- libpam-tacplus <unfixed> (bug #973250)
-	[stretch] - libpam-tacplus <not-affected> (support for RAND_pseudo_bytes added later)
+	- libpam-tacplus <not-affected> (Vulnerable code added later)
 	NOTE: https://github.com/kravietz/pam_tacplus/pull/163
 	NOTE: https://github.com/kravietz/pam_tacplus/security/advisories/GHSA-rp3p-jm35-jv76
 CVE-2020-27742 (An Insecure Direct Object Reference vulnerability in Citadel WebCit th ...)
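Review bot: the replacement line drops the `(bug #973250)` reference that was attached to the `<unfixed>` entry, so the tracker no longer links the Debian bug; make sure #973250 is closed or reassigned, otherwise it stays open with no tracker entry pointing at it. Also, the removed stretch line gave the concrete reason ("support for RAND_pseudo_bytes added later") whereas the new one only says "Vulnerable code added later"; keeping the specific reason on the package-wide `<not-affected>` line makes the assessment verifiable later.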
@@ -1168,6 +1168,7 @@ CVE-2020-27735
 	RESERVED
 CVE-2018-21269 (checkpath in OpenRC through 0.42.1 might allow local users to take own ...)
 	- openrc <unfixed> (bug #973245)
+	[buster] - openrc <no-dsa> (Minor issue)
 	NOTE: https://github.com/OpenRC/openrc/issues/201
 	NOTE: http://michael.orlitzky.com/cves/cve-2018-21269.xhtml
 CVE-2020-27734
@@ -1813,6 +1814,7 @@ CVE-2020-27618 [iconv when processing invalid multi-byte input sequences fails t
 CVE-2020-27617 [net: an assert failure via eth_get_gso_type]
 	RESERVED
 	- qemu <unfixed> (bug #973324)
+	[buster] - qemu <postponed> (Fix along in future DSA)
 	[stretch] - qemu <postponed> (Minor issue, fix along in future DLA)
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg06023.html
 CVE-2020-27616 [ati-vga: potential crash via invalid x y parameter values]
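Review bot: the new buster line "(Fix along in future DSA)" omits the severity rationale that the adjacent stretch line carries ("Minor issue, fix along in future DLA"); stating "Minor issue" on the buster entry as well keeps the two suite assessments consistent and makes clear why the fix is being deferred rather than shipped now.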
@@ -6119,6 +6121,7 @@ CVE-2020-25634
 CVE-2020-25633 (A flaw was found in RESTEasy client in all versions of RESTEasy up to  ...)
 	- resteasy <unfixed> (bug #970585)
 	- resteasy3.0 <unfixed>
+	[buster] - resteasy3.0 <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1879042
 CVE-2020-25632
 	RESERVED
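Review bot: `<ignored> (Minor issue)` for resteasy3.0 in buster means the issue will never be fixed in that suite, while every other minor issue triaged in this commit (openrc, junit4) uses `<no-dsa>`, which still allows a point-release fix. Unless the fix is known to be unsuitable for buster (intrusive or ABI-breaking), `<no-dsa>` would be the consistent choice; if `<ignored>` is deliberate, the reason should say why rather than just "Minor issue".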
@@ -27926,6 +27929,7 @@ CVE-2020-15251 (In the Channelmgnt plug-in for Sopel (a Python IRC bot) before v
 CVE-2020-15250 (In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryF ...)
 	{DLA-2426-1}
 	- junit4 4.13.1-1 (bug #972231)
+	[buster] - junit4 <no-dsa> (Minor issue)
 	NOTE: https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp
 	NOTE: https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae
 CVE-2020-15249


=====================================
data/dsa-needed.txt
=====================================
@@ -25,6 +25,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
 --
+mupdf
+--
 netty
 --
 pdns-recursor
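Review bot: the new mupdf entry is unclaimed and carries no note, which matches the neighbouring `netty` entry, but unlike `linux (carnil)` above it gives no hint of which CVE(s) are driving the DSA; a short note naming them would help whoever picks the package up.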



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a12e5d6953fad1bf60da05d606cfc8969bae885e


