[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Wed Nov 18 18:38:17 GMT 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
089d7ba7 by Moritz Muehlenhoff at 2020-11-18T19:38:07+01:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -4210,6 +4210,7 @@ CVE-2020-28169
 	RESERVED
 CVE-2020-28168 (Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) ...)
 	- node-axios <unfixed>
+	[buster] - node-axios <no-dsa> (Minor issue)
 	NOTE: https://github.com/axios/axios/issues/3369
 CVE-2020-28167
 	RESERVED
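Review bot: the new `[buster] - node-axios <no-dsa> (Minor issue)` line records no rationale beyond "Minor issue" for an SSRF in a widely used HTTP client, and the only NOTE is the upstream issue link. Consider adding a NOTE line stating why the issue is rated minor for buster (for example, which configuration or input is needed to reach the affected code path), so that a later stretch triage or point-update decision can reuse the reasoning instead of re-deriving it.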
@@ -5306,6 +5307,7 @@ CVE-2020-27747 (An issue was discovered in Click Studios Passwordstate 8.9 (Buil
 CVE-2020-27746 [X11 forwarding - avoid unsafe use of magic cookie as arg to xauth command]
 	RESERVED
 	- slurm-llnl <unfixed> (bug #974722)
+	[buster] - slurm-llnl <no-dsa> (Minor issue)
 	[stretch] - slurm-llnl <no-dsa> (Minor issue)
 	NOTE: https://www.schedmd.com/news.php?id=240
 	NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2020/000045.html
@@ -5313,6 +5315,7 @@ CVE-2020-27746 [X11 forwarding - avoid unsafe use of magic cookie as arg to xaut
 CVE-2020-27745 [PMIx - fix potential buffer overflows from use of unpackmem()]
 	RESERVED
 	- slurm-llnl <unfixed> (bug #974721)
+	[buster] - slurm-llnl <no-dsa> (Minor issue)
 	[stretch] - slurm-llnl <no-dsa> (Minor issue)
 	NOTE: https://www.schedmd.com/news.php?id=240
 	NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2020/000045.html
@@ -5328,12 +5331,16 @@ CVE-2020-27743 (libtac in pam_tacplus through 1.5.1 lacks a check for a failure
 	NOTE: Fixed by: https://github.com/kravietz/pam_tacplus/commit/bceaab0cd51a09b88f40f19da799ac7390264bf8 (v1.6.1)
 CVE-2020-27742 (An Insecure Direct Object Reference vulnerability in Citadel WebCit th ...)
 	- webcit <unfixed> (bug #973385)
+	[buster] - webcit <ignored> (Minor issue)
 CVE-2020-27741 (Multiple cross-site scripting (XSS) vulnerabilities in Citadel WebCit  ...)
 	- webcit <unfixed> (bug #973385)
+	[buster] - webcit <ignored> (Minor issue)
 CVE-2020-27740 (Citadel WebCit through 926 allows unauthenticated remote attackers to  ...)
 	- webcit <unfixed> (bug #973385)
+	[buster] - webcit <ignored> (Minor issue)
 CVE-2020-27739 (A Weak Session Management vulnerability in Citadel WebCit through 926  ...)
 	- webcit <unfixed> (bug #973385)
+	[buster] - webcit <ignored> (Minor issue)
 CVE-2020-27738
 	RESERVED
 CVE-2020-27737
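Review bot: the four webcit entries use `<ignored>` for buster while every other package in this commit uses `<no-dsa>`, yet all carry the identical "(Minor issue)" justification. `<ignored>` means the issue will not be fixed in buster at all, whereas `<no-dsa>` still leaves room for a point-release fix, so the stronger choice deserves a stated reason, particularly for CVE-2020-27740, whose description mentions unauthenticated remote attackers. A short NOTE on the rationale, or a pointer to the discussion in the shared bug #973385, would make the distinction auditable.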
@@ -10178,6 +10185,7 @@ CVE-2020-25713 [Out of bounds read leads to segfault in raptor_xml_writer_start_
 	RESERVED
 	- raptor <removed>
 	- raptor2 <unfixed> (bug #974664)
+	[buster] - raptor2 <no-dsa> (Minor issue)
 	NOTE: https://bugs.librdf.org/mantis/view.php?id=650
 CVE-2020-25712
 	RESERVED
@@ -10193,10 +10201,12 @@ CVE-2020-25708 [libvncserver/rfbserver.c has a divide by zero which could result
 CVE-2020-25707 [infinite loop in e1000e_write_packet_to_guest() in hw/net/e1000e_core.c]
 	RESERVED
 	- qemu <unfixed> (bug #974687)
+	[buster] - qemu <postponed> (Fix along in future DSA)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1893895
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg03552.html
 CVE-2020-25706 (A cross-site scripting (XSS) vulnerability exists in templates_import. ...)
 	- cacti 1.2.14+ds1-1
+	[buster] - cacti <no-dsa> (Minor issue)
 	[stretch] - cacti <no-dsa> (Minor issue)
 	NOTE: https://github.com/Cacti/cacti/issues/3723
 	NOTE: https://github.com/Cacti/cacti/commit/39458efcd5286d50e6b7f905fedcdc1059354e6e
@@ -29990,6 +30000,7 @@ CVE-2020-16126 (An Ubuntu-specific modification to AccountsService in versions b
 CVE-2020-16125 (gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup  ...)
 	{DLA-2434-1}
 	- gdm3 3.38.2-1
+	[buster] - gdm3 <no-dsa> (Minor issue on Debian)
 	NOTE: https://github.com/GNOME/gdm/commit/dc8235128c3a1fcd5da8f30ab6839d413d353f28
 	NOTE: https://gitlab.gnome.org/GNOME/gdm/-/issues/642
 CVE-2020-16124 (Integer Overflow or Wraparound vulnerability in the XML RPC library of ...)
@@ -34719,6 +34730,7 @@ CVE-2020-14383 [An authenticated user can crash the DCE/RPC DNS with easily craf
 	RESERVED
 	[experimental] - samba 2:4.13.2+dfsg-1
 	- samba <unfixed> (bug #973398)
+	[buster] - samba <no-dsa> (Minor issue)
 	NOTE: https://www.samba.org/samba/security/CVE-2020-14383.html
 	NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14472
 CVE-2020-14382 (A vulnerability was found in upstream release cryptsetup-2.2.0 where,  ...)
@@ -34991,6 +35003,7 @@ CVE-2020-14324 (A high severity vulnerability was found in all active versions o
 CVE-2020-14323 (A null pointer dereference flaw was found in samba's Winbind service i ...)
 	[experimental] - samba 2:4.13.2+dfsg-1
 	- samba <unfixed> (bug #973399)
+	[buster] - samba <no-dsa> (Minor issue)
 	NOTE: https://www.samba.org/samba/security/CVE-2020-14323.html
 	NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14436
 CVE-2020-14322
@@ -35005,6 +35018,7 @@ CVE-2020-14318 [Missing handle permissions check in SMB1/2/3 ChangeNotify]
 	RESERVED
 	[experimental] - samba 2:4.13.2+dfsg-1
 	- samba <unfixed> (bug #973400)
+	[buster] - samba <no-dsa> (Minor issue)
 	NOTE: https://www.samba.org/samba/security/CVE-2020-14318.html
 	NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14434
 CVE-2020-14317
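Review bot: the three samba entries (CVE-2020-14383, CVE-2020-14323, CVE-2020-14318) are each marked `<no-dsa> (Minor issue)` for buster while the unstable fix is still `<unfixed>` with open bugs #973398, #973399 and #973400 and only the experimental 2:4.13.2+dfsg-1 contains it. Consider adding one NOTE saying that buster is expected to pick the fixes up through a point release once the unstable upload lands, so the no-dsa marking is not read as a decision to leave buster unfixed.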


=====================================
data/dsa-needed.txt
=====================================
@@ -21,6 +21,8 @@ firefox-esr (jmm)
 knot-resolver
   Santiago Ruano Rincón proposed a debdiff for review
 --
+krb5 (jmm)
+--
 libproxy
 --
 linux (carnil)
@@ -33,6 +35,8 @@ netty
 --
 pdns-recursor
 --
+salt
+--
 thunderbird (jmm)
 --
 xcftools
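Review bot: `salt` is added to dsa-needed.txt without an assignee, unlike `krb5 (jmm)` in the previous hunk, and without a status line such as the one under knot-resolver. Leaving it unclaimed is fine if nobody has picked it up yet, but a one-line note on what triggered the entry (which CVE or pending update) would help whoever takes it next.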



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/089d7ba7e1b12c290ab2b7b83e381feefa569c89




