[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Tue Sep 22 19:03:02 BST 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4c7ffafe by Moritz Muehlenhoff at 2020-09-22T20:02:29+02:00
buster triage
older ntp issue also fixed in sid

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2640,6 +2640,7 @@ CVE-2020-24585 (An issue was discovered in the DTLS handshake implementation in
 	NOTE: https://github.com/wolfSSL/wolfssl/commit/3be7f3ea3a56d178acf0f7f84ee4ae8cbfee8915 (v4.5.0-stable)
 CVE-2020-24584 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10 ...)
 	- python-django 2:2.2.16-1 (bug #969367)
+	[buster] - python-django <postponed> (Fix along in future DSA)
 	[stretch] - python-django <not-affected> (Requires Python 3.7+)
 	NOTE: https://github.com/django/django/commit/1853724acaf17ed7414d54c7d2b5563a25025a71 (master)
 	NOTE: https://github.com/django/django/commit/2b099caa5923afa8cfb5f1e8c0d56b6e0e81915b (3.1.1)
@@ -2647,6 +2648,7 @@ CVE-2020-24584 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 before
 	NOTE: https://github.com/django/django/commit/a3aebfdc8153dc230686b6d2454ccd32ed4c9e6f (2.2.16)
 CVE-2020-24583 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10 ...)
 	- python-django 2:2.2.16-1 (bug #969367)
+	[buster] - python-django <postponed> (Fix along in future DSA)
 	[stretch] - python-django <not-affected> (Requires Python 3.7+)
 	NOTE: https://github.com/django/django/commit/8d7271578d7b153435b40fe40236ebec43cbf1b9 (master)
 	NOTE: https://github.com/django/django/commit/934430d22aa5d90c2ba33495ff69a6a1d997d584 (3.1.1)
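Review bot: the same `[buster] - python-django <postponed> (Fix along in future DSA)` line is added for CVE-2020-24583 as for CVE-2020-24584 directly above; both issues are closed by the same unstable upload (2:2.2.16-1, bug #969367), so they must be handled together when that buster DSA is prepared, and the rationale would be more useful if it named what the fix is to go along with (the pending python-django DSA) rather than the generic "future DSA", so that whoever picks up the DSA sees both entries as part of the same update.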
@@ -3201,23 +3203,23 @@ CVE-2020-24334
 CVE-2020-24333
 	RESERVED
 CVE-2020-24332 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...)
-	- trousers <unfixed>
-	[stretch] - trousers <ignored> (tss service gets started as non-root user via init script)
+	- trousers <unfixed> (unimportant)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472
 	NOTE: https://sourceforge.net/p/trousers/mailman/message/37015817/
 	NOTE: https://www.openwall.com/lists/oss-security/2020/08/14/1
+	NOTE: In Debian, tcsd gets started under the tss user
 CVE-2020-24331 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...)
-	- trousers <unfixed>
-	[stretch] - trousers <ignored> (tss service gets started as non-root user via init script)
+	- trousers <unfixed> (unimportant)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472
 	NOTE: https://sourceforge.net/p/trousers/mailman/message/37015817/
 	NOTE: https://www.openwall.com/lists/oss-security/2020/08/14/1
+	NOTE: In Debian, tcsd gets started under the tss user
 CVE-2020-24330 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...)
-	- trousers <unfixed>
-	[stretch] - trousers <ignored> (tss service gets started as non-root user via init script)
+	- trousers <unfixed> (unimportant)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472
 	NOTE: https://sourceforge.net/p/trousers/mailman/message/37015817/
 	NOTE: https://www.openwall.com/lists/oss-security/2020/08/14/1
+	NOTE: In Debian, tcsd gets started under the tss user
 CVE-2020-24329
 	RESERVED
 CVE-2020-24328
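Review bot: the new `NOTE: In Debian, tcsd gets started under the tss user` drops the mechanism the removed `[stretch]` line recorded ("via init script"). Since the (unimportant) rating on all three trousers entries rests entirely on tcsd not running as root, the NOTE should state how the privilege drop is enforced and that it holds for every way the daemon can be started, e.g. `NOTE: In Debian, tcsd gets started under the tss user by the init script`, so that a later packaging change that starts tcsd as root is caught on re-triage. Folding the per-release `<ignored>` into a severity on the unstable line is fine, as the rating then applies to all suites.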
@@ -19731,6 +19733,7 @@ CVE-2020-16151
 	RESERVED
 CVE-2020-16150 (A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/s ...)
 	- mbedtls <unfixed>
+	[buster] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1
 CVE-2020-16149
 	REJECTED
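Review bot: `[buster] - mbedtls <no-dsa> (Minor issue)` is added while the unstable line stays `<unfixed>` with neither a bug reference nor the upstream fix noted beyond the advisory link; for a timing side channel in mbedtls_ssl_decrypt_buf the one-word rationale does not record why it is minor for buster (for example, what an attacker would need to exploit the timing difference), and the entry should gain the fixed unstable version once the advisory's release is uploaded so that the buster no-dsa is not the only tracking state.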
@@ -42775,6 +42778,7 @@ CVE-2020-7712 (This affects the package json before 10.0.0. It is possible to in
 	NOT-FOR-US: Node json
 CVE-2020-7711 (This affects all versions of package github.com/russellhaering/goxmlds ...)
 	- golang-github-russellhaering-goxmldsig <unfixed> (bug #968928)
+	[buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue)
 	NOTE: https://github.com/russellhaering/goxmldsig/issues/48
 CVE-2020-7710 (This affects all versions of package safe-eval. It is possible for an  ...)
 	NOT-FOR-US: Node safe-eval
@@ -147592,8 +147596,8 @@ CVE-2018-8958
 CVE-2018-8957 (CoverCMS v1.1.6 has XSS via the fourth input box to index.php, related ...)
 	NOT-FOR-US: CoverCMS
 CVE-2018-8956 (ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allow remote att ...)
-	- ntp <unfixed> (low)
-	[buster] - ntp <no-dsa> (Minor issue)
+	- ntp 1:4.2.8p14+dfsg-1 (low)
+	[buster] - ntp <ignored> (Minor issue)
 	[stretch] - ntp <no-dsa> (Minor issue)
 	[jessie] - ntp <postponed> (Minor issue, requires being part of same broadcast network, no patch)
 	- ntpsec <not-affected> (Broadcast mode not present, see #961748)
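Review bot: the buster line changes from `<no-dsa>` to `<ignored>` while keeping the same rationale "Minor issue", but the two tags mean different things: `<no-dsa>` leaves a fix via a point release possible, `<ignored>` records that buster will never get one. The commit message only explains the other change ("older ntp issue also fixed in sid", hence `- ntp 1:4.2.8p14+dfsg-1 (low)`). Either the buster rationale should say why it is now ignored (the jessie line already gives a usable reason: "requires being part of same broadcast network, no patch") or the line should stay `<no-dsa>` like the stretch line so both supported suites are tracked consistently.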


=====================================
data/dsa-needed.txt
=====================================
@@ -11,22 +11,34 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source package.
 
+--
+ansible
 --
 chromium
 --
 curl (ghedo)
 --
+firefox-esr (jmm)
+--
 knot-resolver
   Santiago Ruano Rincón proposed a debdiff for review
 --
 linux (carnil)
   Wait until more issues have piled up
 --
+netty
+--
 python-flask-cors
 --
 rails (jmm)
   Sylvain Beucler proposed to help for the update, remaining CVEs to be done
 --
+samba
+--
+thunderbird (jmm)
+--
 xcftools
   Hugo proposed to work on this update
 --
+xen (jmm)
+--



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c7ffafe1f6ac0a64bb2d498068a05fd78f3cf71
