[Git][security-tracker-team/security-tracker][master] 3 commits: Claim libxstream-java in dla-needed.txt
Markus Koschany
apo at debian.org
Sat Apr 3 18:38:12 BST 2021
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f66a5967 by Markus Koschany at 2021-04-03T19:29:25+02:00
Claim libxstream-java in dla-needed.txt
- - - - -
bd187864 by Markus Koschany at 2021-04-03T19:29:48+02:00
Remove netty from dla-needed.txt
- - - - -
2d129cf0 by Markus Koschany at 2021-04-03T19:32:42+02:00
CVE-2021-21295,CVE-2021-21409,netty: Mark as ignored for Stretch
The fix for both CVEs requires a backport of the new HTTP2 API. There have been
major changes between the current version in Stretch 4.1.7 and the most recent
release 4.1.60. Since the logic changed and the API is marked as "unstable" in
certain places, a backport poses a significant risk to break any project that
still relies on the old logic. In contrast, the security risk is low. Hence
these issues are ignored in Stretch.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -20896,6 +20896,7 @@ CVE-2021-21410
RESERVED
CVE-2021-21409 (Netty is an open-source, asynchronous event-driven network application ...)
- netty 1:4.1.48-4 (bug #986217)
+ [stretch] - netty <ignored> (Minor issue, fix requires major changes of HTTP2 module)
NOTE: Fixed by: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
NOTE: https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
NOTE: Is a followup to: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
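Review bot: the reason string on the new `[stretch]` line ("Minor issue, fix requires major changes of HTTP2 module") records only the conclusion, while the actual justification (the fix needs the reworked HTTP/2 API from 4.1.60, parts of which are marked unstable, against a low security impact) lives only in the commit message. Since data/CVE/list is what the tracker and triagers read, consider carrying the key facts into the annotation, e.g. `[stretch] - netty <ignored> (Minor issue; fix needs backport of the reworked HTTP2 API from 4.1.60, too intrusive for 4.1.7)`. The existing NOTE lines show this CVE is a follow-up to GHSA-wm47-8v5p-wjpj (CVE-2021-21295), so if either stretch decision is ever revisited both entries need to change together.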
@@ -21172,6 +21173,7 @@ CVE-2021-21296 (Fleet is an open source osquery manager. In Fleet before version
NOT-FOR-US: Fleet
CVE-2021-21295 (Netty is an open-source, asynchronous event-driven network application ...)
- netty 1:4.1.48-3 (bug #984948)
+ [stretch] - netty <ignored> (Minor issue, fix requires major changes of HTTP2 module)
NOTE: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
NOTE: https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
CVE-2021-21294 (Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface f ...)
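Review bot: the added `[stretch]` line matches the one on the CVE-2021-21409 entry, which is right since the two issues share one upstream fix series. A style nit in the surrounding context: this entry's commit reference reads `NOTE: https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4` without the `Fixed by:` prefix used on the CVE-2021-21409 entry, so a reader cannot tell at a glance whether the commit is the fix or merely related; prefixing it the same way keeps the two entries consistent.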
=====================================
data/dla-needed.txt
=====================================
@@ -68,14 +68,12 @@ libebml (Thorsten Alteholz)
NOTE: 20210307: testing package
NOTE: 20210321: preparing buster debdiff as well
--
-libxstream-java
+libxstream-java (Markus Koschany)
--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
-netty (Markus Koschany)
---
opendmarc
NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten)
NOTE: 20201217: patch for CVE-2020-12460 has become available (roberto)
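Review bot: the libxstream-java claim is added without a dated `NOTE: YYYYMMDD:` line, whereas the neighbouring entries (libebml, opendmarc) log status with such lines; a short dated note on the claim makes later triage easier. On ordering: the netty entry is dropped here in bd187864 (19:29:48) before the `<ignored>` annotation lands in data/CVE/list in 2d129cf0 (19:32:42), so for that window netty is neither listed as needed nor marked as handled for stretch. Annotating first and removing from dla-needed.txt afterwards (or doing both in one commit) avoids that gap.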
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4734874bc96bc87d1e2ccee0307e5e8238b276e6...2d129cf084b92bb17a5785e0712cc8cd1880ecc6