[Git][security-tracker-team/security-tracker][master] 4 commits: Triage python-bleach for stretch
Utkarsh Gupta
utkarsh at debian.org
Mon Apr 5 01:35:27 BST 2021
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9492244e by Utkarsh Gupta at 2021-04-05T05:59:43+05:30
Triage python-bleach for stretch
- - - - -
5dfe3191 by Utkarsh Gupta at 2021-04-05T06:00:23+05:30
Mark CVE-2021-XXXX/plinth as no-dsa for stretch
- - - - -
621a79ca by Utkarsh Gupta at 2021-04-05T06:01:30+05:30
Mark CVE-2021-29424/libnet-netmask-perl as no-dsa for stretch
- - - - -
4773d226 by Utkarsh Gupta at 2021-04-05T06:04:58+05:30
Mark several openexr issues as no-dsa; follow buster triage
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1037,18 +1037,21 @@ CVE-2021-3480
CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in versions bef ...)
- openexr <unfixed>
[buster] - openexr <no-dsa> (Minor issue)
+ [stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830
CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in versi ...)
- openexr <unfixed>
[buster] - openexr <no-dsa> (Minor issue)
+ [stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939160
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a
CVE-2021-3477 (There's a flaw in OpenEXR's deep tile sample size calculations in vers ...)
- openexr <unfixed>
[buster] - openexr <no-dsa> (Minor issue)
+ [stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26956
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939159
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1
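Review bot: The three added `[stretch]` lines for CVE-2021-3479, CVE-2021-3478 and CVE-2021-3477 copy buster's `(Minor issue)` reason verbatim, and nothing in the hunk records that the affected code was checked against the openexr version in stretch. All three stay `<unfixed>` with upstream fix commits already listed, so a NOTE saying whether those commits apply to stretch's source (or `<not-affected>` where the code is absent) would make the decision auditable later.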
@@ -1497,11 +1500,13 @@ CVE-2021-29425
CVE-2021-3476 (A flaw was found in OpenEXR's B44 uncompression functionality in versi ...)
- openexr <unfixed>
[buster] - openexr <no-dsa> (Minor issue)
+ [stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24787
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9
CVE-2021-3475 (There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker ...)
- openexr <unfixed>
[buster] - openexr <no-dsa> (Minor issue)
+ [stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25297
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753
CVE-2021-3474 (There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted inp ...)
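Review bot: CVE-2021-3474, the last context line of this hunk, gets no `[stretch]` line in any hunk shown here, while its neighbours CVE-2021-3476 and CVE-2021-3475 do. If it is being left open for a DLA that is fine, but the commit message says only "several openexr issues", so please confirm the omission is intentional.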
@@ -1515,6 +1520,7 @@ CVE-2021-29662 (The Data::Validate::IP module through 0.29 for Perl does not pro
CVE-2021-29424 (The Net::Netmask module before 2.0000 for Perl does not properly consi ...)
- libnet-netmask-perl <unfixed> (bug #986135)
[buster] - libnet-netmask-perl <no-dsa> (Minor issue)
+ [stretch] - libnet-netmask-perl <no-dsa> (Minor issue)
NOTE: https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
NOTE: https://metacpan.org/changes/distribution/Net-Netmask#L11-22
NOTE: https://github.com/jmaslak/Net-Netmask/commit/9023b403682f1eaadadf6cb71ba0117a1fa4f163
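Review bot: The added `[stretch]` line for libnet-netmask-perl gives only `(Minor issue)`, which does not say what makes the issue minor for this release. The entry already links the upstream fix commit and bug #986135; a reason that names the actual basis for no-dsa would help anyone revisiting the decision.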
@@ -1836,6 +1842,7 @@ CVE-2021-XXXX [first_boot: Use session to verify first boot welcome step]
- freedombox 21.4.2
- plinth <removed>
[buster] - plinth <no-dsa> (Minor issue)
+ [stretch] - plinth <no-dsa> (Minor issue)
NOTE: https://salsa.debian.org/freedombox-team/freedombox/-/issues/2074 (not yet public)
NOTE: https://salsa.debian.org/freedombox-team/freedombox/-/commit/f2005f56aa44d15c0fb82c5211c548a575961b03
CVE-2021-29273
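Review bot: The `[stretch] - plinth <no-dsa> (Minor issue)` line is hard to audit, because the entry has no assigned CVE ID (CVE-2021-XXXX) and its issue link is marked "not yet public", leaving the fix commit as the only public evidence. Since the title concerns verification of the first boot welcome step, the no-dsa reason should state why that is minor for stretch instead of reusing the buster text.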
@@ -23596,6 +23603,7 @@ CVE-2021-20297 [Setting match.path and activating a profiles crashes NetworkMana
CVE-2021-20296 (A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted i ...)
- openexr <unfixed>
[buster] - openexr <no-dsa> (Minor issue)
+ [stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24854
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/b0c63c0b96eb9b0d3998f603e12f9f414fb0d44a
CVE-2021-20295 [Regression of CVE-2020-10756 fix in virt:rhel/qemu-kvm in Red Hat Enterprise Linux 8.3]
=====================================
data/dla-needed.txt
=====================================
@@ -98,6 +98,8 @@ python3.5 (Anton Gladky)
NOTE: 20210320: https://salsa.debian.org/lts-team/packages/python3.5 (gladk)
NOTE: 20210404: Almost ready for upload (gladk)
--
+python-bleach
+--
qemu (Markus Koschany)
--
ruby-actionpack-page-caching
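Review bot: The new `python-bleach` entry in data/dla-needed.txt has no NOTE and names no CVE, and no hunk in data/CVE/list touches python-bleach in this push, so whoever claims the package cannot tell from the file what needs fixing. Add a NOTE line, as the python3.5 entry above does, naming the issue that prompted the triage.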
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0d426f85caaad5728761ad3fc1d65f965cccba26...4773d22653505bc704be78b018c2070ca7d12952