[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff
jmm at debian.org
Tue Apr 6 18:31:43 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
cfb4f210 by Moritz Muehlenhoff at 2021-04-06T19:31:23+02:00
buster triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -439,6 +439,7 @@ CVE-2021-30002 (An issue was discovered in the Linux kernel before 5.11.3 when a
CVE-2021-3482 [heap-based buffer overflow in Jp2Image::readMetadata() in jp2image.cpp]
RESERVED
- exiv2 <unfixed>
+ [buster] - exiv2 <no-dsa> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/1522
CVE-2021-3481 [Out of bounds read in function QRadialFetchSimd from crafted svg file]
RESERVED
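Review bot: the added `[buster] - exiv2 <no-dsa> (Minor issue)` line carries no rationale, while the entry title describes a heap-based buffer overflow in Jp2Image::readMetadata(). A short NOTE stating why this is considered minor for buster would let later triagers follow the decision without re-reading upstream issue 1522.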
@@ -1962,6 +1963,7 @@ CVE-2021-3469
CVE-2021-3468 [Local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket]
RESERVED
- avahi <unfixed> (bug #984938)
+ [buster] - avahi <no-dsa> (Minor issue)
NOTE: https://github.com/lathiat/avahi/pull/330
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939614#c3
CVE-2021-29262
@@ -15661,6 +15663,7 @@ CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0
- python3.5 <removed>
- python2.7 <unfixed>
[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
+ [buster] - python2.7 <no-dsa> (Minor issue)
- pypy3 7.3.3+dfsg-3
[buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://github.com/python/cpython/pull/24297
@@ -20130,6 +20133,7 @@ CVE-2020-35922 (An issue was discovered in the mio crate before 0.7.6 for Rust.
TODO: check
CVE-2020-35920 (An issue was discovered in the socket2 crate before 0.3.16 for Rust. I ...)
- rust-socket2 0.3.19-1
+ [buster] - rust-socket2 <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0079.html
NOTE: https://github.com/rust-lang/socket2-rs/issues/119
CVE-2020-35918 (An issue was discovered in the branca crate before 0.10.0 for Rust. De ...)
@@ -23649,8 +23653,9 @@ CVE-2021-20310
CVE-2021-20309
RESERVED
CVE-2021-20308 (Integer overflow in the htmldoc 1.9.11 and before may allow attackers ...)
- - htmldoc <unfixed>
+ - htmldoc <unfixed> (unimportant)
NOTE: https://github.com/michaelrsweet/htmldoc/issues/423
+ NOTE: Crash in CLI tool, no security impact
CVE-2021-20307 (Format string vulnerability in panoFileOutputNamesCreate() in libpano1 ...)
- libpano13 2.9.20~rc3+dfsg-1 (bug #985249)
[buster] - libpano13 2.9.19+dfsg-3+deb10u1
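Review bot: the new NOTE "Crash in CLI tool, no security impact" is a useful rationale for `(unimportant)`, but the CVE description on the context line speaks of an integer overflow that "may allow attackers ...". Consider saying in the NOTE how the overflow was determined to end only in a crash, so the downgrade can be checked against upstream issue 423.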
@@ -23659,6 +23664,7 @@ CVE-2021-20306
RESERVED
CVE-2021-20305 (A flaw was found in Nettle in versions before 3.7.2, where several Net ...)
- nettle 3.7.2-1 (bug #985652)
+ [buster] - nettle <no-dsa> (Minor issue)
NOTE: https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009457.html
NOTE: New functions ecc_mod_mul_canonical and ecc_mod_sqr_canonical:
NOTE: https://git.lysator.liu.se/nettle/nettle/-/commit/a63893791280d441c713293491da97c79c0950fe
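Review bot: `[buster] - nettle <no-dsa> (Minor issue)` has no supporting NOTE, and the existing NOTEs show that the upstream fix introduces new functions (ecc_mod_mul_canonical, ecc_mod_sqr_canonical) rather than a small local change. Suggest adding a NOTE that records why the flaw is minor for buster and whether a backport through a point release is intended.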
@@ -23932,11 +23938,12 @@ CVE-2021-20244 (A flaw was found in ImageMagick in MagickCore/visual-effects.c.
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/329dd528ab79531d884c0ba131e97d43f872ab5d
NOTE: In IM6 the code seems to be in magick/fx.c
CVE-2021-20243 (A flaw was found in ImageMagick in MagickCore/resize.c. An attacker wh ...)
- - imagemagick <undetermined>
+ - imagemagick <unfixed>
+ [bullseye] - imagemagick <ignored> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/pull/3193
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/9751bd619872c8e58609fbed56c4827afa083b40
- TODO: check
+ NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/53cb91b3e7bf95d0e372cbc745e0055ac6054745 (resize.c hunk)
CVE-2021-20242
REJECTED
CVE-2021-20241 (A flaw was found in ImageMagick in coders/jp2.c. An attacker who submi ...)
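Review bot: on the added `[bullseye] - imagemagick <ignored> (Minor issue)` line, the same hunk records the ImageMagick6 fix commit and drops `TODO: check`, so a fix is now identified. If the intent is only to skip an advisory, `<no-dsa>` would match the other entries touched in this commit; if `<ignored>` is meant (as on the existing buster line), a NOTE with the reason would help.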
@@ -40200,6 +40207,7 @@ CVE-2020-25694 (A flaw was found in PostgreSQL versions before 13.1, before 12.5
CVE-2020-25693 (A flaw was found in CImg in versions prior to 2.9.3. Integer overflows ...)
{DLA-2462-1}
- cimg 2.9.4+dfsg-2 (bug #973770)
+ [buster] - cimg <no-dsa> (Minor issue)
NOTE: https://github.com/dtschump/CImg/pull/295
NOTE: https://bugs.launchpad.net/ubuntu/+source/cimg/+bug/1900983
NOTE: Fixed by: https://github.com/dtschump/CImg/commit/4f184f89f9ab6785a6c90fd238dbaa6d901d3505
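Review bot: the entry already carries {DLA-2462-1}, so with `[buster] - cimg <no-dsa> (Minor issue)` a release covered by the DLA has a fix while buster does not. A NOTE or follow-up for a buster point-release update, using the "Fixed by" commit already listed, would keep the two from diverging.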
@@ -70559,6 +70567,7 @@ CVE-2020-12365 (Untrusted pointer dereference in some Intel(R) Graphics Drivers
CVE-2020-12364 (Null pointer reference in some Intel(R) Graphics Drivers for Windows* ...)
- linux <unfixed>
- firmware-nonfree 20210208-1
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: Short of details: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
NOTE: Per Intel, this was fixed by a firmware update. v49.0.1 of the
NOTE: firmware is required. The new firmware requires a kernel patch
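Review bot: `(Non-free not supported)` covers the firmware-nonfree side, but the context NOTE says the new firmware requires a kernel patch and `- linux <unfixed>` has no buster line. Consider recording the buster status for linux on this entry as well; the same applies to the CVE-2020-12363 and CVE-2020-12362 entries in the next two hunks.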
@@ -70567,6 +70576,7 @@ CVE-2020-12364 (Null pointer reference in some Intel(R) Graphics Drivers for Win
CVE-2020-12363 (Improper input validation in some Intel(R) Graphics Drivers for Window ...)
- linux <unfixed>
- firmware-nonfree 20210208-1
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: Short of details: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
NOTE: Per Intel, this was fixed by a firmware update. v49.0.1 of the
NOTE: firmware is required. The new firmware requires a kernel patch
@@ -70575,6 +70585,7 @@ CVE-2020-12363 (Improper input validation in some Intel(R) Graphics Drivers for
CVE-2020-12362 (Integer overflow in the firmware for some Intel(R) Graphics Drivers fo ...)
- linux <unfixed>
- firmware-nonfree 20210208-1
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: Short of details: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00438.html
NOTE: Per Intel, this was fixed by a firmware update. v49.0.1 of the
NOTE: firmware is required. The new firmware requires a kernel patch
=====================================
data/dsa-needed.txt
=====================================
@@ -25,6 +25,8 @@ linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more recent v4.19.y versions.
--
+netty9
+--
python-bleach
--
python-pysaml2 (jmm)
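Review bot: `netty9` is added with no assignee and no comment, and none of the data/CVE/list hunks in this commit touches an entry for that package. Please confirm the source package name and consider adding a line under it naming the issues that prompted the DSA, as the linux entry above does with its remark.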
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfb4f210fec4c71a5d80b21d6a014d8cf77b270a