[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Wed Apr 7 18:43:51 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e96acccb by Moritz Muehlenhoff at 2021-04-07T19:43:28+02:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -410,6 +410,7 @@ CVE-2021-30005
 	RESERVED
 CVE-2021-30004 (In wpa_supplicant and hostapd 2.9, forging attacks may occur because A ...)
 	- wpa <unfixed>
+	[buster] - wpa <no-dsa> (Minor issue)
 	NOTE: https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15
 CVE-2021-30003 (An issue was discovered on Nokia G-120W-F 3FE46606AGAB91 devices. Ther ...)
 	NOT-FOR-US: Nokia G-120W-F 3FE46606AGAB91 devices
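Review bot: the added `[buster] - wpa <no-dsa> (Minor issue)` line qualifies an entry whose unstable state is still `<unfixed>` and which, unlike the pikepdf (`bug #986274`) and kopanocore (`bug #986272`) entries in this same patch, carries no `(bug #...)` reference; the tika entry for CVE-2021-28657 in this patch has the same gap. Marking a suite no-dsa while nothing tracks the unstable package makes it easy for the issue to drop off the radar once triage moves on, so consider filing a bug and recording its number on the `- wpa <unfixed>` line. Since the NOTE only points at an upstream commit, recording the upstream release that contains it would also help whoever later prepares a backport.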
@@ -1711,6 +1712,7 @@ CVE-2021-29422
 	RESERVED
 CVE-2021-29421 (models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Pyth ...)
 	- pikepdf <unfixed> (bug #986274)
+	[buster] - pikepdf <no-dsa> (Minor issue)
 	NOTE: https://github.com/pikepdf/pikepdf/commit/3f38f73218e5e782fe411ccbb3b44a793c0b343a (v2.10.0)
 CVE-2021-29420
 	RESERVED
@@ -2333,6 +2335,7 @@ CVE-2021-29137
 	RESERVED
 CVE-2021-29136 (Open Container Initiative umoci before 0.4.7 allows attackers to overw ...)
 	- umoci 0.4.7+ds-1
+	[buster] - umoci <no-dsa> (Minor issue)
 	NOTE: https://github.com/opencontainers/umoci/security/advisories/GHSA-9m95-8hx6-7p9v
 	NOTE: https://github.com/opencontainers/umoci/commit/d9efc31daf2206f7d3fdb839863cf7a576a2eb57 (v0.4.7)
 CVE-2021-29135
@@ -2636,6 +2639,7 @@ CVE-2021-28995
 	RESERVED
 CVE-2021-28994 (kopano-ical (formerly zarafa-ical) in Kopano Groupware Core through 8. ...)
 	- kopanocore <unfixed> (bug #986272)
+	[buster] - kopanocore <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/03/19/6
 CVE-2021-28993
 	RESERVED
@@ -3383,6 +3387,7 @@ CVE-2021-28658 (In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3
 	NOTE: https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2 (2.2.20)
 CVE-2021-28657 (A carefully crafted or corrupt file may trigger an infinite loop in Ti ...)
 	- tika <unfixed>
+	[buster] - tika <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/03/30/3
 CVE-2021-28656
 	RESERVED
@@ -9053,10 +9058,12 @@ CVE-2021-3309 (packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can proce
 	NOT-FOR-US: Wekan
 CVE-2021-26272 (It was possible to execute a ReDoS-type attack inside CKEditor 4 befor ...)
 	- ckeditor 4.16.0+dfsg-1 (bug #982587)
+	[buster] - ckeditor <no-dsa> (Minor issue)
 	[stretch] - ckeditor <postponed> (Fix along next DLA)
 	NOTE: https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
 CVE-2021-26271 (It was possible to execute a ReDoS-type attack inside CKEditor 4 befor ...)
 	- ckeditor 4.16.0+dfsg-1 (bug #982587)
+	[buster] - ckeditor <no-dsa> (Minor issue)
 	[stretch] - ckeditor <postponed> (Fix along next DLA)
 	NOTE: https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
 CVE-2021-26270
@@ -9402,10 +9409,12 @@ CVE-2021-26121
 CVE-2021-26120 (Smarty before 3.1.39 allows code injection via an unexpected function  ...)
 	{DLA-2618-1}
 	- smarty3 3.1.39-1
+	[buster] - smarty3 <no-dsa> (Minor issue)
 	NOTE: https://github.com/smarty-php/smarty/commit/4f634c0097ab4a8b2adc2a97caacd1676e88f9c8
 CVE-2021-26119 (Smarty before 3.1.39 allows a Sandbox Escape because $smarty.template_ ...)
 	{DLA-2618-1}
 	- smarty3 3.1.39-1
+	[buster] - smarty3 <no-dsa> (Minor issue)
 	NOTE: https://github.com/smarty-php/smarty/commit/c9272058d972045dda9c99c64a82acb21c93c6ad
 CVE-2021-26118 (While investigating ARTEMIS-2964 it was found that the creation of adv ...)
 	NOT-FOR-US: Apache ActiveMQ Artemis
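Review bot: both Smarty entries already carry `{DLA-2618-1}`, i.e. stretch received a dedicated security update for the code injection (CVE-2021-26120) and sandbox escape (CVE-2021-26119), yet buster is now tagged `<no-dsa> (Minor issue)`. The bare "Minor issue" reads as inconsistent with the DLA reference directly above it; if buster is assessed differently for a concrete reason, state that reason in the parentheses, otherwise a point-release update seems the more defensible disposition. The jupyter-notebook entry for CVE-2020-26215 later in this patch has the same shape (`{DLA-2477-1}` followed by a buster `<no-dsa>`), and the same comment applies there.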
@@ -23969,6 +23978,7 @@ CVE-2021-20270 (An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 m
 CVE-2021-20269 [incorrect permissions on kdump dmesg file]
 	RESERVED
 	- kexec-tools <unfixed> (bug #985105)
+	[buster] - kexec-tools <no-dsa> (Minor issue)
 	[stretch] - kexec-tools <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/03/11/2
 CVE-2021-20268 (An out-of-bounds access flaw was found in the Linux kernel's implement ...)
@@ -39107,6 +39117,7 @@ CVE-2020-26216 (TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2
 CVE-2020-26215 (Jupyter Notebook before version 6.1.5 has an Open redirect vulnerabili ...)
 	{DLA-2477-1}
 	- jupyter-notebook 6.1.5-1
+	[buster] - jupyter-notebook <no-dsa> (Minor issue)
 	NOTE: https://github.com/jupyter/notebook/security/advisories/GHSA-c7vm-f5p4-8fqh
 	NOTE: https://github.com/jupyter/notebook/commit/2e1c56b0c4a903606d4a2eb13e32409296b9799d
 CVE-2020-26214 (In Alerta before version 8.1.0, users may be able to bypass LDAP authe ...)
@@ -43345,6 +43356,7 @@ CVE-2020-24456 (Incorrect default permissions in the Intel(R) Board ID Tool vers
 	NOT-FOR-US: Intel
 CVE-2020-24455 (Missing initialization of a variable in the TPM2 source may allow a pr ...)
 	- tpm2-tss 3.0.1-1
+	[buster] - tpm2-tss <no-dsa> (Minor issue)
 	NOTE: https://github.com/tpm2-software/tpm2-tss/commit/0cc5f0e12694f3780a8512fc37a7dbc542ea4330 (master)
 	NOTE: https://github.com/tpm2-software/tpm2-tss/commit/9536b79cd5a13884a7e4de7a571f72530180c20b (3.0.1)
 	NOTE: https://github.com/tpm2-software/tpm2-tss/commit/bf24b0ef0fa8de9300a323f70a097a1afd818439 (2.4.5)
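Review bot: the three NOTE lines show upstream landed this fix on master, in 3.0.1 and in 2.4.5, so if buster's tpm2-tss is on the 2.4 series the 2.4.5 commit (bf24b0ef...) is a ready backport candidate and the no-dsa decision rests on severity alone. The `(Minor issue)` reason could say so explicitly, e.g. by pointing at the 2.4.5 commit as the fix to pick for a point release, so a later update does not have to rediscover which of the three commits applies.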
@@ -205699,6 +205711,7 @@ CVE-2017-17743 (Improper input sanitization within the restricted administration
 CVE-2017-17742 (Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x befo ...)
 	{DSA-4259-1 DLA-2330-1 DLA-2027-1 DLA-1421-1 DLA-1359-1 DLA-1358-1}
 	- jruby <unfixed> (bug #972230)
+	[buster] - jruby <no-dsa> (Minor issue)
 	- ruby2.5 2.5.1-1
 	- ruby2.3 <removed>
 	- ruby2.1 <removed>


=====================================
data/dsa-needed.txt
=====================================
@@ -25,6 +25,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
 --
+ndpi
+--
 netty9
 --
 python-bleach
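Review bot: `ndpi` is added to dsa-needed.txt with no assignee and no note, while the `linux (carnil)` entry above shows the file's format for recording who is working on an item and any constraints; nothing in the data/CVE/list hunks of this commit touches ndpi either, so the new entry carries no pointer to which issue the DSA is for. Consider adding the CVE reference(s) or a one-line note so the next person working the list can pick it up without searching the tracker. The insertion between `linux` and `netty9` keeps the file's alphabetical order.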



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e96acccbaf4a4fbd0610fe9a8335f67da9d962ce


