[Git][security-tracker-team/security-tracker][master] 2 commits: new rustc issues

Moritz Muehlenhoff jmm at debian.org
Mon Apr 12 10:09:01 BST 2021 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ee0c0dd1 by Moritz Muehlenhoff at 2021-04-12T10:51:04+02:00
new rustc issues
erlang, retroarch n/a

- - - - -
323574b9 by Moritz Muehlenhoff at 2021-04-12T11:08:28+02:00
new nginx issue
ffmpeg n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -43,7 +43,9 @@ CVE-2021-30483
 CVE-2021-30482
 	RESERVED
 CVE-2021-30481 (Valve Steam through 2021-04-10, when a Source engine game is installed ...)
-	TODO: check
+	NOT-FOR-US: Valve Steam
+	NOTE: Debian ships an installer as src:steam, but it auto-updates whenever Steam
+	NOTE: is started, so nothing really to be updated there
 CVE-2021-3492
 	RESERVED
 CVE-2021-3491
@@ -765,7 +767,8 @@ CVE-2020-36310 (An issue was discovered in the Linux kernel before 5.8. arch/x86
 	- linux 5.8.7-1
 	NOTE: https://git.kernel.org/linus/e72436bc3a5206f95bb384e741154166ddb3202e
 CVE-2020-36309 (ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty ...)
-	TODO: check
+	- nginx <unfixed> (bug #986787)
+	NOTE: https://github.com/openresty/lua-nginx-module/pull/1654
 CVE-2020-36308 (Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discov ...)
 	- redmine 4.0.7-1
 	TODO: check fixing commit, fixed in 4.0.7
@@ -2864,7 +2867,7 @@ CVE-2021-29223
 CVE-2021-29222
 	RESERVED
 CVE-2021-29221 (A local privilege escalation vulnerability was discovered in Erlang/OT ...)
-	TODO: check
+	- erlang <not-affected> (Windows-specific)
 CVE-2021-29220
 	RESERVED
 CVE-2021-29219
@@ -3531,7 +3534,7 @@ CVE-2021-28929
 CVE-2021-28928
 	RESERVED
 CVE-2021-28927 (The text-to-speech engine in libretro RetroArch for Windows 0.11 passe ...)
-	TODO: check
+	- retroarch <not-affected> (Windows-specific)
 CVE-2021-28926
 	RESERVED
 CVE-2021-28925 (SQL injection vulnerability in Nagios Network Analyzer before 2.4.3 vi ...)
@@ -3629,15 +3632,24 @@ CVE-2021-28881
 CVE-2021-28880
 	RESERVED
 CVE-2021-28879 (In the standard library in Rust before 1.52.0, the Zip implementation  ...)
-	TODO: check
+	- rustc <unfixed>
+	NOTE: https://github.com/rust-lang/rust/issues/82282
+	NOTE: https://github.com/rust-lang/rust/pull/82289
 CVE-2021-28878 (In the standard library in Rust before 1.52.0, the Zip implementation  ...)
-	TODO: check
+	- rustc <unfixed>
+	NOTE: https://github.com/rust-lang/rust/issues/82291
+	NOTE: https://github.com/rust-lang/rust/pull/82292
 CVE-2021-28877 (In the standard library in Rust before 1.51.0, the Zip implementation  ...)
-	TODO: check
+	- rustc <unfixed>
+	NOTE: https://github.com/rust-lang/rust/pull/80670
 CVE-2021-28876 (In the standard library in Rust before 1.52.0, the Zip implementation  ...)
-	TODO: check
+	- rustc <unfixed>
+	NOTE: https://github.com/rust-lang/rust/issues/81740
+	NOTE: https://github.com/rust-lang/rust/pull/81741
 CVE-2021-28875 (In the standard library in Rust before 1.50.0, read_to_end() does not  ...)
-	TODO: check
+	- rustc <unfixed>
+	NOTE: https://github.com/rust-lang/rust/issues/80894
+	NOTE: https://github.com/rust-lang/rust/pull/80895
 CVE-2021-28874 (SerenityOS fixed as of c9f25bca048443e317f1994ba9b106f2386688c3 contai ...)
 	NOT-FOR-US: SerenityOS
 CVE-2021-28873
@@ -42888,14 +42900,14 @@ CVE-2020-24996 (There is an invalid memory access in the function TextString::~T
 	- xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed)
 	NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=42028
 CVE-2020-24995 (Buffer overflow vulnerability in sniff_channel_order function in aacde ...)
-	- ffmpeg <undetermined>
+	- ffmpeg <not-affected> (Only affects 4.4 development branches)
 	NOTE: https://trac.ffmpeg.org/ticket/8845
 	NOTE: https://trac.ffmpeg.org/ticket/8859
 	NOTE: https://trac.ffmpeg.org/ticket/8860
 	NOTE: Support for 22.2 / channel_config 13 introduced in:
 	NOTE: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=9c0beaf0d3bb72f6e83b3b155a598a9ec28c8468
 	NOTE: Fixed by: http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6f293353c94c7ce200f6e0975ae3de49787f91f
-	TODO: check if issue introduced only when introducign support for Support for 22.2 / channel_config 13
+	NOTE: Introduced in http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=9c0beaf0d3bb72f6e83b3b155a598a9ec28c8468
 CVE-2020-24994 (Stack overflow in the parse_tag function in libass/ass_parse.c in liba ...)
 	- libass 1:0.15.0-1
 	[buster] - libass <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f798e5170888514f307e1aa314df740f19b3cf3b...323574b9c4ccfbaa47c7284257d42e4383559bb1

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f798e5170888514f307e1aa314df740f19b3cf3b...323574b9c4ccfbaa47c7284257d42e4383559bb1
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210412/a5e4892b/attachment.htm>

More information about the debian-security-tracker-commits mailing list