[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff
jmm at debian.org
Mon Apr 12 16:52:45 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
60b72eb0 by Moritz Muehlenhoff at 2021-04-12T17:52:31+02:00
buster triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -85,18 +85,22 @@ CVE-2021-30473
CVE-2021-30472
RESERVED
- libpodofo <unfixed> (bug #986794)
+ [buster] - libpodofo <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/podofo/tickets/132/
CVE-2021-30471
RESERVED
- libpodofo <unfixed> (bug #986793)
+ [buster] - libpodofo <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/podofo/tickets/131/
CVE-2021-30470
RESERVED
- libpodofo <unfixed> (bug #986792)
+ [buster] - libpodofo <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/podofo/tickets/130/
CVE-2021-30469
RESERVED
- libpodofo <unfixed> (bug #986791)
+ [buster] - libpodofo <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/podofo/tickets/129/
CVE-2021-30468
RESERVED
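Review bot: the four libpodofo entries in this hunk are still RESERVED, so the only visible basis for the "Minor issue" no-dsa rating is the linked sourceforge tickets; recording the reasoning in the NOTE line for each (what the crafted input triggers, per the ticket) would let later triagers verify the buster decision without re-reading upstream.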
@@ -120,6 +124,8 @@ CVE-2021-30459
RESERVED
CVE-2021-30458 (An issue was discovered in Wikimedia Parsoid before 0.11.1 and 0.12.x ...)
- mediawiki 1:1.35.2-1
+ [buster] - mediawiki <not-affected> (Only applies to 1.35 and later)
+ [stretch] - mediawiki <not-affected> (Only applies to 1.35 and later)
NOTE: https://phabricator.wikimedia.org/T279451
CVE-2021-30457 (An issue was discovered in the id-map crate through 2021-02-26 for Rus ...)
NOT-FOR-US: Rust crate id-map
@@ -675,6 +681,7 @@ CVE-2021-30185 (CERN Indico before 2.3.4 can use an attacker-supplied Host heade
NOT-FOR-US: CERN Indico
CVE-2021-30184 (GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted ...)
- gnuchess <unfixed> (bug #986801)
+ [buster] - gnuchess <no-dsa> (Minor issue)
NOTE: https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00000.html
NOTE: https://lists.gnu.org/archive/html/bug-gnu-chess/2021-04/msg00001.html
CVE-2021-30183
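Review bot: the CVE text for CVE-2021-30184 describes arbitrary code execution via crafted input, but the buster no-dsa line gives only "Minor issue" as justification; a short qualifier there or in a NOTE would let the rating be checked against the two linked bug-gnu-chess threads.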
@@ -766,6 +773,7 @@ CVE-2020-36310 (An issue was discovered in the Linux kernel before 5.8. arch/x86
NOTE: https://git.kernel.org/linus/e72436bc3a5206f95bb384e741154166ddb3202e
CVE-2020-36309 (ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in OpenResty ...)
- nginx <unfixed> (bug #986787)
+ [buster] - nginx <no-dsa> (Minor issue)
NOTE: https://github.com/openresty/lua-nginx-module/pull/1654
CVE-2020-36308 (Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers to discov ...)
- redmine 4.0.7-1
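Review bot: the only upstream reference for CVE-2020-36309 is a pull request (lua-nginx-module pull 1654); note whether it has been merged and which module release carries it (the CVE text says before 0.10.16), so the `nginx <unfixed>` entry can later be closed against the right bundled module version.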
@@ -21786,6 +21794,7 @@ CVE-2020-35637
RESERVED
CVE-2020-35636 (A code execution vulnerability exists in the Nef polygon-parsing funct ...)
- cgal 5.2-3 (bug #985671)
+ [buster] - cgal <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
CVE-2020-35635
RESERVED
@@ -21803,6 +21812,7 @@ CVE-2020-35629
RESERVED
CVE-2020-35628 (A code execution vulnerability exists in the Nef polygon-parsing funct ...)
- cgal 5.2-3 (bug #985671)
+ [buster] - cgal <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
CVE-2021-21433 (Discord Recon Server is a bot that allows you to do your reconnaissanc ...)
NOT-FOR-US: Discord Recon Server
@@ -21870,6 +21880,7 @@ CVE-2021-21405
RESERVED
CVE-2021-21404 (Syncthing is a continuous file synchronization program. In Syncthing b ...)
- syncthing <unfixed> (bug #986593)
+ [buster] - syncthing <no-dsa> (Minor issue)
NOTE: https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h
NOTE: https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97
CVE-2021-21403 (In github.com/kongchuanhujiao/server before version 1.3.21 there is an ...)
@@ -21935,12 +21946,15 @@ CVE-2021-21375 (PJSIP is a free and open source multimedia communication library
NOTE: https://github.com/pjsip/pjproject/commit/97b3d7addbaa720b7ddb0af9bf6f3e443e664365
CVE-2021-21374 (Nimble is a package manager for the Nim programming language. In Nim r ...)
- nim <unfixed>
+ [buster] - nim <no-dsa> (Minor issue)
NOTE: https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
CVE-2021-21373 (Nimble is a package manager for the Nim programming language. In Nim r ...)
- nim <unfixed>
+ [buster] - nim <no-dsa> (Minor issue)
NOTE: https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
CVE-2021-21372 (Nimble is a package manager for the Nim programming language. In Nim r ...)
- nim <unfixed>
+ [buster] - nim <no-dsa> (Minor issue)
NOTE: https://consensys.net/diligence/vulnerabilities/nim-insecure-ssl-tls-defaults-remote-code-execution/
CVE-2021-21371 (Tenable for Jira Cloud is an open source project designed to pull Tena ...)
NOT-FOR-US: Tenable for Jira Cloud
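Review bot: the three `nim <unfixed>` lines in this hunk carry no `(bug #...)` reference, unlike the other `<unfixed>` entries in this commit (for example `libpodofo <unfixed> (bug #986794)`); file or link a BTS bug so the unstable fix stays tracked alongside the new buster no-dsa markings.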
@@ -31263,9 +31277,11 @@ CVE-2021-1406 (A vulnerability in Cisco Unified Communications Manager (Unified
NOT-FOR-US: Cisco
CVE-2021-1405 (A vulnerability in the PDF parsing module in Clam AntiVirus (ClamAV) S ...)
- clamav <unfixed> (bug #986790)
+ [buster] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
CVE-2021-1404 (A vulnerability in the email parsing module in Clam AntiVirus (ClamAV) ...)
- clamav <unfixed> (bug #986790)
+ [buster] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
CVE-2021-1403 (A vulnerability in the web UI feature of Cisco IOS XE Software could a ...)
NOT-FOR-US: Cisco
@@ -31571,6 +31587,7 @@ CVE-2021-1253 (Multiple vulnerabilities in the web-based management interface of
NOT-FOR-US: Cisco
CVE-2021-1252 (A vulnerability in the Excel XLM macro parsing module in Clam AntiViru ...)
- clamav <unfixed> (bug #986790)
+ [buster] - clamav <no-dsa> (clamav is updated via -updates)
NOTE: https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
CVE-2021-1251 (Multiple vulnerabilities exist in the Link Layer Discovery Protocol (L ...)
NOT-FOR-US: Cisco
@@ -31837,6 +31854,7 @@ CVE-2020-28637
RESERVED
CVE-2020-28636 (A code execution vulnerability exists in the Nef polygon-parsing funct ...)
- cgal 5.2-3 (bug #985671)
+ [buster] - cgal <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
CVE-2020-28635
RESERVED
@@ -31908,6 +31926,7 @@ CVE-2020-28602
RESERVED
CVE-2020-28601 (A code execution vulnerability exists in the Nef polygon-parsing funct ...)
- cgal 5.2-3 (bug #985671)
+ [buster] - cgal <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1225
CVE-2020-28600
RESERVED
@@ -32385,6 +32404,7 @@ CVE-2020-28470 (This affects the package @scullyio/scully before 1.0.9. The tran
CVE-2020-28469
RESERVED
- node-glob-parent <unfixed>
+ [buster] - node-glob-parent <no-dsa> (Minor issue)
NOTE: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
NOTE: https://github.com/gulpjs/glob-parent/commit/f9231168b0041fea3f8f954b3cceb56269fc6366
CVE-2020-28468 (This affects the package pwntools before 4.3.1. The shellcraft generat ...)
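Review bot: `node-glob-parent <unfixed>` has no BTS reference and the entry is still RESERVED, so the only tracking is the Snyk advisory and upstream commit in the NOTE lines; adding a `(bug #...)` reference would keep the sid follow-up visible now that the buster no-dsa line is in place.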
@@ -71133,6 +71153,7 @@ CVE-2020-12461 (PHP-Fusion 9.03.50 allows SQL Injection because maincore.php has
NOT-FOR-US: PHP-Fusion
CVE-2020-12460 (OpenDMARC through 1.3.2 and 1.4.x through 1.4.0-Beta1 has improper nul ...)
- opendmarc 1.4.0~beta1+dfsg-3 (bug #966464)
+ [buster] - opendmarc <no-dsa> (Minor issue)
NOTE: https://github.com/trusteddomainproject/OpenDMARC/issues/64
NOTE: https://github.com/trusteddomainproject/OpenDMARC/commit/50d28af25d8735504b6103537228ce7f76ad765f
CVE-2020-12459 (In certain Red Hat packages for Grafana 6.x through 6.3.6, the configu ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -33,7 +33,7 @@ python-pysaml2 (jmm)
--
salt
--
-tomcat9
+tomcat9 (jmm)
--
webkit2gtk
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60b72eb05642ce56964d635acf70d6dc9c618df6