[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff
jmm at debian.org
Thu Apr 15 18:38:02 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
033361dd by Moritz Muehlenhoff at 2021-04-15T19:37:46+02:00
buster triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1424,9 +1424,10 @@ CVE-2021-3497 [gstreamer-plugins-good: Use-after-free in matroska demuxing]
NOTE: https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903
CVE-2021-3496 [heap-based buffer overflow in Get16u() in exif.c]
RESERVED
- - jhead <unfixed> (bug #986923)
+ - jhead <unfixed> (bug #986923; unimportant)
NOTE: https://github.com/Matthias-Wandel/jhead/issues/33
NOTE: Fixed by: https://github.com/Matthias-Wandel/jhead/commit/ca2973f4ce79279c15a09cf400648a757c1721b0
+ NOTE: Crash in CLI tool, no security impact
CVE-2021-30641
RESERVED
CVE-2021-30640
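Review bot: The added `NOTE: Crash in CLI tool, no security impact` on CVE-2021-3496 does not say why a bug titled "heap-based buffer overflow in Get16u() in exif.c" is limited to a crash. The entry stays `<unfixed>` and is now tagged `unimportant`, so put the reasoning in the note (for example, what kind of memory access overflows) so that the classification can be rechecked against the linked upstream issue and fix commit.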
@@ -2450,6 +2451,7 @@ CVE-2021-30179
RESERVED
CVE-2020-36314 (fr-archive-libarchive.c in GNOME file-roller through 3.38.0, as used b ...)
- file-roller 3.38.1-1
+ [buster] - file-roller <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae
NOTE: https://gitlab.gnome.org/GNOME/file-roller/-/issues/108
CVE-2021-3484
@@ -5198,6 +5200,7 @@ CVE-2021-28965
RESERVED
- ruby2.7 <unfixed> (bug #986807)
- ruby2.5 <removed>
+ [buster] - ruby2.5 <postponed> (Minor issue, can be fixed along with next update)
- ruby2.3 <removed>
- ruby-rexml <unfixed> (bug #986806)
NOTE: https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
@@ -6423,6 +6426,7 @@ CVE-2021-28422
RESERVED
CVE-2021-28421 (FluidSynth 2.1.7 contains a use after free vulnerability in sfloader/f ...)
- fluidsynth <unfixed>
+ [buster] - fluidsynth <no-dsa> (Minor issue)
NOTE: https://github.com/FluidSynth/fluidsynth/issues/808
NOTE: https://github.com/FluidSynth/fluidsynth/pull/810
CVE-2021-28420 (A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows remote at ...)
@@ -7161,6 +7165,7 @@ CVE-2021-28109 (TranzWare (POI) FIMI before 4.2.20.4.2 allows login_tw.php refle
CVE-2021-28374 (The Debian courier-authlib package before 0.71.1-2 for Courier Authent ...)
{DLA-2625-1}
- courier-authlib 0.71.1-2 (bug #984810)
+ [buster] - courier-authlib <no-dsa> (Minor issue)
NOTE: Re-introduction of #378571 while migrating from debian/permissions to
NOTE: debian/courier-authdaemon.tmpfiles in 0.66.4-2.
CVE-2021-3426 [Running `pydoc -p` allows other local users to extract arbitrary files. The `/getfile?key=path` URL allows to read arbitrary file on the filesystem.]
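Review bot: On CVE-2021-28374 the added `[buster] - courier-authlib <no-dsa> (Minor issue)` sits directly under `{DLA-2625-1}`, so the entry records an LTS advisory for the issue while buster gets no DSA. If the fix is meant to reach buster through a point release, say so in the parenthetical, as the ruby2.5 line in this commit does with "can be fixed along with next update". The same combination appears on CVE-2020-13959 (velocity-tools, `{DLA-2597-1}`).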
@@ -18309,6 +18314,7 @@ CVE-2021-23338 (This affects all versions of package qlib. The workflow function
NOT-FOR-US: qlib
CVE-2021-23337 (Lodash versions prior to 4.17.21 are vulnerable to Command Injection v ...)
- node-lodash 4.17.21+dfsg+~cs8.31.173-1 (bug #985086)
+ [buster] - node-lodash <no-dsa> (Minor issue)
[stretch] - node-lodash <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1040724
CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0 and be ...)
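Review bot: `[buster] - node-lodash <no-dsa> (Minor issue)` on CVE-2021-23337 gives no reason for treating an issue described as command injection as minor. A short qualifier in the parenthetical naming the precondition that limits the impact would let the decision be rechecked later without rereading the advisory.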
@@ -26416,8 +26422,8 @@ CVE-2021-20312 [Integer overflow in WriteTHUMBNAILImage of coders/thumbnail.c]
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e53e24b078f7fa586f9cc910491b8910f5bdad2e
CVE-2021-20311 [Division by zero in sRGBTransformImage() in MagickCore/colorspace.c]
RESERVED
+ - imagemagick <not-affected> (Specific to IM7)
NOTE: https://github.com/ImageMagick/ImageMagick/commit/70aa86f5d5d8aa605a918ed51f7574f433a18482
- TODO: Check whether specific to IM7
CVE-2021-20310 [Division by zero in ConvertXYZToJzazbz() of MagickCore/colorspace.c]
RESERVED
NOTE: https://github.com/ImageMagick/ImageMagick/issues/3295
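Review bot: CVE-2021-20310, in the trailing context of this hunk, is also a division by zero in MagickCore/colorspace.c referenced from the ImageMagick/ImageMagick repository, yet it still has no package line, while the `TODO: Check whether specific to IM7` is resolved for CVE-2021-20311 only. If the "Specific to IM7" conclusion applies there too, add the matching `- imagemagick <not-affected>` line; if it has not been checked, a TODO on that entry would make the open question visible.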
@@ -34191,6 +34197,7 @@ CVE-2020-28501 (This affects the package es6-crawler-detect before 3.1.3. No lim
NOT-FOR-US: Node es6-crawler-detect
CVE-2020-28500 (Lodash versions prior to 4.17.21 are vulnerable to Regular Expression ...)
- node-lodash 4.17.21+dfsg+~cs8.31.173-1 (bug #985086)
+ [buster] - node-lodash <no-dsa> (Minor issue)
[stretch] - node-lodash <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1018905
CVE-2020-28499 (All versions of package merge are vulnerable to Prototype Pollution vi ...)
@@ -40287,6 +40294,7 @@ CVE-2020-26893 (An issue was discovered in ClamXAV 3 before 3.1.1. A malicious a
NOT-FOR-US: ClamXAV
CVE-2020-26892 (The JWT library in NATS nats-server before 2.1.9 has Incorrect Access ...)
- golang-github-nats-io-jwt <unfixed>
+ [buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue)
NOTE: https://advisories.nats.io/CVE/CVE-2020-26892.txt
CVE-2020-26891 (AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS d ...)
- matrix-synapse 1.21.1-1
@@ -41122,6 +41130,7 @@ CVE-2020-26522 (A cross-site request forgery (CSRF) vulnerability in mod/user/ac
NOT-FOR-US: Garfield Petshop
CVE-2020-26521 (The JWT library in NATS nats-server before 2.1.9 allows a denial of se ...)
- golang-github-nats-io-jwt <unfixed>
+ [buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue)
NOTE: https://advisories.nats.io/CVE/CVE-2020-26521.txt
CVE-2020-26520
RESERVED
@@ -65804,6 +65813,7 @@ CVE-2020-15137 (All versions of HoRNDIS are affected by an integer overflow in t
CVE-2020-15136 (In ectd before versions 3.4.10 and 3.3.23, gateway TLS authentication ...)
[experimental] - etcd 3.3.25+dfsg-1
- etcd 3.3.25+dfsg-5 (bug #968752)
+ [buster] - etcd <no-dsa> (Minor issue)
NOTE: https://github.com/etcd-io/etcd/security/advisories/GHSA-wr2v-9rpq-c35q
CVE-2020-15135 (save-server (npm package) before version 1.05 is affected by a CSRF vu ...)
NOT-FOR-US: Node save-server
@@ -65863,18 +65873,22 @@ CVE-2020-15116
CVE-2020-15115 (etcd before versions 3.3.23 and 3.4.10 does not perform any password l ...)
[experimental] - etcd 3.3.25+dfsg-1
- etcd 3.3.25+dfsg-5 (bug #968740)
+ [buster] - etcd <no-dsa> (Minor issue)
NOTE: https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh
CVE-2020-15114 (In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is a simpl ...)
[experimental] - etcd 3.3.25+dfsg-1
- etcd 3.3.25+dfsg-5 (bug #968740)
+ [buster] - etcd <no-dsa> (Minor issue)
NOTE: https://github.com/etcd-io/etcd/security/advisories/GHSA-2xhq-gv6c-p224
CVE-2020-15113 (In etcd before versions 3.3.23 and 3.4.10, certain directory paths are ...)
[experimental] - etcd 3.3.25+dfsg-1
- etcd 3.3.25+dfsg-5 (bug #968740)
+ [buster] - etcd <no-dsa> (Minor issue)
NOTE: https://github.com/etcd-io/etcd/security/advisories/GHSA-chh6-ppwq-jh92
CVE-2020-15112 (In etcd before versions 3.3.23 and 3.4.10, it is possible to have an e ...)
[experimental] - etcd 3.3.25+dfsg-1
- etcd 3.3.25+dfsg-5 (bug #968740)
+ [buster] - etcd <no-dsa> (Minor issue)
NOTE: https://github.com/etcd-io/etcd/security/advisories/GHSA-m332-53r6-2w93
CVE-2020-15111 (In Fiber before version 1.12.6, the filename that is given in c.Attach ...)
NOT-FOR-US: Fiber
@@ -65893,6 +65907,7 @@ CVE-2020-15107 (In openenclave before 0.10.0, enclaves that use x87 FPU operatio
CVE-2020-15106 (In etcd before versions 3.3.23 and 3.4.10, a large slice causes panic ...)
[experimental] - etcd 3.3.25+dfsg-1
- etcd 3.3.25+dfsg-5 (bug #968740)
+ [buster] - etcd <no-dsa> (Minor issue)
NOTE: https://github.com/etcd-io/etcd/security/advisories/GHSA-p4g4-wgrh-qrg2
CVE-2020-15105 (Django Two-Factor Authentication before 1.12, stores the user's passwo ...)
NOT-FOR-US: Django Two-Factor Authentication
@@ -69197,6 +69212,7 @@ CVE-2020-13960 (D-Link DSL 2730-U IN_1.10 and IN_1.11 and DIR-600M 3.04 devices
CVE-2020-13959 (The default error page for VelocityView in Apache Velocity Tools prior ...)
{DLA-2597-1}
- velocity-tools 2.0-8 (bug #985221)
+ [buster] - velocity-tools <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/03/10/2
NOTE: Fixed by: https://github.com/apache/velocity-tools/commit/e141828a4eb03e4b0224535eed12b5c463a24152
CVE-2020-13958 (A vulnerability in Apache OpenOffice scripting events allows an attack ...)
=====================================
data/dsa-needed.txt
=====================================
@@ -27,7 +27,9 @@ linux (carnil)
--
ndpi
--
-netty9
+jetty9
+--
+php-pear
--
python-bleach (carnil)
--
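Review bot: The `-netty9` / `+jetty9` change is not mentioned in the commit message ("buster triage"), and the diff alone does not show whether `netty9` was a typo for `jetty9` or a separate entry that is being dropped. State which it is in the commit message so that a pending netty update, if there was one, is not lost from the list unnoticed.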
@@ -37,6 +39,8 @@ salt
--
webkit2gtk
--
+wpa
+--
xorg-server (carnil)
Wait a bit for the fix beeing exposed in unstable before deciding on further action
--
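Review bot: `wpa` is added with no claimant and no note, unlike the `xorg-server (carnil)` entry below it, which explains its current state. A one-line note naming the issue that triggered the entry would tell whoever picks it up what needs fixing.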
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/033361dd2965e55169db717d7c73cabfd6c169eb