[Git][security-tracker-team/security-tracker][master] 2 commits: buster triage
Moritz Muehlenhoff
jmm at debian.org
Tue Apr 20 08:22:54 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b3b7d03f by Moritz Muehlenhoff at 2021-04-20T09:11:57+02:00
buster triage
- - - - -
befcdf44 by Moritz Muehlenhoff at 2021-04-20T09:22:11+02:00
cvelist.el: new defun to add <not-affected>
- - - - -
3 changed files:
- conf/cvelist.el
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
conf/cvelist.el
=====================================
@@ -41,6 +41,16 @@
(beginning-of-line)
(insert (concat "\t[buster] - " srcpkg " <no-dsa> (" reason ")\n" )))
+; TODO: Read supported distros from central config and prompt for applicable suites
+(defun debian-cvelist-insert-not-affected ()
+ "Insert not-affected comment based on the current source entry."
+ (interactive)
+ (setq reason (read-string "Reason for not-affected: " "Vulnerable code not present"))
+ (setq srcpkg (thing-at-point 'filename))
+ (next-line)
+ (beginning-of-line)
+ (insert (concat "\t[buster] - " srcpkg " <not-affected> (" reason ")\n" )))
+
; TODO: Parse existing source entries for buffer tab completion
(defun debian-cvelist-insert-srcentry ()
"Insert new source package entry."
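Review bot: `debian-cvelist-insert-not-affected` uses `setq` on `reason` and `srcpkg`, which creates or clobbers global variables every time the command runs; bind them with `let` instead (the existing `debian-cvelist-insert-nodsa` that this copies has the same issue). `next-line` is an interactive-only command that the byte compiler warns about; `(forward-line 1)` does the same job here without depending on the cursor column. `(thing-at-point 'filename)` returns nil when point is not on a package name, and `concat` then fails with a wrong-type-argument error; a nil check with `user-error` would give a clearer message. Since the body differs from `debian-cvelist-insert-nodsa` only in the `<no-dsa>`/`<not-affected>` tag and the default reason string, a shared helper taking those two values would avoid the duplication, and the hardcoded `[buster]` suite would then only need fixing in one place when the TODO about reading suites from the central config is addressed.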
@@ -63,6 +73,7 @@
(define-key map (kbd "C-c C-c") 'debian-cvelist-cvesearch)
(define-key map (kbd "C-c C-l") 'debian-cvelist-insert-nodsa)
(define-key map (kbd "C-c C-a") 'debian-cvelist-insert-srcentry)
+ (define-key map (kbd "C-c C-x") 'debian-cvelist-insert-not-affected)
map)
"Keymap for `debian-cvelist-mode'.")
=====================================
data/CVE/list
=====================================
@@ -4828,6 +4828,7 @@ CVE-2021-29339
RESERVED
CVE-2021-29338 (Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash t ...)
- openjpeg2 <unfixed>
+ [buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1338
CVE-2021-29337
RESERVED
@@ -9021,6 +9022,7 @@ CVE-2021-27516 (URI.js (aka urijs) before 1.19.6 mishandles certain uses of back
NOT-FOR-US: urijs
CVE-2021-27515 (url-parse before 1.5.0 mishandles certain uses of backslash such as ht ...)
- node-url-parse 1.5.1-1 (bug #985110)
+ [buster] - node-url-parse <no-dsa> (Minor issue)
[stretch] - node-url-parse <no-dsa> (Minor issue)
NOTE: https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0 (1.5.0)
NOTE: https://github.com/unshiftio/url-parse/pull/197
@@ -27289,6 +27291,7 @@ CVE-2021-20237 [Memory leaks via metadata messages processed by PUB sockets]
CVE-2021-20236 [Stack overflow on server running PUB/XPUB socket]
RESERVED
- zeromq3 4.3.3-1
+ [buster] - zeromq3 <no-dsa> (Minor issue)
[stretch] - zeromq3 <ignored> (Minor issue, too intrusive to backport)
NOTE: https://github.com/zeromq/libzmq/pull/3959
NOTE: https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
@@ -27296,12 +27299,14 @@ CVE-2021-20236 [Stack overflow on server running PUB/XPUB socket]
CVE-2021-20235 (There's a flaw in the zeromq server in versions before 4.3.3 in src/de ...)
{DLA-2588-1}
- zeromq3 4.3.3-1
+ [buster] - zeromq3 <no-dsa> (Minor issue)
NOTE: https://github.com/zeromq/libzmq/pull/3902
NOTE: https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21984
CVE-2021-20234 (An uncontrolled resource consumption (memory leak) flaw was found in t ...)
{DLA-2588-1}
- zeromq3 4.3.3-1
+ [buster] - zeromq3 <no-dsa> (Minor issue)
NOTE: https://github.com/zeromq/libzmq/pull/3918
NOTE: https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22037
@@ -46819,6 +46824,7 @@ CVE-2020-24362
CVE-2020-24361 (SNMPTT before 1.4.2 allows attackers to execute shell code via EXEC, P ...)
{DLA-2393-1}
- snmptt 1.4.2-1
+ [buster] - snmptt <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/snmptt/git/ci/f6aef5223bc9ed8126268a273ac9f5c341af835a
CVE-2020-24360 (An issue with ARP packets in Arista’s EOS affecting the 7800R3, ...)
NOT-FOR-US: Arista
@@ -70853,18 +70859,23 @@ CVE-2020-13579 (An exploitable integer overflow vulnerability exists in the Plan
NOT-FOR-US: SoftMaker
CVE-2020-13578 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...)
- gsoap 2.8.104-3 (bug #983596)
+ [buster] - gsoap <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1189
CVE-2020-13577 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...)
- gsoap 2.8.104-3 (bug #983596)
+ [buster] - gsoap <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1188
CVE-2020-13576 (A code execution vulnerability exists in the WS-Addressing plugin func ...)
- gsoap 2.8.104-3 (bug #983596)
+ [buster] - gsoap <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1187
CVE-2020-13575 (A denial-of-service vulnerability exists in the WS-Addressing plugin f ...)
- gsoap 2.8.104-3 (bug #983596)
+ [buster] - gsoap <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1186
CVE-2020-13574 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...)
- gsoap 2.8.104-3 (bug #983596)
+ [buster] - gsoap <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1185
CVE-2020-13573 (A denial-of-service vulnerability exists in the Ethernet/IP server fun ...)
NOT-FOR-US: Rockwell Automation RSLinx Classic
@@ -86822,6 +86833,7 @@ CVE-2020-7925 (Incorrect validation of user input in the role name parser may le
NOTE: Introduced by: https://github.com/mongodb/mongo/commit/3ca76fd569c94de72c4daf6eef27fbf9bf51233b (v3.6.18)
CVE-2020-7924 (Usage of specific command line parameter in MongoDB Tools which was or ...)
- mongo-tools <unfixed>
+ [buster] - mongo-tools <no-dsa> (Minor issue)
NOTE: https://jira.mongodb.org/browse/TOOLS-2587
CVE-2020-7923 (A user authorized to perform database queries may cause denial of serv ...)
{DLA-2344-1}
=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,8 @@ condor
--
firefox-esr (jmm)
--
+gst-plugins-good1.0 (jmm)
+--
libhibernate3-java
--
linux (carnil)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b3d8311a98788626454edb87a5e5af67ad735ae9...befcdf4422b6adce9a5c4aeaab83782ee37193f0