[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Wed Apr 21 18:20:19 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d4722c65 by Moritz Muehlenhoff at 2021-04-21T19:16:11+02:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -7500,7 +7500,7 @@ CVE-2021-28158
 CVE-2021-28157 (An SQL Injection issue in Devolutions Server before 2021.1 and Devolut ...)
 	NOT-FOR-US: Devolutions Server
 CVE-2021-28156 (HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit log can be ...)
-	- consul <unfixed>
+	- consul <not-affected> (Only affects Enterprise version)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1950492
 	NOTE: https://github.com/hashicorp/consul/pull/10030
 CVE-2021-28155
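Review bot: The <not-affected> reason on the consul line ("Only affects Enterprise version") matches the CVE text, which names only Consul Enterprise 1.8.0 to 1.9.4 and its audit log, but both NOTE links point at the public hashicorp/consul repository (PR 10030); consider extending the reason to say that the audit-log code is not part of the open-source build shipped in Debian, so a later reader does not have to re-derive why a fix in the public tree does not apply to the package.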
@@ -10002,6 +10002,7 @@ CVE-2021-27105
 CVE-2021-3407 (A flaw was found in mupdf 1.18.0. Double free of object during lineari ...)
 	{DLA-2589-1}
 	- mupdf 1.17.0+ds1-1.3 (bug #983684)
+	[buster] - mupdf <no-dsa> (Minor issue)
 	NOTE: http://git.ghostscript.com/?p=mupdf.git;h=cee7cefc610d42fd383b3c80c12cbc675443176a
 	NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=703366 (not public yet)
 CVE-2021-3406 (A flaw was found in keylime 5.8.1 and older. The issue in the Keylime  ...)
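Review bot: The new [buster] <no-dsa> line for CVE-2021-3407 sits beside {DLA-2589-1}, so stretch has already shipped a fix for this double free while buster is only tagged "Minor issue"; a reason that records whether the buster fix is intended for a point release would make clear that it is deferred rather than dropped. Separately, the second NOTE still reads "(not public yet)" for bugs.ghostscript.com 703366; with the CVE and the upstream commit public, that annotation is worth re-checking.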
@@ -17032,6 +17033,7 @@ CVE-2021-24116
 	RESERVED
 CVE-2021-24115 (In Botan before 2.17.3, constant-time computations are not used for ce ...)
 	- botan 2.17.3+dfsg-1
+	[buster] - botan <no-dsa> (Minor issue)
 	- botan1.10 <removed>
 	[stretch] - botan1.10 <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/randombit/botan/pull/2549
@@ -24357,6 +24359,7 @@ CVE-2021-21367 (Switchboard Bluetooth Plug for elementary OS from version 2.3.0
 	NOT-FOR-US: Switchboard Bluetooth Plug for elementary OS
 CVE-2021-21366 (xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core)  ...)
 	- node-xmldom 0.5.0-1
+	[buster] - node-xmldom <no-dsa> (Minor issue)
 	NOTE: https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv
 	NOTE: https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135
 CVE-2021-21365
@@ -34891,6 +34894,7 @@ CVE-2020-28497
 	RESERVED
 CVE-2020-28496 (This affects the package three before 0.125.0. This can happen when ha ...)
 	- three.js <unfixed>
+	[buster] - three.js <no-dsa> (Minor issue)
 	[stretch] - three.js <no-dsa> (can be fixed along in next DLA)
 	NOTE: https://github.com/mrdoob/three.js/pull/21143/commits/4a582355216b620176a291ff319d740e619d583e
 	NOTE: https://github.com/mrdoob/three.js/issues/21132
@@ -43295,6 +43299,7 @@ CVE-2020-25865
 	RESERVED
 CVE-2020-25864 (HashiCorp Consul and Consul Enterprise up to version 1.9.4 key-value ( ...)
 	- consul <unfixed>
+	[buster] - consul <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1950275
 	NOTE: https://github.com/hashicorp/consul/pull/10023
 CVE-2020-25863 (In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and 2.6.0 to 2.6.20, the ...)
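Review bot: The unstable line for CVE-2020-25864 stays <unfixed> with no "(bug #...)" reference, unlike the mupdf, libvncserver and spice-vdagent entries in this same commit; with buster now <no-dsa>, nothing in the tracker points at a Debian bug to carry the fix forward, so consider filing one and recording its number on the consul line.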
@@ -43698,6 +43703,7 @@ CVE-2020-25711 (A flaw was found in infinispan 10 REST API, where authorization
 CVE-2020-25708 (A divide by zero issue was found to occur in libvncserver-0.9.12. A ma ...)
 	{DLA-2451-1}
 	- libvncserver 0.9.13+dfsg-1
+	[buster] - libvncserver <no-dsa> (Minor issue)
 	NOTE: https://github.com/LibVNC/libvncserver/issues/409
 	NOTE: https://github.com/LibVNC/libvncserver/commit/673c07a75ed844d74676f3ccdcfdc706a7052dba
 CVE-2020-25707
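Review bot: As with the mupdf entry above, CVE-2020-25708 already has a stretch DLA (DLA-2451-1), a fixed version in unstable (0.9.13+dfsg-1) and a single upstream commit, so the fix is known and small; the [buster] <no-dsa> line would be more useful with a reason that says whether it is meant to go out in a buster point release, since "Minor issue" alone does not distinguish "deferred" from "won't fix".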
@@ -43972,18 +43978,21 @@ CVE-2020-25654 (An ACL bypass flaw was found in pacemaker. An attacker having a
 CVE-2020-25653 (A race condition vulnerability was found in the way the spice-vdagentd ...)
 	{DLA-2524-1}
 	- spice-vdagent 0.20.0-2 (bug #973769)
+	[buster] - spice-vdagent <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/1
 	NOTE: https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/51c415df82a52e9ec033225783c77df95f387891
 	NOTE: https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/5c50131797e985d0a5654c1fd7000ae945ed29a7
 CVE-2020-25652 (A flaw was found in the spice-vdagentd daemon, where it did not proper ...)
 	{DLA-2524-1}
 	- spice-vdagent 0.20.0-2 (bug #973769)
+	[buster] - spice-vdagent <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/1
 	NOTE: https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/91caa9223857708475d29df1768208fed1675340
 	NOTE: https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/812ca777469a377c84b9861d7d326bfc72563304
 CVE-2020-25651 (A flaw was found in the SPICE file transfer protocol. File data from t ...)
 	{DLA-2524-1}
 	- spice-vdagent 0.20.0-2 (bug #973769)
+	[buster] - spice-vdagent <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/1
 	NOTE: https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/1a8b93ca6ac0b690339ab7f0afc6fc45d198d332
 	NOTE: https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/9d35d8a86fb310fc1f29d428c0a96995948d2357
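Review bot: The three spice-vdagent CVEs in this hunk (and CVE-2020-25650 in the following one) share bug #973769 and DLA-2524-1, so the four [buster] <no-dsa> lines will presumably be resolved by one upload; stating that in the reason (e.g. "Minor issue, can be fixed together via point release") rather than repeating "Minor issue" four times keeps the grouping visible if one of the entries is later edited on its own.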
@@ -43992,6 +44001,7 @@ CVE-2020-25651 (A flaw was found in the SPICE file transfer protocol. File data
 CVE-2020-25650 (A flaw was found in the way the spice-vdagentd daemon handled file tra ...)
 	{DLA-2524-1}
 	- spice-vdagent 0.20.0-2 (bug #973769)
+	[buster] - spice-vdagent <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/1
 	NOTE: https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/1a8b93ca6ac0b690339ab7f0afc6fc45d198d332
 	NOTE: https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/9d35d8a86fb310fc1f29d428c0a96995948d2357
@@ -81350,8 +81360,11 @@ CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in sctp_load_a
 	NOTE: https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467
 CVE-2020-10187 (Doorkeeper version 5.0.0 and later contains an information disclosure  ...)
 	- ruby-doorkeeper 5.0.3-1 (bug #959903)
+	[buster] - ruby-doorkeeper <not-affected> (Vulnerable code not present)
+	[stretch] - ruby-doorkeeper <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6
 	NOTE: https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9
+	NOTE: Introduced in https://github.com/doorkeeper-gem/doorkeeper/commit/4acc923dc77fa00928268136f54136d5a6a865dc (v5.0.0.rc1)
 CVE-2020-10186
 	RESERVED
 CVE-2020-10185 (The sync endpoint in YubiKey Validation Server before 2.40 allows remo ...)
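Review bot: The [buster] and [stretch] <not-affected> reason "Vulnerable code not present" can cite the version directly, in the form this file already uses for libxml-security-java ("Vulnerable code introduced in 2.0.3"), since the new NOTE pins the introducing commit to v5.0.0.rc1: "Vulnerable code introduced in 5.0.0.rc1". That makes the reason checkable against the ruby-doorkeeper versions in buster and stretch without following the NOTE, and it agrees with the CVE text, which scopes the flaw to "version 5.0.0 and later".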
@@ -129149,6 +129162,7 @@ CVE-2019-12401 (Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4
 	NOTE: when parsing specially crafted XML data.
 CVE-2019-12400 (In version 2.0.3 Apache Santuario XML Security for Java, a caching mec ...)
 	- libxml-security-java <unfixed> (bug #935548)
+	[buster] - libxml-security-java <no-dsa> (Minor issue)
 	[stretch] - libxml-security-java <not-affected> (Vulnerable code introduced in 2.0.3)
 	[jessie] - libxml-security-java <not-affected> (Vulnerable code introduced in 2.0.3)
 	NOTE: http://santuario.apache.org/secadv.data/CVE-2019-12400.asc


=====================================
data/dsa-needed.txt
=====================================
@@ -29,6 +29,8 @@ ndpi
 --
 jetty9
 --
+openjdk-11 (jmm)
+--
 python-pysaml2 (jmm)
 --
 salt



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4722c65f23140063413305dd7e591694879e103




