[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff
jmm at debian.org
Fri Apr 23 18:23:03 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
38a9e4b4 by Moritz Muehlenhoff at 2021-04-23T19:22:26+02:00
buster triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -41,6 +41,7 @@ CVE-2021-31598
RESERVED
CVE-2021-31597 (The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL c ...)
- node-xmlhttprequest-ssl <unfixed>
+ [buster] - node-xmlhttprequest-ssl <ignored> (Minor issue, should possibly be removed from stable as well)
NOTE: https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2
NOTE: https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt
CVE-2021-31596
@@ -180,6 +181,7 @@ CVE-2021-23215
CVE-2021-23169 [Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer]
RESERVED
- openexr <unfixed>
+ [buster] - openexr <not-affected> (Vulnerable code not present)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28051
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/ae6d203892cc9311917a7f4f05354ef792b3e58e
CVE-2020-36324 (Wikimedia Quarry analytics-quarry-web before 2020-12-15 allows Reflect ...)
@@ -3247,6 +3249,7 @@ CVE-2021-30147 (DMA Softlab Radius Manager 4.4.0 allows CSRF with impacts such a
NOT-FOR-US: DMA Softlab Radius Manager
CVE-2021-30146 (Seafile 7.0.5 (2019) allows Persistent XSS via the "share of library f ...)
- seafile-client <unfixed> (bug #987282)
+ [buster] - seafile-client <no-dsa> (Minor issue)
NOTE: https://github.com/Security-AVS/CVE-2021-30146
CVE-2021-30145
RESERVED
@@ -4854,10 +4857,12 @@ CVE-2021-29430 (Sydent is a reference Matrix identity server. Sydent does not li
NOT-FOR-US: Matrix Sydent
CVE-2021-29429 (In Gradle before version 7.0, files created with open permissions in t ...)
- gradle <unfixed> (bug #987284)
+ [buster] - gradle <no-dsa> (Minor issue)
[stretch] - gradle <no-dsa> (Minor issue)
NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8
CVE-2021-29428 (In Gradle before version 7.0, on Unix-like systems, the system tempora ...)
- gradle <unfixed> (bug #987284)
+ [buster] - gradle <no-dsa> (Minor issue)
[stretch] - gradle <no-dsa> (Minor issue; sticky bit on /tmp is set by default)
NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336
CVE-2021-29427 (In Gradle from version 5.1 and before version 7.0 there is a vulnerabi ...)
@@ -8462,8 +8467,8 @@ CVE-2021-27906 (A carefully crafted PDF file can trigger an OutOfMemory-Exceptio
NOTE: https://issues.apache.org/jira/browse/PDFBOX-5112
CVE-2021-27905 (The ReplicationHandler (normally registered at "/replication" under a ...)
- lucene-solr <unfixed>
+ [buster] - lucene-solr <ignored> (Minor issue)
NOTE: https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E
- TODO: check details
CVE-2021-27904 (An issue was discovered in app/Model/SharingGroupServer.php in MISP 2. ...)
NOT-FOR-US: MISP
CVE-2021-27903
@@ -27743,6 +27748,7 @@ CVE-2021-20209
NOTE: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=c62254a686dcd40e3b6e5753d0c7c0308209a7b6 (3.0.29)
CVE-2021-20208 (A flaw was found in cifs-utils in versions before 6.13. A user when mo ...)
- cifs-utils <unfixed> (bug #987308)
+ [buster] - cifs-utils <no-dsa> (Minor issue)
NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14651
NOTE: https://lists.samba.org/archive/samba-technical/2021-April/136467.html
NOTE: https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=e461afd8cfa6d0781ae0c5c10e89b6ef1ca6da32
@@ -31097,6 +31103,7 @@ CVE-2020-29600 (In AWStats through 7.7, cgi-bin/awstats.pl?config= accepts an ab
CVE-2020-29599 (ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 mishandles the - ...)
{DLA-2523-1}
- imagemagick 8:6.9.11.57+dfsg-1 (bug #977205)
+ [buster] - imagemagick <no-dsa> (Minor issue, 200-disable-ghostscript-formats.patch addresses this)
NOTE: https://github.com/ImageMagick/ImageMagick/discussions/2851
NOTE: https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/a9e63436aa04c805fe3f9e2ed242dfa4621df823
@@ -35041,6 +35048,7 @@ CVE-2020-28502 (This affects the package xmlhttprequest before 1.7.0; all versio
- node-xmlhttprequest 1.8.0-1
[stretch] - node-xmlhttprequest <end-of-life> (Nodejs in stretch not covered by security support)
- node-xmlhttprequest-ssl <unfixed>
+ [buster] - node-xmlhttprequest-ssl <ignored> (Minor issue, should possibly be removed from stable as well)
[stretch] - node-xmlhttprequest-ssl <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935
NOTE: https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936
@@ -38334,9 +38342,11 @@ CVE-2020-27830 [Linux kernel NULL-ptr deref bug in spk_ttyio_receive_buf2]
NOTE: https://git.kernel.org/linus/f0992098cadb4c9c6a00703b66cafe604e178fea
CVE-2020-27829 (A heap based buffer overflow in coders/tiff.c may result in program cr ...)
- imagemagick 8:6.9.11.57+dfsg-1
+ [buster] - imagemagick <not-affected> (Vulnerable code not present)
[stretch] - imagemagick <not-affected> (vulnerable code was introduced later)
NOTE: https://github.com/ImageMagick/ImageMagick/commit/6ee5059cd3ac8d82714a1ab1321399b88539abf0
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e30be60bd97313b80e2701239728a3f47c570817
+ NOTE: Introduced in https://github.com/ImageMagick/ImageMagick6/commit/b874d50070557eb98bdc6a3095ef4769af583dd2
CVE-2020-27828 (There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Cr ...)
- jasper <removed>
NOTE: https://github.com/jasper-software/jasper/issues/252
@@ -38683,6 +38693,7 @@ CVE-2020-27753 (There are several memory leaks in the MIFF coder in /coders/miff
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/6f5d3d2cd94eb8361e07546c4bf72cb60681b984
CVE-2020-27752 (A flaw was found in ImageMagick in MagickCore/quantum-private.h. An at ...)
- imagemagick 8:6.9.11.24+dfsg-1
+ [buster] - imagemagick <ignored> (Minor issue)
[stretch] - imagemagick <ignored> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1752
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/a9d563d3d73874312080d30dc4ba07cecad56192
@@ -43970,6 +43981,7 @@ CVE-2020-25675 (In the CropImage() and CropImageToTiles() routines of MagickCore
CVE-2020-25674 (WriteOnePNGImage() from coders/png.c (the PNG coder) has a for loop wi ...)
{DLA-2523-1}
- imagemagick 8:6.9.11.24+dfsg-1
+ [buster] - imagemagick <no-dsa> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1715
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/67b871032183a29d3ca0553db6ce1ae80fddb9aa
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/2fdff8e040cd4401498d89f3c3d1f89cffd118b0
@@ -48036,6 +48048,7 @@ CVE-2020-23923
RESERVED
CVE-2020-23922 (An issue was discovered in giflib through 5.1.4. DumpScreen2RGB in gif ...)
- giflib <unfixed>
+ [buster] - giflib <no-dsa> (Minor issue)
[stretch] - giflib <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/giflib/bugs/151/
CVE-2020-23921 (An issue was discovered in fast_ber through v0.4. yy::yylex() in asn_c ...)
@@ -66802,6 +66815,7 @@ CVE-2020-15079 (In PrestaShop from version 1.5.0.0 and before version 1.7.6.6, t
CVE-2020-15078
RESERVED
- openvpn <unfixed> (bug #987380)
+ [buster] - openvpn <no-dsa> (Minor issue)
NOTE: https://github.com/OpenVPN/openvpn/commit/f7b3bf067ffce72e7de49a4174fd17a3a83f0573 (v2.5.2)
NOTE: https://github.com/OpenVPN/openvpn/commit/3d18e308c4e7e6f7ab7c2826c70d2d07b031c18a (v2.5.2)
NOTE: https://github.com/OpenVPN/openvpn/commit/3aca477a1b58714754fea3a26d0892fffc51db6b (v2.5.2)
=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,14 @@ condor
--
gst-plugins-good1.0 (jmm)
--
+gst-libav1.0 (jmm)
+--
+gst-plugins-bad1.0 (jmm)
+--
+gst-plugins-base1.0 (jmm)
+--
+gst-plugins-ugly1.0 (jmm)
+--
libhibernate3-java
Markus Koschany proposed debdiff for review: <15258f788bac283a47d84c2beab73e17b805ba46.camel at debian.org>
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38a9e4b41bbf3d245b9b0c99d5b11cb7b4686822
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38a9e4b41bbf3d245b9b0c99d5b11cb7b4686822
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210423/fdec35cb/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list