[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2019-0160,edk2: Stretch is not affected
Markus Koschany
apo at debian.org
Thu Apr 29 12:05:36 BST 2021
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2fea3395 by Markus Koschany at 2021-04-29T12:59:53+02:00
CVE-2019-0160,edk2: Stretch is not affected
The vulnerable code is not present
- - - - -
8045728f by Markus Koschany at 2021-04-29T13:02:53+02:00
Remove no-dsa tags for upcoming edk2 update in Stretch.
- - - - -
a5f13445 by Markus Koschany at 2021-04-29T13:04:37+02:00
Reserve DLA-2645-1 for edk2
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -122327,12 +122327,10 @@ CVE-2019-14588
CVE-2019-14587 (Logic issue EDK II may allow an unauthenticated user to potentially en ...)
- edk2 0~20200229.4c0f6e34-1
[buster] - edk2 0~20181115.85588389-3+deb10u1
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
CVE-2019-14586 (Use after free vulnerability in EDK II may allow an authenticated user ...)
- edk2 0~20200229.4c0f6e34-1
[buster] - edk2 0~20181115.85588389-3+deb10u1
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
CVE-2019-14585
RESERVED
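Review bot: the tags dropped for CVE-2019-14587 and CVE-2019-14586 in this hunk are `<ignored> (Minor issue)`, not `<no-dsa>` as commit 8045728f says; the outcome is the same only because the fixed stretch version is supplied by the DLA-2645-1 line added to data/DLA/list in a5f13445 of the same push, so the commit message should name the tag it actually removes and that dependency.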
@@ -122362,7 +122360,6 @@ CVE-2019-14576
CVE-2019-14575 (Logic issue in DxeImageVerificationHandler() for EDK II may allow an a ...)
- edk2 0~20200229.4c0f6e34-1 (low; bug #952935)
[buster] - edk2 0~20181115.85588389-3+deb10u1
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
CVE-2019-14574 (Out of bounds read in a subsystem for Intel(R) Graphics Driver version ...)
@@ -122390,14 +122387,12 @@ CVE-2019-14564
CVE-2019-14563 (Integer truncation in EDK II may allow an authenticated user to potent ...)
- edk2 0~20200229.4c0f6e34-1 (low; bug #952934)
[buster] - edk2 0~20181115.85588389-3+deb10u1
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2001
CVE-2019-14562 (Integer overflow in DxeImageVerificationHandler() EDK II may allow an ...)
- edk2 2020.05-4 (bug #968819)
[buster] - edk2 0~20181115.85588389-3+deb10u2
- [stretch] - edk2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1869245
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2215
CVE-2019-14561
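Review bot: CVE-2019-14562 is the odd one out in this hunk: its stretch tag was `<no-dsa>` rather than `<ignored>`, and its buster fix is a separate later upload (0~20181115.85588389-3+deb10u2, bug #968819) instead of the deb10u1 upload that covers the other entries. Confirm the stretch package carries the patch from that second buster upload, not only the deb10u1 set, and say so in the DLA text.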
@@ -122412,14 +122407,12 @@ CVE-2019-14560 [GetEfiGlobalVariable2() return value not checked]
CVE-2019-14559 (Uncontrolled resource consumption in EDK II may allow an unauthenticat ...)
- edk2 0~20200229.4c0f6e34-1 (bug #952926; low)
[buster] - edk2 0~20181115.85588389-3+deb10u1
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2550
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2031
CVE-2019-14558 (Insufficient control flow management in BIOS firmware for 8th, 9th, 10 ...)
- edk2 0~20200229.4c0f6e34-1
[buster] - edk2 0~20181115.85588389-3+deb10u1
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1611
NOTE: https://github.com/tianocore/edk2/commit/764e8ba1389a617639d79d2c4f0d53f4ea4a7387
@@ -165941,13 +165934,12 @@ CVE-2019-0162 (Memory access in virtual memory mapping for some microprocessors
NOT-FOR-US: F5
CVE-2019-0161 (Stack overflow in XHCI for EDK II may allow an unauthenticated user to ...)
- edk2 0~20180803.dd4cae4d-1 (low)
- [stretch] - edk2 <ignored> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://github.com/tianocore/edk2/commit/acebdf14c985c5c9f50b37ece0b15ada87767359
NOTE: https://github.com/tianocore/edk2/commit/72750e3bf9174f15c17e78f0f117b5e7311bb49f
CVE-2019-0160 (Buffer overflow in system firmware for EDK II may allow unauthenticate ...)
- edk2 0~20181115.85588389-1 (low)
- [stretch] - edk2 <ignored> (Minor issue)
+ [stretch] - edk2 <not-affected> (vulnerable code is not present)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://github.com/tianocore/edk2/commit/4df8f5bfa28b8b881e506437e8f08d92c1a00370
NOTE: https://github.com/tianocore/edk2/commit/b9ae1705adfdd43668027a25a2b03c2e81960219
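Review bot: the `<not-affected>` rationale for CVE-2019-0160 should record what was checked, e.g. that the code changed by the two referenced upstream commits (4df8f5bf..., b9ae1705...) is absent from the 0~20161202.7bbe0b3e snapshot shipped in stretch, so the claim can be audited later; the usual tracker wording is `(Vulnerable code not present)`. Note also that CVE-2019-0161 loses its `<ignored>` tag in the same hunk while 0160 becomes not-affected, so the DLA text should make clear that 0161 is fixed and 0160 was never present.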
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[29 Apr 2021] DLA-2645-1 edk2 - security update
+ {CVE-2019-0161 CVE-2019-14558 CVE-2019-14559 CVE-2019-14562 CVE-2019-14563 CVE-2019-14575 CVE-2019-14584 CVE-2019-14586 CVE-2019-14587 CVE-2021-28210 CVE-2021-28211}
+ [stretch] - edk2 0~20161202.7bbe0b3e-1+deb9u2
[27 Apr 2021] DLA-2644-1 gst-libav1.0 - security update
[stretch] - gst-libav1.0 1.10.4-1+deb9u1
[27 Apr 2021] DLA-2643-1 gst-plugins-ugly1.0 - security update
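Review bot: the CVE set on the DLA-2645-1 line includes CVE-2019-14584, CVE-2021-28210 and CVE-2021-28211, none of which has a data/CVE/list change in this diff, whereas the other eight did; check that those three entries carry no leftover `<ignored>`/`<no-dsa>` stretch tag so that they are consistent with the advisory. The recorded version 0~20161202.7bbe0b3e-1+deb9u2 should also be checked against the actual upload before the advisory goes out.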
=====================================
data/dla-needed.txt
=====================================
@@ -44,8 +44,6 @@ curl
NOTE: 20210405: namely CURLU, CURLUPART_{URL,FRAGMENT,USER,PASSWORD}. (utkarsh)
NOTE: 20210405: see https://lists.debian.org/debian-lts/2021/04/msg00002.html. (utkarsh)
--
-edk2 (Markus Koschany)
---
firmware-nonfree
NOTE: 20201207: wait for the update in buster and backport that (Emilio)
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/69572ae2b235d99bf3afc9a973cc2efaf438327c...a5f13445129371c4b99491d7683d98dda1580c37