[Git][security-tracker-team/security-tracker][master] 16 commits: Mark CVE-2021-22930/nodejs as end-of-life for stretch

Utkarsh Gupta (@utkarsh) utkarsh at debian.org
Mon Aug 2 00:57:08 BST 2021



Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4cf5dd3d by Utkarsh Gupta at 2021-08-02T04:55:08+05:30
Mark CVE-2021-22930/nodejs as end-of-life for stretch

- - - - -
12c68775 by Utkarsh Gupta at 2021-08-02T04:56:24+05:30
Mark CVE-2021-20333/mongodb as end-of-life for stretch

- - - - -
6bcbc433 by Utkarsh Gupta at 2021-08-02T04:57:15+05:30
Mark CVE-2021-3652/389-ds-base as no-dsa for stretch

- - - - -
21c556d3 by Utkarsh Gupta at 2021-08-02T04:57:45+05:30
Mark CVE-2021-3658/bluez as no-dsa for stretch

- - - - -
d40a72db by Utkarsh Gupta at 2021-08-02T04:58:23+05:30
Mark CVE-2020-19497/libmatio as no-dsa for stretch

- - - - -
d62818df by Utkarsh Gupta at 2021-08-02T04:58:51+05:30
Mark CVE-2021-24119/mbedtls as no-dsa for stretch

- - - - -
1b9845dd by Utkarsh Gupta at 2021-08-02T05:00:21+05:30
Mark CVE-2021-3664/node-url-parse as end-of-life for stretch

- - - - -
3b3da357 by Utkarsh Gupta at 2021-08-02T05:02:07+05:30
Mark CVE-2021-36091/otrs2 as no-dsa for stretch

- - - - -
7e6636b7 by Utkarsh Gupta at 2021-08-02T05:02:34+05:30
Mark CVE-2021-36092/otrs2 as no-dsa for stretch

- - - - -
a6afa475 by Utkarsh Gupta at 2021-08-02T05:03:09+05:30
Mark CVE-2020-36420/polipo as ignored for stretch

- - - - -
bfe86e31 by Utkarsh Gupta at 2021-08-02T05:03:39+05:30
Mark CVE-2021-32823/ruby-bindata as no-dsa for stretch

- - - - -
1c00c406 by Utkarsh Gupta at 2021-08-02T05:04:26+05:30
Mark CVE-2021-37600/util-linux as no-dsa for stretch

- - - - -
7c981647 by Utkarsh Gupta at 2021-08-02T05:18:13+05:30
Add exiv2 to dla-needed

- - - - -
4f69f643 by Utkarsh Gupta at 2021-08-02T05:19:38+05:30
Add ruby2.3 to dla-needed

- - - - -
1cd4d182 by Utkarsh Gupta at 2021-08-02T05:22:30+05:30
Add varnish to dla-needed

- - - - -
2ca1600c by Utkarsh Gupta at 2021-08-02T05:26:28+05:30
Mark CVE-2019-25050/gdal as not-affected for stretch

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -337,6 +337,7 @@ CVE-2021-3668
 CVE-2021-37600 (An integer overflow in util-linux through 2.37.1 can potentially cause ...)
 	- util-linux 2.36.1-8 (low; bug #991619)
 	[buster] - util-linux <no-dsa> (Minor issue)
+	[stretch] - util-linux <no-dsa> (Minor issue)
 	NOTE: https://github.com/karelzak/util-linux/issues/1395
 	NOTE: https://github.com/karelzak/util-linux/commit/1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c
 CVE-2021-37598
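Review bot: the new [stretch] line mirrors buster's tag and reason, and the sid entry already rates the issue 'low' (bug #991619), so 'Minor issue' is consistent; the description's 'through 2.37.1' range also places every stretch version inside it. What the hunk does not record is whether the stretch build was checked against upstream issue #1395, so a NOTE line naming the version inspected would let a later triager tell 'minor and present' from 'not looked at'.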
@@ -733,6 +734,7 @@ CVE-2021-3665
 CVE-2021-3664 (url-parse is vulnerable to URL Redirection to Untrusted Site ...)
 	- node-url-parse 1.5.3-1 (bug #991577)
 	[buster] - node-url-parse <no-dsa> (Minor issue)
+	[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://huntr.dev/bounties/1625557993985-unshiftio/url-parse/
 	NOTE: https://github.com/unshiftio/url-parse/commit/81ab967889b08112d3356e451bf03e6aa0cbb7e0
 CVE-2021-26250
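Review bot: the <end-of-life> reason on the added [stretch] line names Nodejs rather than node-url-parse itself; that reads as intended for a Node.js library package, and the identical wording on the nodejs entry later in this patch keeps the two entries consistent and greppable. A NOTE pointing at the stretch security-support limitation for Node.js would make the reason self-documenting instead of relying on the reader knowing it.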
@@ -1145,6 +1147,7 @@ CVE-2021-3658
 	- bluez <unfixed> (bug #991596)
 	[bullseye] - bluez <no-dsa> (Minor issue)
 	[buster] - bluez <no-dsa> (Minor issue)
+	[stretch] - bluez <no-dsa> (Minor issue)
 	NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=b497b5942a8beb8f89ca1c359c54ad67ec843055
 CVE-2021-37216
 	RESERVED
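Review bot: the added [stretch] tag copies buster's no-dsa and 'Minor issue' verbatim, but nothing in the entry shows that the stretch bluez was compared against the referenced bluez.git commit. Elsewhere in this patch (gdal) triage concluded <not-affected> with 'Vulnerable code not present', so a one-line NOTE stating that the stretch version does contain the affected code, or naming the version checked, would distinguish a deliberate no-dsa from an inherited one.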
@@ -2040,6 +2043,7 @@ CVE-2019-25051 (objstack in GNU Aspell 0.60.8 has a heap-based buffer overflow i
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18462
 CVE-2019-25050 (netCDF in GDAL 2.4.2 through 3.0.4 has a stack-based buffer overflow i ...)
 	- gdal 3.1.0+dfsg-1
+	[stretch] - gdal <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2020-420.yaml
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/gdal/OSV-2020-392.yaml
 	NOTE: https://github.com/OSGeo/gdal/commit/767e3a56144f676ca738ef8f700e0e56035bd05a (v3.1.0RC1)
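Review bot: the new <not-affected> tag for stretch gives 'Vulnerable code not present' as the reason, which is plausible given the description's affected range of 2.4.2 through 3.0.4, but neither the reason nor the NOTE lines record which stretch gdal version was inspected or which upstream commit introduced the netCDF code path. Adding either to a NOTE would let the next triager verify the claim without redoing the source comparison.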
@@ -2156,6 +2160,7 @@ CVE-2021-3652 [CRYPT password hash with asterisk allows any bind attempt to succ
 	- 389-ds-base <unfixed> (bug #991405)
 	[bullseye] - 389-ds-base <no-dsa> (Minor issue)
 	[buster] - 389-ds-base <no-dsa> (Minor issue)
+	[stretch] - 389-ds-base <no-dsa> (Minor issue)
 	NOTE: https://github.com/389ds/389-ds-base/issues/4817
 	NOTE: https://github.com/389ds/389-ds-base/commit/aeb90eb0c41fc48541d983f323c627b2e6c328c7 (master)
 	NOTE: https://github.com/389ds/389-ds-base/commit/c1926dfc6591b55c4d33f9944de4d7ebe077e964 (1.4.4.x)
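Review bot: the added [stretch] line marks an issue titled 'CRYPT password hash with asterisk allows any bind attempt to succeed' as no-dsa 'Minor issue', matching bullseye and buster. Because the title describes an authentication bypass, the bare 'Minor issue' reason would benefit from a few words on why it is minor here (the precondition the title itself implies: the stored CRYPT hash has to be an asterisk), either in the reason text or in a NOTE, so the downgrade stays traceable.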
@@ -2213,6 +2218,7 @@ CVE-2021-36746 (Blackboard Learn through 9.1 allows XSS by an authenticated user
 CVE-2020-36420 (** UNSUPPORTED WHEN ASSIGNED ** Polipo through 1.1.1 allows denial of  ...)
 	- polipo <removed>
 	[buster] - polipo <ignored> (Minor issue)
+	[stretch] - polipo <ignored> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/11/18/1
 CVE-2021-36745
 	RESERVED
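Review bot: <ignored> for stretch matches buster and fits both the '** UNSUPPORTED WHEN ASSIGNED **' marker in the description and the <removed> status in unstable, so the hunk is consistent. Minor wording point: the rationale for ignoring a denial-of-service issue in a package that upstream no longer supports and that has been removed is 'unsupported upstream, package removed' rather than 'Minor issue'; stating that would describe the actual decision more accurately.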
@@ -3620,12 +3626,14 @@ CVE-2021-36092 (It's possible to create an email which contains specially crafte
 	- otrs2 <unfixed> (bug #991593)
 	[bullseye] - otrs2 <no-dsa> (Non-free not supported)
 	[buster] - otrs2 <no-dsa> (Non-free not supported)
+	[stretch] - otrs2 <no-dsa> (Non-free not supported)
 	NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-15/
 	NOTE: Reference is for OTRS, no reference for znuny yet (in bullseye src:otrs2 is the znuny fork)
 CVE-2021-36091 (Agents are able to list appointments in the calendars without required ...)
 	- otrs2 <unfixed> (bug #991593)
 	[bullseye] - otrs2 <no-dsa> (Non-free not supported)
 	[buster] - otrs2 <no-dsa> (Non-free not supported)
+	[stretch] - otrs2 <no-dsa> (Non-free not supported)
 	NOTE: https://otrs.com/release-notes/otrs-security-advisory-2021-14/
 	NOTE: Reference is for OTRS, no reference for znuny yet (in bullseye src:otrs2 is the znuny fork)
 CVE-2021-3632
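Review bot: both added [stretch] lines reuse 'Non-free not supported' verbatim from bullseye and buster, so CVE-2021-36092 and CVE-2021-36091 are handled consistently. Since the existing NOTE explains that src:otrs2 in bullseye is the znuny fork while the advisory references are for OTRS, it would help future triage to record whether the stretch source is still the original OTRS lineage, where the linked OTRS advisories apply directly.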
@@ -11178,6 +11186,7 @@ CVE-2021-32823 (In the bindata RubyGem before version 2.4.10 there is a potentia
 	- ruby-bindata <unfixed> (bug #990577)
 	[bullseye] - ruby-bindata <no-dsa> (Minor issue)
 	[buster] - ruby-bindata <no-dsa> (Minor issue)
+	[stretch] - ruby-bindata <no-dsa> (Minor issue)
 	NOTE: https://github.com/dmendel/bindata/commit/d99f050b88337559be2cb35906c1f8da49531323
 	NOTE: https://about.gitlab.com/releases/2021/06/01/security-release-gitlab-13-12-2-released/#update-bindata-dependency
 	NOTE: https://github.com/dmendel/bindata/blob/v2.4.10/ChangeLog.rdoc#version-2410-2021-05-18-
@@ -32606,6 +32615,7 @@ CVE-2021-24119 (In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerabilit
 	- mbedtls <unfixed>
 	[bullseye] - mbedtls <no-dsa> (Minor issue)
 	[buster] - mbedtls <no-dsa> (Minor issue)
+	[stretch] - mbedtls <no-dsa> (Minor issue)
 	NOTE: Fixed in 2.26.0: https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0
 CVE-2021-24118
 	RESERVED
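Review bot: the added [stretch] no-dsa line copies buster, but the description pins the issue to 'Mbed TLS 2.24.0' and the only NOTE says it is fixed in 2.26.0; nothing records whether the stretch mbedtls version contains the affected side-channel code. Since side-channel fixes tend to touch code that changes across major versions, a NOTE with the version checked (or <not-affected> if the code path is absent) would be more defensible than an inherited 'Minor issue'.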
@@ -35292,6 +35302,7 @@ CVE-2021-22931
 CVE-2021-22930 [Use after free on close http2 on stream canceling]
 	RESERVED
 	- nodejs 12.22.4~dfsg-1
+	[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/nodejs/node/commit/b263f2585ab53f56e0e22b46cf1f8519a8af8a05
 	NOTE: https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22930
 	NOTE: Possible incomplete fix (at least for v12): https://github.com/nodejs/node/issues/38964#issuecomment-889936936
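Review bot: the <end-of-life> tag for stretch uses the same reason string as the node-url-parse entry earlier in this patch, which keeps the two consistent. The entry is still RESERVED with a bracketed working title, and the final NOTE flags a possibly incomplete fix for v12; that caveat concerns the 12.22.4~dfsg-1 fix rather than stretch, so nothing further is needed for this hunk, though the bracketed title should be replaced by the CVE description once it is published.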
@@ -42774,6 +42785,7 @@ CVE-2021-20334 (A malicious 3rd party with local access to the Windows machine w
 	NOT-FOR-US: MongoDB Compass
 CVE-2021-20333 (Sending specially crafted commands to a MongoDB Server may result in a ...)
 	- mongodb <removed>
+	[stretch] - mongodb <end-of-life> (https://lists.debian.org/debian-lts/2020/11/msg00058.html)
 	NOTE: https://jira.mongodb.org/browse/SERVER-50605
 CVE-2021-20332
 	RESERVED
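Review bot: the reason field on the added [stretch] line contains only a URL, whereas the other <end-of-life> lines in this patch carry a short textual reason. A phrase such as 'not covered by security support in stretch' in the reason, with the lists.debian.org link moved to a NOTE line next to the existing jira reference, would match the surrounding style and keep the reason readable on its own.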
@@ -73058,6 +73070,7 @@ CVE-2020-19498 (Floating point exception in function Fraction in libheif 1.4.0,
 CVE-2020-19497 (Integer overflow vulnerability in Mat_VarReadNextInfo5 in mat5.c in tb ...)
 	- libmatio 1.5.19-2
 	[buster] - libmatio <no-dsa> (Minor issue)
+	[stretch] - libmatio <no-dsa> (Minor issue)
 	NOTE: https://github.com/tbeu/matio/commit/5fa49ef9fc4368fe3d19b5fdaa36d8fa5e7f4606 (v1.5.18)
 	NOTE: https://github.com/tbeu/matio/issues/121
 CVE-2020-19496


=====================================
data/dla-needed.txt
=====================================
@@ -32,6 +32,9 @@ commons-io (Markus Koschany)
 --
 curl (Adrian Bunk)
 --
+exiv2 (Utkarsh Gupta)
+  NOTE: 20210801: check further; some no-dsa issues have piled up, too. (utkarsh)
+--
 ffmpeg (Anton Gladky)
   NOTE: 20210607: stretch was following the 3.2.x release line, but 3.2.15
   NOTE: 20210607: (released 2020-07-02) was the last on this branch. There are
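Review bot: the new dla-needed entry is claimed and carries a dated NOTE, following the format of the ffmpeg entry below it. The NOTE says 'some no-dsa issues have piled up' without naming them; listing the CVE ids, or stating that the set is the stretch no-dsa entries for exiv2 in data/CVE/list, would make the entry actionable for whoever picks it up.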
@@ -73,6 +76,9 @@ python-babel
   NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith)
   NOTE: 20210620: Revisit when it have an assigned CVE Id. (abhijith)
 --
+ruby2.3 (Utkarsh Gupta)
+  NOTE: 20210802: Utkarsh already uploaded a fix for sid/bullseye. (utkarsh)
+--
 ruby-kaminari
   NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
   NOTE: 20200819: the one upstream or in its many forks. For example, both dthe
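Review bot: the NOTE records that a fix was uploaded for sid/bullseye but not which CVE(s) the stretch DLA should cover or which upload version carries the fix, unlike the python-babel entry above, which links its patch. Adding the CVE ids and the sid version would let the stretch backport be tracked against data/CVE/list.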
@@ -103,3 +109,5 @@ shiro (Roberto C. Sánchez)
 --
 tomcat8 (Markus Koschany)
 --
+varnish
+--
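Review bot: varnish is added without a claimant and without any NOTE, unlike the exiv2 and ruby2.3 entries added in the same push, which both carry a dated NOTE. A NOTE naming the CVE(s) that prompted the entry would tell the next LTS worker what the DLA needs to cover.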



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/37e914d2a3332b22c063bb4fde4ef0dce809cebf...2ca1600cfd4c169affeffe90bf2d78cc1d355ce9
