[Git][security-tracker-team/security-tracker][master] 4 commits: Triage CVE-2021-31810 & CVE-2021-32066 in jruby for stretch LTS.

Chris Lamb (@lamby) lamby at debian.org
Mon Aug 2 10:48:50 BST 2021



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
08c92095 by Chris Lamb at 2021-08-02T10:45:10+01:00
Triage CVE-2021-31810 & CVE-2021-32066 in jruby for stretch LTS.

- - - - -
80eafa05 by Chris Lamb at 2021-08-02T10:46:38+01:00
data/dla-needed.txt: Correct ordering

- - - - -
259473f8 by Chris Lamb at 2021-08-02T10:46:46+01:00
data/dla-needed.txt: Triage vlc for stretch LTS (CVE-2021-25801)

- - - - -
252101d3 by Chris Lamb at 2021-08-02T10:47:30+01:00
data/dla-needed.txt: Claim vlc.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -13074,6 +13074,7 @@ CVE-2021-32066 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7
 	- ruby2.3 <removed>
 	- jruby <unfixed>
 	[buster] - jruby <no-dsa> (Minor issue)
+	[stretch] - jruby <no-dsa> (Minor issue)
 	NOTE: https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
 	NOTE: https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a (2.7)
 CVE-2021-32065
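Review bot: the added `[stretch] - jruby <no-dsa> (Minor issue)` line simply mirrors the buster entry above it, with no stretch-specific rationale recorded; since the sid entry for jruby is still `<unfixed>`, consider appending a NOTE stating why the net-imap STARTTLS stripping issue (the ruby-lang.org advisory linked below the entry) is considered minor for the jruby package, so the no-dsa decision can be re-evaluated later without re-triage. Placement after the `[buster]` line follows the release-ordering convention used elsewhere in the file.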
@@ -13983,6 +13984,7 @@ CVE-2021-31810 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7
 	- ruby2.3 <removed>
 	- jruby <unfixed>
 	[buster] - jruby <no-dsa> (Minor issue)
+	[stretch] - jruby <no-dsa> (Minor issue)
 	NOTE: https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
 	NOTE: https://github.com/ruby/ruby/commit/3ca1399150ed4eacfd2fe1ee251b966f8d1ee469 (2.7)
 CVE-2021-31809
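Review bot: same observation as for the CVE-2021-32066 hunk: the new `[stretch] - jruby <no-dsa> (Minor issue)` line carries the buster rationale verbatim and no stretch-specific NOTE, while jruby in sid is still `<unfixed>`. A one-line NOTE tying the "Minor issue" judgement to the net-ftp PASV-trust advisory linked in the entry would make both stretch no-dsa decisions self-explanatory when the tracker is revisited.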


=====================================
data/dla-needed.txt
=====================================
@@ -76,9 +76,6 @@ python-babel
   NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith)
   NOTE: 20210620: Revisit when it have an assigned CVE Id. (abhijith)
 --
-ruby2.3 (Utkarsh Gupta)
-  NOTE: 20210802: Utkarsh already uploaded a fix for sid/bullseye. (utkarsh)
---
 ruby-kaminari
   NOTE: 20200819: The source in Debian (at least in LTS) appears to have a different lineage to
   NOTE: 20200819: the one upstream or in its many forks. For example, both dthe
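Review bot: this removal of the `ruby2.3 (Utkarsh Gupta)` block, including its `--` separator, is an ordering move rather than a drop: the same two lines reappear later in this file (commit 80eafa05, "Correct ordering"). The removed NOTE text and claimant are carried over unchanged, so no triage state is lost; worth double-checking only that exactly one `--` separator remains between the python-babel NOTE lines and ruby-kaminari after the move.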
@@ -93,6 +90,9 @@ ruby-kaminari
   NOTE: 20210719: I believe the fix is just adding and extending the blacklist for ruby-kaminari.
   NOTE: 20210719: Will discuss this with Utkarsh (maintainer) shortly.
 --
+ruby2.3 (Utkarsh Gupta)
+  NOTE: 20210802: Utkarsh already uploaded a fix for sid/bullseye. (utkarsh)
+--
 salt
   NOTE: 20210329: WIP (utkarsh)
   NOTE: 20210510: patches ready; reviewing and testing with donfede, damien, and bdrung. (utkarsh)
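Review bot: the re-inserted `ruby2.3 (Utkarsh Gupta)` entry now sits between ruby-kaminari and salt, which matches byte-wise sorting (the `-` in `ruby-kaminari` sorts before the `2` in `ruby2.3`), so the ordering fix is correct and the trailing `+--` keeps the separator convention intact. The moved NOTE says a fix was uploaded for sid/bullseye; it would help to add a NOTE on whether a stretch upload is still pending, since that is what keeps the entry in dla-needed.txt.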
@@ -111,3 +111,5 @@ tomcat8 (Markus Koschany)
 --
 varnish (Adrian Bunk)
 --
+vlc (Chris Lamb)
+--
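Review bot: the new `vlc (Chris Lamb)` entry is added with no NOTE line, although the commit message for 259473f8 names CVE-2021-25801 as the issue being triaged; the other entries in this file record the relevant CVE or status in a dated NOTE, so suggest adding something like `NOTE: 20210802: CVE-2021-25801 (lamby)` under the claim so the scope is visible without consulting git history. The closing `+--` separator correctly terminates the entry at end of file.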



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/bc555ca9f836a96dba148362ae885ef8cbeaa279...252101d317c727dfefa95cd107c9f2bd450f0564
