[Git][security-tracker-team/security-tracker][master] 8 commits: data/dla-needed.txt: Triage asterisk for stretch LTS (CVE-2021-32558)

Chris Lamb (@lamby) lamby at debian.org
Wed Aug 4 09:41:18 BST 2021



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
51f05f29 by Chris Lamb at 2021-08-04T09:40:15+01:00
data/dla-needed.txt: Triage asterisk for stretch LTS (CVE-2021-32558)

- - - - -
ea07e5cd by Chris Lamb at 2021-08-04T09:40:15+01:00
data/dla-needed.txt: Claim asterisk.

- - - - -
23e1f33e by Chris Lamb at 2021-08-04T09:40:16+01:00
Triage CVE-2021-37746 in claws-mail for stretch LTS.

- - - - -
e2df920a by Chris Lamb at 2021-08-04T09:40:17+01:00
Triage CVE-2021-37746 in sylpheed for stretch LTS.

- - - - -
de900ab3 by Chris Lamb at 2021-08-04T09:40:18+01:00
Triage CVE-2021-37601 in prosody for stretch LTS.

- - - - -
d878edcc by Chris Lamb at 2021-08-04T09:40:19+01:00
Triage CVE-2020-36421, CVE-2020-36422, CVE-2020-36423, CVE-2020-36424, CVE-2020-36425 & CVE-2020-36426 in mbedtls for stretch LTS.

- - - - -
1e724bfb by Chris Lamb at 2021-08-04T09:40:20+01:00
Triage CVE-2021-32785, CVE-2021-32786, CVE-2021-32791 & CVE-2021-32792 in libapache2-mod-auth-openidc for stretch LTS.

- - - - -
adaa8d08 by Chris Lamb at 2021-08-04T09:40:56+01:00
data/dla-needed.txt: Triage pjproject for stretch LTS (CVE-2021-32686)

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -713,8 +713,10 @@ CVE-2021-37747
 CVE-2021-37746 (textview_uri_security_check in textview.c in Claws Mail before 3.18.0, ...)
 	- claws-mail <unfixed> (bug #991722)
 	[buster] - claws-mail <no-dsa> (Minor issue)
+	[stretch] - claws-mail <no-dsa> (Minor issue)
 	- sylpheed <unfixed> (bug #991723)
 	[buster] - sylpheed <no-dsa> (Minor issue)
+	[stretch] - sylpheed <no-dsa> (Minor issue)
 	NOTE: https://git.claws-mail.org/?p=claws.git;a=commit;h=ac286a71ed78429e16c612161251b9ea90ccd431
 CVE-2021-3672
 	RESERVED
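Review bot: The added "[stretch] - sylpheed <no-dsa> (Minor issue)" line has no upstream reference behind it: the only NOTE in this entry points at the claws-mail commit, and the description names textview_uri_security_check in Claws Mail's textview.c. Both packages are still <unfixed> in unstable, so consider adding a NOTE for the sylpheed side (bug #991723) so that whoever revisits the stretch decision can tell whether the same patch applies.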
@@ -1430,6 +1432,7 @@ CVE-2021-23183
 CVE-2021-37601 (muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers t ...)
 	- prosody 0.11.9-2
 	[buster] - prosody <no-dsa> (Minor issue)
+	[stretch] - prosody <no-dsa> (Minor issue)
 	NOTE: https://prosody.im/security/advisory_20210722/
 CVE-2021-37404
 	RESERVED
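Review bot: On the added "[stretch] - prosody <no-dsa> (Minor issue)" line, the description scopes the issue to Prosody 0.11.0 through 0.11.9. <no-dsa> records stretch as affected but not worth an advisory; if the stretch package predates 0.11.0, "<not-affected> (Vulnerable code not present)" would be the accurate state. Please confirm the stretch version before keeping this tag.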
@@ -2806,24 +2809,30 @@ CVE-2020-36427 (GNOME gThumb before 3.10.1 allows an application crash via a mal
 CVE-2020-36426 (An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtls_x509_cr ...)
 	- mbedtls 2.16.9-0.1
 	[buster] - mbedtls <no-dsa> (Minor issue)
+	[stretch] - mbedtls <no-dsa> (Minor issue)
 CVE-2020-36425 (An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly  ...)
 	- mbedtls 2.16.9-0.1
 	[buster] - mbedtls <no-dsa> (Minor issue)
+	[stretch] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://github.com/ARMmbed/mbedtls/issues/3340
 	NOTE: https://github.com/ARMmbed/mbedtls/pull/3433
 CVE-2020-36424 (An issue was discovered in Arm Mbed TLS before 2.24.0. An attacker can ...)
 	- mbedtls 2.16.9-0.1
 	[buster] - mbedtls <no-dsa> (Minor issue)
+	[stretch] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-2
 CVE-2020-36423 (An issue was discovered in Arm Mbed TLS before 2.23.0. A remote attack ...)
 	- mbedtls 2.16.9-0.1
 	[buster] - mbedtls <no-dsa> (Minor issue)
+	[stretch] - mbedtls <no-dsa> (Minor issue)
 CVE-2020-36422 (An issue was discovered in Arm Mbed TLS before 2.23.0. A side channel  ...)
 	- mbedtls 2.16.9-0.1
 	[buster] - mbedtls <no-dsa> (Minor issue)
+	[stretch] - mbedtls <no-dsa> (Minor issue)
 CVE-2020-36421 (An issue was discovered in Arm Mbed TLS before 2.23.0. Because of a si ...)
 	- mbedtls 2.16.9-0.1
 	[buster] - mbedtls <no-dsa> (Minor issue)
+	[stretch] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://github.com/ARMmbed/mbedtls/issues/3394
 CVE-2021-36774
 	RESERVED
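Review bot: All six added "[stretch] - mbedtls <no-dsa> (Minor issue)" lines carry the same generic reason, although the visible descriptions differ in kind: CVE-2020-36422 and CVE-2020-36421 mention a side channel, and CVE-2020-36423 is described as remote. CVE-2020-36426, CVE-2020-36423 and CVE-2020-36422 also have no NOTE pointing at an upstream issue or commit. A per-CVE reason, or <postponed> where the fix should ride along with the next mbedtls DLA, plus upstream references for those three, would make the decision easier to audit later.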
@@ -11947,12 +11956,14 @@ CVE-2021-32793
 CVE-2021-32792 (mod_auth_openidc is an authentication/authorization module for the Apa ...)
 	- libapache2-mod-auth-openidc 2.4.9-1 (bug #991580)
 	[buster] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
+	[stretch] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
 	NOTE: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-458c-7pwg-3j7j
 	NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/00c315cb0c8ab77c67be4a2ac08a71a83ac58751 (v2.4.9)
 	NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/55ea0a085290cd2c8cdfdd960a230cbc38ba8b56 (v2.4.9)
 CVE-2021-32791 (mod_auth_openidc is an authentication/authorization module for the Apa ...)
 	- libapache2-mod-auth-openidc 2.4.9-1 (bug #991581)
 	[buster] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
+	[stretch] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
 	NOTE: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-px3c-6x7j-3r9r
 	NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/375407c16c61a70b56fdbe13b0d2c8f11398e92c (v2.4.9)
 CVE-2021-32790 (Woocommerce is an open source eCommerce plugin for WordPress. An SQL i ...)
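Review bot: For the two added "[stretch] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)" lines, the upstream fix commits are already listed and all land in v2.4.9, with CVE-2021-32792 needing two of them. With the patches identified, "<postponed> (Minor issue, fix along with next DLA)" would signal that they should be picked up with the next upload; if <no-dsa> is intended, a short reason why a backport is not worthwhile for stretch would help.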
@@ -11966,11 +11977,13 @@ CVE-2021-32787 (Sourcegraph is a code search and navigation engine. Sourcegraph
 CVE-2021-32786 (mod_auth_openidc is an authentication/authorization module for the Apa ...)
 	- libapache2-mod-auth-openidc 2.4.9-1 (bug #991582)
 	[buster] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
+	[stretch] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
 	NOTE: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-xm4c-5wm5-jqv7
 	NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/3a115484eb927bc6daa5737dd84f88ff4bbc5544 (v2.4.9)
 CVE-2021-32785 (mod_auth_openidc is an authentication/authorization module for the Apa ...)
 	- libapache2-mod-auth-openidc 2.4.9-1 (bug #991583)
 	[buster] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
+	[stretch] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
 	NOTE: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-55r8-6w97-xxr4
 	NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/dc672688dc1f2db7df8ad4abebc367116017a449 (v2.4.9)
 CVE-2021-32784


=====================================
data/dla-needed.txt
=====================================
@@ -18,6 +18,8 @@ ansible
   NOTE: 20210411: after that LTS. (apo)
   NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
 --
+asterisk (Chris Lamb)
+--
 ceph (Markus Koschany)
   NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
   NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
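Review bot: The new "asterisk (Chris Lamb)" entry has no NOTE line, so dla-needed.txt itself does not say which issue prompted it; the CVE (CVE-2021-32558) appears only in the commit subject. A dated NOTE naming the CVE, in the style of the ceph entry that follows, keeps the context if the claim is later released.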
@@ -76,6 +78,9 @@ openjdk-8 (Emilio)
 --
 pillow (codehelp)
 --
+pjproject
+  NOTE: 20210804: Check notes on CVE (especially re. src:ring). (lamby)
+--
 postgresql-9.1
   NOTE: 20210803: See "Subject: packages in *-lts newer than in subsequent releases"
 --
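Review bot: The NOTE on the unclaimed "pjproject" entry says "Check notes on CVE" without giving the id, and the data/CVE/list changes in this push do not touch a pjproject entry. Naming it in the note, e.g. "NOTE: 20210804: Check notes on CVE-2021-32686 (especially re. src:ring). (lamby)", saves the next person from digging through the commit log.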



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4452b7f7603c9b0f4650943e86cb0cbdffbc9f2a...adaa8d08ac9c22a20ad83c54617c312364d9331b
