[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2021-20298/openexr: stretch postponed
Sylvain Beucler (@beuc)
beuc at debian.org
Wed Aug 4 20:39:52 BST 2021
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
bfa06328 by Sylvain Beucler at 2021-08-04T21:32:19+02:00
CVE-2021-20298/openexr: stretch postponed
- - - - -
4676904f by Sylvain Beucler at 2021-08-04T21:39:11+02:00
Reserve DLA-2732-1 for openexr
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -7499,7 +7499,6 @@ CVE-2021-3605 [Heap buffer overflow in the rleUncompress function]
RESERVED
- openexr <unfixed> (bug #990899)
[buster] - openexr <no-dsa> (Minor issue)
- [stretch] - openexr <postponed> (Minor issue, buffer read overflow, fix along next DLA)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1036
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/25259a84827234a283f6f9db72978198c7a3f268 (master)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/3204008c0bd4c8d7599a052b304d1b44c4511283 (v2.5)
@@ -43643,6 +43642,7 @@ CVE-2021-20298 [Out-of-memory in B44Compressor]
RESERVED
- openexr 2.5.4-1
[buster] - openexr <ignored> (Minor issue)
+ [stretch] - openexr <postponed> (Minor issue, OOM, revisit when there's a full fix upstream)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97 (master) (partial fix)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/0c2b46f630a3b5f2f561c2849d047ee39f899179 (2.5.x) (partial fix)
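Review bot: the added `[stretch]` line defers to "a full fix upstream", but nothing in the entry says what is still missing. Both upstream commits are tagged "(partial fix)", while the entry records `- openexr 2.5.4-1` as the fixed version and `[buster]` is `<ignored>` rather than `<postponed>`. A NOTE naming the remaining gap, or the upstream issue to watch, would let whoever revisits this know when the condition is met and whether the buster status should change with it.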
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[04 Aug 2021] DLA-2732-1 openexr - security update
+ {CVE-2021-3605 CVE-2021-20299 CVE-2021-20300 CVE-2021-20302 CVE-2021-20303}
+ [stretch] - openexr 2.2.0-11+deb9u4
[04 Aug 2021] DLA-2731-1 wordpress - security update
[stretch] - wordpress 4.7.21+dfsg-0+deb9u1
[04 Aug 2021] DLA-2730-1 libpam-tacplus - security update
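Review bot: the CVE set on the second added line names five CVEs, but the data/CVE/list hunks in this push only touch CVE-2021-3605 and CVE-2021-20298, and the latter is not part of the DLA. Confirm that the entries for CVE-2021-20299, CVE-2021-20300, CVE-2021-20302 and CVE-2021-20303 carry no leftover `[stretch]` annotation that would conflict with the `2.2.0-11+deb9u4` fixed version recorded here.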
=====================================
data/dla-needed.txt
=====================================
@@ -67,8 +67,6 @@ nvidia-graphics-drivers
NOTE: package is in non-free but also in packages-to-support
NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
--
-openexr (Sylvain Beucler)
---
openjdk-8 (Emilio)
--
pillow (codehelp)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e47a6414e5f5eef0223516f31464c196be944ffe...4676904f2953caeaa3e958eb5054de1672dc5f32