[Git][security-tracker-team/security-tracker][master] bullseye/buster triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Thu Aug 5 19:58:18 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
15fc3768 by Moritz Muehlenhoff at 2021-08-05T20:57:56+02:00
bullseye/buster triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5855,6 +5855,8 @@ CVE-2021-35502 (app/View/Elements/genericElements/IndexTable/Fields/generic_fiel
CVE-2021-3622
RESERVED
- hivex <unfixed> (bug #991860)
+ [bullseye] - hivex <no-dsa> (Minor issue)
+ [buster] - hivex <no-dsa> (Minor issue)
NOTE: https://listman.redhat.com/archives/libguestfs/2021-August/msg00002.html
NOTE: https://github.com/libguestfs/hivex/commit/771728218dac2fbf6997a7e53225e75a4c6b7255
CVE-2021-35501 (PandoraFMS <=7.54 allows Stored XSS by placing a payload in the nam ...)
@@ -7641,6 +7643,7 @@ CVE-2021-3603 (PHPMailer 6.4.1 and earlier contain a vulnerability that can resu
CVE-2021-3602 [Host environment variables leaked in build container when using chroot isolation]
RESERVED
- golang-github-containers-buildah <unfixed>
+ [bullseye] - golang-github-containers-buildah <no-dsa> (Minor issue)
NOTE: https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
NOTE: https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0 (main)
NOTE: https://github.com/containers/buildah/commit/23c478b815fb93c094070baa336bcb6a27c01683 (release-1.21)
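Review bot: the new [bullseye] line for CVE-2021-3602 carries only the generic rationale "(Minor issue)", and the hunk records no reason why a leak of host environment variables into the build container is considered minor; a NOTE with the triage reasoning (for example the conditions under which the leak occurs, as described in the linked GHSA advisory) would make the no-dsa decision reproducible later. Buster is not triaged in this hunk either; if golang-github-containers-buildah ships in buster it needs its own [buster] entry, otherwise nothing further is required.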
@@ -11765,6 +11768,7 @@ CVE-2021-32926 (When an authenticated password change request takes place, this
CVE-2021-3551
RESERVED
- dogtag-pki <unfixed> (bug #991665)
+ [bullseye] - dogtag-pki <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1959971
NOTE: https://github.com/dogtagpki/pki/commit/0c2f3b84499584bb6029f5ba3988ed3cb081e548
NOTE: https://github.com/dogtagpki/pki/commit/b01cd8cc7d3e391e69ed2c8161f7e15fa84553e6
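Review bot: only a [bullseye] line is added for CVE-2021-3551 (dogtag-pki), whereas the hivex entry earlier in this commit triages both bullseye and buster; if dogtag-pki is present in buster it remains listed as affected there through the "- dogtag-pki <unfixed>" line and needs an explicit [buster] decision (no-dsa, not-affected or a fix), and if it is not present no change is needed, but the hunk does not say which.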
@@ -12386,6 +12390,7 @@ CVE-2021-32678 (Nextcloud Server is a Nextcloud package that handles data storag
- nextcloud-server <itp> (bug #941708)
CVE-2021-32677 (FastAPI is a web framework for building APIs with Python 3.6+ based on ...)
- fastapi <unfixed> (bug #990582)
+ [bullseye] - fastapi <no-dsa> (Minor issue)
NOTE: https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7
NOTE: https://github.com/tiangolo/fastapi/commit/fa7e3c996edf2d5482fff8f9d890ac2390dede4d (0.65.2)
CVE-2021-32676 (Nextcloud Talk is a fully on-premises audio/video and chat communicati ...)
@@ -15948,12 +15953,15 @@ CVE-2021-31293
RESERVED
CVE-2021-31292 (An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 allows att ...)
- exiv2 <unfixed> (bug #991706)
+ [bullseye] - exiv2 <no-dsa> (Minor issue)
+ [buster] - exiv2 <no-dsa> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/1530
- TODO: check older versions
+ NOTE: https://github.com/Exiv2/exiv2/commit/9b7a19f957af53304655ed1efe32253a1b11a8d0
+ NOTE: In older releases affected code is in src/crwimage.cpp
CVE-2021-31291 (A heap-based buffer overflow vulnerability in jp2image.cpp of Exiv2 0. ...)
- exiv2 <unfixed> (bug #991705)
NOTE: https://github.com/Exiv2/exiv2/issues/1529
- TODO: check oder versions
+ NOTE: https://github.com/Exiv2/exiv2/commit/0230620e6ea5e2da0911318e07ce6e66d1ebdf22
CVE-2021-31290
RESERVED
CVE-2021-31289
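Review bot: for CVE-2021-31291 the "TODO: check oder versions" line is dropped and replaced only by the upstream commit link, but unlike CVE-2021-31292 no [bullseye]/[buster] lines and no note on where the affected code lives in older releases are added, so the outcome of the check is not recorded; either add the release entries (or a NOTE stating that older releases are not affected) or keep the TODO until that is settled. The typo in the removed line ("oder") goes away with it, so nothing else needs fixing there.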
@@ -150254,6 +150262,7 @@ CVE-2019-11099
CVE-2019-11098 (Insufficient input validation in MdeModulePkg in EDKII may allow an un ...)
[experimental] - edk2 2021.02-1
- edk2 2020.11-5 (bug #991495)
+ [bullseye] - edk2 <no-dsa> (Minor issue)
[buster] - edk2 <no-dsa> (Minor issue)
[stretch] - edk2 <no-dsa> (Minor issue)
NOTE: https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability
=====================================
data/dsa-needed.txt
=====================================
@@ -25,6 +25,8 @@ chromium
--
djvulibre
--
+exiv2 (jmm)
+--
icu
--
linux (carnil)
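Review bot: exiv2 is claimed here for a DSA while the same commit marks CVE-2021-31292 <no-dsa> for bullseye and buster and leaves CVE-2021-31291 without any release entries; a short parenthetical or note stating which exiv2 CVEs the planned DSA is meant to cover would avoid the apparent contradiction with data/CVE/list.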
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15fc376855dc8359710d0aa04caca1981feac6f6