[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Dec 6 11:52:35 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7e85cbf2 by Moritz Muehlenhoff at 2021-12-06T12:52:16+01:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1125,6 +1125,7 @@ CVE-2021-4024 [podman: podman machine spawns gvproxy with port binded to all IPs
 	NOTE: Fixed by: https://github.com/containers/podman/commit/295d87bb0b028e57dc2739791dee4820fe5fcc48
 CVE-2021-44227 (In GNU Mailman before 2.1.38, a list member or moderator can get a CSR ...)
 	- mailman <removed>
+	[buster] - mailman <no-dsa> (Minor issue)
 	[stretch] - mailman <no-dsa> (Minor issue; can be fixed with the next DLA)
 	NOTE: https://bugs.launchpad.net/mailman/+bug/1952384
 	NOTE: Patch: https://launchpadlibrarian.net/570827498/patch.txt
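Review bot: the new `[buster] - mailman <no-dsa> (Minor issue)` line is consistent with the stretch annotation right below it, but the unstable entry two lines up is `- mailman <removed>` and no bullseye annotation is added, so for a commit titled "buster/bullseye triage" it is worth confirming either that mailman is absent from bullseye or that a `[bullseye]` line is still to come.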
@@ -9086,6 +9087,8 @@ CVE-2021-42261 (Revisor Video Management System (VMS) before 2.0.0 has a directo
 	NOT-FOR-US: Revisor Video Management System (VMS)
 CVE-2021-42260 (TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp  ...)
 	- tinyxml <unfixed>
+	[bullseye] - tinyxml <no-dsa> (Minor issue)
+	[buster] - tinyxml <no-dsa> (Minor issue)
 	[stretch] - tinyxml <no-dsa> (Minor issue; can be fixed with the next DLA)
 	NOTE: https://sourceforge.net/p/tinyxml/bugs/141/
 	NOTE: https://sourceforge.net/p/tinyxml/git/merge-requests/1/
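Review bot: the unstable entry `- tinyxml <unfixed>` above the two new no-dsa lines still carries no bug reference, so once bullseye and buster are marked no-dsa nothing in this entry tracks the pending fix in unstable; other entries in this diff attach one (e.g. `- rails <unfixed> (bug #992586)`), and the upstream merge request already linked in the NOTE line would make a good reference for such a bug.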
@@ -10306,6 +10309,7 @@ CVE-2021-41771 (ImportedSymbols in debug/macho (for Open or OpenFat) in Go befor
 	- golang-1.15 <unfixed>
 	[bullseye] - golang-1.15 <no-dsa> (Minor issue; will be fixed via point release)
 	- golang-1.11 <removed>
+	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	[stretch] - golang-1.7 <no-dsa> (Minor issue; can be fixed with the next DLA)
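Review bot: the added `[buster] - golang-1.11 <no-dsa> (Minor issue)` line gives no indication of how the fix is meant to reach buster, whereas the bullseye annotation for golang-1.15 in the same hunk reads `(Minor issue; will be fixed via point release)`; if the same plan applies to golang-1.11, mirroring that wording keeps the two release entries consistent and actionable.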
@@ -13730,6 +13734,8 @@ CVE-2021-40331
 	RESERVED
 CVE-2021-3756 (libmysofa is vulnerable to Heap-based Buffer Overflow ...)
 	- libmysofa 1.2.1~dfsg0-1
+	[bullseye] - libmysofa <no-dsa> (Minor issue)
+	[buster] - libmysofa <no-dsa> (Minor issue)
 	NOTE: https://huntr.dev/bounties/7ca8d9ea-e2a6-4294-af28-70260bb53bc1/
 	NOTE: https://github.com/hoene/libmysofa/commit/890400ebd092c574707d0c132124f8ff047e20e1 (v1.2.1)
 CVE-2021-3755
@@ -42499,7 +42505,6 @@ CVE-2021-28703
 	NOTE: https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=c65ea16dbcafbe4fe21693b18f8c2a3c5d14600e (4.14.0-rc1)
 CVE-2021-28702 (PCI devices with RMRRs not deassigned correctly Certain PCI devices in ...)
 	- xen 4.14.3+32-g9de3671772-1
-	[bullseye] - xen <postponed> (Minor issue, fix along with next DSA)
 	[buster] - xen <not-affected> (Vulnerable code introduced later)
 	[stretch] - xen <not-affected> (Vulnerable code introduced later)
 	NOTE: https://xenbits.xen.org/xsa/advisory-386.html
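Review bot: removing `[bullseye] - xen <postponed> (Minor issue, fix along with next DSA)` leaves CVE-2021-28702 with no bullseye annotation at all, so the tracker will report bullseye as open relative to the `4.14.3+32-g9de3671772-1` fix in unstable; that is the intended outcome if a bullseye DSA is now being prepared, but the dsa-needed.txt hunks in this commit show no xen entry, so it is worth confirming the DSA is tracked elsewhere or replacing the line with an annotation that states the current plan.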
@@ -56328,6 +56333,7 @@ CVE-2021-22943 (A vulnerability found in UniFi Protect application V1.18.1 and e
 CVE-2021-22942 (A possible open redirect vulnerability in the Host Authorization middl ...)
 	[experimental] - rails 2:6.1.4.1+dfsg-1
 	- rails <unfixed> (bug #992586)
+	[bullseye] - rails <no-dsa> (Minor issue)
 	[buster] - rails <not-affected> (Vulnerable code not present)
 	[stretch] - rails <not-affected> (Vulnerable code not present)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/08/20/1
@@ -61686,6 +61692,7 @@ CVE-2021-21306 (Marked is an open-source markdown parser and compiler (npm packa
 	NOTE: https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd
 CVE-2021-21305 (CarrierWave is an open-source RubyGem which provides a simple and flex ...)
 	- ruby-carrierwave <unfixed> (bug #982551)
+	[buster] - ruby-carrierwave <no-dsa> (Minor issue)
 	[stretch] - ruby-carrierwave <ignored> (No reverse dependencies)
 	NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4
 	NOTE: https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7
@@ -61741,6 +61748,7 @@ CVE-2021-21289 (Mechanize is an open-source ruby library that makes automated we
 	NOTE: Test warnings fixup: https://github.com/sparklemotion/mechanize/commit/5b30aed33cbac9825e8978f8e36dd221cbd4c093 (v2.7.7)
 CVE-2021-21288 (CarrierWave is an open-source RubyGem which provides a simple and flex ...)
 	- ruby-carrierwave 1.3.2-1 (bug #982552)
+	[buster] - ruby-carrierwave <no-dsa> (Minor issue)
 	[stretch] - ruby-carrierwave <ignored> (No reverse dependencies)
 	NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5
 	NOTE: https://github.com/carrierwaveuploader/carrierwave/commit/012702eb3ba1663452aa025831caa304d1a665c0


=====================================
data/dsa-needed.txt
=====================================
@@ -17,16 +17,15 @@ asterisk/oldstable
 condor
 --
 chromium
+  inactive, removal from stable likely
 --
 djvulibre
 --
 faad2/oldstable (jmm)
 --
-firefox-esr
+firefox-esr (jmm)
   Rust toolchain updates needed
 --
-gpac (jmm)
---
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
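Review bot: the `-gpac (jmm)` removal drops gpac from the DSA queue, yet none of the data/CVE/list hunks in this commit touch gpac, so the reason (DSA released, or the issues downgraded in an earlier commit) is not visible from this change; a short mention in the commit message, or a matching CVE/list update in the same commit, would make the removal self-explanatory.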
@@ -43,6 +42,8 @@ openjdk-11/oldstable (jmm)
 --
 puppetdb (jmm)
 --
+python-babel/oldstable (jmm)
+--
 python-pysaml2 (jmm)
 --
 rabbitmq-server



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e85cbf2c82599c4ffcee262d85cf8345000131c
