[Git][security-tracker-team/security-tracker][master] 9 commits: data/dla-needed.txt: Triage openssl and openssl1.0 for stretch LTS (CVE-2021-23840).

Chris Lamb lamby at debian.org
Wed Feb 17 10:23:44 GMT 2021



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4b2e5605 by Chris Lamb at 2021-02-17T10:23:27+00:00
data/dla-needed.txt: Triage openssl and openssl1.0 for stretch LTS (CVE-2021-23840).

- - - - -
13cb3fea by Chris Lamb at 2021-02-17T10:23:29+00:00
Triage CVE-2021-27211 in steghide for stretch LTS.

- - - - -
53f5c9e0 by Chris Lamb at 2021-02-17T10:23:30+00:00
Triage CVE-2021-26933 in xen for stretch LTS.

- - - - -
88c2e002 by Chris Lamb at 2021-02-17T10:23:32+00:00
Triage CVE-2021-21702 for php7.0 in stretch LTS.

- - - - -
0269b4c6 by Chris Lamb at 2021-02-17T10:23:32+00:00
data/dla-needed.txt: Triage guacamole-server for stretch LTS (CVE-2020-11997).

- - - - -
63a868aa by Chris Lamb at 2021-02-17T10:23:32+00:00
data/dla-needed.txt: Triage golang-1.7 and golang-1.8 for stretch LTS (CVE-2021-3114 CVE-2021-3115).

- - - - -
e504c4f1 by Chris Lamb at 2021-02-17T10:23:32+00:00
data/dla-needed.txt: Triage python3.5 for stretch LTS (CVE-2021-23336).

- - - - -
0862eda1 by Chris Lamb at 2021-02-17T10:23:32+00:00
data/dla-needed.txt: Claim mumble.

- - - - -
8a888e0a by Chris Lamb at 2021-02-17T10:23:32+00:00
data/dla-needed.txt: Claim openssl and openssl1.0.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -302,6 +302,7 @@ CVE-2021-27212 (In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an asse
 CVE-2021-27211 (steghide 0.5.1 relies on a certain 32-bit seed value, which makes it e ...)
 	- steghide <unfixed>
 	[buster] - steghide <no-dsa> (Minor issue)
+	[stretch] - steghide <postponed> (Minor issue; can be fixed in next DLA)
 	NOTE: https://github.com/b4shfire/stegcrack
 CVE-2021-27210 (TP-Link Archer C5v 1.7_181221 devices allows remote attackers to retri ...)
 	NOT-FOR-US: TP-Link
@@ -908,6 +909,7 @@ CVE-2021-26934 (An issue was discovered in the Linux kernel 4.18 through 5.10.16
 	NOTE: update SUPPORT.md to explicitly document the fact.
 CVE-2021-26933 (An issue was discovered in Xen 4.9 through 4.14.x. On Arm, a guest is  ...)
 	- xen <unfixed>
+	[stretch] - xen <end-of-life> (not supported; see https://gitlab.com/freexian-lts/debian-lts/-/commit/1b701a243a893d6cce6e59778b525407d560ab91)
 	NOTE: https://xenbits.xen.org/xsa/advisory-364.html
 CVE-2021-26932 (An issue was discovered in the Linux kernel 3.2 through 5.10.16, as us ...)
 	- linux <unfixed>
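Review bot: the new [stretch] line for xen gives its justification only as a commit URL after "not supported;". A reader of data/CVE/list should be able to see the reason without following the link; suggest stating it inline (for example "not supported in stretch LTS; see <url>") so the annotation stays meaningful if the linked repository moves.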
@@ -12595,6 +12597,7 @@ CVE-2021-21702 (In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15 and 8.0.x
 	- php7.4 7.4.15-1
 	- php7.3 <removed>
 	- php7.0 <removed>
+	[stretch] - php7.0 <postponed> (Relatively minor issue, can be fixed with next update)
 	NOTE: Fixed in PHP 8.0.2, 7.4.15, 7.3.27
 	NOTE: PHP Bug: https://bugs.php.net/80672
 CVE-2021-21701
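Review bot: the postponed annotation for php7.0 in stretch has no pointer to the fix that will need backporting. The surrounding NOTE lines only record the fixed upstream versions ("Fixed in PHP 8.0.2, 7.4.15, 7.3.27") and the PHP bug, neither of which covers the 7.0 branch; consider adding a NOTE with the upstream commit so whoever picks this up for the next update does not have to rediscover it.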


=====================================
data/dla-needed.txt
=====================================
@@ -46,8 +46,15 @@ dnsmasq (Utkarsh)
 firmware-nonfree
   NOTE: 20201207: wait for the update in buster and backport that (Emilio)
 --
+golang-1.7
+--
+golang-1.8
+--
 golang-github-appc-cni (Thorsten Alteholz)
 --
+guacamole-server
+  NOTE: 20210217: Note may affect guacamole-client too (see note on security tracker). (lamby)
+--
 libebml (Thorsten Alteholz)
 --
 libzstd (Utkarsh)
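Review bot: the golang-1.7 and golang-1.8 entries are added without a NOTE line, whereas guacamole-server right below carries a dated triage note. The CVE IDs for the Go packages (CVE-2021-3114 and CVE-2021-3115 per the commit message) exist only in the commit log; suggest a "NOTE: 20210217: ..." line on each entry naming the CVEs, following the format the file already uses, so the next person reading dla-needed.txt does not need to consult git history.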
@@ -56,7 +63,7 @@ linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
 --
-mumble
+mumble (Chris Lamb)
 --
 opendmarc
   NOTE: 20200719: no patches for remaining CVEs available, everything else is already done in Stretch (thorsten)
@@ -67,6 +74,10 @@ openldap (Uktarsh)
   NOTE: 20210215: update ready at https://salsa.debian.org/openldap-team/openldap/-/commits/stretch.
   NOTE: 20210215: waiting to see if anything else comes up. (utkarsh)
 --
+openssl (Chris Lamb)
+--
+openssl1.0 (Chris Lamb)
+--
 openvswitch (Thorsten Alteholz)
 --
 php-horde-text-filter (Sylvain Beucler)
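Review bot: openssl and openssl1.0 are claimed here for one CVE (CVE-2021-23840 per the commit message) but neither entry records which CVE is in scope or that the two packages need to be updated together. A short NOTE on each pointing at the other entry and the CVE would keep them from being handled independently and the second one from being overlooked.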
@@ -79,6 +90,9 @@ php-pear
 --
 python-pysaml2 (Abhijith PA)
 --
+python3.5
+  NOTE: 20210217: Fairly invasive change, changing/augmenting API of standard library. (lamby)
+--
 ruby-actionpack-page-caching
   NOTE: 20200819: Upstream's patch on does not apply due to subsequent
   NOTE: 20200819: refactoring. However, a quick look at the private



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9e8e784d4d8cff3c426da6dd01a2d541630bef11...8a888e0a88cdfe4a5cd4c4d5064ac99604671414
