[Git][security-tracker-team/security-tracker][master] 4 commits: Triage CVE-2020-8265 & CVE-2020-8287 in nodejs for stretch LTS.
Chris Lamb
lamby at debian.org
Tue Jan 5 11:52:03 GMT 2021
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker
Commits:
90197274 by Chris Lamb at 2021-01-05T11:46:19+00:00
Triage CVE-2020-8265 & CVE-2020-8287 in nodejs for stretch LTS.
- - - - -
e649746a by Chris Lamb at 2021-01-05T11:49:43+00:00
Triage CVE-2019-25013 in glibc for stretch LTS.
- - - - -
8721392d by Chris Lamb at 2021-01-05T11:51:33+00:00
data/dla-needed.txt: Triage dovecot for stretch LTS (CVE-2020-24386).
- - - - -
3bee5826 by Chris Lamb at 2021-01-05T11:51:41+00:00
data/dla-needed.txt: Claim dovecot.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1833,6 +1833,7 @@ CVE-2020-35931 (An issue was discovered in Foxit Reader before 10.1.1 (and befor
CVE-2019-25013 (The iconv feature in the GNU C Library (aka glibc or libc6) through 2. ...)
- glibc 2.31-9 (bug #979273)
[buster] - glibc <no-dsa> (Minor issue)
+ [stretch] - glibc <postponed> (Minor issue; can be fixed in next update)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24973
NOTE: Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=ee7a3144c9922808181009b7b3e50e852fb4999b
CVE-2019-25012 (The Webform Report project 7.x-1.x-dev for Drupal allows remote attack ...)
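Review bot: The added `[stretch] - glibc <postponed>` line says the issue "can be fixed in next update" but records nothing about whether the upstream fix linked in the `NOTE: Fixed by:` line applies to the glibc version in stretch. If that was checked during triage, a short NOTE saying so would save whoever prepares the next glibc update from repeating the analysis. If it was not checked, the parenthetical is better limited to "Minor issue", matching the buster line above it.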
@@ -62897,6 +62898,7 @@ CVE-2020-8288
CVE-2020-8287 [nodejs: HTTP Request Smuggling]
RESERVED
- nodejs <unfixed>
+ [stretch] - nodejs <ignored> (Nodejs in stretch not covered by security support)
NOTE: https://nodejs.org/en/blog/release/v10.23.1/
NOTE: https://github.com/nodejs/node/commit/fc70ce08f5818a286fb5899a1bc3aff5965a745e (v10.23.1)
CVE-2020-8286 (curl 7.41.0 through 7.73.0 is vulnerable to an improper check for cert ...)
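Review bot: The reason on the added `[stretch] - nodejs <ignored>` line is a support-status reason ("not covered by security support"), not a judgement about this HTTP request smuggling issue. The tracker's `<end-of-life>` state expresses that directly, while `<ignored>` reads as a per-CVE decision. Consider `[stretch] - nodejs <end-of-life> (...)` if that state is in use for stretch, and the package-name spelling `nodejs` in the parenthetical for consistency with the rest of the line.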
@@ -62959,6 +62961,7 @@ CVE-2020-8266
CVE-2020-8265 [nodejs: use-after-free in TLSWrap]
RESERVED
- nodejs <unfixed>
+ [stretch] - nodejs <ignored> (Nodejs in stretch not covered by security support)
NOTE: https://nodejs.org/en/blog/release/v10.23.1/
NOTE: https://github.com/nodejs/node/commit/7f178663ebffc82c9f8a5a1b6bf2da0c263a30ed (v10.23.1)
CVE-2020-8264 [Possible XSS Vulnerability in Action Pack in Development Mode]
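Review bot: The added `[stretch]` line for the TLSWrap use-after-free gives only the support status, so a reader cannot tell from this entry whether the nodejs version in stretch contains the affected code. The NOTE lines reference only the v10.23.1 release and commit. A one-line NOTE stating whether the stretch version is affected, or that this was not investigated, would make the entry useful to anyone still running the package.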
=====================================
data/dla-needed.txt
=====================================
@@ -43,6 +43,8 @@ condor
NOTE: 20200712: Requested input on path forward from debian-lts at l.d.o (roberto)
NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
--
+dovecot (Chris Lamb)
+--
f2fs-tools
NOTE: 20200815: About CVE-2020-6070. The fix got introduced between 1.12.0 and 1.13.0, but it is not trivial to
NOTE: 20200815: to detect which of the patches correlates to the CVE. Contacting upstream might be necessary. (sunweaver)
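Review bot: The added `dovecot (Chris Lamb)` entry carries no NOTE, and CVE-2020-24386 appears only in the commit message, not in the file. The neighbouring entries use dated notes of the form `NOTE: YYYYMMDD: ... (name)`. Adding one that names the CVE would let other readers of data/dla-needed.txt see why dovecot is listed without consulting the commit log. No corresponding dovecot change is visible in the data/CVE/list hunks of this push, so it is also worth confirming that the CVE entry there needs no stretch annotation.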
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cbce0649ef97dde19e17f61bb0d3ad104db1725f...3bee5826da806c56db434e2470283dbae7fc02b5