[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff jmm at debian.org
Sat Jan 9 23:09:10 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ee0a1682 by Moritz Mühlenhoff at 2021-01-10T00:07:00+01:00
bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -9117,24 +9117,28 @@ CVE-2020-35507 (There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in b
 CVE-2020-35506 [use after free vulnerability in esp_do_dma() in hw/scsi/esp.c]
 	RESERVED
 	- qemu <unfixed>
+	[bullseye] - qemu <postponed> (Minor issue)
 	[buster] - qemu <postponed> (Fix along in future DSA)
 	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909996
 CVE-2020-35505 [NULL pointer dereference in do_busid_cmd() in hw/scsi/esp.c]
 	RESERVED
 	- qemu <unfixed>
+	[bullseye] - qemu <postponed> (Minor issue)
 	[buster] - qemu <postponed> (Fix along in future DSA)
 	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
 CVE-2020-35504 [NULL pointer dereference in scsi_req_continue() in hw/scsi/scsi-bus.c]
 	RESERVED
-	- qemu <unfixed>
+	- qemu <unfixed> (bug #979679)
+	[bullseye] - qemu <postponed> (Minor issue)
 	[buster] - qemu <postponed> (Fix along in future DSA)
 	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
 CVE-2020-35503 [QEMU: NULL pointer dereference issue in megasas-gen2 host bus adapter]
 	RESERVED
-	- qemu <unfixed>
+	- qemu <unfixed> (bug #979678)
+	[bullseye] - qemu <postponed> (Minor issue)
 	[buster] - qemu <postponed> (Fix along in future DSA)
 	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910346
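Review bot: the new `[bullseye] - qemu <postponed> (Minor issue)` lines for CVE-2020-35506 and CVE-2020-35505 sit under unstable entries that remain a bare `- qemu <unfixed>`, while CVE-2020-35504 and CVE-2020-35503 in the same hunk gain `(bug #979679)` and `(bug #979678)`; if BTS bugs were filed for the first two esp.c issues as well, add them in the same `(bug #NNNNNN)` form so every postponed qemu entry points at its tracking bug.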
@@ -22119,7 +22123,8 @@ CVE-2020-26666
 CVE-2020-26665
 	RESERVED
 CVE-2020-26664 (A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media play ...)
-	- vlc <unfixed>
+	- vlc <unfixed> (low; bug #979676)
+	[buster] - vlc <postponed> (Minor issue, wait for 3.0.12 release)
 	NOTE: https://code.videolan.org/videolan/vlc-3.0/-/commit/ec1f55ee9ace5cc675395a1bc9700d99679e7e8c (3.0.12)
 	NOTE: https://gist.githubusercontent.com/henices/db11664dd45b9f322f8514d182aef5ea/raw/d56940c8bf211992bf4f3309a85bb2b69383e511/CVE-2020-26664.txt
 CVE-2020-26663
@@ -49050,7 +49055,9 @@ CVE-2020-14395
 	RESERVED
 CVE-2020-14394 [infinite loop in xhci_ring_chain_length() in hw/usb/hcd-xhci.c]
 	RESERVED
-	- qemu <unfixed>
+	- qemu <unfixed> (bug #979677)
+	[bullseye] - qemu <postponed> (Minor issue)
+	[buster] - qemu <postponed> (Minor issue)
 	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1908004
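Review bot: the buster line added for CVE-2020-14394 reads `[buster] - qemu <postponed> (Minor issue)`, whereas the buster lines for the other qemu entries touched in this commit use `(Fix along in future DSA)`; if this xhci issue is also meant to ride along with a future qemu DSA, use the same wording so the postponed rationale stays consistent across the qemu entries, and if it is deliberately left out of that DSA the differing note is worth keeping but stating explicitly.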
 CVE-2020-14393 (A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local  ...)
@@ -63537,12 +63544,13 @@ CVE-2020-9447 (There is an XSS (cross-site scripting) vulnerability in GwtUpload
 CVE-2020-9446
 	RESERVED
 CVE-2018-21035 (In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB f ...)
-	- qtwebsockets-opensource-src <unfixed> (low; bug #953049)
-	[buster] - qtwebsockets-opensource-src <ignored> (Minor issue)
+	- qtwebsockets-opensource-src 5.15.1-2 (low; bug #953049)
+	[buster] - qtwebsockets-opensource-src <ignored> (Minor issue, fix adds new API only)
 	[stretch] - qtwebsockets-opensource-src <ignored> (Minor issue)
 	[jessie] - qtwebsockets-opensource-src <no-dsa> (Minor issue)
 	NOTE: https://bugreports.qt.io/browse/QTBUG-70693
 	NOTE: https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735
+	NOTE: https://github.com/qt/qtwebsockets/commit/ed93680f34e92ad0383aa4e610bb65689118ca93
 CVE-2020-9445 (Zulip Server before 2.1.3 allows XSS via the modal_link feature in the ...)
 	- zulip-server <itp> (bug #800052)
 CVE-2020-9444 (Zulip Server before 2.1.3 allows reverse tabnabbing via the Markdown f ...)
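Review bot: the buster line now records why the issue is ignored, `(Minor issue, fix adds new API only)`, but the stretch line directly below still carries only `(Minor issue)`; the same limitation presumably applies to the older suite, so consider copying the rationale to `[stretch] - qtwebsockets-opensource-src <ignored> (...)` as well. The added NOTE pointing at the upstream commit alongside the existing codereview link makes the `5.15.1-2` fixed version in unstable straightforward to verify.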



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee0a1682750b81519fa67845ee8101e807fd4a48


