[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff jmm at debian.org
Sun Jan 10 22:44:37 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3f69e6dd by Moritz Muehlenhoff at 2021-01-10T23:41:26+01:00
bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -15561,6 +15561,7 @@ CVE-2021-1056 (NVIDIA GPU Display Driver for Linux, all versions, contains a vul
 	[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
 	[stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-340xx <unfixed> (bug #979671)
+	[bullseye] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported, no updates provided by Nvidia for 340)
 	[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
 	[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-390xx 390.141-1 (bug #979672)
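Review bot: the new [bullseye] line tags nvidia-graphics-drivers-legacy-340xx as <ignored> while the buster and stretch lines for the same package use <no-dsa>; that is the right state given the rationale "no updates provided by Nvidia for 340", since <no-dsa> would suggest a fix could still land in a point update, whereas an end-of-life driver branch will never get one. The unstable line directly above keeps "<unfixed> (bug #979671)", so sid will continue to show the package as vulnerable; consider whether the note should say the 340xx package is headed for removal, or whether removal from bullseye is the cleaner outcome than carrying a permanently ignored entry.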
@@ -100218,6 +100219,7 @@ CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Con
 	NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence Server
 CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication credentials  ...)
 	- gradle <unfixed> (low; bug #941187)
+	[bullseye] - gradle <no-dsa> (Minor issue)
 	[buster] - gradle <no-dsa> (Minor issue)
 	[stretch] - gradle <no-dsa> (Minor issue)
 	[jessie] - gradle <postponed> (Minor issue, old gradle mainly used for building Debian packages with system libraries)
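Review bot: the bullseye rationale "(Minor issue)" is thinner than the jessie line right below it, which gives the actual reason ("old gradle mainly used for building Debian packages with system libraries"); since CVE-2019-15052 is described as Gradle's HTTP client sending authentication credentials, and the unstable line still reads "<unfixed> (low; bug #941187)", bullseye will ship with this open. Carry the jessie justification into the new line, e.g. "[bullseye] - gradle <no-dsa> (Minor issue, gradle in Debian mainly used for building packages)", so the no-dsa decision for the upcoming stable is self-explaining.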
@@ -110080,6 +110082,7 @@ CVE-2019-12215 (** DISPUTED ** A full path disclosure vulnerability was discover
 	- matomo <itp> (bug #448532)
 CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of mishand ...)
 	- freeimage <unfixed> (bug #947478)
+	[bullseye] - freeimage <postponed> (Revisit when upstream fixes are available)
 	[buster] - freeimage <postponed> (Revisit when upstream fixes are available)
 	[stretch] - freeimage <postponed> (Revisit when upstream fixes are available)
 	[jessie] - freeimage <postponed> (Revisit when upstream fixes are available)
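Review bot: <postponed> with the rationale copied verbatim from buster/stretch/jessie is only meaningful while an upstream fix is actually expected, and this entry has no NOTE pointing at an upstream bug or commit, so the "Revisit when upstream fixes are available" condition cannot be checked by the next triager. Add a NOTE with the upstream tracking link for CVE-2019-12214 (or record that upstream has not addressed it), and since this is bullseye triage, decide whether the unstable line "- freeimage <unfixed> (bug #947478)" should be resolved before the freeze rather than postponed into another release.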
@@ -110096,6 +110099,7 @@ CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDir
 	NOTE: https://sourceforge.net/p/freeimage/svn/1825/
 CVE-2019-12212 (When FreeImage 3.18.0 reads a special JXR file, the StreamCalcIFDSize  ...)
 	- freeimage <unfixed> (bug #947477)
+	[bullseye] - freeimage <postponed> (Revisit when upstream fixes are available)
 	[buster] - freeimage <postponed> (Revisit when upstream fixes are available)
 	[stretch] - freeimage <postponed> (Revisit when upstream fixes are available)
 	[jessie] - freeimage <postponed> (Revisit when upstream fixes are available)
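Review bot: the adjacent CVE-2019-12213 entry at the top of this hunk carries "NOTE: https://sourceforge.net/p/freeimage/svn/1825/", i.e. an upstream revision, while CVE-2019-12212 gets the same <postponed> "Revisit when upstream fixes are available" text as the older suites with no upstream pointer at all. Either add a NOTE with the upstream status for the JXR StreamCalcIFDSize issue, or state in the bullseye rationale that upstream has no fix yet; otherwise the postponement for 12212 looks like a copy of 12214's rather than a separate assessment.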
@@ -175346,6 +175350,7 @@ CVE-2017-18227 (TitanHQ WebTitan Gateway has incorrect certificate validation fo
 	NOT-FOR-US: TitanHQ WebTitan Gateway
 CVE-2017-18226 (The Gentoo net-im/jabberd2 package through 2.6.1 sets the ownership of ...)
 	- jabberd2 <unfixed> (low; bug #902783)
+	[bullseye] - jabberd2 <ignored> (Minor issue, default init system not affected)
 	[buster] - jabberd2 <ignored> (Minor issue, default init system not affected)
 	[stretch] - jabberd2 <ignored> (Minor issue, default init system not affected)
 	NOTE: https://bugs.gentoo.org/631068
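Review bot: <ignored> for bullseye matches the buster and stretch lines, and "default init system not affected" is a sound reason not to fix in a stable release, but the unstable line still carries "<unfixed> (low; bug #902783)", so the bug stays open in sid with no plan recorded. A short NOTE naming which non-default init path the ownership problem concerns would let the next triager verify the "not affected" claim without re-reading the Gentoo bug, which is currently the only pointer in the entry.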
@@ -195169,15 +195174,12 @@ CVE-2017-17508 (In HDF5 1.10.1, there is a divide-by-zero vulnerability in the f
 	NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md
 	NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/0a7128c0d5bd035288be7b02ca9cf9bba321aadd
 CVE-2017-17507 (In HDF5 1.10.1, there is an out of bounds read vulnerability in the fu ...)
-	- hdf5 <unfixed> (low; bug #915807)
-	[buster] - hdf5 <no-dsa> (Minor issue, requires ABI change)
-	[stretch] - hdf5 <no-dsa> (Minor issue)
-	[jessie] - hdf5 <no-dsa> (Minor issue)
-	[wheezy] - hdf5 <no-dsa> (Minor issue)
+	- hdf5 <unfixed> (unimportant; bug #915807)
 	NOTE: POC: https://github.com/xiaoqx/pocs/blob/master/hdf5/3-hdf5-outbound-read-H5T_conv_struct_opt
 	NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md
 	NOTE: Fixing the bug requires an ABI changes thus upstream will only include a fix
 	NOTE: on a major version bump.
+	NOTE: Negligible security impact
 CVE-2017-17506 (In HDF5 1.10.1, there is an out of bounds read vulnerability in the fu ...)
 	- hdf5 1.10.4+repack-1 (bug #884365)
 	[stretch] - hdf5 <no-dsa> (Minor issue)
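Review bot: the only justification added for dropping the severity from "low" to "unimportant" is "NOTE: Negligible security impact", yet the entry still carries a PoC link for an out-of-bounds read in H5T_conv_struct_opt; say why the impact is negligible (crash-only read, or a path that only handles trusted input, whichever applies) so the downgrade can be audited later. Removing the buster/stretch/jessie/wheezy <no-dsa> lines is consistent with "unimportant" (such issues are not tracked per release), but the buster line's "requires ABI change" rationale now survives only in the two NOTE lines, which also read "Fixing the bug requires an ABI changes" and could be corrected to "an ABI change" while the entry is being touched.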



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f69e6dd29cb41a89b5e9383de86df39f657df20
