[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff
jmm at debian.org
Thu Jan 21 18:45:30 GMT 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f6fb8c2b by Moritz Muehlenhoff at 2021-01-21T19:45:21+01:00
buster triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -6205,6 +6205,7 @@ CVE-2021-3029 (** UNSUPPORTED WHEN ASSIGNED ** EVOLUCARE ECSIMAGING (aka ECS Ima
NOT-FOR-US: EVOLUCARE ECSIMAGING (aka ECS Imaging)
CVE-2021-3028 (git-big-picture before 1.0.0 mishandles ' characters in a branch name, ...)
- git-big-picture 1.0.0-1
+ [buster] - git-big-picture <no-dsa> (Minor issue)
NOTE: https://github.com/git-big-picture/git-big-picture/pull/62
CVE-2021-22696
RESERVED
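Review bot: The reason on the added `[buster] - git-big-picture <no-dsa> (Minor issue)` line is generic and does not say why the quote handling in branch names is low impact for buster. A short specific reason would let a later reader re-check the triage without opening the upstream pull request in the NOTE.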
@@ -9096,11 +9097,13 @@ CVE-2021-21494 (MK-AUTH through 19.01 K4.9 allows XSS via the admin/logs_ajax.ph
NOT-FOR-US: MK-AUTH
CVE-2020-35965 (decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds ...)
- ffmpeg 7:4.3.1-6 (bug #979999)
+ [buster] - ffmpeg <postponed> (Wait for 4.1.7)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26532
NOTE: https://github.com/FFmpeg/FFmpeg/commit/3e5959b3457f7f1856d997261e6ac672bba49e8b
NOTE: https://github.com/FFmpeg/FFmpeg/commit/b0a8b40294ea212c1938348ff112ef1b9bf16bb3
CVE-2020-35964 (track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bo ...)
- ffmpeg 7:4.3.1-6 (bug #980000)
+ [buster] - ffmpeg <postponed> (Wait for 4.1.7)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/27a99e2c7d450fef15594671eef4465c8a166bd7
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26622
CVE-2020-35963 (flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out- ...)
@@ -26204,7 +26207,6 @@ CVE-2020-26665
RESERVED
CVE-2020-26664 (A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media play ...)
- vlc 3.0.12-1 (low; bug #979676)
- [buster] - vlc <postponed> (Minor issue, wait for 3.0.12 release)
[stretch] - vlc <postponed> (Minor issue, wait for next LTS release)
NOTE: https://code.videolan.org/videolan/vlc-3.0/-/commit/ec1f55ee9ace5cc675395a1bc9700d99679e7e8c (3.0.12)
NOTE: https://gist.githubusercontent.com/henices/db11664dd45b9f322f8514d182aef5ea/raw/d56940c8bf211992bf4f3309a85bb2b69383e511/CVE-2020-26664.txt
@@ -29603,6 +29605,7 @@ CVE-2020-25266 (AppImage appimaged before 1.0.3 does not properly check whether
NOT-FOR-US: AppImage appimaged
CVE-2020-25265 (AppImage libappimage before 1.0.3 allows attackers to trigger an overw ...)
- libappimage <unfixed> (bug #977192)
+ [buster] - libappimage <no-dsa> (Minor issue)
NOTE: https://github.com/AppImage/libappimage/pull/146
NOTE: https://github.com/refi64/CVE-2020-25265-25266
CVE-2020-25264
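Review bot: The added `[buster] - libappimage <no-dsa> (Minor issue)` line sits under an unstable line that is still `<unfixed>`, while the description says the issue affects versions before 1.0.3. A NOTE stating that upstream fixed this in 1.0.3 (with the pull request already listed) would help whoever later resolves the `<unfixed>` entry and would justify the no-dsa decision better than the generic reason.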
=====================================
data/dsa-needed.txt
=====================================
@@ -36,6 +36,8 @@ salt (carnil)
--
slurm-llnl (jmm)
--
+vlc (jmm)
+--
xcftools
Hugo proposed to work on this update
--
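Review bot: The added `vlc (jmm)` entry carries no note line, unlike the `xcftools` entry below it. An indented line saying what the update is planned to contain, for example the move to 3.0.12 referenced in the CVE-2020-26664 entry, would tell other team members the scope of the pending DSA.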
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6fb8c2bc555f3aeb02d2a93cf380081f1d2e37b