[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff
jmm at debian.org
Fri Jan 22 18:37:01 GMT 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
aa7970c6 by Moritz Muehlenhoff at 2021-01-22T19:36:44+01:00
buster triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1411,8 +1411,11 @@ CVE-2021-3177 (Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in
- python3.9 3.9.1-3
- python3.8 <unfixed>
- python3.7 <removed>
+ [buster] - python3.7 <no-dsa> (Minor issue)
- python3.5 <removed>
- python2.7 <unfixed>
+ [bullseye] - python2.7 <ignored> (Python 2 not covered by security support)
+ [buster] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue42938
NOTE: https://github.com/python/cpython/pull/24239
NOTE: https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html
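Review bot: python3.8 stays at <unfixed> with no release annotation in this hunk, while python3.7 and python2.7 get [buster]/[bullseye] lines with a "Minor issue" rationale; if python3.8 is shipped in any release this triage covers, a matching annotation (or an explicit confirmation that it is only in unstable) would keep the entry complete, since an unannotated <unfixed> line renders as vulnerable for every release.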
@@ -10601,15 +10604,18 @@ CVE-2020-35682
CVE-2020-35681 [Potential leakage of session identifiers using legacy AsgiHandler]
RESERVED
- python-django-channels 3.0.3-1 (bug #979376)
+ [buster] - python-django-channels <no-dsa> (Minor issue)
NOTE: https://channels.readthedocs.io/en/latest/releases/3.0.3.html
NOTE: https://github.com/django/channels/commit/e85874d9630474986a6937430eac52db79a2a022 (3.0.3)
CVE-2020-35680 (smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain configurati ...)
- opensmtpd 6.8.0p2-1 (bug #978039)
+ [buster] - opensmtpd <no-dsa> (Minor issue)
[stretch] - opensmtpd <not-affected> (new filter grammar support added in ec69ed85b6c)
NOTE: https://github.com/openbsd/src/commit/6c3220444ed06b5796dedfd53a0f4becd903c0d1
NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html
CVE-2020-35679 (smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain regfree, whi ...)
- opensmtpd 6.8.0p2-1 (bug #978038)
+ [buster] - opensmtpd <no-dsa> (Minor issue)
[stretch] - opensmtpd <not-affected> (regex table supported added > 6.4.0 according to CHANGES.md)
NOTE: https://github.com/openbsd/src/commit/79a034b4aed29e965f45a13409268290c9910043
NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html
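Review bot: the unchanged [stretch] line for CVE-2020-35679 reads "regex table supported added > 6.4.0", which should presumably be "regex table support added"; since this entry is being touched anyway, fixing the wording avoids a later reader wondering whether "supported" refers to a different claim. The new [buster] <no-dsa> lines are correctly placed ahead of the existing [stretch] lines, matching the newest-release-first ordering used elsewhere in the file.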
@@ -20358,10 +20364,12 @@ CVE-2021-1054 (NVIDIA GPU Display Driver for Windows, all versions, contains a v
NOT-FOR-US: NVIDIA Windows drivers
CVE-2021-1053 (NVIDIA GPU Display Driver for Windows and Linux, all versions, contain ...)
- nvidia-graphics-drivers 460.32.03-1 (bug #979670)
+ [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-450 <unfixed> (bug #979675)
CVE-2021-1052 (NVIDIA GPU Display Driver for Windows and Linux, all versions, contain ...)
- nvidia-graphics-drivers 460.32.03-1 (bug #979670)
+ [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-450 <unfixed> (bug #979675)
CVE-2021-1051 (NVIDIA GPU Display Driver for Windows, all versions, contains a vulner ...)
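Review bot: nvidia-graphics-drivers-tesla-450 remains <unfixed> (bug #979675) with no release annotation in both CVE-2021-1053 and CVE-2021-1052, while nvidia-graphics-drivers receives the "(Non-free not supported)" rationale for buster and stretch; if the tesla-450 package is present in a stable release, the same annotation applies to it, and if it only exists in testing/unstable, a short NOTE saying so would make the asymmetry deliberate rather than an oversight.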
@@ -48082,15 +48090,18 @@ CVE-2020-16590 (A double free vulnerability exists in the Binary File Descriptor
CVE-2020-16589 (A head-based buffer overflow exists in Academy Software Foundation Ope ...)
{DLA-2491-1}
- openexr 2.5.3-2
+ [buster] - openexr <no-dsa> (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/6bb36714528a9563dd3b92720c5063a1284b86f8 (v2.4.0-beta.1)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/494
CVE-2020-16588 (A Null Pointer Deference issue exists in Academy Software Foundation O ...)
{DLA-2491-1}
- openexr 2.5.3-2
+ [buster] - openexr <no-dsa> (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/74504503cff86e986bac441213c403b0ba28d58f (v2.4.0-beta.1)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/493
CVE-2020-16587 (A heap-based buffer overflow vulnerability exists in Academy Software ...)
- openexr 2.5.3-2
+ [buster] - openexr <no-dsa> (Minor issue)
[stretch] - openexr <not-affected> (Vulnerable code not present, part number range checking added later)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/8b5370c688a7362673c3a5256d93695617a4cd9a (v2.4.0-beta.1)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/491
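Review bot: for CVE-2020-16589 and CVE-2020-16588 the NOTE lines place the upstream fix in v2.4.0-beta.1, and the new [buster] <no-dsa> (Minor issue) lines assert that buster is affected; CVE-2020-16587 in the same hunk, fixed in the same upstream version, instead carries a [stretch] <not-affected> entry with an explicit reason. Recording why buster is considered affected by the first two (i.e. that the shipped version predates the fix) would let the "Minor issue" rating be re-verified at point-release time without re-reading upstream.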
@@ -51651,6 +51662,7 @@ CVE-2020-15217 (In GLPI before version 9.5.2, there is a leakage of user informa
- glpi <removed>
CVE-2020-15216 (In goxmldsig (XML Digital Signatures implemented in pure Go) before ve ...)
- golang-github-russellhaering-goxmldsig 1.1.0-1 (bug #971615)
+ [buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue)
NOTE: https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
NOTE: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
CVE-2020-15215 (Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vuln ...)
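Review bot: golang-github-russellhaering-goxmldsig is a Go library, so a [buster] <no-dsa> here also leaves any statically linked reverse dependencies in buster carrying the unfixed signature-validation code; a NOTE stating whether such reverse dependencies exist in buster (and, if so, that they were considered) would justify the "Minor issue" rating, which otherwise only reflects the library package itself.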
@@ -55267,7 +55279,6 @@ CVE-2020-13944 (In Apache Airflow < 1.10.12, the "origin" parameter passed to
CVE-2020-13943 (If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7 ...)
{DLA-2407-1}
- tomcat9 9.0.38-1
- [buster] - tomcat9 <no-dsa> (Minor issue)
- tomcat8 <removed>
NOTE: https://github.com/apache/tomcat/commit/55911430df13f8c9998fbdee1f9716994d2db59b (9.0.38)
NOTE: https://github.com/apache/tomcat/commit/9d7def063b47407a09a2f9202beed99f4dcb292a (8.5.58)
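Review bot: removing the "[buster] - tomcat9 <no-dsa> (Minor issue)" line turns buster's status for CVE-2020-13943 from postponed back to vulnerable with a DSA pending, but nothing in this commit records the new intent: the dsa-needed.txt hunk below adds only python-pysaml2, and no {DSA-...} reference is added next to {DLA-2407-1}. Either add tomcat9 to dsa-needed.txt (or the DSA id once issued) or replace the removed line with an annotation carrying the updated rationale, so the entry does not sit in an unexplained intermediate state.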
@@ -71721,6 +71732,7 @@ CVE-2020-8112 (opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 th
- openjpeg2 <unfixed> (bug #950184)
[buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1231
+ NOTE: https://github.com/rouault/openjpeg/commit/05f9b91e60debda0e83977e5e63b2e66486f7074
CVE-2020-8111
RESERVED
CVE-2020-8110 (A vulnerability has been discovered in the ceva_emu.cvd module that re ...)
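Review bot: the added NOTE for CVE-2020-8112 points at a commit in the rouault fork rather than the uclouvain/openjpeg repository, and unlike most NOTE lines in this file (e.g. "(9.0.38)" in the tomcat hunk) it does not state the upstream release that contains the fix; while openjpeg2 stays <unfixed> (bug #950184), recording whether and in which tag this commit landed upstream is what a later triager needs to close the entry.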
@@ -72607,6 +72619,7 @@ CVE-2020-7794 (This affects all versions of package buns. The injection point is
TODO: check
CVE-2020-7793 (The package ua-parser-js before 0.7.23 are vulnerable to Regular Expre ...)
- node-ua-parser-js 0.7.23+ds-1
+ [buster] - node-ua-parser-js <no-dsa> (Minor issue)
NOTE: https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599
NOTE: https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18 (0.7.23)
CVE-2020-7792 (This affects all versions of package mout. The deepFillIn function can ...)
@@ -166727,6 +166740,7 @@ CVE-2018-12984 (Hycus CMS 1.0.4 allows Authentication Bypass via "'=' 'OR'" cred
NOT-FOR-US: Hycus CMS
CVE-2018-12983 (A stack-based buffer over-read in the PdfEncryptMD5Base::ComputeEncryp ...)
- libpodofo <unfixed> (low; bug #916580)
+ [bullseye] - libpodofo <no-dsa> (Minor issue)
[buster] - libpodofo <no-dsa> (Minor issue)
[stretch] - libpodofo <no-dsa> (Minor issue)
[jessie] - libpodofo <no-dsa> (Minor issue)
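Review bot: with the new [bullseye] line, libpodofo now carries <no-dsa> (Minor issue) for every release from jessie through bullseye while the main line stays <unfixed> (low; bug #916580); <no-dsa> normally signals that a fix is still expected via a point release, whereas the next hunk uses <ignored> for mingw-w64 in the same situation. If no fix is expected to reach bullseye, <ignored> describes the decision more accurately; if one is expected, the bug reference alone is enough and the choice of <no-dsa> is right.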
@@ -181983,6 +181997,7 @@ CVE-2018-1000098 (Teluu PJSIP version 2.7.1 and earlier contains a Integer Overf
NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, STUN and TURN)
CVE-2018-1000101 (Mingw-w64 version 5.0.3 and earlier contains an Improper Null Terminat ...)
- mingw-w64 <unfixed> (low; bug #897196)
+ [bullseye] - mingw-w64 <ignored> (Minor issue)
[buster] - mingw-w64 <ignored> (Minor issue)
[stretch] - mingw-w64 <ignored> (Minor issue)
[jessie] - mingw-w64 <ignored> (Minor issue)
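Review bot: the [bullseye] <ignored> line is consistent with the existing buster/stretch/jessie entries, but the main line for CVE-2018-1000101 still reads <unfixed> (low; bug #897196) with no NOTE on the upstream status; since the entry now says "will not fix" for four releases in a row, a one-line NOTE on why (upstream unfixed, fix not applicable, or fix pending in unstable) would make the repeated "Minor issue" rationale self-explanatory.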
=====================================
data/dsa-needed.txt
=====================================
@@ -35,6 +35,8 @@ netty
--
openvswitch (jmm)
--
+python-pysaml2
+--
salt (carnil)
--
slurm-llnl (jmm)
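Review bot: python-pysaml2 is added to dsa-needed.txt without an assignee, unlike the neighbouring "openvswitch (jmm)" and "salt (carnil)" entries; that is fine for an unclaimed item, but none of the data/CVE/list hunks in this commit touch a pysaml2 entry, so the CVE id(s) motivating the DSA are not visible from the change. A short note with those ids (here or in the corresponding CVE entry) would help whoever picks the DSA up. The alphabetical placement between openvswitch and salt is correct.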
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa7970c64a0024432d58f725d9d63f2792a79193