[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Thu Jul 1 15:27:33 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7efeedc7 by Moritz Muehlenhoff at 2021-07-01T16:20:49+02:00
bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -401,14 +401,20 @@ CVE-2021-35940
 CVE-2021-35939 [checks for unsafe symlinks are not performed for intermediary directories]
 	RESERVED
 	- rpm <unfixed>
+	[bullseye] - rpm <no-dsa> (Minor issue)
+	[buster] - rpm <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964129
 CVE-2021-35938 [races with chown/chmod/capabilities calls during installation]
 	RESERVED
 	- rpm <unfixed>
+	[bullseye] - rpm <no-dsa> (Minor issue)
+	[buster] - rpm <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964114
 CVE-2021-35937 [TOCTOU race in checks for unsafe symlinks]
 	RESERVED
 	- rpm <unfixed>
+	[bullseye] - rpm <no-dsa> (Minor issue)
+	[buster] - rpm <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964125
 CVE-2021-35936
 	RESERVED
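Review bot: the three new [bullseye]/[buster] <no-dsa> (Minor issue) lines for CVE-2021-35939, CVE-2021-35938 and CVE-2021-35937 give no rationale beyond "Minor issue", although the bracketed titles describe skipped symlink checks for intermediary directories, chown/chmod/capabilities races during installation and a TOCTOU race in the unsafe-symlink checks, and all three remain <unfixed> in unstable with only the Red Hat bugzilla as reference. Record why they are minor (for instance the access an attacker must already have to the target filesystem during an rpm install) in the reason string or a NOTE, so the no-dsa decision can be re-checked once an upstream fix is linked. Unlike the mapserver and edk2 entries later in this commit, there is also no [stretch] line here, if stretch is meant to be triaged in the same pass.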
@@ -8985,6 +8991,7 @@ CVE-2021-32063
 CVE-2021-32062 (MapServer before 7.0.8, 7.1.x and 7.2.x before 7.2.3, 7.3.x and 7.4.x  ...)
 	[experimental] - mapserver 7.6.3-1~exp1
 	- mapserver 7.6.2-2 (bug #988208)
+	[bullseye] - mapserver <ignored> (Minor issue; #988224)
 	[buster] - mapserver <no-dsa> (Minor issue; will be fixed via point release)
 	[stretch] - mapserver <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/mapserver/mapserver/issues/6313
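Review bot: the new "[bullseye] - mapserver <ignored> (Minor issue; #988224)" line does not fit the rest of this entry: unstable already carries the fix in 7.6.2-2, buster is <no-dsa> with "will be fixed via point release" and stretch is <postponed>, yet the suite about to become stable gets the strongest status, <ignored>, with only a bug number as justification. If #988224 records why the fix will not enter bullseye before release, say so in the reason string (e.g. "unblock not granted, fix via first point release"); otherwise <no-dsa> with the same point-release plan as buster would match the surrounding triage.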
@@ -9601,6 +9608,7 @@ CVE-2020-36327 (Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes
 	- bundler <removed>
 	[stretch] - bundler <no-dsa> (Invasive change, hard to backport; chances of regression)
 	- rubygems <unfixed>
+	[bullseye] - rubygems <no-dsa> (Minor issue)
 	NOTE: https://github.com/rubygems/rubygems/issues/3982
 CVE-2021-3521
 	RESERVED
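Review bot: for CVE-2020-36327 the hunk header describes Bundler choosing "a dependency source based on the highest gem version number", bundler itself is <removed> and rubygems stays <unfixed>, and the new "[bullseye] - rubygems <no-dsa> (Minor issue)" line carries no reasoning, whereas the stretch line for bundler explains its no-dsa ("Invasive change, hard to backport; chances of regression"). State whether the bullseye decision is likewise about backport risk in the bundler copy shipped inside rubygems, or about limited exploitability in practice, so the two no-dsa reasons in the same entry are comparable.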
@@ -18523,6 +18531,7 @@ CVE-2021-28214
 	RESERVED
 CVE-2021-28213 (Example EDK2 encrypted private key in the IpSecDxe.efi present potenti ...)
 	- edk2 <unfixed> (bug #989988)
+	[bullseye] - edk2 <no-dsa> (Minor issue)
 	[buster] - edk2 <no-dsa> (Minor issue)
 	[stretch] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1866
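Review bot: with the added [bullseye] line, bullseye, buster and stretch now all rely on the same bare "Minor issue" reason for an entry titled "Example EDK2 encrypted private key in the IpSecDxe.efi". A NOTE saying whether Debian's edk2 builds ship IpSecDxe.efi at all (and hence whether the embedded example key is reachable in the installed images) would justify the no-dsa across suites better than repeating the reason three times. The entry also links only the tianocore bug (#1866); once an upstream commit is known, add it as a NOTE so the fix can be picked for a point release.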
@@ -24798,6 +24807,7 @@ CVE-2021-25738
 CVE-2021-25737
 	RESERVED
 	- kubernetes <unfixed>
+	[bullseye] - kubernetes <not-affected> (Kubernetes in Bullseye only ships the client)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/05/18/4
 	NOTE: Server components no longer built since 1.20.5+really1.20.2-1
 CVE-2021-25736
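Review bot: the new "[bullseye] - kubernetes <not-affected> (Kubernetes in Bullseye only ships the client)" line rests on the existing NOTE "Server components no longer built since 1.20.5+really1.20.2-1", but the unstable line for the same source package and the same server-side bug stays "- kubernetes <unfixed>". If the source package still contains the server code and the entry is tracked at source level, say so in a NOTE so the <unfixed>/<not-affected> split is not read as an inconsistency; if the not-affected status holds for every version from 1.20.5+really1.20.2-1 onward, marking unstable <not-affected> as well, or recording 1.20.5+really1.20.2-1 as the version since which the server is no longer built, expresses the state more precisely than an open <unfixed>.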
@@ -24806,6 +24816,7 @@ CVE-2021-25736
 CVE-2021-25735 [Validating Admission Webhook does not observe some previous fields]
 	RESERVED
 	- kubernetes <unfixed>
+	[bullseye] - kubernetes <not-affected> (Kubernetes in Bullseye only ships the client)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/04/14/1
 	NOTE: https://github.com/kubernetes/kubernetes/issues/100096
 	NOTE: Server components no longer built since 1.20.5+really1.20.2-1
@@ -31111,6 +31122,7 @@ CVE-2021-22896 (Nextcloud Mail before 1.9.5 suffers from improper access control
 	NOT-FOR-US: Nextcloud Mail
 CVE-2021-22895 (Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certif ...)
 	- nextcloud-desktop <unfixed> (bug #989846)
+	[bullseye] - nextcloud-desktop <no-dsa> (Minor issue)
 	[buster] - nextcloud-desktop <no-dsa> (Minor issue)
 	NOTE: https://github.com/nextcloud/desktop/pull/2926
 	NOTE: https://github.com/nextcloud/desktop/commit/b1ddd0e491b2af0ed040e658d8bcde2a7a61c9fc (stable-3.1)
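Review bot: the new "[bullseye] - nextcloud-desktop <no-dsa> (Minor issue)" line copies the buster reason without saying why an "improper certif..." (certificate validation) issue in a client that talks to the server over TLS is minor. The NOTEs already point at the upstream PR and a stable-3.1 backport commit, so either state that the fix is planned for the bullseye point release, as the buster mapserver entry does, or record the mitigating factor that makes the bug minor, so the next triage pass does not have to rediscover it.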
@@ -97109,6 +97121,7 @@ CVE-2020-8563 (In Kubernetes clusters using VSphere as a cloud provider, with a
 CVE-2020-8562
 	RESERVED
 	- kubernetes <unfixed>
+	[bullseye] - kubernetes <not-affected> (Kubernetes in Bullseye only ships the client)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/05/04/8
 	NOTE: Server components no longer built since 1.20.5+really1.20.2-1
 CVE-2020-8561
@@ -97133,6 +97146,7 @@ CVE-2020-8555 (The Kubernetes kube-controller-manager in versions v1.0-1.14, ver
 	NOTE: https://github.com/kubernetes/kubernetes/issues/91542
 CVE-2020-8554 (Kubernetes API server in all versions allow an attacker who is able to ...)
 	- kubernetes <unfixed>
+	[bullseye] - kubernetes <not-affected> (Kubernetes in Bullseye only ships the client)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/12/07/5
 	NOTE: https://github.com/kubernetes/kubernetes/issues/97076
 	NOTE: Server components no longer built since 1.20.5+really1.20.2-1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7efeedc74f2799809b430c8660204800999fd457
