[Git][security-tracker-team/security-tracker][master] Reserve DLA-2701-1 for openexr
Sylvain Beucler (@beuc)
beuc at debian.org
Sat Jul 3 19:04:15 BST 2021
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f7ee7c32 by Sylvain Beucler at 2021-07-03T20:03:25+02:00
Reserve DLA-2701-1 for openexr
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -15252,7 +15252,6 @@ CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in version
- openexr <unfixed> (bug #986796)
[bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
- [stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830
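Review bot: with the `[stretch] - openexr <no-dsa> (Minor issue)` line dropped here (and in the following data/CVE/list hunks), stretch becomes the only release with a fix, while the `[buster]` and `[bullseye]` lines stay `<no-dsa>` and the unstable line stays `<unfixed>`. A system upgraded from stretch to buster would then move from a fixed package to an unfixed one. Consider adding a NOTE to these entries, or filing a follow-up for a buster point-release update, so the gap is tracked.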
@@ -15260,7 +15259,6 @@ CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in
- openexr <unfixed> (bug #986796)
[bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
- [stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939160
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a
@@ -15269,7 +15267,6 @@ CVE-2021-3477 (There's a flaw in OpenEXR's deep tile sample size calculations in
- openexr <unfixed> (bug #986796)
[bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
- [stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26956
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939159
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1
@@ -15852,21 +15849,18 @@ CVE-2021-3476 (A flaw was found in OpenEXR's B44 uncompression functionality in
- openexr <unfixed> (bug #986796)
[bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
- [stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24787
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9
CVE-2021-3475 (There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker ...)
- openexr <unfixed> (bug #986796)
[bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
- [stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25297
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753
CVE-2021-3474 (There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted inp ...)
- openexr <unfixed> (bug #986796)
[bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
- [stretch] - openexr <postponed> (Minor issue; can be fixed in next update)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24831
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f
NOTE: Introduced by https://github.com/AcademySoftwareFoundation/openexr/commit/7f0c9e256f34cac5a31e9d9cce00ccc898f49f3b (v2.2.0)
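Review bot: in the CVE-2021-3474 entry the removed stretch line is `<postponed> (Minor issue; can be fixed in next update)`, not `<no-dsa>` as in the CVE-2021-3476 and CVE-2021-3475 entries of the same hunk. The "Introduced by ... (v2.2.0)" note indicates the 2.2.0-based stretch package is affected, so it is worth confirming that the fix for this CVE is actually part of the upload named in data/DLA/list rather than the tag being removed along with the others by pattern.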
@@ -38714,7 +38708,6 @@ CVE-2021-20296 (A flaw was found in OpenEXR in versions before 3.0.0-beta. A cra
- openexr <unfixed> (bug #986796)
[bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
- [stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24854
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/b0c63c0b96eb9b0d3998f603e12f9f414fb0d44a
CVE-2021-20295 [Regression of CVE-2020-10756 fix in virt:rhel/qemu-kvm in Red Hat Enterprise Linux 8.3]
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[03 Jul 2021] DLA-2701-1 openexr - security update
+ {CVE-2020-16587 CVE-2021-3474 CVE-2021-3475 CVE-2021-3476 CVE-2021-3477 CVE-2021-3478 CVE-2021-3479 CVE-2021-3598 CVE-2021-20296 CVE-2021-23215 CVE-2021-26260}
+ [stretch] - openexr 2.2.0-11+deb9u3
[01 Jul 2021] DLA-2700-1 htmldoc - security update
{CVE-2019-19630 CVE-2021-20308 CVE-2021-23158 CVE-2021-23165 CVE-2021-23180 CVE-2021-23191 CVE-2021-23206 CVE-2021-26252 CVE-2021-26259 CVE-2021-26948}
[stretch] - htmldoc 1.8.27-8+deb9u1
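Review bot: the CVE set on the added DLA-2701-1 line names eleven CVEs, but the data/CVE/list hunks in this commit remove stretch annotations for only seven of them (CVE-2021-3474 through CVE-2021-3479 and CVE-2021-20296). Please check that the entries for CVE-2020-16587, CVE-2021-3598, CVE-2021-23215 and CVE-2021-26260 carry no leftover `[stretch]` `<no-dsa>` or `<postponed>` line that would contradict the fixed version `2.2.0-11+deb9u3` recorded here.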
=====================================
data/dla-needed.txt
=====================================
@@ -82,9 +82,6 @@ nvidia-graphics-drivers
NOTE: package is in non-free but also in packages-to-support
NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
--
-openexr (Sylvain Beucler)
- NOTE: 20210626: triaging backlog, porting patches (Beuc)
---
python-babel
NOTE: 20210617: CVE ID rejected. (abhijith)
NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith)
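Review bot: the openexr entry is removed together with its trailing `--` separator, which keeps nvidia-graphics-drivers and python-babel correctly delimited, but the last NOTE on the removed entry still read "triaging backlog, porting patches". Since data/DLA/list now names `2.2.0-11+deb9u3`, confirm that the upload is complete before the claim is dropped, so the package does not leave the to-do list with work outstanding.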
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7ee7c32f7921b923001e87c560f64da6cc6fe84