[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Jul 5 17:32:06 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
05391524 by Moritz Muehlenhoff at 2021-07-05T18:31:54+02:00
buster triage
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -157,21 +157,25 @@ CVE-2021-36088 (Fluent Bit (aka fluent-bit) 1.7.0 through 1.7,4 has a double fre
NOT-FOR-US: Fluent Bit
CVE-2021-36087 (The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in e ...)
- libsepol <unfixed> (bug #990526)
+ [buster] - libsepol <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32675
NOTE: https://github.com/SELinuxProject/selinux/commit/bad0a746e9f4cf260dedba5828d9645d50176aac
NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-585.yaml
CVE-2021-36086 (The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_clas ...)
- libsepol <unfixed> (bug #990526)
+ [buster] - libsepol <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32177
NOTE: https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8
NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-536.yaml
CVE-2021-36085 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...)
- libsepol <unfixed> (bug #990526)
+ [buster] - libsepol <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31124
NOTE: https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba
NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-421.yaml
CVE-2021-36084 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...)
- libsepol <unfixed> (bug #990526)
+ [buster] - libsepol <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31065
NOTE: https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3
NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-417.yaml
@@ -211,6 +215,7 @@ CVE-2020-36404 (Keystone Engine 0.9.2 has an invalid free in llvm_ks::SmallVecto
NOT-FOR-US: keystone engine
CVE-2020-36403 (HTSlib 1.10 through 1.10.2 allows out-of-bounds write access in vcf_pa ...)
- htslib 1.11-1
+ [buster] - htslib <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24097
NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/htslib/OSV-2020-955.yaml
NOTE: https://github.com/samtools/htslib/commit/dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c
@@ -243,6 +248,7 @@ CVE-2019-25048 (LibreSSL 2.9.1 through 3.2.1 has a heap-based buffer over-read i
- libressl <itp> (bug #754513)
CVE-2018-25018 (UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write durin ...)
- unrar-nonfree <unfixed> (bug #990541)
+ [buster] - unrar-nonfree <no-dsa> (Non-free not supported)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9845
NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/unrar/OSV-2018-204.yaml
CVE-2018-25017 (RawSpeed (aka librawspeed) 3.1 has a heap-based buffer overflow in Tab ...)
@@ -1413,6 +1419,8 @@ CVE-2021-35526
CVE-2021-3624 [buffer-overflow caused by integer-overflow in foveon_load_camf()]
RESERVED
- dcraw <unfixed> (bug #984761)
+ [bullseye] - dcraw <no-dsa> (Minor issue)
+ [buster] - dcraw <no-dsa> (Minor issue)
CVE-2021-3623 [out-of-bounds access when trying to resume the state of the vTPM]
RESERVED
- libtpms <unfixed> (bug #990522)
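Review bot: The commit subject is "buster triage", but the CVE-2021-3624 entry also gains a "[bullseye] - dcraw <no-dsa> (Minor issue)" line. Mention bullseye in the commit message or move that line to its own commit, so the bullseye decision can be found in the history. The entry title describes a buffer overflow caused by an integer overflow in foveon_load_camf(); a reason more specific than "Minor issue" would help anyone revisiting the decision.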
@@ -2905,11 +2913,13 @@ CVE-2021-34827
CVE-2021-3608 [pvrdma: uninitialized memory unmap in pvrdma_ring_init()]
RESERVED
- qemu <unfixed> (bug #990563)
+ [buster] - qemu <no-dsa> (Minor issue)
[stretch] - qemu <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973383
CVE-2021-3607 [pvrdma: unchecked malloc size due to integer overflow in init_dev_ring()]
RESERVED
- qemu <unfixed> (bug #990564)
+ [buster] - qemu <no-dsa> (Minor issue)
[stretch] - qemu <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973349
CVE-2021-3606 (OpenVPN before version 2.5.3 on Windows allows local users to load arb ...)
@@ -2918,6 +2928,7 @@ CVE-2021-34826
RESERVED
CVE-2021-34825 (Quassel through 0.13.1, when --require-ssl is enabled, launches withou ...)
- quassel <unfixed> (bug #990567)
+ [buster] - quassel <no-dsa> (Minor issue)
NOTE: https://github.com/quassel/quassel/pull/581
NOTE: https://bugs.quassel-irc.org/issues/1728
NOTE: '--require-ssl' flag added in https://github.com/quassel/quassel/pull/43
@@ -4944,6 +4955,7 @@ CVE-2021-3587 [nfc: fix NULL ptr dereference in llcp_sock_getname() after failed
CVE-2021-3582 [hw/rdma: Fix possible mremap overflow in the pvrdma device]
RESERVED
- qemu <unfixed> (bug #990565)
+ [buster] - qemu <no-dsa> (Minor issue)
[stretch] - qemu <not-affected> (Vulnerable code introduced later)
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-06/msg04148.html
CVE-2021-33907
@@ -5249,6 +5261,7 @@ CVE-2021-33792
CVE-2021-3572 [Don't split git references on unicode separators #9827]
RESERVED
- python-pip 20.3.4-2
+ [buster] - python-pip <no-dsa> (Minor issue)
[stretch] - python-pip <postponed> (Minor issue. Fix along with next DLA)
NOTE: https://bugs.launchpad.net/ubuntu/+source/python-pip/+bug/1926957
NOTE: https://github.com/pypa/pip/pull/9827
@@ -6583,6 +6596,7 @@ CVE-2021-3556
REJECTED
CVE-2021-33204 (In the pg_partman (aka PG Partition Manager) extension before 4.5.1 fo ...)
- pg-partman 4.5.1-1 (bug #988917)
+ [buster] - pg-partman <no-dsa> (Minor issue)
[stretch] - pg-partman <no-dsa> (Minor issue)
NOTE: https://github.com/pgpartman/pg_partman/commit/0b6565ad378c358f8a6cd1d48ddc482eb7f854d3
CVE-2021-33203 (Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a ...)
@@ -6605,45 +6619,52 @@ CVE-2021-33199
RESERVED
CVE-2021-33198
RESERVED
- - golang-1.16 1.16.5-1
- - golang-1.15 1.15.9-5
- - golang-1.11 <removed>
- - golang-1.8 <removed>
+ - golang-1.16 1.16.5-1 (unimportant)
+ - golang-1.15 1.15.9-5 (unimportant)
+ - golang-1.11 <removed> (unimportant)
+ - golang-1.8 <removed> (unimportant)
[stretch] - golang-1.8 <no-dsa> (Limited support in stretch)
- - golang-1.7 <removed>
+ - golang-1.7 <removed> (unimportant)
NOTE: https://github.com/golang/go/issues/44910
NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
+ NOTE: This appears to only update the documentation/example
CVE-2021-33197
RESERVED
- golang-1.16 1.16.5-1
- golang-1.15 1.15.9-5
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Minor issue)
- golang-1.8 <removed>
[stretch] - golang-1.8 <no-dsa> (Limited support in stretch)
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/46313
NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
+ NOTE: https://github.com/golang/go/commit/cbd1ca84453fecf3825a6bb9f985823e8bc32b76 (1.15)
CVE-2021-33196 [archive/zip: malformed archive may cause panic or memory exhaustion]
RESERVED
- golang-1.16 1.16.5-1 (bug #989492)
- golang-1.15 1.15.9-4
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Minor issue)
- golang-1.8 <removed>
[stretch] - golang-1.8 <no-dsa> (Limited support in stretch)
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/46242
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33912
NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
+ NOTE: https://github.com/golang/go/commit/c92adf420a3d9a5510f9aea382d826f0c9216a10 (1.15)
CVE-2021-33195
RESERVED
- golang-1.16 1.16.5-1
- golang-1.15 1.15.9-5
- golang-1.11 <removed>
+ [buster] - golang-1.11 <no-dsa> (Minor issue)
- golang-1.8 <removed>
[stretch] - golang-1.8 <no-dsa> (Limited support in stretch)
- golang-1.7 <removed>
NOTE: https://github.com/golang/go/issues/46241
NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI
+ NOTE: https://github.com/golang/go/commit/31d60cda1f58b7558fc5725d2b9e4531655d980e (1.15)
CVE-2021-33194 (golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows atta ...)
- golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-4
- golang-golang-x-net-dev <removed>
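Review bot: In the CVE-2021-33198 entry every unversioned golang line is now tagged "(unimportant)", but the unchanged "[stretch] - golang-1.8 <no-dsa> (Limited support in stretch)" line is kept, so the entry carries two different assessments for golang-1.8. If the change is documentation-only, as the new NOTE says, drop or update the stretch line. That NOTE is hedged ("appears to"); a link to the upstream commit, as added for CVE-2021-33195, CVE-2021-33196 and CVE-2021-33197, would let readers check it. The commit links added for those three entries are labelled "(1.15)" while the new annotations are for golang-1.11 in buster, so it is worth saying whether the same code is present in 1.11.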
@@ -58162,6 +58183,7 @@ CVE-2020-24588 (The 802.11 standard that underpins Wi-Fi Protected Access (WPA,
- linux 5.10.46-1
[buster] - linux 4.19.194-1
- firmware-nonfree <unfixed>
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://papers.mathyvanhoef.com/usenix2021.pdf
NOTE: https://www.fragattacks.com/
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html
@@ -58178,6 +58200,7 @@ CVE-2020-24587 (The 802.11 standard that underpins Wi-Fi Protected Access (WPA,
- linux 5.10.46-1
[buster] - linux 4.19.194-1
- firmware-nonfree <unfixed>
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://papers.mathyvanhoef.com/usenix2021.pdf
NOTE: https://www.fragattacks.com/
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html
@@ -58191,6 +58214,7 @@ CVE-2020-24586 (The 802.11 standard that underpins Wi-Fi Protected Access (WPA,
- linux 5.10.46-1
[buster] - linux 4.19.194-1
- firmware-nonfree <unfixed>
+ [buster] - firmware-nonfree <no-dsa> (Non-free not supported)
NOTE: https://papers.mathyvanhoef.com/usenix2021.pdf
NOTE: https://www.fragattacks.com/
NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html
@@ -77512,6 +77536,7 @@ CVE-2020-15523 (In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8
- python2.7 <not-affected> (Python on Windows)
CVE-2020-15522 (Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA bef ...)
- bouncycastle 1.68-1
+ [buster] - bouncycastle <no-dsa> (Minor issue)
[stretch] - bouncycastle <no-dsa> (Minor issue)
NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2020-15522
CVE-2020-15521 (Zoho ManageEngine Applications Manager before 14 build 14730 has no pr ...)
=====================================
data/DSA/list
=====================================
@@ -11,7 +11,7 @@
{CVE-2021-0089 CVE-2021-26313 CVE-2021-28690 CVE-2021-28692}
[buster] - xen 4.11.4+107-gef32c7afa2-1
[10 Jun 2021] DSA-4930-1 libwebp - security update
- {CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332}
+ {CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332 }
[buster] - libwebp 0.6.1-2+deb10u1
[09 Jun 2021] DSA-4929-1 rails - security update
{CVE-2021-22880 CVE-2021-22885 CVE-2021-22904}
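Review bot: The replacement CVE list for DSA-4930-1 ends with a space before the closing brace ("CVE-2020-36332 }"), which the removed line did not have. Remove the trailing space so the line matches the other lists in this file, such as "{CVE-2021-22880 CVE-2021-22885 CVE-2021-22904}", and so that adding CVE-2018-25012 is the only change on the line.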
=====================================
data/dsa-needed.txt
=====================================
@@ -12,7 +12,7 @@ To pick an issue, simply add your uid behind it.
If needed, specify the release by adding a slash after the name of the source package.
--
-apache2
+apache2 (jmm)
Maintainer (yadd) is working on updates
--
condor
@@ -21,7 +21,9 @@ chromium
--
djvulibre
--
-libuv1
+icu
+--
+libuv1 (jmm)
jmm asked maintainers to prepare update, pending
--
linux (carnil)
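Review bot: The new "icu" entry has no uid and no note line, while the libuv1 entry directly below it records who is handling the update and its status. Add a one-line note saying which issue puts icu on the list, so that whoever picks it up knows what needs to be fixed.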
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0539152487f369f60aa45ddc9601aa7ce88b5d86