[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jul 5 21:34:28 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1f0457df by Moritz Muehlenhoff at 2021-07-05T22:34:06+02:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -10777,6 +10777,7 @@ CVE-2021-3506 (An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/no
 	NOTE: https://lore.kernel.org/lkml/20210322114730.71103-1-yuchao0@huawei.com/
 CVE-2021-34557 (XScreenSaver 5.45 can be bypassed if the machine has more than ten dis ...)
 	- xscreensaver 5.45+dfsg1-2 (bug #989508)
+	[buster] - xscreensaver <no-dsa> (Minor issue)
 	[stretch] - xscreensaver <postponed> (Minor issue, fix along with next dla)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/06/05/1
 	NOTE: https://www.openwall.com/lists/oss-security/2021/06/05/2
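Review bot: the new buster line tags CVE-2021-34557 as <no-dsa> with only "Minor issue", while the stretch line directly below it also records the plan ("fix along with next dla"); for consistency the buster rationale should say whether the fix is intended for a buster point release or whether it is deliberately left unfixed, since <no-dsa> alone does not distinguish the two.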
@@ -23727,24 +23728,29 @@ CVE-2021-26200 (The user area for Library System 1.0 is vulnerable to SQL inject
 	NOT-FOR-US: Library System
 CVE-2021-26199 (An issue was discovered in JerryScript 2.4.0. There is a heap-use-afte ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
 	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4056
 CVE-2021-26198 (An issue was discovered in JerryScript 2.4.0. There is a SEVG in ecma_ ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
 	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4402
 CVE-2021-26197 (An issue was discovered in JerryScript 2.4.0. There is a SEGV in main_ ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
 	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4403
 CVE-2021-26196
 	RESERVED
 CVE-2021-26195 (An issue was discovered in JerryScript 2.4.0. There is a heap-buffer-o ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
 	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4442
 CVE-2021-26194 (An issue was discovered in JerryScript 2.4.0. There is a heap-use-afte ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
 	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4445
 CVE-2021-26193
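Review bot: every iotjs entry in this hunk is <unfixed> in sid against a single bug (#989991) and now <no-dsa> for both bullseye and buster, but the only references are the upstream jerryscript issue links; since the source package is iotjs and the issues are filed against jerryscript, a NOTE recording the fixing jerryscript commit (as the apache2 entry in this same commit does with "Fixed by:") would let someone later verify that a given iotjs upload actually closes each of the five CVEs rather than relying on the shared bug number.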
@@ -60926,18 +60932,28 @@ CVE-2020-23324
 	RESERVED
 CVE-2020-23323 (There is a heap-buffer-overflow at re-parser.c in re_parse_char_escape ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3871
 CVE-2020-23322 (There is an Assertion in 'context_p->token.type == LEXER_RIGHT_BRAC ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3869
 CVE-2020-23321 (There is a heap-buffer-overflow at lit-strings.c:431 in lit_read_code_ ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3870
 CVE-2020-23320 (There is an Assertion in 'context_p->next_scanner_info_p->type = ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3835
 CVE-2020-23319 (There is an Assertion in '(flags >> CBC_STACK_ADJUST_SHIFT) > ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3834
 CVE-2020-23318
 	RESERVED
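Review bot: the buster and bullseye <no-dsa> lines added here carry no indication of which embedded jerryscript version each suite's iotjs ships, so the "Minor issue" rationale cannot be checked against the upstream issue reports; a short NOTE with the bundled jerryscript version in buster and bullseye (or a statement that the affected code is present in both) would make these entries self-verifying, and the same applies to the other iotjs hunks in this commit.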
@@ -60949,29 +60965,45 @@ CVE-2020-23315
 	RESERVED
 CVE-2020-23314 (There is an Assertion 'block_found' failed at js-parser-statm.c:2003 p ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3825
 CVE-2020-23313 (There is an Assertion 'scope_stack_p > context_p->scope_stack_p' ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3823
 CVE-2020-23312 (There is an Assertion 'context.status_flags & PARSER_SCANNING_SUCC ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3824
 CVE-2020-23311 (There is an Assertion 'context_p->token.type == LEXER_RIGHT_BRACE | ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3822
 CVE-2020-23310 (There is an Assertion 'context_p->next_scanner_info_p->type == S ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3821
 CVE-2020-23309 (There is an Assertion 'context_p->stack_depth == context_p->cont ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3820
 CVE-2020-23308 (There is an Assertion 'context_p->stack_top_uint8 == LEXER_EXPRESSI ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3819
 CVE-2020-23307
 	RESERVED
 CVE-2020-23306 (There is a stack-overflow at ecma-regexp-object.c:535 in ecma_regexp_m ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3753
 CVE-2020-23305
 	RESERVED
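Review bot: two entries in this hunk look like possible duplicates of entries in the previous hunk and are worth checking before they are all triaged identically: CVE-2020-23311 ("Assertion 'context_p->token.type == LEXER_RIGHT_BRACE | ...", issue 3822) matches the description of CVE-2020-23322 (issue 3869), and CVE-2020-23310 ("context_p->next_scanner_info_p->type == S ...", issue 3821) matches CVE-2020-23320 (issue 3835). If upstream closed one of each pair as a duplicate of the other, a NOTE cross-referencing them would avoid double-counting when the fix is eventually uploaded.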
@@ -60979,9 +61011,13 @@ CVE-2020-23304
 	RESERVED
 CVE-2020-23303 (There is a heap-buffer-overflow at jmem-poolman.c:165 in jmem_pools_co ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3749
 CVE-2020-23302 (There is a heap-use-after-free at ecma-helpers-string.c:772 in ecma_re ...)
 	- iotjs <unfixed> (bug #989991)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3748
 CVE-2020-23301
 	RESERVED
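Review bot: CVE-2020-23303 and CVE-2020-23302 are a heap-buffer-overflow and a heap-use-after-free, which is a stronger class of bug than the assertion failures in the preceding hunks, yet they receive the same bare "Minor issue" rationale; the no-dsa lines should state why memory corruption in the engine is considered minor here (for example if iotjs only ever executes local, trusted scripts), since that is the assumption a future reviewer will want to confirm.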
@@ -81922,9 +81958,11 @@ CVE-2020-13951 (Attackers can use public NetTest web service of Apache OpenMeeti
 CVE-2020-13950 (Apache HTTP Server versions 2.4.41 to 2.4.46 mod_proxy_http can be mad ...)
 	[experimental] - apache2 2.4.48-1
 	- apache2 2.4.46-6
+	[buster] - apache2 <not-affected> (Vulnerable code not present)
+	[stretch] - apache2 <not-affected> (Vulnerable code not present)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-13950
 	NOTE: Fixed by: https://svn.apache.org/r1678771
-	TODO: check why this only a problem starting in 2.4.41
+	NOTE: Introduced by: https://svn.apache.org/r1656259
 CVE-2020-13949 (In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send sho ...)
 	- thrift <unfixed> (bug #988949)
 	[bullseye] - thrift <no-dsa> (Minor issue)
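Review bot: replacing the TODO ("check why this only a problem starting in 2.4.41") with an "Introduced by:" revision answers the question only implicitly; the new NOTE should also state that r1656259 first shipped in 2.4.41, because that is the fact the two <not-affected> lines for buster and stretch ("Vulnerable code not present") rest on. It is also worth double-checking both revision numbers against the linked httpd vulnerabilities page before this lands, since a wrong "Introduced by" revision would invalidate the not-affected triage for two suites.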
@@ -116379,6 +116417,7 @@ CVE-2020-1696 (A flaw was found in the all pki-core 10.x.x versions, where Token
 CVE-2020-1695 (A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final  ...)
 	- resteasy <undetermined>
 	- resteasy3.0 3.0.26-2
+	[buster] - resteasy3.0 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1730462
 	NOTE: https://github.com/resteasy/Resteasy/commit/acf15f2a8067f7e4cf5838342cecfa0b78a174fb
 CVE-2020-1694 (A flaw was found in all versions of Keycloak before 10.0.0, where the  ...)
@@ -177051,6 +177090,7 @@ CVE-2019-0211 (In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM eve
 CVE-2019-0210 (In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJS ...)
 	[experimental] - thrift 0.13.0-1
 	- thrift 0.13.0-2
+	[buster] - thrift <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/10/17/2
 	NOTE: https://github.com/apache/thrift/commit/264a3f318ed3e9e51573f67f963c8509786bcec2
 CVE-2019-0209
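Review bot: the description says the issue affects "a server implemented in Go using TJS..."; if buster's thrift source does not build the Go library at all, <not-affected> would be the more precise tag than <no-dsa> (Minor issue) for buster, so the binary package list for buster is worth a quick check before committing to no-dsa.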
@@ -177064,6 +177104,7 @@ CVE-2019-0206
 CVE-2019-0205 (In Apache Thrift all versions up to and including 0.12.0, a server or  ...)
 	[experimental] - thrift 0.13.0-1
 	- thrift 0.13.0-2
+	[buster] - thrift <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/10/17/1
 CVE-2019-0204 (A specifically crafted Docker image running under the root user can ov ...)
 	- apache-mesos <itp> (bug #760315)
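Review bot: unlike the CVE-2019-0210 entry just above, CVE-2019-0205 references only the oss-security post and no fixing commit, so there is nothing in the entry to confirm that 0.13.0-2 (or a later buster update, should the no-dsa decision be revisited) actually carries the fix; adding the upstream commit NOTE, as done for 0210, would keep the two entries consistent.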


=====================================
data/dsa-needed.txt
=====================================
@@ -31,11 +31,13 @@ ndpi
 --
 jetty9
 --
+puppetdb (jmm)
+--
 python-pysaml2 (jmm)
 --
 runc
 --
 salt
 --
-trafficserver
+trafficserver (jmm)
 --
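Review bot: the puppetdb entry is added with a claimant but, like the trafficserver line being claimed in the same hunk, without a pointer to the CVE(s) it covers; the file's other entries shown here are equally bare, so this is consistent, but a trailing comment naming the CVE ids would make it easier to match these claims against data/CVE/list when the DSA is prepared.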



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1f0457df760981ff71d893c0bbeed1202ee919ac
