[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Jul 6 11:58:31 BST 2021 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
324b1102 by Moritz Muehlenhoff at 2021-07-06T12:58:03+02:00
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -242,6 +242,7 @@ CVE-2020-36402 (Solidity 0.7.5 has a stack-use-after-return issue in smtutil::CH
 	NOT-FOR-US: Solidity
 CVE-2020-36401 (mruby 2.1.2 has a double free in mrb_default_allocf (called from mrb_f ...)
 	- mruby <unfixed> (bug #990540)
+	[buster] - mruby <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23801
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mruby/OSV-2020-744.yaml
 	NOTE: https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503
@@ -3312,6 +3313,8 @@ CVE-2021-3598
 	RESERVED
 	{DLA-2701-1}
 	- openexr <unfixed> (bug #990450)
+	[bullseye] - openexr <no-dsa> (Minor issue)
+	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1033
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1037
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/566f5241edd87445373885d5f7a904dc81e866c1
@@ -5973,6 +5976,7 @@ CVE-2021-33516 (An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.
 	NOTE: https://gitlab.gnome.org/GNOME/gupnp/-/commit/ca6ec9dcb26fd7a2a630eb6a68118659b589afac (master)
 CVE-2021-33515 (The submission service in Dovecot before 2.3.15 allows STARTTLS comman ...)
 	- dovecot <unfixed> (bug #990566)
+	[buster] - dovecot <postponed> (Minor issue, fix along with next update)
 	[stretch] - dovecot <not-affected> (Vulnerable code (smtp_server_command queue) introduced later)
 	NOTE: https://dovecot.org/pipermail/dovecot-news/2021-June/000462.html
 	NOTE: https://www.openwall.com/lists/oss-security/2021/06/28/2
@@ -10747,6 +10751,8 @@ CVE-2021-26945 (An integer overflow leading to a heap-buffer overflow was found
 CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was found in the ...)
 	{DLA-2701-1}
 	- openexr <unfixed>
+	[bullseye] - openexr <no-dsa> (Minor issue)
+	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947582
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29423
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/894
@@ -10754,6 +10760,8 @@ CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was found
 CVE-2021-23215 (An integer overflow leading to a heap-buffer overflow was found in the ...)
 	{DLA-2701-1}
 	- openexr <unfixed>
+	[bullseye] - openexr <no-dsa> (Minor issue)
+	[buster] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947586
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29653
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/901
@@ -16803,6 +16811,7 @@ CVE-2021-29064
 	RESERVED
 CVE-2021-29063 (A Regular Expression Denial of Service (ReDOS) vulnerability was disco ...)
 	- mpmath <unfixed> (bug #990576)
+	[buster] - mpmath <no-dsa> (Minor issue)
 	[stretch] - mpmath <no-dsa> (Minor issue)
 	NOTE: https://github.com/yetingli/PoCs/blob/main/CVE-2021-29063/Mpmath.md
 	NOTE: https://github.com/fredrik-johansson/mpmath/issues/548
@@ -16814,6 +16823,7 @@ CVE-2021-29061 (A Regular Expression Denial of Service (ReDOS) vulnerability was
 	NOT-FOR-US: Vfsjfilechooser2
 CVE-2021-29060 (A Regular Expression Denial of Service (ReDOS) vulnerability was disco ...)
 	- node-color-string 1.5.4-2
+	[buster] - node-color-string <no-dsa> (Minor issue)
 	NOTE: https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md
 	NOTE: https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3
 CVE-2021-29059 (A vulnerability was discovered in IS-SVG version 4.3.1 and below where ...)
@@ -24001,6 +24011,7 @@ CVE-2021-26118 (While investigating ARTEMIS-2964 it was found that the creation
 CVE-2021-26117 (The optional ActiveMQ LDAP login module can be configured to use anony ...)
 	{DLA-2583-1}
 	- activemq 5.16.1-1 (bug #982590)
+	[buster] - activemq <no-dsa> (Minor issue)
 	NOTE: https://issues.apache.org/jira/browse/AMQ-8035
 	NOTE: https://www.openwall.com/lists/oss-security/2021/01/27/6
 	NOTE: https://gitbox.apache.org/repos/asf?p=activemq.git;h=c9f68f4c64b2687eee283b95538753665d2b229b
@@ -48819,6 +48830,7 @@ CVE-2020-28201
 	RESERVED
 CVE-2020-28200 (The Sieve engine in Dovecot before 2.3.15 allows Uncontrolled Resource ...)
 	- dovecot <unfixed> (bug #990566)
+	[buster] - dovecot <postponed> (Minor issue, fix along with next update)
 	[stretch] - dovecot <no-dsa> (Minor issue)
 	NOTE: https://dovecot.org/pipermail/dovecot-news/2021-June/000460.html
 	NOTE: https://www.openwall.com/lists/oss-security/2021/06/28/3



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/324b1102670203f17c0d5b93084f19424fa396ce

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/324b1102670203f17c0d5b93084f19424fa396ce
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210706/23d7afd4/attachment.htm>

More information about the debian-security-tracker-commits mailing list