[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Jul 6 20:18:32 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
733f121e by Moritz Muehlenhoff at 2021-07-06T21:15:36+02:00
buster triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3247,6 +3247,7 @@ CVE-2021-34696
CVE-2021-3605 [Heap buffer overflow in the rleUncompress function]
RESERVED
- openexr <unfixed>
+ [buster] - openexr <no-dsa> (Minor issue)
[stretch] - openexr <postponed> (Minor issue, buffer read overflow, fix along next DLA)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1036
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/25259a84827234a283f6f9db72978198c7a3f268 (master)
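Review bot: the new [buster] line records only "Minor issue" while the stretch line directly below it states the actual finding (buffer read overflow) and the plan (fix along with the next DLA); carrying the same rationale into the buster annotation, for example `[buster] - openexr <no-dsa> (Minor issue, buffer read overflow; can go in via a point release)`, lets the next triager see what was judged without re-reading upstream PR 1036. The NOTE distinguishing this from CVE-2020-11760 is exactly the kind of detail that should stay.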
@@ -3254,6 +3255,7 @@ CVE-2021-3605 [Heap buffer overflow in the rleUncompress function]
NOTE: not to be confused with CVE-2020-11760 whose fix is similar but applied around 10 lines above, in the other branch of the 'if'
CVE-2021-3603 (PHPMailer 6.4.1 and earlier contain a vulnerability that can result in ...)
- libphp-phpmailer <unfixed>
+ [buster] - libphp-phpmailer <no-dsa> (Minor issue)
[stretch] - libphp-phpmailer <postponed> (Minor issue, fix along with next DLA)
NOTE: https://www.huntr.dev/bounties/1-PHPMailer/PHPMailer/
NOTE: https://github.com/PHPMailer/PHPMailer/commit/45f3c18dc6a2de1cb1bf49b9b249a9ee36a5f7f3 (v6.5.0)
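Review bot: the buster rationale is again just "Minor issue" where the stretch line says what is planned; since the upstream fix is pinned to v6.5.0 in the NOTE, stating whether buster is expected to pick it up through a point release or to carry the issue unfixed would make the no-dsa decision reviewable later.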
@@ -9855,6 +9857,7 @@ CVE-2020-36328 (A flaw was found in libwebp in versions before 1.0.1. A heap-bas
NOTE: https://chromium.googlesource.com/webm/libwebp/+/71ed73cf86132394ea25ae9c7ed431e0d71043f5
CVE-2020-36327 (Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes choos ...)
- bundler <removed>
+ [buster] - bundler <no-dsa> (Minor issue)
[stretch] - bundler <no-dsa> (Invasive change, hard to backport; chances of regression)
- rubygems <unfixed>
[bullseye] - rubygems <no-dsa> (Minor issue)
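Review bot: the buster line says "Minor issue" while the stretch line right below gives a different reason (invasive change, hard to backport, regression risk); if backporting is equally invasive for buster's bundler, that is the more useful rationale to record, and if it is not, the annotation should say why the two releases differ. The rubygems entry still carries only a [bullseye] line; if buster ships the affected resolver code in a separate rubygems package rather than inside bundler, it needs a [buster] annotation too, otherwise a short NOTE saying buster is covered by the bundler line would close the gap.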
@@ -9993,6 +9996,7 @@ CVE-2021-3516 (There's a flaw in libxml2's xmllint in versions before 2.9.11. An
NOTE: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539
CVE-2021-3515 (A shell injection flaw was found in pglogical in versions before 2.3.4 ...)
- pglogical 2.3.3-3 (bug #988735)
+ [buster] - pglogical <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1954112
NOTE: https://github.com/2ndQuadrant/pglogical/commit/95c0e8981485e09efab6821cf55a4e27b086efe5
CVE-2021-3514 (When using a sync_repl client in 389-ds-base, an authenticated attacke ...)
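Review bot: "Minor issue" is a thin justification for a shell injection flaw; the annotation should say what makes it minor (for instance who can reach the affected code path and with what privileges), the way the stretch lines elsewhere in this commit do, so the no-dsa decision can be re-checked when bug #988735 is revisited.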
@@ -16309,6 +16313,8 @@ CVE-2021-29280
RESERVED
CVE-2021-29279 (There is a integer overflow in function filter_core/filter_props.c:gf_ ...)
- gpac 1.0.1+dfsg1-4 (bug #987323)
+ [buster] - gpac <not-affected> (Vulnerable code not present)
+ [stretch] - gpac <not-affected> (Vulnerable code not present)
NOTE: https://github.com/gpac/gpac/commit/da69ad1f970a7e17c865eaec9af98cc84df10d5b
NOTE: https://github.com/gpac/gpac/issues/1718
CVE-2021-29278
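Review bot: `<not-affected> (Vulnerable code not present)` is the right tag if the gf_ function in filter_core/filter_props.c named in the description does not exist in the buster and stretch gpac sources, but the annotation should record that check (the file or function looked for, or the upstream commit that introduced the code) instead of the generic phrase, so a later triager can verify it without repeating the source comparison.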
@@ -18610,6 +18616,7 @@ CVE-2021-28301
RESERVED
CVE-2021-28300 (NULL Pointer Dereference in the "isomedia/track.c" module's "MergeTrac ...)
- gpac 1.0.1+dfsg1-4 (bug #987020)
+ [buster] - gpac <no-dsa> (Minor issue)
[stretch] - gpac <postponed> (Minor issue; can be fixed in next update)
NOTE: https://github.com/gpac/gpac/issues/1702
NOTE: https://github.com/gpac/gpac/commit/c4a5109dad73abe25ad12d8d529a728ae98d78ca
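Review bot: buster gets `<no-dsa> (Minor issue)` and stretch `<postponed> (Minor issue; can be fixed in next update)`; the two tags carry different expectations, since postponed means a fix is still intended for a later update while no-dsa only says no advisory will be issued. If buster is also meant to pick up the fix in a later update, `<postponed>` would be the consistent choice; otherwise the buster annotation should say the fix is not planned.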
@@ -20931,8 +20938,9 @@ CVE-2021-27349 (Advanced Order Export before 3.1.8 for WooCommerce allows XSS, a
CVE-2021-27348
RESERVED
CVE-2021-27347 (Use after free in lzma_decompress_buf function in stream.c in Irzip 0. ...)
- - lrzip <unfixed> (bug #990583)
+ - lrzip <unfixed> (unimportant; bug #990583)
NOTE: https://github.com/ckolivas/lrzip/issues/165
+ NOTE: Crash in CLI tool, no security impact
CVE-2021-27346
RESERVED
CVE-2021-27345 (A null pointer dereference was discovered in ucompthread in stream.c i ...)
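Review bot: the new NOTE justifying `unimportant` says "Crash in CLI tool, no security impact", but the description is a use-after-free in lzma_decompress_buf, not a null dereference; a UAF reached while decompressing an attacker-supplied archive is at least a DoS and can be more, so the note should say why it is treated as only a crash (for instance whether upstream's analysis in issue 165 establishes that it cannot be more than that), or the previous severity should stand.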
@@ -34891,10 +34899,12 @@ CVE-2020-35983
RESERVED
CVE-2020-35982 (An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is an i ...)
- gpac 1.0.1+dfsg1-4 (bug #987374)
+ [buster] - gpac <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/commit/a4eb327049132359cae54b59faec9e2f14c5a619
NOTE: https://github.com/gpac/gpac/issues/1660
CVE-2020-35981 (An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is an i ...)
- gpac 1.0.1+dfsg1-4 (bug #987374)
+ [buster] - gpac <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/commit/dae9900580a8888969481cd72035408091edb11b
NOTE: https://github.com/gpac/gpac/issues/1659
CVE-2020-35980 (An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is a us ...)
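Review bot: CVE-2020-35982 and CVE-2020-35981 get a [buster] `<no-dsa>` line but no [stretch] annotation, while the other gpac entries in this commit (CVE-2021-29279, CVE-2021-28300, the CVE-2020-2393x group) annotate both releases; either add the stretch line or leave a NOTE saying why stretch needs none.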
@@ -34905,6 +34915,7 @@ CVE-2020-35980 (An issue was discovered in GPAC version 0.8.0 and 1.0.1. There i
NOTE: https://github.com/gpac/gpac/issues/1661
CVE-2020-35979 (An issue was discovered in GPAC version 0.8.0 and 1.0.1. There is heap ...)
- gpac 1.0.1+dfsg1-4 (bug #987374)
+ [buster] - gpac <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/commit/b15020f54aff24aaeb64b80771472be8e64a7adc
NOTE: https://github.com/gpac/gpac/issues/1662
CVE-2020-35978
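Review bot: CVE-2020-35980's own package and annotation lines fall between this hunk and the previous one and are not part of this change, so it is not visible here whether it already carries the same [buster] annotation as its bug #987374 siblings; worth a glance so the whole batch ends up annotated consistently.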
@@ -59766,21 +59777,29 @@ CVE-2020-23933
REJECTED
CVE-2020-23932 (An issue was discovered in gpac before 1.0.1. A NULL pointer dereferen ...)
- gpac 1.0.1+dfsg1-2 (bug #987374)
+ [buster] - gpac <not-affected> (Vulnerable code not present)
+ [stretch] - gpac <not-affected> (Vulnerable code not present)
NOTE: https://github.com/gpac/gpac/commit/ce01bd15f711d4575b7424b54b3a395ec64c1784
NOTE: https://github.com/gpac/gpac/issues/1566
CVE-2020-23931 (An issue was discovered in gpac before 1.0.1. The abst_box_read functi ...)
- gpac 1.0.1+dfsg1-2 (bug #987374)
+ [buster] - gpac <not-affected> (Vulnerable code not present)
+ [stretch] - gpac <not-affected> (Vulnerable code not present)
NOTE: https://github.com/gpac/gpac/commit/093283e727f396130651280609e687cd4778e0d1
NOTE: https://github.com/gpac/gpac/issues/1564
NOTE: https://github.com/gpac/gpac/issues/1567
CVE-2020-23930 (An issue was discovered in gpac through 20200801. A NULL pointer deref ...)
- gpac 1.0.1+dfsg1-2 (bug #987374)
+ [buster] - gpac <not-affected> (Vulnerable code not present)
+ [stretch] - gpac <not-affected> (Vulnerable code not present)
NOTE: https://github.com/gpac/gpac/commit/9eeac00b38348c664dfeae2525bba0cf1bc32349
NOTE: https://github.com/gpac/gpac/issues/1565
CVE-2020-23929
RESERVED
CVE-2020-23928 (An issue was discovered in gpac before 1.0.1. The abst_box_read functi ...)
- gpac 1.0.1+dfsg1-2 (bug #987374)
+ [buster] - gpac <not-affected> (Vulnerable code not present)
+ [stretch] - gpac <not-affected> (Vulnerable code not present)
NOTE: https://github.com/gpac/gpac/commit/8e05648d6b4459facbc783025c5c42d301fef5c3
NOTE: https://github.com/gpac/gpac/issues/1568
NOTE: https://github.com/gpac/gpac/issues/1569
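Review bot: all four entries are marked `<not-affected> (Vulnerable code not present)` for buster and stretch even though the CVE descriptions say "gpac before 1.0.1" and "gpac through 20200801", which on their face cover the older releases; a NOTE naming what was checked (abst_box_read, mentioned for CVE-2020-23931 and CVE-2020-23928, or the upstream commit that introduced the code) would make the not-affected call verifiable instead of relying on the generic phrase.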
@@ -78397,6 +78416,7 @@ CVE-2020-15226 (In GLPI before version 9.5.2, there is a SQL Injection in the AP
- glpi <removed>
CVE-2020-15225 (django-filter is a generic system for filtering Django QuerySets based ...)
- django-filter 2.4.0-1
+ [buster] - django-filter <no-dsa> (Minor issue)
[stretch] - django-filter <no-dsa> (Minor issue)
NOTE: https://github.com/carltongibson/django-filter/security/advisories/GHSA-x7gm-rfgv-w973
NOTE: https://github.com/carltongibson/django-filter/commit/340cf7a23a2b3dcd7183f6a0d6c383e85b130d2b
=====================================
data/dsa-needed.txt
=====================================
@@ -15,6 +15,8 @@ If needed, specify the release by adding a slash after the name of the source pa
apache2 (jmm)
Maintainer (yadd) is working on updates
--
+bluez
+--
condor
--
chromium
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/733f121e910137d45eda19169b1ac54dceeaeee9