[Git][security-tracker-team/security-tracker][master] 4 commits: Triage CVE-2021-3624 in dcraw for stretch LTS.

Chris Lamb (@lamby) lamby at debian.org
Wed Jul 7 10:21:28 BST 2021 


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9175d471 by Chris Lamb at 2021-07-07T10:16:39+01:00
Triage CVE-2021-3624 in dcraw for stretch LTS.

- - - - -
9a3284b2 by Chris Lamb at 2021-07-07T10:19:50+01:00
Triage CVE-2020-36401 in mruby for stretch LTS.

- - - - -
16c443a4 by Chris Lamb at 2021-07-07T10:20:06+01:00
Triage CVE-2021-35937, CVE-2021-35938 and CVE-2021-35939 in rpm for stretch LTS.

- - - - -
0906f48d by Chris Lamb at 2021-07-07T10:21:06+01:00
Triage CVE-2021-36084, CVE-2021-36085, CVE-2021-36086 & CVE-2021-36087 in libsepol for stretch LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -290,24 +290,28 @@ CVE-2021-36088 (Fluent Bit (aka fluent-bit) 1.7.0 through 1.7,4 has a double fre
 CVE-2021-36087 (The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in e ...)
 	- libsepol <unfixed> (bug #990526)
 	[buster] - libsepol <no-dsa> (Minor issue)
+	[stretch] - libsepol <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32675
 	NOTE: https://github.com/SELinuxProject/selinux/commit/bad0a746e9f4cf260dedba5828d9645d50176aac
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-585.yaml
 CVE-2021-36086 (The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_clas ...)
 	- libsepol <unfixed> (bug #990526)
 	[buster] - libsepol <no-dsa> (Minor issue)
+	[stretch] - libsepol <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32177
 	NOTE: https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-536.yaml
 CVE-2021-36085 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...)
 	- libsepol <unfixed> (bug #990526)
 	[buster] - libsepol <no-dsa> (Minor issue)
+	[stretch] - libsepol <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31124
 	NOTE: https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-421.yaml
 CVE-2021-36084 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...)
 	- libsepol <unfixed> (bug #990526)
 	[buster] - libsepol <no-dsa> (Minor issue)
+	[stretch] - libsepol <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31065
 	NOTE: https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-417.yaml
@@ -357,6 +361,7 @@ CVE-2020-36402 (Solidity 0.7.5 has a stack-use-after-return issue in smtutil::CH
 CVE-2020-36401 (mruby 2.1.2 has a double free in mrb_default_allocf (called from mrb_f ...)
 	- mruby <unfixed> (bug #990540)
 	[buster] - mruby <no-dsa> (Minor issue)
+	[stretch] - mruby <not-affected> (Vulnerable code not present)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23801
 	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/mruby/OSV-2020-744.yaml
 	NOTE: https://github.com/mruby/mruby/commit/97319697c8f9f6ff27b32589947e1918e3015503
@@ -711,18 +716,21 @@ CVE-2021-35939 [checks for unsafe symlinks are not performed for intermediary di
 	- rpm <unfixed> (bug #990543)
 	[bullseye] - rpm <no-dsa> (Minor issue)
 	[buster] - rpm <no-dsa> (Minor issue)
+	[stretch] - rpm <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964129
 CVE-2021-35938 [races with chown/chmod/capabilities calls during installation]
 	RESERVED
 	- rpm <unfixed> (bug #990543)
 	[bullseye] - rpm <no-dsa> (Minor issue)
 	[buster] - rpm <no-dsa> (Minor issue)
+	[stretch] - rpm <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964114
 CVE-2021-35937 [TOCTOU race in checks for unsafe symlinks]
 	RESERVED
 	- rpm <unfixed> (bug #990543)
 	[bullseye] - rpm <no-dsa> (Minor issue)
 	[buster] - rpm <no-dsa> (Minor issue)
+	[stretch] - rpm <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1964125
 CVE-2021-35936
 	RESERVED
@@ -1555,6 +1563,7 @@ CVE-2021-3624 [buffer-overflow caused by integer-overflow in foveon_load_camf()]
 	- dcraw <unfixed> (bug #984761)
 	[bullseye] - dcraw <no-dsa> (Minor issue)
 	[buster] - dcraw <no-dsa> (Minor issue)
+	[stretch] - dcraw <no-dsa> (Minor issue)
 CVE-2021-3623 [out-of-bounds access when trying to resume the state of the vTPM]
 	RESERVED
 	- libtpms <unfixed> (bug #990522)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/12e9b96526fb1c4ceec271d3d60fece8fc0d898f...0906f48d4dc8b026dd844c2474b9fccb34caedd8

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/12e9b96526fb1c4ceec271d3d60fece8fc0d898f...0906f48d4dc8b026dd844c2474b9fccb34caedd8
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210707/e19d994e/attachment.htm>

More information about the debian-security-tracker-commits mailing list