[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Thu Jul 15 16:29:29 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5dcc0b4c by Moritz Muehlenhoff at 2021-07-15T17:29:03+02:00
buster triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -11340,64 +11340,76 @@ CVE-2021-31816 (When configuring Octopus Server if it is configured with an exte
NOT-FOR-US: Octopus Server
CVE-2019-25042 (** DISPUTED ** Unbound before 1.9.5 allows an out-of-bounds write via ...)
{DLA-2652-1}
- - unbound 1.9.6-1
+ - unbound 1.9.6-1 (unimportant)
[stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
NOTE: https://github.com/NLnetLabs/unbound/commit/6c3a0b54ed8ace93d5b5ca7b8078dc87e75cd640
+ NOTE: Not deemed an exploitable vulnerability by upstream
CVE-2019-25041 (** DISPUTED ** Unbound before 1.9.5 allows an assertion failure via a ...)
{DLA-2652-1}
- - unbound 1.9.6-1
+ - unbound 1.9.6-1 (unimportant)
[stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
NOTE: https://github.com/NLnetLabs/unbound/commit/2d444a5037acff6024630b88092d9188f2f5d8fe
+ NOTE: Not deemed an exploitable vulnerability by upstream
CVE-2019-25040 (** DISPUTED ** Unbound before 1.9.5 allows an infinite loop via a comp ...)
{DLA-2652-1}
- - unbound 1.9.6-1
+ - unbound 1.9.6-1 (unimportant)
[stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
NOTE: https://github.com/NLnetLabs/unbound/commit/2d444a5037acff6024630b88092d9188f2f5d8fe
+ NOTE: Not deemed an exploitable vulnerability by upstream
CVE-2019-25039 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in a si ...)
{DLA-2652-1}
- - unbound 1.9.6-1
+ - unbound 1.9.6-1 (unimportant)
[stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
NOTE: https://github.com/NLnetLabs/unbound/commit/02080f6b180232f43b77f403d0c038e9360a460f
+ NOTE: Not deemed an exploitable vulnerability by upstream
CVE-2019-25038 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in a si ...)
{DLA-2652-1}
- - unbound 1.9.6-1
+ - unbound 1.9.6-1 (unimportant)
[stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
NOTE: https://github.com/NLnetLabs/unbound/commit/02080f6b180232f43b77f403d0c038e9360a460f
+ NOTE: Not deemed an exploitable vulnerability by upstream
CVE-2019-25037 (** DISPUTED ** Unbound before 1.9.5 allows an assertion failure and de ...)
{DLA-2652-1}
- - unbound 1.9.6-1
+ - unbound 1.9.6-1 (unimportant)
[stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
NOTE: https://github.com/NLnetLabs/unbound/commit/d2eb78e871153f22332d30c6647f3815148f21e5
+ NOTE: Not deemed an exploitable vulnerability by upstream
CVE-2019-25036 (** DISPUTED ** Unbound before 1.9.5 allows an assertion failure and de ...)
{DLA-2652-1}
- - unbound 1.9.6-1
+ - unbound 1.9.6-1 (unimportant)
[stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
NOTE: https://github.com/NLnetLabs/unbound/commit/f5e06689d193619c57c33270c83f5e40781a261d
+ NOTE: Not deemed an exploitable vulnerability by upstream
CVE-2019-25035 (** DISPUTED ** Unbound before 1.9.5 allows an out-of-bounds write in s ...)
{DLA-2652-1}
- - unbound 1.9.6-1
+ - unbound 1.9.6-1 (unimportant)
[stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
NOTE: https://github.com/NLnetLabs/unbound/commit/fa23ee8f31ba9a018c720ea822faaee639dc7a9c
+ NOTE: Not deemed an exploitable vulnerability by upstream
CVE-2019-25034 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in sldn ...)
{DLA-2652-1}
- - unbound 1.9.6-1
+ - unbound 1.9.6-1 (unimportant)
[stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
NOTE: https://github.com/NLnetLabs/unbound/commit/a3545867fcdec50307c776ce0af28d07046a52dd
+ NOTE: Not deemed an exploitable vulnerability by upstream
CVE-2019-25033 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in the ...)
{DLA-2652-1}
- - unbound 1.9.6-1
+ - unbound 1.9.6-1 (unimportant)
[stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
NOTE: https://github.com/NLnetLabs/unbound/commit/226298bbd36f1f0fd9608e98c2ae85988b7bbdb8
+ NOTE: Not deemed an exploitable vulnerability by upstream
CVE-2019-25032 (** DISPUTED ** Unbound before 1.9.5 allows an integer overflow in the ...)
{DLA-2652-1}
- - unbound 1.9.6-1
+ - unbound 1.9.6-1 (unimportant)
[stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
NOTE: https://github.com/NLnetLabs/unbound/commit/226298bbd36f1f0fd9608e98c2ae85988b7bbdb8
+ NOTE: Not deemed an exploitable vulnerability by upstream
CVE-2019-25031 (** DISPUTED ** Unbound before 1.9.5 allows configuration injection in ...)
{DLA-2652-1}
- - unbound 1.9.6-1
+ - unbound 1.9.6-1 (unimportant)
[stretch] - unbound <end-of-life> (No longer supported, see DSA 4694)
NOTE: https://github.com/NLnetLabs/unbound/commit/f887552763477a606a9608b0f6b498685e0f6587
+ NOTE: Not deemed an exploitable vulnerability by upstream
CVE-2021-3513
NOT-FOR-US: Keycloak
CVE-2021-31815 (GAEN (aka Google/Apple Exposure Notifications) through 2021-04-27 on A ...)
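Review bot: the twelve new "Not deemed an exploitable vulnerability by upstream" NOTE lines give no reference for the upstream position; each entry already links the fixing commit, so add a link to the upstream statement (issue, advisory or mailing-list post) next to the NOTE so a later triager can verify why the severity is now "unimportant" instead of re-deriving it from the "** DISPUTED **" tag in the CVE text. Also worth a second look in a block this uniform: CVE-2019-25041 and CVE-2019-25040 cite the same commit (2d444a50...), as do CVE-2019-25039/CVE-2019-25038 (02080f6b...) and CVE-2019-25033/CVE-2019-25032 (226298bb...); shared fixes are plausible, but a copy-paste slip would look identical.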
@@ -40233,10 +40245,11 @@ CVE-2021-20305 (A flaw was found in Nettle in versions before 3.7.2, where sever
NOTE: https://git.lysator.liu.se/nettle/nettle/-/commit/63f222c60b03470c0005aa9bc4296fbf585f68b9
CVE-2021-20304 [Undefined-shift in Imf_2_5::hufDecode]
RESERVED
- - openexr 2.5.4-1
+ - openexr 2.5.4-1 (unimportant)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26229
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/51a92d67f53c08230734e74564c807043cbfe41e
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/849
+ NOTE: Negligible security impact
CVE-2021-20303 [Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer]
RESERVED
- openexr 2.5.4-1
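Review bot: the new "Negligible security impact" NOTE on CVE-2021-20304 states a conclusion without the reason; the entry is an undefined shift in Imf_2_5::hufDecode, so one clause on why it has no memory-safety consequence (or a pointer to where oss-fuzz issue 26229 or PR 849 says so) would make the "unimportant" severity reproducible. CVE-2021-20303 (heap-buffer-overflow in copyIntoFrameBuffer) is left untouched here, which is correct, but it still has no [buster] decision.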
@@ -40245,6 +40258,7 @@ CVE-2021-20303 [Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer]
CVE-2021-20302 [Floating-point-exception in Imf_2_5::precalculateTileInfot]
RESERVED
- openexr 2.5.4-1
+ [buster] - openexr <ignored> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25894
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/842
CVE-2021-20301
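Review bot: CVE-2021-20302 is marked "[buster] - openexr <ignored> (Minor issue)" while CVE-2019-18848 later in this same commit gets "<no-dsa> (Minor issue)" with the identical rationale; <ignored> rules out a buster fix whereas <no-dsa> leaves a point-release update possible, so confirm <ignored> is intended here. The entry carries only the PR link and no 2.5.x backport commit, unlike the entries below, which may be the reason; if so, a word to that effect in the parenthesis would help.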
@@ -40253,14 +40267,17 @@ CVE-2021-20300 [Integer-overflow in Imf_2_5::hufUncompress]
RESERVED
- openexr 2.5.4-1
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25562
- NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/ed560b8a932c78d5e8e5990ce36fe7808b35d9f0
+ NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/ed560b8a932c78d5e8e5990ce36fe7808b35d9f0 (master)
+ NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/4212416433a230334cef0ac122cb8d722746035d (2.5.x)
CVE-2021-20299
RESERVED
CVE-2021-20298 [Out-of-memory in B44Compressor]
RESERVED
- openexr 2.5.4-1
+ [buster] - openexr <ignored> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913
- NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97
+ NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97 (master)
+ NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/0c2b46f630a3b5f2f561c2849d047ee39f899179 (2.5.x)
CVE-2021-20297 (A flaw was found in NetworkManager in versions before 1.30.0. Setting ...)
- network-manager 1.30.0-2 (bug #986809)
[buster] - network-manager <not-affected> (Vulnerable code introduced later)
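Review bot: CVE-2021-20300 now records both the master and 2.5.x fix commits but still has no [buster] line, while CVE-2021-20298 in the same hunk gets "<ignored> (Minor issue)" alongside its 2.5.x commit; if the buster decision for CVE-2021-20300 is still pending that is fine, otherwise add the marker so the two neighbouring entries are not left in different states. Labelling the commits "(master)" and "(2.5.x)" is a useful convention; CVE-2021-20302 above would benefit from the same treatment if a branch commit exists.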
@@ -119410,6 +119427,7 @@ CVE-2019-18849 (In tnef before 1.4.18, an attacker may be able to write to the v
CVE-2019-18848 (The json-jwt gem before 1.11.0 for Ruby lacks an element count during ...)
{DLA-2390-1}
- ruby-json-jwt 1.11.0-1 (bug #944850)
+ [buster] - ruby-json-jwt <no-dsa> (Minor issue)
NOTE: https://github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a
CVE-2019-18847 (Enterprise Access Client Auto-Updater allows for Remote Code Execution ...)
NOT-FOR-US: Akamai / Enterprise Access Client Auto-Updater
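Review bot: "[buster] - ruby-json-jwt <no-dsa> (Minor issue)" is consistent with the entry already carrying {DLA-2390-1} for stretch and a single upstream commit, so a buster fix can still land via a point release; nothing to change, but bug #944850 is the natural place to track that so the <no-dsa> marker does not silently become a permanent state.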
=====================================
data/dsa-needed.txt
=====================================
@@ -34,12 +34,16 @@ puppetdb (jmm)
--
python-pysaml2 (jmm)
--
+rabbitmq-server
+--
runc
--
salt
--
thunderbird (jmm)
--
+tomcat9
+--
trafficserver (jmm)
--
varnish
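Review bot: rabbitmq-server and tomcat9 are added to dsa-needed.txt without a claimant, in line with runc, salt and varnish, while the author's own entries carry "(jmm)"; if these are meant to be picked up by someone else that is fine, otherwise add the tag. Nothing in the hunk says which CVEs prompted the additions; data/CVE/list remains the source of truth, but a short note under each entry would save whoever claims them a search.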
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dcc0b4c02d8b83d691f2695f075626e822b8e2e