[Git][security-tracker-team/security-tracker][master] 7 commits: Triage isc-dhcp for stretch
Emilio Pozuelo Monfort (@pochu)
pochu at debian.org
Thu Jun 3 10:50:16 BST 2021
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker
Commits:
54f15c20 by Emilio Pozuelo Monfort at 2021-06-03T11:49:16+02:00
Triage isc-dhcp for stretch
- - - - -
06f7386f by Emilio Pozuelo Monfort at 2021-06-03T11:49:16+02:00
Triage lasso for stretch
- - - - -
990f138f by Emilio Pozuelo Monfort at 2021-06-03T11:49:16+02:00
Triage sogo for stretch
- - - - -
b23b93fa by Emilio Pozuelo Monfort at 2021-06-03T11:49:16+02:00
Triage libxstream-java for stretch
- - - - -
7b3bfb83 by Emilio Pozuelo Monfort at 2021-06-03T11:49:18+02:00
CVE-2021-3567/caribou n/a on stretch
The security issue is in combination with cinnamon-screensaver >= 4.2,
as with that the caribou crash can be used to bypass the screensaver.
- - - - -
b6841cca by Emilio Pozuelo Monfort at 2021-06-03T11:49:18+02:00
Triage caribou for stretch
- - - - -
2ce4ab29 by Emilio Pozuelo Monfort at 2021-06-03T11:49:18+02:00
Triage python-django for stretch
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -198,6 +198,7 @@ CVE-2021-3568
CVE-2021-3567
RESERVED
- caribou 0.4.21-7.1 (bug #980061)
+ [stretch] - caribou <not-affected> (Security impact only with cinnamon-screensaver >= 4.2)
NOTE: https://bugs.launchpad.net/ubuntu/+source/caribou/+bug/1912060
NOTE: https://gitlab.gnome.org/GNOME/caribou/-/merge_requests/3
NOTE: https://gitlab.gnome.org/GNOME/caribou/-/commit/d41c8e44b12222a290eaca16703406b113a630c6
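Review bot: the `<not-affected>` justification on the added `[stretch]` line names the condition (cinnamon-screensaver >= 4.2) but not the fact that makes it hold for stretch, i.e. which cinnamon-screensaver version stretch ships; add that version to the parenthetical so the tag can be verified from the tracker entry alone, since the actual impact (the caribou crash being usable to bypass the screensaver) is currently spelled out only in the commit message.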
=====================================
data/dla-needed.txt
=====================================
@@ -18,6 +18,9 @@ ansible
NOTE: 20210411: after that LTS. (apo)
NOTE: 20210426: https://people.debian.org/~apo/lts/ansible/
--
+caribou
+ NOTE: 20210603: no security impact, but important a11y impact introduced by DLA-2486-1 (pochu)
+--
ceph (Emilio)
NOTE: 20200707: Vulnerable to at least CVE-2018-14662. (lamby)
NOTE: 20200707: Some discussion regarding removal <https://lists.debian.org/debian-lts/2020/04/msg00019.html> (lamby)
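Review bot: the new caribou entry states "no security impact" yet adds the package to dla-needed.txt, which readers take as a list of pending security fixes; make the intended work explicit, e.g. `NOTE: 20210603: regression update for DLA-2486-1 needed (a11y breakage, no CVE) (pochu)`, so whoever claims the entry does not go looking for a CVE to fix. The surrounding `ceph (Emilio)` line shows the claimant convention; since the note is signed (pochu) but the entry is unclaimed, consider claiming it if you intend to do the regression update yourself.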
@@ -42,10 +45,20 @@ eterm (Utkarsh)
gpac (Thorsten Alteholz)
NOTE: 20210524: WIP
--
+isc-dhcp
+--
+lasso
+--
libwebp (Anton Gladky)
NOTE: 20210516: WIP
NOTE: 20210530: DLA will be released CW23/2021
--
+libxstream-java
+ NOTE: 20210603: upstream changed the default security framework to a whitelist,
+ NOTE: 20210603: we should consider checking rdeps and doing the same and announce
+ NOTE: 20210603: that the blocklist is no longer supported, see
+ NOTE: 20210603: https://lists.debian.org/debian-lts/2021/06/msg00001.html (pochu)
+--
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
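Review bot: the libxstream-java note mixes "whitelist" (first NOTE line) and "blocklist" (third NOTE line) for the two security-framework modes; use one consistent pair of terms (allowlist/blocklist) so the announcement drafted from this note is unambiguous about which mode becomes the default and which is no longer supported. Also, `isc-dhcp` and `lasso` are added with no NOTE at all, unlike every other entry in this hunk; a one-line NOTE naming the CVE(s) being triaged would give the next claimant the scope without having to reconstruct it from data/CVE/list.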
@@ -61,6 +74,8 @@ prosody (Anton Gladky)
NOTE: 20210519: at least the 10MB limit mentioned in CVE-2021-32918 is present
NOTE: 20210530: WIP
--
+python-django
+--
rxvt (Utkarsh)
--
ruby-actionpack-page-caching
@@ -111,6 +126,10 @@ shiro (Roberto C. Sánchez)
--
slapi-nis (Thorsten Alteholz)
--
+sogo
+ NOTE: 20210603: maybe mention in announcement the recommendation to invalidate user
+ NOTE: 20210603: sessions (see upstream blog). (pochu)
+--
squid3 (Abhijith PA)
NOTE: 20210523: not sure whether all CVEs realy affect Stretch
NOTE: 20210528: Looks like all CVEs affect stretch. (Ola)
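Review bot: "see upstream blog" in the sogo NOTE carries no URL, whereas the other notes in this file (the ansible and ceph entries in the earlier hunks, for instance) link their references; add the link so the DLA author can cite the session-invalidation recommendation directly and confirm it applies to the version in stretch before putting it in the announcement.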
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1ef4bbbdea4c24b2d499b224226320f3a15a14ad...2ce4ab29a45343dc870f3ccc98ffa3e947e8fc46