[Git][security-tracker-team/security-tracker][master] 4 commits: Triage CVE-2021-33516 in gupnp for stretch LTS.

Mon Jun 7 08:33:18 BST 2021


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
972b5182 by Chris Lamb at 2021-06-07T08:29:46+01:00
Triage CVE-2021-33516 in gupnp for stretch LTS.

- - - - -
79b29a8a by Chris Lamb at 2021-06-07T08:29:47+01:00
Triage CVE-2021-31855 in kf5-messagelib for stretch LTS.

- - - - -
12fea034 by Chris Lamb at 2021-06-07T08:29:47+01:00
Triage CVE-2021-33560 in libgcrypt20 for stretch LTS.

- - - - -
b8d1aa07 by Chris Lamb at 2021-06-07T08:33:02+01:00
data/dla-needed.txt: Triage ffmpeg for stretch LTS.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -767,6 +767,7 @@ CVE-2021-33560 [cipher: Fix ElGamal encryption for other implementations.]
 	RESERVED
 	- libgcrypt20 1.8.7-6
 	[buster] - libgcrypt20 <no-dsa> (Minor issue)
+	[stretch] - libgcrypt20 <no-dsa> (Minor issue)
 	NOTE: https://dev.gnupg.org/T5328 (not yet public)
 	NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320
 CVE-2021-33559
@@ -863,6 +864,7 @@ CVE-2021-33516 (An issue was discovered in GUPnP before 1.0.7 and 1.1.x and 1.2.
 	- gupnp <unfixed> (bug #989098)
 	[bullseye] - gupnp <no-dsa> (Minor issue)
 	[buster] - gupnp <no-dsa> (Minor issue)
+	[stretch] - gupnp <no-dsa> (Minor issue)
 	NOTE: https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536
 	NOTE: https://gitlab.gnome.org/GNOME/gupnp/-/issues/24
 CVE-2021-33515
@@ -4757,6 +4759,7 @@ CVE-2021-31856 (A SQL Injection vulnerability in the REST API in Layer5 Meshery
 CVE-2021-31855 (KDE Messagelib through 5.17.0 reveals cleartext of encrypted messages  ...)
 	- kf5-messagelib <unfixed> (bug #989438)
 	[buster] - kf5-messagelib <no-dsa> (Minor issue)
+	[stretch] - kf5-messagelib <no-dsa> (Minor issue)
 	- kdepim4 <removed>
 	NOTE: https://kde.org/info/security/advisory-20210429-1.txt
 	NOTE: https://commits.kde.org/messagelib/3b5b171e91ce78b966c98b1292a1bcbc8d984799


=====================================
data/dla-needed.txt
=====================================
@@ -40,6 +40,16 @@ eterm (Utkarsh)
   NOTE: 20210521: src/term.c:process_escape_seq(), probably just disable vulnerable escape sequence
   NOTE: 20210607: proposed a fix. (utkarsh)
 --
+ffmpeg
+  NOTE: 20210607: stretch was following the 3.2.x release line, but 3.2.15
+  NOTE: 20210607: (released 2020-07-02) was the last on this branch. There are
+  NOTE: 20210607: now 10+ ~new CVEs that nominally apply to the version in LTS,
+  NOTE: 20210607: so some investigation and insight is required to see which
+  NOTE: 20210607: apply and/or what we do with the version of ffmpeg in LTS
+  NOTE: 20210607: going forward. There is a 3.4.x release branch, for example,
+  NOTE: 20210607: but unclear on the compatibility as well as whether this one
+  NOTE: 20210607: won't just be dropped too, etc. etc. (lamby)
+--
 gpac (Thorsten Alteholz)
   NOTE: 20210607: WIP
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ceb3f1f6b739d921417b34188da274fc90957cc7...b8d1aa07dba71d47c772c8f7c52c24a70db7d442

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ceb3f1f6b739d921417b34188da274fc90957cc7...b8d1aa07dba71d47c772c8f7c52c24a70db7d442
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210607/efe87650/attachment.htm>
