[Git][security-tracker-team/security-tracker][master] CVE-2021-2403{1,2}/libzstd assigned
Salvatore Bonaccorso
carnil at debian.org
Tue Mar 2 07:06:19 GMT 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d476a732 by Salvatore Bonaccorso at 2021-03-02T08:05:18+01:00
CVE-2021-2403{1,2}/libzstd assigned
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/DSA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2226,15 +2226,11 @@ CVE-2021-26910 (Firejail before 0.9.64.4 allows attackers to bypass intended acc
NOTE: Fix (disabled overlayfs): https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b
NOTE: https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt
NOTE: https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
-CVE-2021-XXXX [zstd allows for race-opening files being compressed or uncompressed]
+CVE-2021-24032 [zstd allows for race-opening files being compressed or uncompressed]
- libzstd 1.4.8+dfsg-2 (bug #982519)
- [buster] - libzstd 1.3.8+dfsg-3+deb10u2
- [stretch] - libzstd 1.1.2-1+deb9u1
NOTE: https://github.com/facebook/zstd/issues/2491
-CVE-2019-XXXX [zstd adds read permissions to files while being compressed or uncompressed]
+CVE-2021-24031 [zstd adds read permissions to files while being compressed or uncompressed]
- libzstd 1.4.8+dfsg-1 (bug #981404)
- [buster] - libzstd 1.3.8+dfsg-3+deb10u1
- [stretch] - libzstd 1.1.2-1+deb9u1
NOTE: https://github.com/facebook/zstd/issues/1630
CVE-2021-26852
RESERVED
@@ -8765,10 +8761,6 @@ CVE-2021-24034
RESERVED
CVE-2021-24033
RESERVED
-CVE-2021-24032
- RESERVED
-CVE-2021-24031
- RESERVED
CVE-2021-24030
RESERVED
CVE-2021-24029
=====================================
data/DLA/list
=====================================
@@ -14,6 +14,7 @@
{CVE-2021-27212}
[stretch] - openldap 2.4.44+dfsg-5+deb9u8
[20 Feb 2021] DLA-2573-1 libzstd - security update
+ {CVE-2021-24031 CVE-2021-24032}
[stretch] - libzstd 1.1.2-1+deb9u1
[20 Feb 2021] DLA-2572-1 wpa - security update
{CVE-2021-0326}
=====================================
data/DSA/list
=====================================
@@ -20,6 +20,7 @@
{CVE-2021-27212}
[buster] - openldap 2.4.47+dfsg-3+deb10u6
[20 Feb 2021] DSA-4859-1 libzstd - security update
+ {CVE-2021-24032}
[buster] - libzstd 1.3.8+dfsg-3+deb10u2
[19 Feb 2021] DSA-4858-1 chromium - security update
{CVE-2021-21148 CVE-2021-21149 CVE-2021-21150 CVE-2021-21151 CVE-2021-21152 CVE-2021-21153 CVE-2021-21154 CVE-2021-21155 CVE-2021-21156 CVE-2021-21157}
@@ -45,6 +46,7 @@
{CVE-2020-17525}
[buster] - subversion 1.10.4-1+deb10u2
[10 Feb 2021] DSA-4850-1 libzstd - security update
+ {CVE-2021-24031}
[buster] - libzstd 1.3.8+dfsg-3+deb10u1
[09 Feb 2021] DSA-4849-1 firejail - security update
{CVE-2021-26910}
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d476a73235fb12334b2d8fbae0421c31257a61f5
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d476a73235fb12334b2d8fbae0421c31257a61f5
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210302/6328fe75/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list