[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff jmm at debian.org
Sat Mar 6 20:06:55 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2fb33b95 by Moritz Muehlenhoff at 2021-03-06T21:06:43+01:00
bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1802,6 +1802,7 @@ CVE-2021-27212 (In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an asse
 	NOTE: REL_ENG 2.4.x: https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30
 CVE-2021-27211 (steghide 0.5.1 relies on a certain 32-bit seed value, which makes it e ...)
 	- steghide <unfixed> (bug #983267)
+	[bullseye] - steghide <no-dsa> (Minor issue)
 	[buster] - steghide <no-dsa> (Minor issue)
 	[stretch] - steghide <postponed> (Minor issue; can be fixed in next DLA)
 	NOTE: https://github.com/b4shfire/stegcrack
@@ -15325,6 +15326,8 @@ CVE-2019-25011 (NetBox through 2.6.2 allows an Authenticated User to conduct an
 	NOT-FOR-US: NetBox
 CVE-2019-25010 (An issue was discovered in the failure crate through 2019-11-13 for Ru ...)
 	- rust-failure <unfixed>
+	[bullseye] - rust-failure <no-dsa> (Minor issue, unmaintained/deprecated upstream)
+	[buster] - rust-failure <no-dsa> (Minor issue, unmaintained/deprecated upstream)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0036.html
 CVE-2019-25009 (An issue was discovered in the http crate before 0.1.20 for Rust. The  ...)
 	- rust-http <unfixed>
@@ -36334,6 +36337,7 @@ CVE-2020-25574 (An issue was discovered in the http crate before 0.1.20 for Rust
 	NOTE: https://github.com/hyperium/http/issues/352
 CVE-2020-25575 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in the failure ...)
 	- rust-failure <unfixed> (bug #969839; low)
+	[bullseye] - rust-failure <ignored> (Minor issue; unmaintained upstream)
 	[buster] - rust-failure <ignored> (Minor issue; unmaintained upstream)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0036.html
 	NOTE: https://github.com/rust-lang-nursery/failure/issues/336
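Review bot: the bullseye marking added here, `+	[bullseye] - rust-failure <ignored> (Minor issue; unmaintained upstream)`, uses `<ignored>` while the bullseye/buster lines added for the same crate under CVE-2019-25010 in the hunk above use `<no-dsa>` with an equivalent rationale (`Minor issue, unmaintained/deprecated upstream`); since both entries point at the package being unmaintained upstream, either use one tag for both CVEs or record in the rationale what distinguishes them. The separator also differs between the two (semicolon here, comma there).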
@@ -74204,6 +74208,7 @@ CVE-2020-9490 (Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted
 	NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2030
 CVE-2020-9489 (A carefully crafted or corrupt file may trigger a System.exit in Tika' ...)
 	- tika <unfixed>
+	[bullseye] - tika <no-dsa> (Minor issue)
 	[buster] - tika <no-dsa> (Minor issue)
 	[jessie] - tika <ignored> (the fix is too invasive to backport)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/04/24/1
@@ -92712,11 +92717,9 @@ CVE-2019-19650 (Zoho ManageEngine Applications Manager before 13640 allows a rem
 CVE-2019-19649 (Zoho ManageEngine Applications Manager before 13620 allows a remote un ...)
 	NOT-FOR-US: Zoho ManageEngine Applications Manager
 CVE-2019-19648 (In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, ...)
-	- yara <unfixed>
-	[buster] - yara <no-dsa> (Minor issue)
-	[stretch] - yara <no-dsa> (Minor issue)
-	[jessie] - yara <no-dsa> (Minor issue)
+	- yara <unfixed> (unimportant)
 	NOTE: https://github.com/VirusTotal/yara/issues/1178
+	NOTE: Negligible security impact
 CVE-2019-19647 (radare2 through 4.0.0 lacks validation of the content variable in the  ...)
 	- radare2 4.2.1+dfsg-1 (bug #947402)
 	[jessie] - radare2 <no-dsa> (Minor issue)
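Review bot: the added `+	NOTE: Negligible security impact` gives the conclusion of the downgrade to `(unimportant)` but not its reasoning, while the same hunk drops the buster, stretch and jessie `<no-dsa>` lines; a short note on why the macho_parse_file issue has no meaningful impact (beyond the upstream issue link already recorded) would let a later triager verify the change instead of re-deriving it. Dropping the per-release lines is itself consistent with marking the package `(unimportant)`.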
@@ -170375,6 +170378,7 @@ CVE-2018-14029 (CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6.
 	NOT-FOR-US: Creatiwity wityCMS
 CVE-2018-14028 (In WordPress 4.9.7, plugins uploaded via the admin area are not verifi ...)
 	- wordpress <unfixed> (bug #906565)
+	[bullseye] - wordpress <postponed> (Minor issue, revisit when fixed upstream)
 	[buster] - wordpress <postponed> (Minor issue, revisit when fixed upstream)
 	[stretch] - wordpress <postponed> (Minor issue, no sanctioned patch)
 	[jessie] - wordpress <postponed> (Minor issue, no sanctioned patch)
@@ -214816,6 +214820,7 @@ CVE-2017-15638 (The SuSEfirewall2 package before 3.6.312-2.13.1 in SUSE Linux En
 	NOT-FOR-US: SuSEfirewall2 in SUSE
 CVE-2012-6707 (WordPress through 4.8.2 uses a weak MD5-based password hashing algorit ...)
 	- wordpress <unfixed> (bug #880868)
+	[bullseye] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
 	[buster] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
 	[stretch] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
 	[jessie] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
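Review bot: the new bullseye line reproduces the ungrammatical phrase `can be revisited with upstream has picked a new hashing solution` from the existing buster, stretch and jessie entries; since this wording now appears four times, consider changing it to `can be revisited once upstream has picked a new hashing solution` in all four lines in a follow-up commit.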
@@ -228503,6 +228508,7 @@ CVE-2017-1000048 (the web framework using ljharb's qs module older than v6.3.2,
 	NOT-FOR-US: ljharb
 CVE-2017-1000047 (rbenv (all current versions) is vulnerable to Directory Traversal in t ...)
 	- rbenv <unfixed> (bug #869702)
+	[bullseye] - rbenv <no-dsa> (Minor issue)
 	[buster] - rbenv <no-dsa> (Minor issue)
 	[stretch] - rbenv <no-dsa> (Minor issue)
 	[jessie] - rbenv <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fb33b950924855489cd84a17b0da335cf6178f3
