[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Wed Mar 10 19:30:17 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6b2a2a7d by Moritz Muehlenhoff at 2021-03-10T20:30:04+01:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1671,6 +1671,7 @@ CVE-2021-27379 (An issue was discovered in Xen through 4.11.x, allowing x86 Inte
 	NOTE: containing broken backport for XSA-321 / CVE-2020-15565
 CVE-2021-27378 (An issue was discovered in the rand_core crate before 0.6.2 for Rust.  ...)
 	- rust-rand-core <unfixed>
+	[buster] - rust-rand-core <ignored> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0023.html
 CVE-2021-27377 (An issue was discovered in the yottadb crate before 1.2.0 for Rust. Fo ...)
 	NOT-FOR-US: Rust crate yottadb
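Review bot: the new `[buster] - rust-rand-core <ignored> (Minor issue)` line pairs the permanent `<ignored>` tag with the same "Minor issue" wording that the rest of this commit attaches to `<no-dsa>` (rust-crossbeam-channel, rust-net2), and the sid line above it is still `<unfixed>` without a `(bug #...)` reference. If buster is never going to receive this fix, the reason should say what makes rand_core unfixable there; otherwise `<no-dsa>` keeps a point-release upload possible and matches the other Rust crate entries.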
@@ -1735,6 +1736,7 @@ CVE-2021-27352
 	RESERVED
 CVE-2021-27351 (The Terminate Session feature in the Telegram application through 7.2. ...)
 	- telegram-desktop 2.5.8+ds-1
+	[buster] - telegram-desktop <ignored> (Minor issue)
 	NOTE: https://0ffsecninja.github.io/Telegram:CVE-2021-2735.html
 CVE-2021-27350
 	RESERVED
@@ -2045,6 +2047,7 @@ CVE-2021-3411 (A flaw was found in the Linux kernel in versions prior to 5.10. A
 CVE-2021-3410 (A flaw was found in libcaca v0.99.beta19. A buffer overflow issue in c ...)
 	{DLA-2584-1}
 	- libcaca <unfixed> (bug #983686)
+	[buster] - libcaca <no-dsa> (Minor issue)
 	NOTE: https://github.com/cacalabs/libcaca/issues/52
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1928437
 	NOTE: https://github.com/cacalabs/libcaca/commit/46b4ea7cea72d6b3ffe65d33e604b1774dcc2bbd
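Review bot: `[buster] - libcaca <no-dsa> (Minor issue)` sits next to `{DLA-2584-1}`, so stretch already received an LTS update for this buffer overflow while sid is still `<unfixed>` (bug #983686) and buster is now marked minor. With a fixing upstream commit already linked in the NOTE lines, the reason would be more useful if it said whether the fix is expected through a buster point release, since otherwise buster becomes the one supported release without it.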
@@ -2728,12 +2731,14 @@ CVE-2021-26907
 	RESERVED
 CVE-2021-26906 (An issue was discovered in res_pjsip_session.c in Digium Asterisk thro ...)
 	- asterisk 1:16.16.1~dfsg-1 (bug #983159)
+	[buster] - asterisk <postponed> (Minor issue)
 	[stretch] - asterisk <no-dsa> (Minor issue)
 	NOTE: https://downloads.asterisk.org/pub/security/AST-2021-005.html
 	NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-29196
 CVE-2021-3402
 	RESERVED
 	- yara 4.0.4-1
+	[buster] - yara <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/01/29/2
 	NOTE: https://www.x41-dsec.de/lab/advisories/x41-2021-001-yara/
 CVE-2021-26905 (1Password SCIM Bridge before 1.6.2 mishandles validation of authentica ...)
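Review bot: `[buster] - asterisk <postponed> (Minor issue)` for CVE-2021-26906 uses `<postponed>`, which signals that a fix is intended in a later DSA, but the reason only says "Minor issue"; it would read better if it named what the update is waiting on, as the qemu entry in this same commit does with `<postponed> (Fix along in future update)`. The yara line in the same hunk uses `<no-dsa>` with the identical reason, which is the tag that actually corresponds to "Minor issue", so the two should probably not share the wording unless they share the intent.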
@@ -6776,18 +6781,22 @@ CVE-2021-25294 (OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activ
 CVE-2021-25293
 	RESERVED
 	- pillow 8.1.1-1
+	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
 CVE-2021-25292
 	RESERVED
 	- pillow 8.1.1-1
+	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
 CVE-2021-25291
 	RESERVED
 	- pillow 8.1.1-1
+	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
 CVE-2021-25290
 	RESERVED
 	- pillow 8.1.1-1
+	[buster] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
 CVE-2021-25289
 	RESERVED
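Review bot: the four pillow CVEs (CVE-2021-25290 through CVE-2021-25293) each receive an identical `[buster] - pillow <no-dsa> (Minor issue)` line and all point at the same 8.1.1 release notes, so they are fixed together upstream; a single note on whether the batch is planned for a buster point release would help, because four separate `<no-dsa>` lines read as four independent decisions rather than one decision about one upstream release.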
@@ -15121,6 +15130,7 @@ CVE-2020-36050
 	RESERVED
 CVE-2020-36049 (socket.io-parser before 3.4.1 allows attackers to cause a denial of se ...)
 	- node-socket.io-parser 3.4.1-1
+	[buster] - node-socket.io-parser <no-dsa> (Minor issue)
 	NOTE: https://blog.caller.xyz/socketio-engineio-dos/
 	NOTE: https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55
 CVE-2020-36048 (Engine.IO before 4.0.0 allows attackers to cause a denial of service ( ...)
@@ -15461,6 +15471,7 @@ CVE-2020-35905 (An issue was discovered in the futures-util crate before 0.3.7 f
 	NOT-FOR-US: futures-util rust crate
 CVE-2020-35904 (An issue was discovered in the crossbeam-channel crate before 0.4.4 fo ...)
 	- rust-crossbeam-channel 0.4.4-1
+	[buster] - rust-crossbeam-channel <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0052.html
 	NOTE: https://github.com/crossbeam-rs/crossbeam/pull/533
 CVE-2020-35903 (An issue was discovered in the dync crate before 0.5.0 for Rust. VecCo ...)
@@ -15874,6 +15885,7 @@ CVE-2020-35777 (NETGEAR DGN2200v1 devices before v1.0.0.58 are affected by comma
 	NOT-FOR-US: Netgear
 CVE-2020-35776 (A buffer overflow in res_pjsip_diversion.c in Sangoma Asterisk version ...)
 	- asterisk 1:16.16.1~dfsg-1 (bug #983158)
+	[buster] - asterisk <postponed> (Minor issue)
 	[stretch] - asterisk <no-dsa> (Minor issue)
 	NOTE: https://downloads.asterisk.org/pub/security/AST-2021-001.html
 	NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-29227
@@ -19168,6 +19180,7 @@ CVE-2021-20231
 	RESERVED
 CVE-2021-20230 (A flaw was found in stunnel before 5.57, where it improperly validates ...)
 	- stunnel4 3:5.56+dfsg-8 (bug #982578)
+	[buster] - stunnel4 <no-dsa> (Minor issue)
 	[stretch] - stunnel4 <not-affected> (Re-ordering of redirect/accept/reject checks performed in stunnel 5.41b8)
 	NOTE: https://github.com/mtrojnar/stunnel/commit/ebad9ddc4efb2635f37174c9d800d06206f1edf9
 	NOTE: Isolated fix only the changes in src/verify.c:
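Review bot: for `[buster] - stunnel4 <no-dsa> (Minor issue)` on CVE-2021-20230, the surrounding NOTE lines already isolate the upstream fix to the changes in `src/verify.c`, and stretch carries a precise `<not-affected>` reason; the buster rationale is the weakest of the three release lines. If the isolated change is small enough to identify, the reason should say why it is still not worth a DSA or point-release upload, otherwise a reader cannot tell whether "Minor issue" refers to impact or to the effort of backporting.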
@@ -22546,10 +22559,12 @@ CVE-2020-29607 (A file upload restriction bypass vulnerability in Pluck CMS befo
 	NOT-FOR-US: Pluck CMS
 CVE-2020-35921 (An issue was discovered in the miow crate before 0.3.6 for Rust. It ha ...)
 	- rust-miow 0.3.6-1 (bug #976871)
+	[buster] - rust-miow <ignored> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0080.html
 	NOTE: https://github.com/yoshuawuyts/miow/issues/38
 CVE-2020-35919 (An issue was discovered in the net2 crate before 0.2.36 for Rust. It h ...)
 	- rust-net2 0.2.37-1 (bug #976870)
+	[buster] - rust-net2 <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0078.html
 	NOTE: https://github.com/deprecrated/net2-rs/issues/105
 CVE-2020-35916 (An issue was discovered in the image crate before 0.23.12 for Rust. A  ...)
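Review bot: inconsistent tags for the same rationale: `[buster] - rust-miow <ignored> (Minor issue)` versus `[buster] - rust-net2 <no-dsa> (Minor issue)` two entries later. Both are Rust crates with RUSTSEC advisories, both have bugs filed (#976871 and #976870) and both are fixed in sid, yet `<ignored>` closes the buster question permanently while `<no-dsa>` leaves a point-release fix open. Either align the two tags or state in the miow reason what makes it not worth fixing in buster at all.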
@@ -29744,7 +29759,10 @@ CVE-2020-27840
 CVE-2020-27839
 	RESERVED
 	- ceph <unfixed>
+	[buster] - ceph <no-dsa> (Minor issue)
 	NOTE: https://tracker.ceph.com/issues/44591
+	NOTE: https://github.com/ceph/ceph/pull/38259
+	NOTE: https://github.com/ceph/ceph/commit/23f2604d6f9ac16779b4ac43aab6e4e434f2e8ec
 CVE-2020-27838 (A flaw was found in keycloak in versions prior to 13.0.0. The client r ...)
 	NOT-FOR-US: Keycloak
 CVE-2020-27837 (A flaw was found in GDM in versions prior to 3.38.2.1. A race conditio ...)
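Review bot: with the fixing PR and commit now recorded in the two added NOTE lines for CVE-2020-27839, the `- ceph <unfixed>` line still carries no `(bug #...)` reference, unlike most other entries in this diff; filing the bug against the sid package (or noting why none is needed) keeps the fix reference actionable once buster is triaged `<no-dsa>` and nobody is otherwise tracking the unfixed sid package.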
@@ -29826,6 +29844,7 @@ CVE-2020-27822 (A flaw was found in Wildfly affecting versions 19.0.0.Final, 19.
 	- wildfly <itp> (bug #752018)
 CVE-2020-27821 (A flaw was found in the memory management API of QEMU during the initi ...)
 	- qemu 1:5.2+dfsg-3 (bug #977616)
+	[buster] - qemu <postponed> (Fix along in future update)
 	[stretch] - qemu <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1902651
 	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=4bfb024bc76973d40a359476dc0291f46e435442
@@ -31447,6 +31466,7 @@ CVE-2020-27353
 CVE-2020-27352
 	RESERVED
 	- snapd 2.49-1
+	[buster] - snapd <no-dsa> (Minor issue)
 	[stretch] - snapd <no-dsa> (Minor issue)
 	NOTE: https://ubuntu.com/security/notices/USN-4728-1
 	NOTE: https://github.com/docker-snap/docker-snap/security/advisories/GHSA-798c-v3jq-h646
@@ -36842,6 +36862,7 @@ CVE-2020-25086 (Ecommerce-CodeIgniter-Bootstrap before 2020-08-03 allows XSS in
 CVE-2021-3409 [sdhci: incomplete fix for CVE-2020-17380/CVE-2020-25085]
 	RESERVED
 	- qemu <unfixed>
+	[buster] - qemu <not-affected> (CVE-2020-17380/CVE-2020-25085 weren't backported to Buster)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1928146
 	NOTE: https://www.openwall.com/lists/oss-security/2021/03/09/1
 	NOTE: New patch series: https://lists.nongnu.org/archive/html/qemu-devel/2021-03/msg00949.html
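Review bot: `[buster] - qemu <not-affected> (CVE-2020-17380/CVE-2020-25085 weren't backported to Buster)` is correct only as long as those two earlier sdhci fixes stay out of buster. Since CVE-2021-3409 is by its own description an incomplete fix for them, and the NOTE already points at a new upstream patch series, a buster qemu update that later picks up the sdhci patches would have to take the complete series rather than the original fix; a NOTE stating that condition would stop the `<not-affected>` line from being read as final.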
@@ -38382,6 +38403,7 @@ CVE-2020-24393 (TweetStream 2.6.1 uses the library eventmachine in an insecure w
 	NOT-FOR-US: TweetStream
 CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname validation allow ...)
 	- ruby-twitter-stream <unfixed>
+	[buster] - ruby-twitter-stream <no-dsa> (Minor issue)
 	[stretch] - ruby-twitter-stream <no-dsa> (Minor issue)
 	NOTE: https://securitylab.github.com/advisories/GHSL-2020-097-voloko-twitter-stream
 CVE-2020-24391
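Review bot: `[buster] - ruby-twitter-stream <no-dsa> (Minor issue)` is added for a missing TLS hostname validation issue (CVE-2020-24392) while the sid line stays `<unfixed>` with no bug number and stretch already has the same `<no-dsa>` tag; the result is a package with the issue open in every release and nothing tracking it. A `(bug #...)` reference on the sid line would keep the fix outstanding somewhere, and the "Minor issue" reason would benefit from a word on why hostname validation is considered minor for this package.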
@@ -59981,12 +60003,14 @@ CVE-2020-14410 (SDL (Simple DirectMedia Layer) through 2.0.12 has a heap-based b
 	{DLA-2536-1}
 	- libsdl1.2 <not-affected> (Only affects SDL2)
 	- libsdl2 2.0.14+dfsg2-2
+	[buster] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=5200
 	NOTE: https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9
 CVE-2020-14409 (SDL (Simple DirectMedia Layer) through 2.0.12 has an Integer Overflow  ...)
 	{DLA-2536-1}
 	- libsdl1.2 <undetermined>
 	- libsdl2 2.0.14+dfsg2-2
+	[buster] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=5200
 	NOTE: https://hg.libsdl.org/SDL/rev/3f9b4e92c1d9
 	TODO: check libsdl1.2
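Review bot: both SDL entries (CVE-2020-14410 and CVE-2020-14409) gain `[buster] - libsdl2 <no-dsa> (Minor issue)`, but the context for CVE-2020-14409 still shows `- libsdl1.2 <undetermined>` and an open `TODO: check libsdl1.2`, whereas CVE-2020-14410 has a settled `libsdl1.2 <not-affected> (Only affects SDL2)`. The buster triage in this hunk is complete only for libsdl2; the libsdl1.2 status for CVE-2020-14409 should either be resolved in the same pass or kept visibly open so the finished-looking buster line does not hide the remaining question.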
@@ -105695,6 +105719,7 @@ CVE-2019-16884 (runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and
 	[buster] - runc <no-dsa> (Minor issue)
 	[stretch] - runc <no-dsa> (Minor issue)
 	- golang-github-opencontainers-selinux 1.3.0-2 (bug #942027)
+	[buster] - golang-github-opencontainers-selinux <no-dsa> (Minor issue)
 	NOTE: https://github.com/opencontainers/runc/issues/2128
 CVE-2019-16883
 	RESERVED


=====================================
data/dsa-needed.txt
=====================================
@@ -26,5 +26,14 @@ linux (carnil)
 netty
   Markus Koschany possibly can prepare update
 --
+openjpeg2 (jmm)
+--
 python-pysaml2 (jmm)
 --
+salt
+--
+tomcat9
+--
+xen (jmm)
+  will be held back to sync with next kernel update
+--
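Review bot: of the four new dsa-needed entries (openjpeg2, salt, tomcat9, xen), salt and tomcat9 are added without an owner or a note, and none of the four packages appears in the data/CVE/list hunks of this commit, so the diff alone does not show which CVEs put them on the list. A short note per entry, as done for xen ("will be held back to sync with next kernel update") and the existing netty entry, or a pointer to the triggering CVE, would make the entries actionable for whoever claims them.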



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b2a2a7d3c1aa324fc39e59fe9c595d7f3e40bf8
