[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff
jmm at debian.org
Tue Mar 16 21:50:26 GMT 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
504892bc by Moritz Muehlenhoff at 2021-03-16T22:50:10+01:00
bullseye triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2259,6 +2259,7 @@ CVE-2021-27646 (Use After Free vulnerability in iscsi_snapshot_comm_core in Syno
NOT-FOR-US: Synology
CVE-2021-27645 (The nameserver caching daemon (nscd) in the GNU C Library (aka glibc o ...)
- glibc <unfixed> (bug #983479)
+ [bullseye] - glibc <no-dsa> (Minor issue)
[buster] - glibc <no-dsa> (Minor issue)
[stretch] - glibc <no-dsa> (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27462
@@ -2911,9 +2912,12 @@ CVE-2021-27353
CVE-2021-27352
RESERVED
CVE-2021-27351 (The Terminate Session feature in the Telegram application through 7.2. ...)
- - telegram-desktop <unfixed>
- [buster] - telegram-desktop <ignored> (Minor issue)
+ - telegram-desktop 2.6.1-1
+ [buster] - telegram-desktop <not-affected> (Vulnerable code not present)
NOTE: https://0ffsecninja.github.io/Telegram:CVE-2021-2735.html
+ NOTE: Probably fixed earlier than 2.6.1, but marking that fixed in absence of further details
+ NOTE: (maintainer reached out to upstream for confirmation that 2.6.1 is fixed and buster
+ NOTE: not affected)
CVE-2021-27350
RESERVED
CVE-2021-27349
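Review bot: the buster `<not-affected> (Vulnerable code not present)` tag and the fixed version `2.6.1-1` are both recorded as settled while the NOTE lines say the maintainer is still waiting for upstream to confirm exactly those two points. Until that answer arrives a `TODO:` line (for example `TODO: confirm with upstream that 2.6.1 is fixed and buster is not affected`) would keep the entry on the triage list instead of burying the uncertainty in a NOTE. Minor style point: the parenthetical is split across three NOTE lines, whereas every other NOTE in this diff is one self-contained line; one NOTE per sentence reads better. Also worth checking the reference URL in the unchanged context line: its path reads `CVE-2021-2735.html` while the entry is CVE-2021-27351, so the link may be missing a digit.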
@@ -5497,6 +5501,7 @@ CVE-2021-26273
RESERVED
CVE-2021-3326 (The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and ...)
- glibc <unfixed> (bug #981198)
+ [bullseye] - glibc <no-dsa> (Minor issue)
[buster] - glibc <no-dsa> (Minor issue)
[stretch] - glibc <no-dsa> (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=27256
@@ -20582,7 +20587,6 @@ CVE-2021-20201 [Client initiated renegotiation denial of service]
NOTE: https://gitlab.freedesktop.org/spice/spice/-/commit/ca5bbc5692e052159bce1a75f55dc60b36078749
NOTE: https://gitlab.freedesktop.org/spice/spice/-/commit/95a0cfac8a1c8eff50f05e65df945da3bb501fc9
NOTE: https://blog.qualys.com/product-tech/2011/10/31/tls-renegotiation-and-denial-of-service-attacks
- TODO: check details
CVE-2021-20200
RESERVED
NOTE: Red Hat duplicate assignment for CVE-2020-29369, should be rejected, contacted CNA
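Review bot: the `TODO: check details` line is dropped without recording what the check concluded. The two linked spice commits and the Qualys post are the only references left in the entry, so the next triager cannot tell which commit is the fix for the client-initiated renegotiation issue or why the check is considered done; a one-line NOTE with the outcome (naming the fixing commit, or stating that both are needed) would make the removal self-explanatory.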
@@ -31080,7 +31084,8 @@ CVE-2020-27821 (A flaw was found in the memory management API of QEMU during the
NOTE: Introduced by: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=48564041a73adbbff52834f9edbe3806fceefab7 (v3.0)
CVE-2020-27820 [use-after-free in nouveau kernel module]
RESERVED
- - linux <unfixed>
+ - linux <unfixed> (unimportant)
+ NOTE: No security impact, requires physical access to the computer
CVE-2020-27819 (An issue was discovered in libxls before and including 1.6.1 when read ...)
- r-cran-readxl <not-affected> (Embeds libxls, but not affected)
NOTE: https://github.com/libxls/libxls/issues/84
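Review bot: the justification `No security impact, requires physical access to the computer` mixes two different claims. If the use-after-free really has no security impact, who can reach the machine is irrelevant; if the point is that triggering it needs physical access, that is a severity argument about the attack surface, not an absence of impact. Rewording to the actual reason, e.g. `NOTE: Only triggerable with physical access to the machine, hence unimportant`, and adding a reference to the upstream report (the entry currently has no URL at all) would make the `<unfixed> (unimportant)` tag easier to revisit later.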
@@ -36643,18 +36648,26 @@ CVE-2020-25674 (WriteOnePNGImage() from coders/png.c (the PNG coder) has a for l
CVE-2020-25673
RESERVED
- linux <unfixed>
+ [bullseye] - linux <postponed> (Minor issue, revisit once fixed upstream)
+ [buster] - linux <postponed> (Minor issue, revisit once fixed upstream)
NOTE: https://www.openwall.com/lists/oss-security/2020/11/01/1
CVE-2020-25672
RESERVED
- linux <unfixed>
+ [bullseye] - linux <postponed> (Minor issue, revisit once fixed upstream)
+ [buster] - linux <postponed> (Minor issue, revisit once fixed upstream)
NOTE: https://www.openwall.com/lists/oss-security/2020/11/01/1
CVE-2020-25671
RESERVED
- linux <unfixed>
+ [bullseye] - linux <postponed> (Minor issue, revisit once fixed upstream)
+ [buster] - linux <postponed> (Minor issue, revisit once fixed upstream)
NOTE: https://www.openwall.com/lists/oss-security/2020/11/01/1
CVE-2020-25670
RESERVED
- linux <unfixed>
+ [bullseye] - linux <postponed> (Minor issue, revisit once fixed upstream)
+ [buster] - linux <postponed> (Minor issue, revisit once fixed upstream)
NOTE: https://www.openwall.com/lists/oss-security/2020/11/01/1
CVE-2020-25669
RESERVED
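Review bot: all four entries CVE-2020-25670 to CVE-2020-25673 receive identical `<postponed> (Minor issue, revisit once fixed upstream)` tags for bullseye and buster, but the only reference is the oss-security post and there is no `[stretch]` line, unlike the other entries touched in this commit. If stretch is deliberately left to the LTS team that is fine, otherwise the missing tag leaves stretch showing as open. It would also help to add the upstream patch or bugzilla link as a NOTE once known, since `revisit once fixed upstream` gives the next triager nothing concrete to check.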
@@ -67856,6 +67869,8 @@ CVE-2020-11988 (Apache XmlGraphics Commons 2.4 is vulnerable to server-side requ
NOTE: https://issues.apache.org/jira/browse/XGC-122
CVE-2020-11987 (Apache Batik 1.13 is vulnerable to server-side request forgery, caused ...)
- batik <unfixed> (bug #984829)
+ [bullseye] - batik <no-dsa> (Minor issue)
+ [buster] - batik <no-dsa> (Minor issue)
[stretch] - batik <no-dsa> (Minor issue)
NOTE: https://github.com/apache/xmlgraphics-batik/commit/0ef5b661a1f77772d1110877ea9e0287987098f6
CVE-2020-11986 (To be able to analyze gradle projects, the build scripts need to be ex ...)
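Review bot: the `(Minor issue)` rationale for bullseye and buster mirrors the existing stretch line, but for a server-side request forgery in a library that renders SVG input the reason it is considered minor for Debian is not recorded anywhere in the entry. The upstream fix commit is already linked, so a short NOTE stating the justification would let the no-dsa tags be re-evaluated if a networked consumer of batik turns up.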
@@ -96365,6 +96380,8 @@ CVE-2019-19450
RESERVED
CVE-2019-19449 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image c ...)
- linux <unfixed>
+ [bullseye] - linux <postponed> (Minor issue, revisit once fixed upstream)
+ [buster] - linux <postponed> (Minor issue, revisit once fixed upstream)
NOTE: https://github.com/bobfuzzer/CVE/tree/master/CVE-2019-19449
CVE-2019-19448 (In the Linux kernel 5.0.21 and 5.3.11, mounting a crafted btrfs filesy ...)
{DLA-2420-1 DLA-2385-1}
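Review bot: same pattern as the other postponed kernel entries in this commit: `revisit once fixed upstream` with only the fuzzer's reproducer repository as reference. The issue has been open since 2019, so a NOTE pointing at the upstream discussion or patch, or stating that no upstream fix exists yet, would give the postponed tag a concrete condition to check. The `{DLA-2420-1 DLA-2385-1}` context line belongs to CVE-2019-19448, not to this entry.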
@@ -187924,6 +187941,7 @@ CVE-2018-8003 (Apache Ambari, versions 1.4.0 to 2.6.1, is susceptible to a direc
NOT-FOR-US: Apache Ambari
CVE-2018-8002 (In PoDoFo 0.9.5, there exists an infinite loop vulnerability in PdfPar ...)
- libpodofo <unfixed> (low; bug #892557)
+ [bullseye] - libpodofo <no-dsa> (Minor issue)
[buster] - libpodofo <no-dsa> (Minor issue)
[stretch] - libpodofo <no-dsa> (Minor issue)
[jessie] - libpodofo <no-dsa> (Minor issue)
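Review bot: with this line every suite from jessie to bullseye carries `<no-dsa> (Minor issue)` while unstable stays `<unfixed> (low; bug #892557)`. The entry is internally consistent, but nothing in it says whether an upstream fix for the infinite loop exists; a NOTE linking the upstream report, or stating that no fix is available, would explain why the bug has stayed unfixed since 2018 and save re-examining the no-dsa tags on every triage pass.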
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/504892bcd782e14d75fcf409f32fbb8d51382ec8