[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff
jmm at debian.org
Wed Mar 17 18:49:56 GMT 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b3e027e9 by Moritz Muehlenhoff at 2021-03-17T19:49:35+01:00
bullseye triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -20324,6 +20324,7 @@ CVE-2021-20258
CVE-2021-20257 [net: e1000: infinite loop while processing transmit descriptors]
RESERVED
- qemu <unfixed> (bug #984450)
+ [bullseye] - qemu <postponed> (Minor issue)
[buster] - qemu <postponed> (Minor issue)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg03595.html
CVE-2021-20256 (A flaw was found in Red Hat Satellite. The BMC interface exposes the p ...)
@@ -40503,6 +40504,7 @@ CVE-2020-24026
RESERVED
CVE-2020-24025 (Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when r ...)
- node-node-sass <unfixed>
+ [bullseye] - node-node-sass <ignored> (Minor issue)
NOTE: https://github.com/sass/node-sass/pull/567#issuecomment-656609236
CVE-2020-24024
RESERVED
@@ -61781,6 +61783,8 @@ CVE-2020-14305 (An out-of-bounds memory write flaw was found in how the Linux ke
NOTE: https://patchwork.ozlabs.org/project/netfilter-devel/patch/c2385b5c-309c-cc64-2e10-a0ef62897502@virtuozzo.com/
CVE-2020-14304 (A memory disclosure flaw was found in the Linux kernel's ethernet driv ...)
- linux <unfixed> (bug #960702)
+ [bullseye] - linux <ignored> (Minor issue)
+ [buster] - linux <ignored> (Minor issue)
CVE-2020-14303 (A flaw was found in the AD DC NBT server in all Samba versions before ...)
{DLA-2463-1}
- samba 2:4.12.5+dfsg-1
@@ -89460,6 +89464,7 @@ CVE-2020-4052 (In Wiki.js before 2.4.107, there is a stored cross-site scripting
NOT-FOR-US: Wiki.js
CVE-2020-4051 (In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 ...)
- dojo <unfixed> (bug #970000)
+ [bullseye] - dojo <no-dsa> (Minor issue)
[buster] - dojo <no-dsa> (Minor issue)
NOTE: https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6
CVE-2020-4045 (SSB-DB version 20.0.0 has an information disclosure vulnerability. The ...)
@@ -106852,11 +106857,13 @@ CVE-2019-16935 (The documentation XML-RPC server in Python through 2.7.16, 3.x t
[stretch] - python2.7 <no-dsa> (Minor issue)
[jessie] - python2.7 <ignored> (Minor Issue, XSS in an unlikely use-case)
- jython <unfixed>
+ [bullseye] - jython <ignored> (Minor Issue)
[buster] - jython <ignored> (Minor Issue)
[stretch] - jython <ignored> (Minor Issue)
[jessie] - jython <ignored> (Minor Issue, XSS in an unlikely use-case)
- pypy <unfixed> (low)
- [buster] - pypy <no-dsa> (Minor issue)
+ [bullseye] - pypy <ignored> (Minor issue)
+ [buster] - pypy <ignored> (Minor issue)
[stretch] - pypy <no-dsa> (Minor issue)
[jessie] - pypy <postponed> (Minor Issue, XSS in an unlikely use-case)
NOTE: https://bugs.python.org/issue38243
@@ -108434,6 +108441,7 @@ CVE-2019-16371 (LogMeIn LastPass before 4.33.0 allows attackers to construct a c
NOT-FOR-US: LogMeIn LastPass
CVE-2019-16370 (The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algori ...)
- gradle <unfixed> (low; bug #941186)
+ [bullseye] - gradle <ignored> (Minor issue)
[buster] - gradle <ignored> (Minor issue)
[stretch] - gradle <no-dsa> (Minor issue)
[jessie] - gradle <postponed> (Minor issue, old gradle mainly used for building Debian packages with apt signatures)
@@ -114292,6 +114300,7 @@ CVE-2019-14561
CVE-2019-14560 [GetEfiGlobalVariable2() return value not checked]
RESERVED
- edk2 <unfixed> (bug #967994)
+ [bullseye] - edk2 <no-dsa> (Minor issue)
[buster] - edk2 <no-dsa> (Minor issue)
[stretch] - edk2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2167
@@ -128130,6 +128139,7 @@ CVE-2019-10181 (It was found that in icedtea-web up to and including 1.7.2 and 1
NOTE: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/528cb8163b7053576a658b9602b5694b21957b0e (1.8)
CVE-2019-10180 (A vulnerability was found in all pki-core 10.x.x version, where the To ...)
- dogtag-pki <unfixed>
+ [bullseye] - dogtag-pki <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1721137
CVE-2019-10179 (A vulnerability was found in all pki-core 10.x.x versions, where the K ...)
- dogtag-pki 10.9.1-1
@@ -128138,6 +128148,7 @@ CVE-2019-10179 (A vulnerability was found in all pki-core 10.x.x versions, where
NOTE: https://github.com/dogtagpki/pki/commit/a93a65be0b1bcf94e004ba59c6a0c8a2c086936f (v10.9.0)
CVE-2019-10178 (It was found that the Token Processing Service (TPS) did not properly ...)
- dogtag-pki <unfixed>
+ [bullseye] - dogtag-pki <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1719042
CVE-2019-10177 (A stored cross-site scripting (XSS) vulnerability was found in the PDF ...)
NOT-FOR-US: Red Hat CloudForms
@@ -134310,12 +134321,13 @@ CVE-2019-8398 (An issue was discovered in the HDF HDF5 1.10.4 library. There is
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul6
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10710
CVE-2019-8397 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...)
- - hdf5 <unfixed>
+ - hdf5 <unfixed> (unimportant)
[buster] - hdf5 <no-dsa> (Minor issue)
[stretch] - hdf5 <no-dsa> (Minor issue)
[jessie] - hdf5 <ignored> (Minor issue)
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul5
NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10711
+ NOTE: Negligible security impact, malicous scientific data has more issues than a crash
CVE-2019-8396 (A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 ...)
- hdf5 <undetermined>
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul4
@@ -146728,7 +146740,7 @@ CVE-2018-20595 (A CSRF issue was discovered in web/authorization/oauth2/controll
CVE-2018-20594 (An issue was discovered in hsweb 3.0.4. It is a reflected XSS vulnerab ...)
NOT-FOR-US: hsweb
CVE-2018-20593 (In Mini-XML (aka mxml) v2.12, there is stack-based buffer overflow in ...)
- - mxml <unfixed> (low; bug #924353)
+ - mxml 3.0-1 (low; bug #924353)
[buster] - mxml <ignored> (Minor issue)
[stretch] - mxml <ignored> (Minor issue)
[jessie] - mxml <no-dsa> (Minor issue, only affects the mxmldoc tool)
@@ -146737,9 +146749,9 @@ CVE-2018-20593 (In Mini-XML (aka mxml) v2.12, there is stack-based buffer overfl
NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/so_mxmldoc.c:2987_1.txt
NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/so_mxmldoc.c:2987_1.txt.err (error output)
NOTE: https://github.com/michaelrsweet/mxml/issues/237
- NOTE: upstream tagged the issue with 'wontfix' and removed mxmldoc code completely
+ NOTE: upstream tagged the issue with 'wontfix' and removed mxmldoc code completely in 3.0, marking that version as fix
CVE-2018-20592 (In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd ...)
- - mxml <unfixed> (low; bug #924353)
+ - mxml 3.0-1 (low; bug #924353)
[buster] - mxml <ignored> (Minor issue)
[stretch] - mxml <ignored> (Minor issue)
[jessie] - mxml <no-dsa> (Minor issue, only affected the mxmldoc tool)
@@ -146748,7 +146760,7 @@ CVE-2018-20592 (In Mini-XML (aka mxml) v2.12, there is a use-after-free in the m
NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/uaf_mxml-node.c:128_2.txt
NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/uaf_mxml-node.c:128_2.txt.err (error output)
NOTE: https://github.com/michaelrsweet/mxml/issues/237
- NOTE: upstream tagged the issue with 'wontfix' and removed mxmldoc code completely
+ NOTE: upstream tagged the issue with 'wontfix' and removed mxmldoc code completely in 3.0, marking that version as fix
CVE-2018-20591 (A heap-based buffer over-read was discovered in decompileJUMP function ...)
- ming <removed>
NOTE: https://github.com/libming/libming/issues/168
@@ -162854,13 +162866,14 @@ CVE-2018-17433 (A heap-based buffer overflow in ReadGifImageDesc() in gifread.c
NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln8#heap-overflow-in-readgifimagedesc
NOTE: https://jira.hdfgroup.org/browse/HDFFV-10592
CVE-2018-17432 (A NULL pointer dereference in H5O_sdspace_encode() in H5Osdspace.c in ...)
- - hdf5 <unfixed>
+ - hdf5 <unfixed> (unimportant)
[buster] - hdf5 <no-dsa> (Minor issue)
[stretch] - hdf5 <no-dsa> (Minor issue)
[jessie] - hdf5 <ignored> (Minor issue)
NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln6#null-pointer-dereference-in-h5o_sdspace_encode
NOTE: upstream bug tracker (not public): https://jira.hdfgroup.org/browse/HDFFV-10590
NOTE: fix planned for HDF5-1.10.6 (will also be backported to HDF5-1.8)
+ NOTE: Negligible security impact, malicous scientific data has more issues than a crash
CVE-2018-17431 (Web Console in Comodo UTM Firewall before 2.7.0 allows remote attacker ...)
NOT-FOR-US: Comodo UTM
CVE-2018-17430
@@ -208709,12 +208722,14 @@ CVE-2018-1100 (zsh through version 5.4.2 is vulnerable to a stack-based buffer o
NOTE: https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/
CVE-2018-1099 (DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attack ...)
- etcd <unfixed> (low; bug #921156)
+ [bullseye] - etcd <no-dsa> (Minor issue)
[buster] - etcd <no-dsa> (Minor issue)
NOTE: https://github.com/coreos/etcd/issues/9353
NOTE: https://github.com/etcd-io/etcd/pull/9372
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1552717
CVE-2018-1098 (A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. ...)
- etcd <unfixed> (low; bug #921156)
+ [bullseye] - etcd <no-dsa> (Minor issue)
[buster] - etcd <no-dsa> (Minor issue)
NOTE: https://github.com/coreos/etcd/issues/9353
NOTE: https://github.com/etcd-io/etcd/pull/9372
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3e027e9334b6329f74fe33a67c2a0a5f2b93a43
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3e027e9334b6329f74fe33a67c2a0a5f2b93a43
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210317/52b157ee/attachment.htm>
More information about the debian-security-tracker-commits
mailing list