[Git][security-tracker-team/security-tracker][master] glib2.0: stretch triage
Sylvain Beucler
beuc at debian.org
Fri Mar 19 15:03:09 GMT 2021
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
eaccec74 by Sylvain Beucler at 2021-03-19T16:02:54+01:00
glib2.0: stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1487,6 +1487,7 @@ CVE-2016-20009 (** UNSUPPORTED WHEN ASSIGNED ** A DNS client stack-based buffer
CVE-2021-28153 (An issue was discovered in GNOME GLib before 2.66.8. When g_file_repla ...)
- glib2.0 2.66.7-2 (bug #984969)
[buster] - glib2.0 <no-dsa> (Minor issue)
+ [stretch] - glib2.0 <postponed> (Minor issue, directory traversal exploitable in file-roller)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2325
CVE-2021-3435
RESERVED
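Review bot: the [stretch] justification on the added line works against itself. "Minor issue, directory traversal exploitable in file-roller" records a concrete exploitation path, which is normally what takes an issue out of the "minor" bucket, so the reason for still postponing it in stretch is not stated. Say why it rates postponement (for instance, whether the file-roller shipped in stretch actually reaches the affected GLib code path) so the next triager does not have to re-derive it; the bare "Minor issue" on the buster line two lines up would benefit from the same pointer.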
@@ -4528,10 +4529,15 @@ CVE-2021-21299 (hyper is an open-source HTTP library for Rust (crates.io). In hy
NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0020.html
CVE-2021-27218 (An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before ...)
- glib2.0 2.66.7-1 (bug #982779)
+ [stretch] - glib2.0 <postponed> (fix along with CVE-2021-27219)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942
+ NOTE: Test case depends on CVE-2021-27219 fix
CVE-2021-27219 (An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before ...)
- glib2.0 2.66.6-1 (bug #982778)
+ [stretch] - glib2.0 <postponed> (requires fixing vulnerable rdeps, follow buster strategy)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2319
+ NOTE: Fix introduces new API 'g_memdup2'
+ NOTE: Fix backport in 2.66.7 adds 'g_memdup2' for internal use but does not allow fixing reverse-dependencies using vulnerable 'g_memdup'
CVE-2021-26842
RESERVED
CVE-2021-26841
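Review bot: two things in the CVE-2021-27219 entry do not line up with the lines around them. The new [stretch] note says "follow buster strategy", but nothing visible here records what that strategy is; the NOTE below it only says the 2.66.7 backport keeps g_memdup2 internal and therefore does not let reverse dependencies stop using g_memdup. Spell the strategy out (or link the bug or merge request that records it) so the postponement condition can be checked later. Second, the NOTE says "Fix backport in 2.66.7" while the fixed version recorded for the package is 2.66.6-1 and the description says "before 2.66.6"; confirm which 2.66.x release introduced the internal g_memdup2 and make the two agree. The same applies to the CVE-2021-27218 note "Test case depends on CVE-2021-27219 fix": it would help to say whether that means the test needs the public g_memdup2 or just the internal one, since that decides whether the two can be fixed together in stretch.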
=====================================
data/dla-needed.txt
=====================================
@@ -48,8 +48,6 @@ dnsmasq
firmware-nonfree
NOTE: 20201207: wait for the update in buster and backport that (Emilio)
--
-glib2.0 (Sylvain Beucler)
---
golang-github-appc-cni (Thorsten Alteholz)
NOTE: 20210221: also taking care of reverse dependencies
NOTE: 20210221: also taking care of other suites
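Review bot: dropping the glib2.0 line is consistent with all three CVEs now carrying [stretch] <postponed> tags, but the postponement of CVE-2021-27219 is conditional on fixing the reverse dependencies that still call g_memdup, and nothing left in dla-needed.txt tracks that follow-up. Consider listing the affected reverse dependencies here, or adding a dated NOTE in the "20210221: also taking care of reverse dependencies" style used on the golang-github-appc-cni entry just below, so the condition is not lost once the glib2.0 line is gone.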
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eaccec74e3e0bfde1b77d50671053e3f3bc1dd4c