[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff jmm at debian.org
Mon Mar 22 16:57:08 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
de235543 by Moritz Muehlenhoff at 2021-03-22T17:56:51+01:00
bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2408,6 +2408,7 @@ CVE-2021-27918 (encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an
 	NOTE: https://github.com/golang/go/issues/44913
 CVE-2021-3420 (A flaw was found in newlib in versions prior to 4.0.0. Improper overfl ...)
 	- newlib <unfixed> (bug #984446)
+	[bullseye] - newlib <no-dsa> (Minor issue)
 	[buster] - newlib <no-dsa> (Minor issue)
 	[stretch] - newlib <no-dsa> (Minor issue)
 	- picolibc 1.5-1
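Review bot: the new [bullseye] no-dsa line for newlib only defers a DSA; the sid entry is still <unfixed> (bug #984446). Since picolibc, tracked under the same CVE directly below, is already recorded as fixed in 1.5-1, the change that went into picolibc is the natural reference for the newlib upload, and a NOTE pointing at it would make the deferred fix easier to pick up.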
@@ -21377,6 +21378,7 @@ CVE-2021-20197
 CVE-2021-20196 [block: fdc: null pointer dereference may lead to guest crash]
 	RESERVED
 	- qemu <unfixed> (bug #984453)
+	[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
 	[buster] - qemu <postponed> (Fix along in future DSA)
 	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1919210
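Review bot: the bullseye reason text "revisit when fixed upstream" has nothing to revisit against; the only NOTE for CVE-2021-20196 is the Red Hat bugzilla and no upstream qemu commit or bug is referenced. Add the upstream reference as a NOTE once it exists so the <postponed> tag can be actioned, and consider whether the wording should match the buster/stretch lines ("Fix along in future DSA") so all three suites are revisited together.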
@@ -21405,6 +21407,7 @@ CVE-2021-20191
 	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1916813
 	NOTE: https://github.com/ansible-collections/cisco.nxos/pull/227
+	NOTE: https://github.com/ansible-collections/cisco.nxos/commit/120956963f47502151a358e4a7bc2a87f71813aa
 CVE-2021-20190 (A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishan ...)
 	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
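Review bot: the added commit reference lives in the cisco.nxos collection repository, while the tracked source package is `ansible`. If Debian's ansible ships the nxos modules from the monolithic tree rather than the collection, the NOTE should name the corresponding file in the ansible package so a buster backport (currently <no-dsa>) can be located without re-deriving the mapping.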
@@ -21445,6 +21448,7 @@ CVE-2021-20180
 	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1915808
 	NOTE: https://github.com/ansible-collections/community.general/pull/1635
+	NOTE: https://github.com/ansible-collections/community.general/commit/1d0c5e2ba47724c31a18d7b08b9daf13df8829dc
 CVE-2021-20179 (A flaw was found in pki-core. An attacker who has successfully comprom ...)
 	- dogtag-pki 10.10.2-2
 	NOTE: https://github.com/dogtagpki/pki/pull/3475
@@ -21454,6 +21458,7 @@ CVE-2021-20178 [user data leak in snmp_facts module]
 	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1914774
 	NOTE: https://github.com/ansible-collections/community.general/pull/1621
+	NOTE: https://github.com/ansible-collections/community.general/commit/3560aeb12f7061bf21d63ca0e1e19feb99c57de3
 CVE-2021-20177
 	RESERVED
 	{DSA-4843-1 DLA-2557-1}
@@ -28565,6 +28570,7 @@ CVE-2020-28492
 	REJECTED
 CVE-2020-28491 (This affects the package com.fasterxml.jackson.dataformat:jackson-data ...)
 	- jackson-dataformat-cbor <unfixed> (bug #983664)
+	[bullseye] - jackson-dataformat-cbor <no-dsa> (Minor issue)
 	[buster] - jackson-dataformat-cbor <no-dsa> (Minor issue)
 	[stretch] - jackson-dataformat-cbor <no-dsa> (Minor issue)
 	NOTE: https://people.debian.org/~abhijith/CVE-2020-28491.txt (stretch fix)
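Review bot: a prepared stretch fix is already referenced in the NOTE line (people.debian.org/~abhijith/CVE-2020-28491.txt), which suggests the patch is small, yet sid remains <unfixed> (bug #983664). Landing that fix in unstable looks cheaper than carrying a bullseye no-dsa tag; if the tag is deliberate, the reason text should say why rather than the generic "Minor issue".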
@@ -87301,6 +87307,7 @@ CVE-2020-5239 (In Mailu before version 1.7, an authenticated user can exploit a
 	NOT-FOR-US: Mailu
 CVE-2020-5238 (The table extension in GitHub Flavored Markdown before version 0.29.0. ...)
 	- cmark-gfm <unfixed> (bug #965984)
+	[bullseye] - cmark-gfm <no-dsa> (Minor issue)
 	[buster] - cmark-gfm <no-dsa> (Minor issue)
 	- python-cmarkgfm <unfixed> (bug #965983)
 	[bullseye] - python-cmarkgfm <no-dsa> (Minor issue)
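Review bot: cmark-gfm now carries the same bullseye tag as python-cmarkgfm, which is consistent, but both remain <unfixed> in sid with separate bugs (#965984, #965983). Because python-cmarkgfm is tracked here as its own source package (presumably carrying its own copy of the cmark-gfm code), the two bugs should be resolved together so one copy of the table-extension issue does not outlive the other.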
@@ -92146,6 +92153,8 @@ CVE-2019-19815 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem i
 	[stretch] - linux 4.9.184-1
 CVE-2019-19814 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image c ...)
 	- linux <unfixed>
+	[bullseye] - linux <no-dsa> (Minor issue)
+	[buster] - linux <no-dsa> (Minor issue)
 CVE-2019-19813 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, ...)
 	{DLA-2586-1 DLA-2385-1}
 	- linux 5.2.6-1
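Review bot: no [stretch] line is added for CVE-2019-19814, although the neighbouring f2fs entries show stretch is tracked (CVE-2019-19815 has a stretch fix, CVE-2019-19813 has DLA-2586-1); if stretch is unaffected or already covered, a tag saying so would keep the entry from showing as open for LTS. The "Minor issue" rationale would also benefit from being spelled out (mounting a crafted image requires mount privileges), as the file does for other kernel entries with specific reason text.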
@@ -97424,6 +97433,8 @@ CVE-2019-19379 (In app/Controller/TagsController.php in MISP 2.4.118, users can
 	NOT-FOR-US: MISP
 CVE-2019-19378 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image  ...)
 	- linux <unfixed>
+	[bullseye] - linux <no-dsa> (Minor issue)
+	[buster] - linux <no-dsa> (Minor issue)
 CVE-2019-19377 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, ...)
 	{DLA-2483-1}
 	- linux 5.6.7-1
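Review bot: CVE-2019-19378 gets bullseye/buster no-dsa tags but no stretch line and no NOTE with the upstream btrfs fix, whereas CVE-2019-19377 directly below records DLA-2483-1 and a fixed version 5.6.7-1. A fixed-version or upstream commit reference for 19378 would let the <unfixed> sid entry be closed when the kernel is updated, and a stretch tag would make the LTS status explicit.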
@@ -138640,6 +138651,7 @@ CVE-2019-6989 (TP-Link TL-WR940N is vulnerable to a stack-based buffer overflow,
 	NOT-FOR-US: TP-Link
 CVE-2019-6988 (An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers  ...)
 	- openjpeg2 <unfixed> (low; bug #922648)
+	[bullseye] - openjpeg2 <ignored> (Minor issue)
 	[buster] - openjpeg2 <ignored> (Minor issue)
 	[stretch] - openjpeg2 <ignored> (Minor issue)
 	[jessie] - openjpeg2 <ignored> (Minor issue)
@@ -142743,6 +142755,7 @@ CVE-2019-5428
 	REJECTED
 CVE-2019-5427 (c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack  ...)
 	- c3p0 <unfixed> (low; bug #927936)
+	[bullseye] - c3p0 <no-dsa> (Minor issue)
 	[buster] - c3p0 <no-dsa> (Minor issue)
 	[stretch] - c3p0 <no-dsa> (Minor issue)
 	[jessie] - c3p0 <no-dsa> (Minor issue)
@@ -175199,6 +175212,7 @@ CVE-2018-12929 (ntfs_read_locked_inode in the ntfs.ko filesystem driver in the L
 	[jessie] - linux <ignored> (ntfs is not supportable)
 CVE-2018-12928 (In the Linux kernel 4.15.0, a NULL pointer dereference was discovered  ...)
 	- linux <unfixed> (low)
+	[bullseye] - linux <ignored> (Minor issue)
 	[buster] - linux <ignored> (Minor issue)
 	[stretch] - linux <ignored> (Minor issue)
 	- linux-4.9 <removed>
@@ -208649,6 +208663,7 @@ CVE-2018-1298 (A Denial of Service vulnerability was found in Apache Qpid Broker
 	NOTE: https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=4b9fb37
 CVE-2018-1297 (When using Distributed Test only (RMI based), Apache JMeter 2.x and 3. ...)
 	- jakarta-jmeter <unfixed> (low; bug #897259)
+	[bullseye] - jakarta-jmeter <ignored> (Minor issue, too intrusive to backport)
 	[buster] - jakarta-jmeter <ignored> (Minor issue, too intrusive to backport)
 	[stretch] - jakarta-jmeter <ignored> (Minor issue, too intrusive to backport)
 	[jessie] - jakarta-jmeter <ignored> (Minor issue, too intrusive to backport)
@@ -208677,6 +208692,7 @@ CVE-2018-1288 (In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.
 	- kafka <itp> (bug #786460)
 CVE-2018-1287 (In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI ba ...)
 	- jakarta-jmeter <unfixed> (low)
+	[bullseye] - jakarta-jmeter <no-dsa> (Minor issue)
 	[buster] - jakarta-jmeter <no-dsa> (Minor issue)
 	[stretch] - jakarta-jmeter <no-dsa> (Minor issue)
 	[jessie] - jakarta-jmeter <no-dsa> (Minor issue)
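Review bot: the sid line for CVE-2018-1287 reads "jakarta-jmeter <unfixed> (low)" with no bug reference, unlike CVE-2018-1297 above which cites bug #897259; since both concern the RMI-based distributed test mode, either reference that bug or file one so the no-dsa tags point at a tracked fix. The tag choice should also be intentional: CVE-2018-1297 is <ignored> ("too intrusive to backport") while this one is <no-dsa>, which implies a fix is still expected to arrive.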
@@ -287399,6 +287415,7 @@ CVE-2016-2142 (Red Hat OpenShift Enterprise 3.1 uses world-readable permissions
 	NOT-FOR-US: OpenShift
 CVE-2016-2141 (JGroups before 4.0 does not require the proper headers for the ENCRYPT ...)
 	- libjgroups-java <unfixed> (low; bug #867493)
+	[bullseye] - libjgroups-java <ignored> (Minor issue, only used as build dep)
 	[buster] - libjgroups-java <ignored> (Minor issue, only used as build dep)
 	[stretch] - libjgroups-java <ignored> (Minor issue, only used as build dep)
 	[jessie] - libjgroups-java <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de235543e9ff16a7429c8228ac5a2812db54a011


