[Git][security-tracker-team/security-tracker][master] 2 commits: buster triage

Moritz Muehlenhoff jmm at debian.org
Tue Mar 23 19:21:49 GMT 2021 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4578a1a7 by Moritz Muehlenhoff at 2021-03-23T20:18:17+01:00
buster triage

- - - - -
38213c74 by Moritz Muehlenhoff at 2021-03-23T20:21:01+01:00
thunderbird fixed in sid

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -4038,6 +4038,7 @@ CVE-2021-27291 (In pygments 1.1+, fixed in 2.7.4, the lexers used to parse progr
 	NOTE: https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
 CVE-2021-27290 (ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expre ...)
 	- node-ssri <unfixed>
+	[buster] - node-ssri <no-dsa> (Minor issue)
 	NOTE: https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
 CVE-2021-27289
 	RESERVED
@@ -5079,11 +5080,13 @@ CVE-2021-21299 (hyper is an open-source HTTP library for Rust (crates.io). In hy
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0020.html
 CVE-2021-27218 (An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before  ...)
 	- glib2.0 2.66.7-1 (bug #982779)
+	[buster] - glib2.0 <no-dsa> (Minor issue)
 	[stretch] - glib2.0 <postponed> (fix along with CVE-2021-27219)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942
 	NOTE: Test case depends on CVE-2021-27219 fix
 CVE-2021-27219 (An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before  ...)
 	- glib2.0 2.66.6-1 (bug #982778)
+	[buster] - glib2.0 <no-dsa> (Minor issue)
 	[stretch] - glib2.0 <postponed> (requires fixing vulnerable rdeps, follow buster strategy)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2319
 	NOTE: Fix introduces new API 'g_memdup2'
@@ -11726,7 +11729,7 @@ CVE-2021-23987
 	RESERVED
 	- firefox <unfixed>
 	- firefox-esr <unfixed>
-	- thunderbird <unfixed>
+	- thunderbird 1:78.9.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-23987
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/#CVE-2021-23987
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-12/#CVE-2021-23987
@@ -11741,7 +11744,7 @@ CVE-2021-23985
 CVE-2021-23984
 	RESERVED
 	- firefox-esr <unfixed>
-	- thunderbird <unfixed>
+	- thunderbird 1:78.9.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-23984
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/#CVE-2021-23984
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-12/#CVE-2021-23984
@@ -11753,7 +11756,7 @@ CVE-2021-23982
 	RESERVED
 	- firefox <unfixed>
 	- firefox-esr <unfixed>
-	- thunderbird <unfixed>
+	- thunderbird 1:78.9.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-23982
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/#CVE-2021-23982
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-12/#CVE-2021-23982
@@ -11761,7 +11764,7 @@ CVE-2021-23981
 	RESERVED
 	- firefox <unfixed>
 	- firefox-esr <unfixed>
-	- thunderbird <unfixed>
+	- thunderbird 1:78.9.0-1
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-23981
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/#CVE-2021-23981
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-12/#CVE-2021-23981
@@ -12027,6 +12030,7 @@ CVE-2021-23897
 	RESERVED
 CVE-2021-25900 (An issue was discovered in the smallvec crate before 0.6.14 and 1.x be ...)
 	- rust-smallvec 1.4.2-2 (bug #984665)
+	[buster] - rust-smallvec <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0003.html
 	NOTE: https://github.com/servo/rust-smallvec/issues/252
 CVE-2021-3127 (NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorre ...)
@@ -13228,6 +13232,7 @@ CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0
 	- python2.7 <unfixed>
 	[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
 	- pypy3 7.3.3+dfsg-3
+	[buster] - pypy3 <no-dsa> (Minor issue)
 	NOTE: https://github.com/python/cpython/pull/24297
 	NOTE: https://github.com/python/cpython/commit/fcbe0cb04d35189401c0c880ebfb4311e952d776 (master)
 	NOTE: https://github.com/python/cpython/commit/c9f07813ab8e664d8c34413c4fc2d4f86c061a92 (3.9)
@@ -17819,6 +17824,7 @@ CVE-2019-25010 (An issue was discovered in the failure crate through 2019-11-13
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0036.html
 CVE-2019-25009 (An issue was discovered in the http crate before 0.1.20 for Rust. The  ...)
 	- rust-http <unfixed>
+	[buster] - rust-http <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0034.html
 	NOTE: https://github.com/hyperium/http/commit/82d53dbdfdb1ffbeb0323200a0bbd30b5f895fa7
 	NOTE: https://github.com/hyperium/http/commit/8ffe094df1431321d450860cc56a22dd53175f5e
@@ -85631,6 +85637,7 @@ CVE-2020-6099
 	RESERVED
 CVE-2020-6098 (An exploitable denial of service vulnerability exists in the freeDiame ...)
 	- freediameter 1.2.1-8 (bug #985088)
+	[buster] - freediameter <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1030
 	NOTE: Possible fix: http://www.freediameter.net/trac/changeset/19ab8ac08a361642e7f9ec9f2657202c6f8ef9ee/freeDiameter?old=edfb2b662b91af94b2fccc48b11eec904ccab370
 CVE-2020-6097 (An exploitable denial of service vulnerability exists in the atftpd da ...)
@@ -129636,6 +129643,7 @@ CVE-2019-10070 (Apache Atlas versions 0.8.3 and 1.1.0 were found vulnerable to S
 	NOT-FOR-US: Apache Atlas
 CVE-2019-10069 (In Godot through 3.1, remote code execution is possible due to the des ...)
 	- godot 3.2-stable-1
+	[buster] - godot <no-dsa> (Minor issue)
 	NOTE: https://github.com/godotengine/godot/pull/27398
 	NOTE: https://github.com/godotengine/godot/commit/e3bd84fa571661d76fc8458d65bb053988e934a6 (3.2-stable)
 	NOTE: For 3.0: https://github.com/godotengine/godot/commit/0c4881f1dbfe4feab879b4f0fe031b735ddc1f9f


=====================================
data/dsa-needed.txt
=====================================
@@ -32,6 +32,8 @@ netty
 --
 openjpeg2 (jmm)
 --
+pygments (jmm)
+--
 python-pysaml2 (jmm)
 --
 salt



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/19f069659b87342f74af967ad98c8bb1552e3a6e...38213c747b9f51f06c1a83dbedcc763b930278ed

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/19f069659b87342f74af967ad98c8bb1552e3a6e...38213c747b9f51f06c1a83dbedcc763b930278ed
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210323/1f650012/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list