[Git][security-tracker-team/security-tracker][master] 2 commits: buster triage
Moritz Muehlenhoff
jmm at debian.org
Tue Mar 23 19:21:49 GMT 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4578a1a7 by Moritz Muehlenhoff at 2021-03-23T20:18:17+01:00
buster triage
- - - - -
38213c74 by Moritz Muehlenhoff at 2021-03-23T20:21:01+01:00
thunderbird fixed in sid
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -4038,6 +4038,7 @@ CVE-2021-27291 (In pygments 1.1+, fixed in 2.7.4, the lexers used to parse progr
NOTE: https://github.com/pygments/pygments/commit/2e7e8c4a7b318f4032493773732754e418279a14
CVE-2021-27290 (ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expre ...)
- node-ssri <unfixed>
+ [buster] - node-ssri <no-dsa> (Minor issue)
NOTE: https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
CVE-2021-27289
RESERVED
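Review bot: the new `[buster] - node-ssri <no-dsa> (Minor issue)` line only defers buster while the unstable entry directly above it still reads `- node-ssri <unfixed>`; since the description already says the ReDoS is fixed upstream in 8.0.1, it would help to add a NOTE on the expected sid fix (target version or bug reference) so the package does not sit as open in every suite except buster.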
@@ -5079,11 +5080,13 @@ CVE-2021-21299 (hyper is an open-source HTTP library for Rust (crates.io). In hy
NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0020.html
CVE-2021-27218 (An issue was discovered in GNOME GLib before 2.66.7 and 2.67.x before ...)
- glib2.0 2.66.7-1 (bug #982779)
+ [buster] - glib2.0 <no-dsa> (Minor issue)
[stretch] - glib2.0 <postponed> (fix along with CVE-2021-27219)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1942
NOTE: Test case depends on CVE-2021-27219 fix
CVE-2021-27219 (An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before ...)
- glib2.0 2.66.6-1 (bug #982778)
+ [buster] - glib2.0 <no-dsa> (Minor issue)
[stretch] - glib2.0 <postponed> (requires fixing vulnerable rdeps, follow buster strategy)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2319
NOTE: Fix introduces new API 'g_memdup2'
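Review bot: the stretch entries next to the two new `[buster] - glib2.0 <no-dsa>` lines say `(fix along with CVE-2021-27219)` and `(requires fixing vulnerable rdeps, follow buster strategy)`, but with buster now marked no-dsa "follow buster strategy" no longer names a concrete plan; given the NOTE that the fix introduces new API (`g_memdup2`) and that the CVE-2021-27218 test case depends on the CVE-2021-27219 fix, consider stating in the buster note whether the fix is expected via a point release so the stretch entry has something to follow.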
@@ -11726,7 +11729,7 @@ CVE-2021-23987
RESERVED
- firefox <unfixed>
- firefox-esr <unfixed>
- - thunderbird <unfixed>
+ - thunderbird 1:78.9.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-23987
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/#CVE-2021-23987
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-12/#CVE-2021-23987
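Review bot: thunderbird is bumped to `1:78.9.0-1` here (and identically in the hunks for CVE-2021-23984, CVE-2021-23982 and CVE-2021-23981) while `firefox <unfixed>` and `firefox-esr <unfixed>` in the same hunk remain open, and the dsa-needed.txt hunk in this push adds only pygments; if the buster thunderbird update is meant to go out as a DSA, it should be added to dsa-needed.txt alongside pygments rather than tracked only through the sid version.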
@@ -11741,7 +11744,7 @@ CVE-2021-23985
CVE-2021-23984
RESERVED
- firefox-esr <unfixed>
- - thunderbird <unfixed>
+ - thunderbird 1:78.9.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-23984
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/#CVE-2021-23984
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-12/#CVE-2021-23984
@@ -11753,7 +11756,7 @@ CVE-2021-23982
RESERVED
- firefox <unfixed>
- firefox-esr <unfixed>
- - thunderbird <unfixed>
+ - thunderbird 1:78.9.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-23982
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/#CVE-2021-23982
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-12/#CVE-2021-23982
@@ -11761,7 +11764,7 @@ CVE-2021-23981
RESERVED
- firefox <unfixed>
- firefox-esr <unfixed>
- - thunderbird <unfixed>
+ - thunderbird 1:78.9.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-10/#CVE-2021-23981
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-11/#CVE-2021-23981
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2021-12/#CVE-2021-23981
@@ -12027,6 +12030,7 @@ CVE-2021-23897
RESERVED
CVE-2021-25900 (An issue was discovered in the smallvec crate before 0.6.14 and 1.x be ...)
- rust-smallvec 1.4.2-2 (bug #984665)
+ [buster] - rust-smallvec <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0003.html
NOTE: https://github.com/servo/rust-smallvec/issues/252
CVE-2021-3127 (NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorre ...)
@@ -13228,6 +13232,7 @@ CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0
- python2.7 <unfixed>
[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
- pypy3 7.3.3+dfsg-3
+ [buster] - pypy3 <no-dsa> (Minor issue)
NOTE: https://github.com/python/cpython/pull/24297
NOTE: https://github.com/python/cpython/commit/fcbe0cb04d35189401c0c880ebfb4311e952d776 (master)
NOTE: https://github.com/python/cpython/commit/c9f07813ab8e664d8c34413c4fc2d4f86c061a92 (3.9)
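Review bot: only pypy3 receives a `[buster]` tag in this hunk; the `- python2.7 <unfixed>` line above it carries a bullseye `<ignored>` entry but no buster entry, so if buster's python2.7 is intended to be handled the same way as pypy3 for CVE-2021-23336, add a matching `[buster]` line (or an explicit note) so its buster state is not left implicit.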
@@ -17819,6 +17824,7 @@ CVE-2019-25010 (An issue was discovered in the failure crate through 2019-11-13
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0036.html
CVE-2019-25009 (An issue was discovered in the http crate before 0.1.20 for Rust. The ...)
- rust-http <unfixed>
+ [buster] - rust-http <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0034.html
NOTE: https://github.com/hyperium/http/commit/82d53dbdfdb1ffbeb0323200a0bbd30b5f895fa7
NOTE: https://github.com/hyperium/http/commit/8ffe094df1431321d450860cc56a22dd53175f5e
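Review bot: as with node-ssri, rust-http is marked `<no-dsa>` for buster while the unstable line remains `- rust-http <unfixed>`; the two hyperium/http commits in the NOTE lines identify the upstream fix, so the sid entry should gain a fixed version or bug reference once the package is uploaded, otherwise the tracker keeps reporting the issue as open everywhere except buster.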
@@ -85631,6 +85637,7 @@ CVE-2020-6099
RESERVED
CVE-2020-6098 (An exploitable denial of service vulnerability exists in the freeDiame ...)
- freediameter 1.2.1-8 (bug #985088)
+ [buster] - freediameter <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1030
NOTE: Possible fix: http://www.freediameter.net/trac/changeset/19ab8ac08a361642e7f9ec9f2657202c6f8ef9ee/freeDiameter?old=edfb2b662b91af94b2fccc48b11eec904ccab370
CVE-2020-6097 (An exploitable denial of service vulnerability exists in the atftpd da ...)
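Review bot: the NOTE still reads `Possible fix:` for the freeDiameter changeset while the line above records `freediameter 1.2.1-8 (bug #985088)` as the fixed version; if 1.2.1-8 was verified to carry that changeset, drop "Possible" so the note does not contradict the fixed-version entry, and if it was not verified, the new `[buster] - freediameter <no-dsa>` tag is being set against an unconfirmed fix.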
@@ -129636,6 +129643,7 @@ CVE-2019-10070 (Apache Atlas versions 0.8.3 and 1.1.0 were found vulnerable to S
NOT-FOR-US: Apache Atlas
CVE-2019-10069 (In Godot through 3.1, remote code execution is possible due to the des ...)
- godot 3.2-stable-1
+ [buster] - godot <no-dsa> (Minor issue)
NOTE: https://github.com/godotengine/godot/pull/27398
NOTE: https://github.com/godotengine/godot/commit/e3bd84fa571661d76fc8458d65bb053988e934a6 (3.2-stable)
NOTE: For 3.0: https://github.com/godotengine/godot/commit/0c4881f1dbfe4feab879b4f0fe031b735ddc1f9f
=====================================
data/dsa-needed.txt
=====================================
@@ -32,6 +32,8 @@ netty
--
openjpeg2 (jmm)
--
+pygments (jmm)
+--
python-pysaml2 (jmm)
--
salt
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/19f069659b87342f74af967ad98c8bb1552e3a6e...38213c747b9f51f06c1a83dbedcc763b930278ed