[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Fri Mar 26 17:49:48 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9a13612a by Moritz Muehlenhoff at 2021-03-26T18:49:30+01:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2258,12 +2258,14 @@ CVE-2021-28212
 CVE-2021-28211 [possible heap corruption with LzmaUefiDecompressGetInfo]
 	RESERVED
 	- edk2 2020.11-1
+	[buster] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1816
 	NOTE: https://github.com/tianocore/edk2/pull/1138
 	NOTE: https://github.com/tianocore/edk2/commit/e7bd0dd26db7e56aa8ca70132d6ea916ee6f3db0
 CVE-2021-28210 [unlimited FV recursion, round 2]
 	RESERVED
 	- edk2 2020.11-1
+	[buster] - edk2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1743
 	NOTE: https://github.com/tianocore/edk2/pull/1137
 	NOTE: https://github.com/tianocore/edk2/commit/47343af30435302c087027177613412a1a83e919
@@ -2514,6 +2516,7 @@ CVE-2021-28117 (libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover
 	NOTE: Plasma 5.18: https://commits.kde.org/plasma/discover/fcd3b30552bf03a384b1a16f9bb8db029c111356
 CVE-2021-28116 (Squid through 4.14 and 5.x through 5.0.5, in some configurations, allo ...)
 	- squid <unfixed>
+	[buster] - squid <postponed> (Minor issue, revisit once fixed upstream)
 	- squid3 <removed>
 	[stretch] - squid3 <postponed> (Check later when information is public)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-21-157/
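Review bot: the two postponed rationales for CVE-2021-28116 now disagree: the new buster line says "revisit once fixed upstream" while the existing stretch line says "Check later when information is public". If the upstream fix is still not public, the buster reason should say so too (e.g. "Minor issue, revisit once upstream fix is public") so the two suites are re-checked against the same trigger.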
@@ -5212,6 +5215,7 @@ CVE-2021-23201
 	RESERVED
 CVE-2020-36244 (The daemon in GENIVI Diagnostic Log and Trace (DLT) before 2.18.6 has  ...)
 	- dlt-daemon 2.18.6-1
+	[buster] - dlt-daemon <no-dsa> (Minor issue)
 	NOTE: https://github.com/GENIVI/dlt-daemon/issues/265
 	NOTE: https://github.com/GENIVI/dlt-daemon/pull/269
 	NOTE: https://github.com/GENIVI/dlt-daemon/commit/af734fe097ed379b0aa5fcf551886b1ce5098052 (v2.18.6)
@@ -12601,6 +12605,7 @@ CVE-2021-3116 (before_upstream_connection in AuthPlugin in http/proxy/auth.py in
 CVE-2021-3115 (Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to ...)
 	- golang-1.15 1.15.7-1
 	- golang-1.11 <removed>
+	[buster] - golang-1.11 <ignored> (Minor issue, only applies to inherently insecure setups)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <ignored> (Minor issue, requires unsecure PATH and compiling a malicious dependency)
 	- golang-1.7 <removed>
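Review bot: the buster rationale "only applies to inherently insecure setups" is vaguer than the stretch one directly below it ("requires unsecure PATH and compiling a malicious dependency"); reuse the stretch wording so the ignored decision is self-explanatory. The truncated description also says "on Windows", so if the issue is Windows-only it may be worth stating that in the rationale as the primary reason rather than "Minor issue".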
@@ -13647,9 +13652,10 @@ CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 3.7.0
 CVE-2021-23335 (All versions of package is-user-valid are vulnerable to LDAP Injection ...)
 	NOT-FOR-US: Node is-user-valid
 CVE-2021-23334 (All versions of package static-eval are vulnerable to Arbitrary Code E ...)
-	- node-static-eval <unfixed>
+	- node-static-eval <unfixed> (unimportant)
 	NOTE: https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765
 	NOTE: https://github.com/browserify/static-eval/issues/34
+	NOTE: Explicitly documented as such by upstream: https://github.com/browserify/static-eval#security
 CVE-2021-23333
 	RESERVED
 CVE-2021-23332
@@ -18783,6 +18789,7 @@ CVE-2020-35679 (smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain regfre
 	NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html
 CVE-2020-35678 (Autobahn|Python before 20.12.3 allows redirect header injection. ...)
 	- python-autobahn <unfixed> (bug #978416)
+	[buster] - python-autobahn <no-dsa> (Minor issue)
 	[stretch] - python-autobahn <ignored> (Need a package which is not in this suite)
 	NOTE: https://github.com/crossbario/autobahn-python/pull/1439
 	NOTE: https://github.com/crossbario/autobahn-python/commit/f7b7ad5c1066bdcc551775b73da15dca5c111623 (v20.12.3)
@@ -21723,6 +21730,7 @@ CVE-2021-20268 (An out-of-bounds access flaw was found in the Linux kernel's imp
 CVE-2021-20267
 	RESERVED
 	- neutron <unfixed> (bug #985104)
+	[buster] - neutron <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/neutron/+bug/1902917
 	NOTE: https://review.opendev.org/c/openstack/neutron/+/776599
 CVE-2021-20266
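Review bot: CVE-2021-20267 is still RESERVED, so "Minor issue" is the only description of the problem in the tracker; add a short NOTE summarising what the Launchpad bug 1902917 / review 776599 fix (the class of issue and its prerequisites) so the no-dsa decision can be re-evaluated once the CVE is published without re-reading the upstream tickets.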
@@ -29280,6 +29288,7 @@ CVE-2020-28499 (All versions of package merge are vulnerable to Prototype Pollut
 	NOTE: Only bogus references listed, unclear what this is about
 CVE-2020-28498 (The package elliptic before 6.5.4 are vulnerable to Cryptographic Issu ...)
 	- node-elliptic 6.5.4~dfsg-1
+	[buster] - node-elliptic <no-dsa> (Minor issue)
 	NOTE: https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f
 	NOTE: https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
 CVE-2020-28497
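Review bot: for a cryptographic issue whose only references are the fixing commit and a write-up on secp256k1 twist attacks, a bare "Minor issue" does not record why a DSA is not warranted; spell out the precondition that makes it minor in the rationale (e.g. which API or usage pattern is required for the attack) so the call is traceable later.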
@@ -29295,6 +29304,7 @@ CVE-2020-28494 (This affects the package total.js before 3.4.7. The issue occurs
 	NOT-FOR-US: Node total.js
 CVE-2020-28493 (This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDo ...)
 	- jinja2 2.11.3-1 (bug #982736)
+	[buster] - jinja2 <no-dsa> (Minor issue)
 	[stretch] - jinja2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/pallets/jinja/pull/1343
 	NOTE: https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
@@ -32469,7 +32479,6 @@ CVE-2020-27846 (A signature verification vulnerability exists in crewjam/saml. T
 CVE-2020-27845 (There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior t ...)
 	{DLA-2550-1}
 	- openjpeg2 2.4.0-1
-	[buster] - openjpeg2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1302
 	NOTE: https://github.com/uclouvain/openjpeg/commit/8f5aff1dff510a964d3901d0fba281abec98ab63 (v2.4.0)
 CVE-2020-27844 (A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior  ...)
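Review bot: dropping the [buster] no-dsa tag re-opens CVE-2020-27845 (and the other openjpeg2 entries in this commit) for buster, which normally means a DSA is planned, but this diff adds no openjpeg2 entry to data/dsa-needed.txt (the only change there is removing samba). If openjpeg2 is not already listed in dsa-needed.txt, it should be added in the same triage pass so the re-opened issues are not lost.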
@@ -32479,19 +32488,16 @@ CVE-2020-27844 (A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions
 	NOTE: Introduced by: https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5
 CVE-2020-27843 (A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw all ...)
 	- openjpeg2 2.4.0-1 (bug #983663)
-	[buster] - openjpeg2 <no-dsa> (Minor issue)
 	[stretch] - openjpeg2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1297
 	NOTE: Partial fix (preventing the out of bounds access): https://github.com/uclouvain/openjpeg/commit/38d661a3897052c7ff0b39b30c29cb067e130121 (2.4.0)
 CVE-2020-27842 (There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An ...)
 	- openjpeg2 2.4.0-1
-	[buster] - openjpeg2 <no-dsa> (Minor issue)
 	[stretch] - openjpeg2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1294
 CVE-2020-27841 (There's a flaw in openjpeg in versions prior to 2.4.0 in src/lib/openj ...)
 	{DLA-2550-1}
 	- openjpeg2 2.4.0-1
-	[buster] - openjpeg2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1293
 	NOTE: https://github.com/rouault/openjpeg/commit/00383e162ae2f8fc951f5745bf1011771acb8dce  (v2.4.0)
 CVE-2020-27840 [Heap corruption via crafted DN strings]
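Review bot: CVE-2020-27843 is being re-opened for buster while its only fix NOTE is explicitly "Partial fix (preventing the out of bounds access)"; if a buster update is intended, the entry should say whether the partial fix is considered sufficient for the DSA, or whether a complete upstream fix is still awaited, otherwise the re-opened entry will sit without a clear next action.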
@@ -32580,7 +32586,6 @@ CVE-2020-27824 [global-buffer-overflow read in lib-openjp2]
 	RESERVED
 	{DLA-2550-1}
 	- openjpeg2 2.4.0-1
-	[buster] - openjpeg2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1286
 	NOTE: https://github.com/uclouvain/openjpeg/commit/6daf5f3e1ec6eff03b7982889874a3de6617db8d (v2.4.0)
 CVE-2020-27823 [Heap-buffer-overflow write in lib-openjp2]
@@ -32626,6 +32631,8 @@ CVE-2020-27814 (A heap-buffer overflow was found in the way openjpeg2 handled ce
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1283
 	NOTE: https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc (v2.4.0)
 	NOTE: https://github.com/uclouvain/openjpeg/commit/15cf3d95814dc931ca0ecb132f81cb152e051bae (v2.4.0)
+	NOTE: https://github.com/uclouvain/openjpeg/commit/649298dcf84b2f20cfe458d887c1591db47372a6
+	NOTE: https://github.com/uclouvain/openjpeg/commit/4ce7d285a55d29b79880d0566d4b010fe1907aa9
 CVE-2020-27813 (An integer overflow vulnerability exists with the length of websocket  ...)
 	{DLA-2520-1}
 	- golang-github-gorilla-websocket <not-affected> (Fixed with first upload to Debian with renamed source package)
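Review bot: the two newly added commit NOTEs for CVE-2020-27814 (649298dc and 4ce7d285) carry no "(v2.4.0)" annotation, unlike the two existing ones directly above them. State whether these are part of 2.4.0 or later follow-up commits, since anyone preparing a buster backport needs to know which commits constitute the complete fix.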
@@ -38462,6 +38469,7 @@ CVE-2020-25613 (An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6
 	[buster] - ruby2.5 2.5.5-3+deb10u3
 	- ruby2.3 <removed>
 	- jruby <unfixed> (bug #972230)
+	[buster] - jruby <no-dsa> (Minor issue)
 	NOTE: https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
 	NOTE: Fix in webrick: https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7
 CVE-2020-25612 (The NuPoint Messenger of Mitel MiCollab before 9.2 could allow an atta ...)
@@ -39870,6 +39878,7 @@ CVE-2020-24995
 	RESERVED
 CVE-2020-24994 (Stack overflow in the parse_tag function in libass/ass_parse.c in liba ...)
 	- libass 1:0.15.0-1
+	[buster] - libass <no-dsa> (Minor issue)
 	NOTE: https://github.com/libass/libass/issues/422
 	NOTE: https://github.com/libass/libass/issues/423
 	NOTE: https://github.com/libass/libass/commit/6835731c2fe4164a0c50bc91d12c43b2a2b4e799 (0.15.0)
@@ -60195,7 +60204,6 @@ CVE-2020-15390
 CVE-2020-15389 (jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free th ...)
 	{DLA-2277-1}
 	- openjpeg2 2.4.0-1 (bug #965220)
-	[buster] - openjpeg2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1261
 	NOTE: https://github.com/uclouvain/openjpeg/commit/e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 (v2.4.0)
 CVE-2020-15388
@@ -80772,7 +80780,6 @@ CVE-2020-8113 (GitLab 10.7 and later through 12.7.2 has Incorrect Access Control
 CVE-2020-8112 (opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through ...)
 	{DLA-2277-1 DLA-2089-1}
 	- openjpeg2 2.4.0-1 (bug #950184)
-	[buster] - openjpeg2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1231
 	NOTE: https://github.com/rouault/openjpeg/commit/05f9b91e60debda0e83977e5e63b2e66486f7074 (v2.4.0)
 CVE-2020-8111
@@ -83862,7 +83869,6 @@ CVE-2020-6852 (CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmwa
 CVE-2020-6851 (OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl ...)
 	{DLA-2277-1 DLA-2081-1}
 	- openjpeg2 2.4.0-1 (bug #950000)
-	[buster] - openjpeg2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/uclouvain/openjpeg/issues/1228
 	NOTE: https://github.com/uclouvain/openjpeg/commit/024b8407392cb0b82b04b58ed256094ed5799e04 (v2.4.0)
 CVE-2020-6850 (Utilities.php in the miniorange-saml-20-single-sign-on plugin before 4 ...)
@@ -110359,6 +110365,7 @@ CVE-2019-16255 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4
 	- ruby2.3 <removed>
 	- ruby2.1 <removed>
 	- jruby <unfixed> (bug #972230)
+	[buster] - jruby <no-dsa> (Minor issue)
 	NOTE: https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
 	NOTE: ruby2.5: https://github.com/ruby/ruby/commit/3af01ae1101e0b8815ae5a106be64b0e82a58640
 CVE-2019-16254 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allow ...)
@@ -110367,6 +110374,7 @@ CVE-2019-16254 (Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4
 	- ruby2.3 <removed>
 	- ruby2.1 <removed>
 	- jruby <unfixed> (bug #972230)
+	[buster] - jruby <no-dsa> (Minor issue)
 	NOTE: https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc
 	NOTE: https://hackerone.com/reports/331984
 	NOTE: https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
@@ -110558,6 +110566,7 @@ CVE-2019-16201 (WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x throu
 	- ruby2.3 <removed>
 	- ruby2.1 <removed>
 	- jruby <unfixed> (bug #972230)
+	[buster] - jruby <no-dsa> (Minor issue)
 	NOTE: https://github.com/ruby/ruby/commit/36e057e26ef2104bc2349799d6c52d22bb1c7d03
 	NOTE: https://hackerone.com/reports/661722
 	NOTE: https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
@@ -121866,7 +121875,7 @@ CVE-2019-12974 (A NULL pointer dereference in the function ReadPANGOImage in cod
 CVE-2019-12973 (In OpenJPEG 2.3.1, there is excessive iteration in the opj_t1_encode_c ...)
 	{DLA-2277-1}
 	- openjpeg2 2.4.0-1 (bug #931292)
-	[buster] - openjpeg2 <no-dsa> (Minor issue)
+	[buster] - openjpeg2 <ignored> (Minor issue)
 	[jessie] - openjpeg2 <not-affected> (vulnerable code is not present)
 	NOTE: https://github.com/uclouvain/openjpeg/pull/1185
 	NOTE: https://github.com/uclouvain/openjpeg/commit/21399f6b7d318fcdf4406d5e88723c4922202aa3 (v2.4.0)
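Review bot: the buster tag for CVE-2019-12973 changes from <no-dsa> to <ignored> but the rationale stays "Minor issue"; since the other openjpeg2 entries in this commit are being re-opened for buster, the rationale here should say why this one is permanently excluded (the description points to excessive iteration in the encoder, i.e. a resource-consumption issue) so the different handling is explicit.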


=====================================
data/dsa-needed.txt
=====================================
@@ -41,8 +41,6 @@ python-pysaml2 (jmm)
 --
 salt
 --
-samba
---
 tomcat9
 --
 xen (jmm)
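Review bot: samba is removed from dsa-needed.txt without any matching change in data/CVE/list in this diff, and the commit message ("buster triage") does not mention it. If this is because the samba DSA has been released, reference the DSA id in the commit message; if it was removed for another reason, record that reason so the entry is not silently dropped.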



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a13612a53063435ab66a16085efab144b9215d0
