[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff
jmm at debian.org
Thu May 6 18:37:32 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ab678263 by Moritz Muehlenhoff at 2021-05-06T19:27:08+02:00
bullseye triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -379,6 +379,8 @@ CVE-2021-3528
CVE-2021-3527 [usb: unbounded stack allocation in usbredir]
RESERVED
- qemu <unfixed>
+ [bullseye] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <no-dsa> (Minor issue)
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00564.html
CVE-2021-3526
RESERVED
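Review bot: The new bullseye and buster no-dsa lines for CVE-2021-3527 rest on "Minor issue", but the entry is still RESERVED and the only NOTE is the qemu-devel thread, with no fix commit and no Debian bug reference on the `- qemu <unfixed>` line (unlike the tika, squid and u-boot entries in this same change, which carry `(bug #...)`). Consider adding the upstream fix reference once it lands and a bug number, so the no-dsa decision has something to revisit against.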
@@ -7922,6 +7924,7 @@ CVE-2021-28658 (In Django 2.2 before 2.2.20, 3.0 before 3.0.14, and 3.1 before 3
NOTE: https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2 (2.2.20)
CVE-2021-28657 (A carefully crafted or corrupt file may trigger an infinite loop in Ti ...)
- tika <unfixed> (bug #986805)
+ [bullseye] - tika <no-dsa> (Minor issue)
[buster] - tika <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/03/30/3
CVE-2021-28656
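Review bot: The added bullseye line for CVE-2021-28657 mirrors the existing buster line word for word, which keeps the two suites consistent; no further change needed for this hunk.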
@@ -9178,6 +9181,7 @@ CVE-2021-28117 (libdiscover/backends/KNSBackend/KNSResource.cpp in KDE Discover
NOTE: Plasma 5.18: https://commits.kde.org/plasma/discover/fcd3b30552bf03a384b1a16f9bb8db029c111356
CVE-2021-28116 (Squid through 4.14 and 5.x through 5.0.5, in some configurations, allo ...)
- squid <unfixed> (bug #986804)
+ [bullseye] - squid <postponed> (Minor issue, revisit once fixed upstream)
[buster] - squid <postponed> (Minor issue, revisit once fixed upstream)
- squid3 <removed>
[stretch] - squid3 <postponed> (Check later when information is public)
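Review bot: The bullseye and buster squid lines say "revisit once fixed upstream" while the stretch squid3 line in the same entry says "Check later when information is public"; these are two different revisit conditions for the same CVE. If the information is now public (the hunk header quotes a full description), the stretch rationale is stale and could be aligned with the new wording in a follow-up.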
@@ -11465,6 +11469,7 @@ CVE-2021-27139 (An issue was discovered on FiberHome HG6245D devices through RP2
CVE-2021-27138 (The boot loader in Das U-Boot before 2021.04-rc2 mishandles use of uni ...)
[experimental] - u-boot 2021.04~rc3+dfsg-1
- u-boot <unfixed> (bug #983269)
+ [bullseye] - u-boot <no-dsa> (Minor issue)
[buster] - u-boot <no-dsa> (Minor issue)
[stretch] - u-boot <postponed> (Minor issue; can be fixed in next DLA)
NOTE: https://github.com/u-boot/u-boot/commit/3f04db891a353f4b127ed57279279f851c6b4917
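Review bot: The bullseye no-dsa line for CVE-2021-27138 is added even though the fix is already referenced (upstream commit in the NOTE) and a fixed version, 2021.04~rc3+dfsg-1, is already in experimental. The line is consistent with buster, but it would help to record in the rationale whether the fix is expected to reach bullseye via the unstable upload or is being deferred to a point release, so the no-dsa tag is not read as "will never be fixed".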
@@ -11565,6 +11570,7 @@ CVE-2021-27098 (In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2,
CVE-2021-27097 (The boot loader in Das U-Boot before 2021.04-rc2 mishandles a modified ...)
[experimental] - u-boot 2021.04~rc3+dfsg-1
- u-boot <unfixed> (bug #983270)
+ [bullseye] - u-boot <no-dsa> (Minor issue)
[buster] - u-boot <no-dsa> (Minor issue)
[stretch] - u-boot <postponed> (Minor issue; can be fixed in next DLA)
NOTE: https://github.com/u-boot/u-boot/commit/6f3c2d8aa5e6cbd80b5e869bbbddecb66c329d01
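Review bot: Same situation as CVE-2021-27138 directly above: fix commit referenced, 2021.04~rc3+dfsg-1 in experimental, bullseye tagged no-dsa. Whatever rationale is chosen there should be applied here as well so the two u-boot entries stay in step.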
@@ -22906,6 +22912,7 @@ CVE-2021-22208
RESERVED
CVE-2021-22207 (Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to ...)
- wireshark <unfixed> (bug #987853)
+ [bullseye] - wireshark <postponed> (Minor issue, can be fixed along in future update)
[buster] - wireshark <postponed> (Minor issue, can be fixed along in future update)
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17331
NOTE: https://gitlab.com/wireshark/wireshark/-/commit/b7a0650e061b5418ab4a8f72c6e4b00317aff623
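Review bot: The bullseye line for CVE-2021-22207 is tagged postponed with "can be fixed along in future update", and the second NOTE already points at the upstream fix commit. Since the fix is known, naming the upstream release that carries it in the rationale would make the later update straightforward to verify against the package version.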
@@ -28827,7 +28834,7 @@ CVE-2021-20268 (An out-of-bounds access flaw was found in the Linux kernel's imp
NOTE: https://git.kernel.org/linus/bc895e8b2a64e502fbba72748d59618272052a8b
CVE-2021-20267
RESERVED
- - neutron <unfixed> (bug #985104)
+ - neutron 2:17.1.1-1 (bug #985104)
[buster] - neutron <no-dsa> (Minor issue)
[stretch] - neutron <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/neutron/+bug/1902917
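Review bot: This hunk flips neutron for CVE-2021-20267 from `<unfixed>` to fixed in 2:17.1.1-1, but the only NOTE is the Launchpad bug; the hunk gives no reference tying the fix to that Debian upload. Adding the upstream fix commit or the changelog entry that closes bug #985104 would let a reader confirm the fixed-version claim.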
@@ -29165,6 +29172,7 @@ CVE-2021-20204 [Use after free in _GD_Supports() in encoding.c]
CVE-2021-20203 (An integer overflow issue was found in the vmxnet3 NIC emulator of the ...)
{DLA-2623-1}
- qemu <unfixed> (bug #984452)
+ [bullseye] - qemu <postponed> (Minor issue)
[buster] - qemu <postponed> (Minor issue)
NOTE: https://bugs.launchpad.net/qemu/+bug/1913873
NOTE: https://bugs.launchpad.net/qemu/+bug/1890152
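Review bot: The new bullseye line for CVE-2021-20203 uses `<postponed> (Minor issue)`, whereas the qemu entry for CVE-2020-29443 later in this same change uses `<postponed> (Fix along in future DSA)` for the identical state. "Minor issue" on its own reads like a no-dsa rationale; consider using the "Fix along in future DSA" wording here too so the postponed tag carries its own justification.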
@@ -33156,6 +33164,7 @@ CVE-2020-29444
CVE-2020-29443 (ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of- ...)
{DLA-2560-1}
- qemu <unfixed> (bug #983575)
+ [bullseye] - qemu <postponed> (Fix along in future DSA)
[buster] - qemu <postponed> (Fix along in future DSA)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg04255.html
NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=813212288970c39b1800f63e83ac6e96588095c6
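Review bot: The rationale "Fix along in future DSA" on the bullseye and buster lines for CVE-2020-29443 states clearly why the tag is postponed rather than no-dsa; the earlier qemu entry CVE-2021-20203 in this change should use the same phrasing for consistency.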
@@ -40230,6 +40239,7 @@ CVE-2020-27749 (A flaw was found in grub2 in versions prior to 2.06. Variable na
CVE-2020-27748 [local file inclusion vulnerability]
RESERVED
- xdg-utils <unfixed> (bug #975370)
+ [bullseye] - xdg-utils <postponed> (Minor issue; regression potential; revisit when fixed upstream)
[buster] - xdg-utils <postponed> (Minor issue; regression potential; revisit when fixed upstream)
[stretch] - xdg-utils <postponed> (Minor issue; regression potential; revisit when fixed upstream)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1899769
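Review bot: The bullseye, buster and stretch lines for CVE-2020-27748 all say "revisit when fixed upstream", but the only reference is a Red Hat bug for an entry that is still RESERVED. If an upstream xdg-utils issue or merge request exists, it should be added as a NOTE so the revisit condition can actually be checked.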
@@ -49558,6 +49568,7 @@ CVE-2020-23923
RESERVED
CVE-2020-23922 (An issue was discovered in giflib through 5.1.4. DumpScreen2RGB in gif ...)
- giflib <unfixed>
+ [bullseye] - giflib <no-dsa> (Minor issue)
[buster] - giflib <no-dsa> (Minor issue)
[stretch] - giflib <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/giflib/bugs/151/
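Review bot: The `- giflib <unfixed>` line for CVE-2020-23922 carries no `(bug #...)` reference, unlike most other unfixed entries touched in this change. With all three suites now tagged no-dsa, a Debian bug is the only place the issue would remain visible to the maintainer; consider filing one and recording it here.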
@@ -72223,6 +72234,7 @@ CVE-2020-13757 (Python-RSA before 4.1 ignores leading '\0' bytes during decrypti
[stretch] - python-rsa <no-dsa> (Minor issue)
[jessie] - python-rsa <no-dsa> (Minor issue)
NOTE: https://github.com/sybrenstuvel/python-rsa/issues/146
+ NOTE: https://github.com/sybrenstuvel/python-rsa/commit/93af6f2f89a9bf28361e67716c4240e691520f30
CVE-2020-13756 (Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data ...)
NOT-FOR-US: Sabberworm PHP CSS Parser
CVE-2020-13755
@@ -105929,6 +105941,7 @@ CVE-2020-1697 (It was found in all keycloak versions before 9.0.0 that links to
NOT-FOR-US: Keycloak
CVE-2020-1696 (A flaw was found in the all pki-core 10.x.x versions, where Token Proc ...)
- dogtag-pki <unfixed>
+ [bullseye] - dogtag-pki <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1780707
CVE-2020-1695 (A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final ...)
- resteasy <undetermined>
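Review bot: The `- dogtag-pki <unfixed>` line for CVE-2020-1696 has no `(bug #...)` reference, and this hunk adds only a bullseye no-dsa line with no corresponding buster line. If dogtag-pki is not in buster that is fine, but if it is, the buster state should be recorded alongside, as was done for the other entries in this change.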
@@ -175776,11 +175789,9 @@ CVE-2018-15913 (An issue was discovered in Cloudera Manager 5.x through 5.15.0.
CVE-2018-15912 (An issue was discovered in manjaro-update-system.sh in manjaro-system ...)
NOT-FOR-US: manjaro-update-system.sh in manjaro-system on Manjaro Linux
CVE-2018-15919 (Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 co ...)
- - openssh <unfixed> (low; bug #907503)
- [buster] - openssh <ignored> (Minor issue)
- [stretch] - openssh <ignored> (Minor issue)
- [jessie] - openssh <no-dsa> (Minor issue)
+ - openssh <unfixed> (unimportant; bug #907503)
NOTE: https://www.openwall.com/lists/oss-security/2018/08/27/2
+ NOTE: Not treated as a security issue by upstream
CVE-2018-15911 (In Artifex Ghostscript 9.23 before 2018-08-24, attackers able to suppl ...)
{DSA-4288-1 DLA-1504-1}
- ghostscript 9.22~dfsg-3 (bug #907332)
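Review bot: This hunk drops the buster, stretch and jessie lines for CVE-2018-15919 and lowers the severity from "low" to "unimportant", justified by the new NOTE "Not treated as a security issue by upstream". The existing openwall reference is the 2018 disclosure; adding a pointer to where upstream states its position would make the downgrade verifiable later. Separately, the entry for CVE-2018-15919 sits between CVE-2018-15912 and CVE-2018-15911 in the file, which is out of the descending order used elsewhere; not introduced by this change, but worth a follow-up.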
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab67826371fea58c5ff2ce10fe611d3187e0cc5a