[Git][security-tracker-team/security-tracker][master] 2 commits: bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue May 11 09:25:57 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
01be2328 by Moritz Muehlenhoff at 2021-05-11T10:25:37+02:00
bullseye triage
- - - - -
d16b3014 by Moritz Muehlenhoff at 2021-05-11T10:25:38+02:00
buster triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -857,6 +857,7 @@ CVE-2021-32062 (MapServer before 7.0.8, 7.1.x and 7.2.x before 7.2.3, 7.3.x and
NOTE: Fixed in 7.0.8, 7.2.3, 7.4.5, 7.6.3
CVE-2019-25043 (ModSecurity 3.x before 3.0.4 mishandles key-value pair parsing, as dem ...)
- modsecurity 3.0.4-1
+ [buster] - modsecurity <no-dsa> (Minor issue)
NOTE: https://github.com/SpiderLabs/ModSecurity/issues/2566
NOTE: https://github.com/SpiderLabs/ModSecurity/commit/9cac167fafd180902c2aa5dc6141aae874127199
CVE-2021-3537 [NULL pointer dereference in valid.c in xmlValidBuildAContentModel]
@@ -6858,6 +6859,7 @@ CVE-2021-29496
RESERVED
CVE-2021-29495 (Nim is a statically typed compiled systems programming language. In Ni ...)
- nim 1.4.2-1
+ [buster] - nim <no-dsa> (Minor issue)
NOTE: https://github.com/nim-lang/security/security/advisories/GHSA-9vqv-2jj9-7mqr
CVE-2021-29494
RESERVED
@@ -8302,6 +8304,7 @@ CVE-2021-28900
RESERVED
CVE-2021-28899 (Vulnerability in the AC3AudioFileServerMediaSubsession, ADTSAudioFileS ...)
- liblivemedia <removed>
+ [buster] - liblivemedia <no-dsa> (Minor issue)
NOTE: http://lists.live555.com/pipermail/live-devel/2021-March/021891.html
CVE-2021-28898
RESERVED
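Review bot: liblivemedia is already `<removed>` from unstable (the `- liblivemedia <removed>` line just above), so a buster point update is the only route by which this issue can still be fixed in Debian; if no such update is planned, `<ignored>` would state that more accurately than `<no-dsa>`, as the imagemagick buster entries elsewhere in this same commit do.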
@@ -10616,6 +10619,7 @@ CVE-2021-27928 (A remote code execution issue was discovered in MariaDB 10.2 bef
{DLA-2605-1}
- mariadb-10.5 1:10.5.9-1
- mariadb-10.3 <removed>
+ [buster] - mariadb-10.3 <no-dsa> (Minor issue)
- mariadb-10.1 <removed>
NOTE: https://jira.mariadb.org/browse/MDEV-25179
NOTE: Fixed in MariaDB: 10.5.9, 10.4.18, 10.3.28, 10.2.27
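Review bot: the NOTE line records the fix as shipped in upstream 10.3.28, and mariadb-10.3 is `<removed>` in unstable, so a buster update to that upstream release is the only remaining fix path; the annotation could say whether one is planned, using the `<postponed> (Minor issue; can be fixed in next update)` form that already appears in this file, rather than a bare `<no-dsa> (Minor issue)`.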
@@ -14477,6 +14481,7 @@ CVE-2021-26292
RESERVED
CVE-2021-26291 (Apache Maven will follow repositories that are defined in a dependency ...)
- maven <unfixed> (bug #988155)
+ [buster] - maven <no-dsa> (Minor issue)
[stretch] - maven <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/04/23/5
NOTE: https://issues.apache.org/jira/browse/MNG-7118
@@ -21282,6 +21287,7 @@ CVE-2021-23383 (The package handlebars before 4.7.7 are vulnerable to Prototype
NOTE: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029
CVE-2021-23382 (The package postcss before 8.2.13 are vulnerable to Regular Expression ...)
- node-postcss 8.2.1+~cs5.3.23-7
+ [buster] - node-postcss <no-dsa> (Minor issue)
NOTE: https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
NOTE: https://github.com/postcss/postcss/commit/2ad1ca9b965dde32223bee28dc259c339cbaaa05 (8.2.13)
CVE-2021-23381 (This affects all versions of package killing. If attacker-controlled u ...)
@@ -29579,6 +29585,7 @@ CVE-2021-20314
CVE-2021-20313 [Cipher leak when the calculating signatures in TransformSignatureof MagickCore/signature.c]
RESERVED
- imagemagick <unfixed>
+ [bullseye] - imagemagick <no-dsa> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/commit/70aa86f5d5d8aa605a918ed51f7574f433a18482
NOTE: IM6: https://github.com/ImageMagick/ImageMagick6/commit/e53e24b078f7fa586f9cc910491b8910f5bdad2e
@@ -29601,6 +29608,7 @@ CVE-2021-20310 [Division by zero in ConvertXYZToJzazbz() of MagickCore/colorspac
CVE-2021-20309 [Division by zero in WaveImage() of MagickCore/visual-effects.c]
RESERVED
- imagemagick <unfixed>
+ [bullseye] - imagemagick <ignored> (Minor issue)
[buster] - imagemagick <ignored> (Minor issue)
[stretch] - imagemagick <postponed> (Minor issue; can be fixed in next update)
NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/94174beff065cb5683d09d79e992c3ebbdead311
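Review bot: the two imagemagick entries touched in this commit get different bullseye tags with the same rationale: CVE-2021-20313 above is `[bullseye] - imagemagick <no-dsa> (Minor issue)`, CVE-2021-20309 here is `[bullseye] - imagemagick <ignored> (Minor issue)`. If the distinction is intended (one may still be picked up in a later update, the other will not), a word in the parenthetical would make that explicit; if not, the two should use the same tag.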
@@ -30195,6 +30203,7 @@ CVE-2021-20192
CVE-2021-20191
RESERVED
- ansible <unfixed> (bug #985753)
+ [bullseye] - ansible <no-dsa> (Minor issue)
[buster] - ansible <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1916813
NOTE: https://github.com/ansible-collections/cisco.nxos/pull/227
@@ -33709,23 +33718,25 @@ CVE-2020-29513
CVE-2020-29512
RESERVED
CVE-2020-29511 (The encoding/xml package in Go (all versions) does not correctly prese ...)
- - golang-1.15 <unfixed>
- - golang-1.11 <removed>
+ - golang-1.15 <unfixed> (unimportant)
+ - golang-1.11 <removed> (unimportant)
- golang-1.8 <removed>
[stretch] - golang-1.8 <ignored> (deemed unfixable by upstream who shifts responsibility to saml packages we don't ship)
- golang-1.7 <removed>
[stretch] - golang-1.7 <ignored> (deemed unfixable by upstream who shifts responsibility to saml packages we don't ship)
NOTE: https://github.com/golang/go/issues/43168
NOTE: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
+ NOTE: Upstream considers this WONTFIX and requires validation/updates in potentially affected SAML libs
CVE-2020-29510 (The encoding/xml package in Go versions 1.15 and earlier does not corr ...)
- - golang-1.15 <unfixed>
- - golang-1.11 <removed>
+ - golang-1.15 <unfixed> (unimportant)
+ - golang-1.11 <removed> (unimportant)
- golang-1.8 <removed>
[stretch] - golang-1.8 <ignored> (deemed unfixable by upstream who shifts responsibility to saml packages we don't ship)
- golang-1.7 <removed>
[stretch] - golang-1.7 <ignored> (deemed unfixable by upstream who shifts responsibility to saml packages we don't ship)
NOTE: https://github.com/golang/go/issues/43168
NOTE: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
+ NOTE: Upstream considers this WONTFIX and requires validation/updates in potentially affected SAML libs
CVE-2020-29509 (The encoding/xml package in Go (all versions) does not correctly prese ...)
- golang-github-russellhaering-gosaml2 <itp> (bug #948190)
- golang-1.15 <unfixed> (unimportant)
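Review bot: the `(unimportant)` marker is added only to the golang-1.15 and golang-1.11 lines of CVE-2020-29511 and CVE-2020-29510, while the golang-1.8 and golang-1.7 `<removed>` lines in the same entries keep only their stretch `<ignored>` annotation; since the new NOTE says upstream treats the whole class as WONTFIX, consider applying the same marker to the older sources for consistency, matching CVE-2020-29509 below where golang-1.15 already carries it. The added NOTE line is repeated verbatim in both entries, which is acceptable here because each CVE block in this file is read on its own.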
@@ -68446,6 +68457,7 @@ CVE-2020-15401 (IOBit Malware Fighter Pro 8.0.2.547 allows local users to gain p
NOT-FOR-US: IOBit Malware Fighter Pro
CVE-2020-15400 (CakePHP before 4.0.6 mishandles CSRF token generation. This might be r ...)
- cakephp <unfixed> (bug #985673)
+ [bullseye] - cakephp <ignored> (Minor issue)
[buster] - cakephp <ignored> (Minor issue)
[stretch] - cakephp <no-dsa> (Minor issue)
CVE-2020-15399
@@ -86995,6 +87007,7 @@ CVE-2020-8934
RESERVED
CVE-2020-8933 (A vulnerability in Google Cloud Platform's guest-oslogin versions betw ...)
- google-compute-image-packages <unfixed> (bug #987353)
+ [buster] - google-compute-image-packages <no-dsa> (Minor issue)
NOTE: https://cloud.google.com/compute/docs/security-bulletins#2020619
NOTE: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29
CVE-2020-8932
@@ -87051,6 +87064,7 @@ CVE-2020-8908 (A temp directory creation vulnerability exists in all versions of
NOT-FOR-US: Google Guava
CVE-2020-8907 (A vulnerability in Google Cloud Platform's guest-oslogin versions betw ...)
- google-compute-image-packages <unfixed> (bug #987353)
+ [buster] - google-compute-image-packages <no-dsa> (Minor issue)
NOTE: https://cloud.google.com/compute/docs/security-bulletins#2020619
NOTE: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29
CVE-2020-8906
@@ -87061,6 +87075,7 @@ CVE-2020-8904 (An arbitrary memory overwrite vulnerability in the trusted memory
NOT-FOR-US: Asylo
CVE-2020-8903 (A vulnerability in Google Cloud Platform's guest-oslogin versions betw ...)
- google-compute-image-packages <unfixed> (bug #987353)
+ [buster] - google-compute-image-packages <no-dsa> (Minor issue)
NOTE: https://cloud.google.com/compute/docs/security-bulletins#2020619
NOTE: https://github.com/GoogleCloudPlatform/guest-oslogin/pull/29
CVE-2020-8902 (Rendertron versions prior to 3.0.0 are are susceptible to a Server-Sid ...)
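Review bot: the same `[buster] - google-compute-image-packages <no-dsa> (Minor issue)` line is added to CVE-2020-8933, CVE-2020-8907 and CVE-2020-8903, which all point at bug #987353 and the same upstream guest-oslogin pull request; since one upload would close all three, the three entries must be updated together if a buster fix ever lands, so keeping the shared bug reference on each of them is the right call.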
@@ -138023,6 +138038,7 @@ CVE-2019-10173 (It was found that xstream API version 1.4.10 before 1.4.11 intro
CVE-2019-10172 (A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libr ...)
{DLA-2342-1 DLA-2091-1}
- libjackson-json-java 1.9.13-2
+ [buster] - libjackson-json-java <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1715075
NOTE: https://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38017721
NOTE: https://github.com/FasterXML/jackson-1/pull/1
@@ -228005,6 +228021,7 @@ CVE-2017-15095 (A deserialization flaw was discovered in the jackson-databind in
{DSA-4037-1 DLA-2342-1 DLA-2091-1}
- jackson-databind 2.9.1-1
- libjackson-json-java 1.9.13-2
+ [buster] - libjackson-json-java <no-dsa> (Minor issue)
NOTE: The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.4.2-2+deb8u1)
NOTE: misses the further sets of blacklists, in particular as well
NOTE: https://github.com/FasterXML/jackson-databind/commit/3bfbb835
@@ -251209,6 +251226,7 @@ CVE-2017-7525 (A deserialization flaw was discovered in the jackson-databind, ve
{DSA-4004-1 DLA-2342-1 DLA-2091-1}
- jackson-databind 2.9.1-1 (bug #870848)
- libjackson-json-java 1.9.13-2
+ [buster] - libjackson-json-java <no-dsa> (Minor issue)
NOTE: https://github.com/FasterXML/jackson-databind/issues/1599
NOTE: For libjackson-json-java:
NOTE: https://github.com/FasterXML/jackson-1/commit/9ac68db819bce7b9546bc4bf1c44f82ca910fa31
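Review bot: the three libjackson-json-java buster `<no-dsa>` annotations in this commit (CVE-2019-10172, CVE-2017-15095, CVE-2017-7525) all rely on fixes in the jackson-1 repository referenced in the NOTE lines, and two of them already have DLAs for older releases; if buster is ever updated, the upload should address all three CVEs at once, and a NOTE saying they are fixed together would make that dependency visible to whoever prepares it.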
=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,8 @@ linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more recent v4.19.y versions.
--
+lz4
+--
ndpi
--
jetty9
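Review bot: the new `lz4` entry in dsa-needed.txt carries no claimant, unlike `linux (carnil)` above it; if someone is already preparing the update, recording their name in parentheses avoids duplicated work, and a short note on the plan would help whoever picks it up, as the linux entry does for its rebase schedule.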
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/67f2be05fdf8827c7f6f327764d1c0d119b9dded...d16b3014a19501ac968cadcd2a9ee91c8b9ec610