[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed May 12 21:37:32 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8a1df16c by Moritz Muehlenhoff at 2021-05-12T22:36:10+02:00
bullseye triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -100,8 +100,9 @@ CVE-2021-3544 [vhost-user-gpu: multiple memory leaks]
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01158.html
CVE-2021-3548 [OOB in dmg2img.c memcpy() causing undefined behavior]
RESERVED
- - dmg2img <unfixed>
+ - dmg2img <unfixed> (unimportant)
NOTE: https://github.com/Lekensteyn/dmg2img/issues/9
+ NOTE: Crash in CLI tool, no security impact
CVE-2021-3543
RESERVED
CVE-2021-32575
@@ -1347,6 +1348,8 @@ CVE-2021-3534
CVE-2021-3533
RESERVED
- ansible <unfixed>
+ [bullseye] - ansible <no-dsa> (Minor issue)
+ [buster] - ansible <no-dsa> (Minor issue)
- ansible-base <unfixed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956477
CVE-2021-32026
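Review bot: The bullseye/buster <no-dsa> tags are added only for the ansible source package, while the "- ansible-base <unfixed>" line in the same hunk gets no release tag; if ansible-base ships in bullseye, the tracker will still list this CVE as unfixed for the release. Either add matching "[bullseye] - ansible-base <no-dsa> (Minor issue)" / "[buster]" lines or a NOTE explaining why ansible-base needs no release triage.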
@@ -1382,6 +1385,8 @@ CVE-2021-32012
CVE-2021-3532
RESERVED
- ansible <unfixed>
+ [bullseye] - ansible <no-dsa> (Minor issue)
+ [buster] - ansible <no-dsa> (Minor issue)
- ansible-base <undetermined>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956464
CVE-2021-3531
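Review bot: Same gap as in CVE-2021-3533, with the added twist that ansible-base is still "<undetermined>" here: tagging ansible as no-dsa for bullseye and buster before it is known whether ansible-base is affected means the release status of this CVE remains open. Resolve the undetermined entry (or add a NOTE with the reason it is unresolved) so the bullseye triage for this CVE is complete.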
@@ -6912,6 +6917,7 @@ CVE-2021-3480
RESERVED
CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in versions bef ...)
- openexr <unfixed> (bug #986796)
+ [bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
[stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370
@@ -6919,6 +6925,7 @@ CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in version
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830
CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in versi ...)
- openexr <unfixed> (bug #986796)
+ [bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
[stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409
@@ -6926,6 +6933,7 @@ CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a
CVE-2021-3477 (There's a flaw in OpenEXR's deep tile sample size calculations in vers ...)
- openexr <unfixed> (bug #986796)
+ [bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
[stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26956
@@ -7469,18 +7477,21 @@ CVE-2021-29425 (In Apache Commons IO before 2.7, When invoking the method FileNa
NOTE: https://issues.apache.org/jira/browse/IO-556
CVE-2021-3476 (A flaw was found in OpenEXR's B44 uncompression functionality in versi ...)
- openexr <unfixed> (bug #986796)
+ [bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
[stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24787
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9
CVE-2021-3475 (There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker ...)
- openexr <unfixed> (bug #986796)
+ [bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
[stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25297
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753
CVE-2021-3474 (There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted inp ...)
- openexr <unfixed> (bug #986796)
+ [bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
[stretch] - openexr <postponed> (Minor issue; can be fixed in next update)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24831
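Review bot: For CVE-2021-3474 the hunk gives bullseye "<no-dsa> (Minor issue)" while the existing stretch line reads "<postponed> (Minor issue; can be fixed in next update)"; if a fix is expected to land in a point update, the bullseye entry for this CVE would be more consistent as <postponed> with the same rationale, as the other openexr CVEs in this hunk use plain no-dsa throughout and this one is already treated differently for stretch.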
@@ -14870,6 +14881,7 @@ CVE-2021-26292
RESERVED
CVE-2021-26291 (Apache Maven will follow repositories that are defined in a dependency ...)
- maven <unfixed> (bug #988155)
+ [bullseye] - maven <no-dsa> (Minor issue)
[buster] - maven <no-dsa> (Minor issue)
[stretch] - maven <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/04/23/5
@@ -27645,6 +27657,7 @@ CVE-2021-21253 (OnlineVotingSystem is an open source project hosted on GitHub. O
NOT-FOR-US: OnlineVotingSystem
CVE-2021-21252 (The jQuery Validation Plugin provides drop-in validation for your exis ...)
- civicrm <unfixed> (bug #980892)
+ [bullseye] - civicrm <no-dsa> (Minor issue)
- otrs2 6.0.32-4 (bug #980891)
[buster] - otrs2 <ignored> (Non-free not supported)
[stretch] - otrs2 <ignored> (Non-free not supported)
@@ -30057,6 +30070,7 @@ CVE-2021-20297 [Setting match.path and activating a profiles crashes NetworkMana
NOTE: Fixed by: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/420784e342da4883f6debdfe10cde68507b10d27
CVE-2021-20296 (A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted i ...)
- openexr <unfixed> (bug #986796)
+ [bullseye] - openexr <no-dsa> (Minor issue)
[buster] - openexr <no-dsa> (Minor issue)
[stretch] - openexr <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24854
@@ -30188,6 +30202,7 @@ CVE-2021-20268 (An out-of-bounds access flaw was found in the Linux kernel's imp
CVE-2021-20267
RESERVED
- neutron <unfixed> (bug #985104)
+ [bullseye] - neutron <no-dsa> (Minor issue)
[buster] - neutron <no-dsa> (Minor issue)
[stretch] - neutron <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/neutron/+bug/1902917
@@ -30633,6 +30648,7 @@ CVE-2021-20181 [9pfs: Fully restart unreclaim loop]
CVE-2021-20180
RESERVED
- ansible <unfixed> (bug #985753)
+ [bullseye] - ansible <no-dsa> (Minor issue)
[buster] - ansible <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1915808
NOTE: https://github.com/ansible-collections/community.general/pull/1635
@@ -30643,6 +30659,7 @@ CVE-2021-20179 (A flaw was found in pki-core. An attacker who has successfully c
CVE-2021-20178 [user data leak in snmp_facts module]
RESERVED
- ansible <unfixed> (bug #985753)
+ [bullseye] - ansible <no-dsa> (Minor issue)
[buster] - ansible <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1914774
NOTE: https://github.com/ansible-collections/community.general/pull/1621
@@ -49912,6 +49929,7 @@ CVE-2020-24393 (TweetStream 2.6.1 uses the library eventmachine in an insecure w
NOT-FOR-US: TweetStream
CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname validation allow ...)
- ruby-twitter-stream <unfixed>
+ [bullseye] - ruby-twitter-stream <no-dsa> (Minor issue)
[buster] - ruby-twitter-stream <no-dsa> (Minor issue)
[stretch] - ruby-twitter-stream <no-dsa> (Minor issue)
NOTE: https://securitylab.github.com/advisories/GHSL-2020-097-voloko-twitter-stream
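Review bot: The rationale text "Minor issue" is the only justification for the new bullseye <no-dsa> tag, yet the CVE description in the hunk is a missing TLS hostname validation, which is a certificate-check bypass rather than a crash; the reason string should say why it is minor for Debian (for example the package's role or exposure), so a later triager does not have to re-derive the decision from the GHSL advisory.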
@@ -77405,7 +77423,8 @@ CVE-2019-20791 (OpenThread before 2019-12-13 has a stack-based buffer overflow i
NOT-FOR-US: OpenThread
CVE-2018-21232 (re2c before 2.0 has uncontrolled recursion that causes stack consumpti ...)
- re2c <unfixed>
- [buster] - re2c <no-dsa> (Minor issue)
+ [bullseye] - re2c <ignored> (Minor issue)
+ [buster] - re2c <ignored> (Minor issue)
[stretch] - re2c <no-dsa> (Minor issue)
[jessie] - re2c <no-dsa> (Minor issue)
NOTE: https://github.com/skvadrik/re2c/issues/219
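Review bot: This hunk changes buster from "<no-dsa> (Minor issue)" to "<ignored> (Minor issue)" and adds bullseye as <ignored>, but leaves stretch and jessie at <no-dsa> with the identical reason string; the reason text for an <ignored> entry should state why the uncontrolled recursion will never be fixed in the release (not just "Minor issue"), and stretch/jessie should either be aligned with the new decision or a NOTE should record why they differ.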
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a1df16c91b448f2e93e79253ef199cea0f123eb