[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed May 12 21:37:32 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8a1df16c by Moritz Muehlenhoff at 2021-05-12T22:36:10+02:00
bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -100,8 +100,9 @@ CVE-2021-3544 [vhost-user-gpu: multiple memory leaks]
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01158.html
 CVE-2021-3548 [OOB in dmg2img.c memcpy() causing undefined behavior]
 	RESERVED
-	- dmg2img <unfixed>
+	- dmg2img <unfixed> (unimportant)
 	NOTE: https://github.com/Lekensteyn/dmg2img/issues/9
+	NOTE: Crash in CLI tool, no security impact
 CVE-2021-3543
 	RESERVED
 CVE-2021-32575
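Review bot: the downgrade to `(unimportant)` on the `- dmg2img <unfixed>` line rests entirely on the added NOTE "Crash in CLI tool, no security impact", yet the entry title describes an out-of-bounds memcpy() "causing undefined behavior", which is more than a plain crash; the NOTE should state the reasoning (what makes the tool's input non-attacker-controlled in the Debian threat model) rather than only assert the conclusion, so the rationale survives a later re-triage.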
@@ -1347,6 +1348,8 @@ CVE-2021-3534
 CVE-2021-3533
 	RESERVED
 	- ansible <unfixed>
+	[bullseye] - ansible <no-dsa> (Minor issue)
+	[buster] - ansible <no-dsa> (Minor issue)
 	- ansible-base <unfixed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956477
 CVE-2021-32026
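Review bot: the new `[bullseye]` and `[buster]` `<no-dsa> (Minor issue)` lines cover only `ansible`, while the `- ansible-base <unfixed>` line directly below them is left without any per-release triage; if the same minor-issue assessment applies to ansible-base, add matching `[bullseye]`/`[buster]` lines for it, otherwise a NOTE explaining why the two source packages are treated differently would help.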
@@ -1382,6 +1385,8 @@ CVE-2021-32012
 CVE-2021-3532
 	RESERVED
 	- ansible <unfixed>
+	[bullseye] - ansible <no-dsa> (Minor issue)
+	[buster] - ansible <no-dsa> (Minor issue)
 	- ansible-base <undetermined>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1956464
 CVE-2021-3531
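Review bot: `ansible` is tagged `<no-dsa> (Minor issue)` for bullseye and buster here while `ansible-base` in the same entry stays `<undetermined>`; a severity judgement firm enough to support a no-dsa decision should also resolve the ansible-base status (or the entry should record what is still undetermined about it), since the two lines currently contradict each other on how well the issue is understood.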
@@ -6912,6 +6917,7 @@ CVE-2021-3480
 	RESERVED
 CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in versions bef ...)
 	- openexr <unfixed> (bug #986796)
+	[bullseye] - openexr <no-dsa> (Minor issue)
 	[buster] - openexr <no-dsa> (Minor issue)
 	[stretch] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370
@@ -6919,6 +6925,7 @@ CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in version
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830
 CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in versi ...)
 	- openexr <unfixed> (bug #986796)
+	[bullseye] - openexr <no-dsa> (Minor issue)
 	[buster] - openexr <no-dsa> (Minor issue)
 	[stretch] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409
@@ -6926,6 +6933,7 @@ CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality in
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a
 CVE-2021-3477 (There's a flaw in OpenEXR's deep tile sample size calculations in vers ...)
 	- openexr <unfixed> (bug #986796)
+	[bullseye] - openexr <no-dsa> (Minor issue)
 	[buster] - openexr <no-dsa> (Minor issue)
 	[stretch] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26956
@@ -7469,18 +7477,21 @@ CVE-2021-29425 (In Apache Commons IO before 2.7, When invoking the method FileNa
 	NOTE: https://issues.apache.org/jira/browse/IO-556
 CVE-2021-3476 (A flaw was found in OpenEXR's B44 uncompression functionality in versi ...)
 	- openexr <unfixed> (bug #986796)
+	[bullseye] - openexr <no-dsa> (Minor issue)
 	[buster] - openexr <no-dsa> (Minor issue)
 	[stretch] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24787
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9
 CVE-2021-3475 (There is a flaw in OpenEXR in versions before 3.0.0-beta. An attacker  ...)
 	- openexr <unfixed> (bug #986796)
+	[bullseye] - openexr <no-dsa> (Minor issue)
 	[buster] - openexr <no-dsa> (Minor issue)
 	[stretch] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25297
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753
 CVE-2021-3474 (There's a flaw in OpenEXR in versions before 3.0.0-beta. A crafted inp ...)
 	- openexr <unfixed> (bug #986796)
+	[bullseye] - openexr <no-dsa> (Minor issue)
 	[buster] - openexr <no-dsa> (Minor issue)
 	[stretch] - openexr <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24831
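Review bot: in the CVE-2021-3474 block the stretch line reads `<postponed> (Minor issue; can be fixed in next update)` while the new `[bullseye]` line and the neighbouring openexr CVEs all use `<no-dsa> (Minor issue)`; either the bullseye status should follow the postponed intent (a fix is still planned for the next update) or the stretch line is the odd one out and should be aligned with the rest, so that the six openexr entries sharing bug #986796 carry one consistent decision.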
@@ -14870,6 +14881,7 @@ CVE-2021-26292
 	RESERVED
 CVE-2021-26291 (Apache Maven will follow repositories that are defined in a dependency ...)
 	- maven <unfixed> (bug #988155)
+	[bullseye] - maven <no-dsa> (Minor issue)
 	[buster] - maven <no-dsa> (Minor issue)
 	[stretch] - maven <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/04/23/5
@@ -27645,6 +27657,7 @@ CVE-2021-21253 (OnlineVotingSystem is an open source project hosted on GitHub. O
 	NOT-FOR-US: OnlineVotingSystem
 CVE-2021-21252 (The jQuery Validation Plugin provides drop-in validation for your exis ...)
 	- civicrm <unfixed> (bug #980892)
+	[bullseye] - civicrm <no-dsa> (Minor issue)
 	- otrs2 6.0.32-4 (bug #980891)
 	[buster] - otrs2 <ignored> (Non-free not supported)
 	[stretch] - otrs2 <ignored> (Non-free not supported)
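Review bot: only `civicrm` gains a `[bullseye]` line in this hunk; `otrs2` carries `[buster]` and `[stretch]` `<ignored> (Non-free not supported)` entries but no bullseye entry. If otrs2 is not in bullseye, or bullseye already has 6.0.32-4 or later, nothing is needed, but a `[bullseye]` line or a NOTE would make that explicit rather than leaving the release untriaged.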
@@ -30057,6 +30070,7 @@ CVE-2021-20297 [Setting match.path and activating a profiles crashes NetworkMana
 	NOTE: Fixed by: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/420784e342da4883f6debdfe10cde68507b10d27
 CVE-2021-20296 (A flaw was found in OpenEXR in versions before 3.0.0-beta. A crafted i ...)
 	- openexr <unfixed> (bug #986796)
+	[bullseye] - openexr <no-dsa> (Minor issue)
 	[buster] - openexr <no-dsa> (Minor issue)
 	[stretch] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24854
@@ -30188,6 +30202,7 @@ CVE-2021-20268 (An out-of-bounds access flaw was found in the Linux kernel's imp
 CVE-2021-20267
 	RESERVED
 	- neutron <unfixed> (bug #985104)
+	[bullseye] - neutron <no-dsa> (Minor issue)
 	[buster] - neutron <no-dsa> (Minor issue)
 	[stretch] - neutron <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/neutron/+bug/1902917
@@ -30633,6 +30648,7 @@ CVE-2021-20181 [9pfs: Fully restart unreclaim loop]
 CVE-2021-20180
 	RESERVED
 	- ansible <unfixed> (bug #985753)
+	[bullseye] - ansible <no-dsa> (Minor issue)
 	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1915808
 	NOTE: https://github.com/ansible-collections/community.general/pull/1635
@@ -30643,6 +30659,7 @@ CVE-2021-20179 (A flaw was found in pki-core. An attacker who has successfully c
 CVE-2021-20178 [user data leak in snmp_facts module]
 	RESERVED
 	- ansible <unfixed> (bug #985753)
+	[bullseye] - ansible <no-dsa> (Minor issue)
 	[buster] - ansible <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1914774
 	NOTE: https://github.com/ansible-collections/community.general/pull/1621
@@ -49912,6 +49929,7 @@ CVE-2020-24393 (TweetStream 2.6.1 uses the library eventmachine in an insecure w
 	NOT-FOR-US: TweetStream
 CVE-2020-24392 (In voloko twitter-stream 0.1.10, missing TLS hostname validation allow ...)
 	- ruby-twitter-stream <unfixed>
+	[bullseye] - ruby-twitter-stream <no-dsa> (Minor issue)
 	[buster] - ruby-twitter-stream <no-dsa> (Minor issue)
 	[stretch] - ruby-twitter-stream <no-dsa> (Minor issue)
 	NOTE: https://securitylab.github.com/advisories/GHSL-2020-097-voloko-twitter-stream
@@ -77405,7 +77423,8 @@ CVE-2019-20791 (OpenThread before 2019-12-13 has a stack-based buffer overflow i
 	NOT-FOR-US: OpenThread
 CVE-2018-21232 (re2c before 2.0 has uncontrolled recursion that causes stack consumpti ...)
 	- re2c <unfixed>
-	[buster] - re2c <no-dsa> (Minor issue)
+	[bullseye] - re2c <ignored> (Minor issue)
+	[buster] - re2c <ignored> (Minor issue)
 	[stretch] - re2c <no-dsa> (Minor issue)
 	[jessie] - re2c <no-dsa> (Minor issue)
 	NOTE: https://github.com/skvadrik/re2c/issues/219
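Review bot: buster is flipped from `<no-dsa>` to `<ignored>` with the parenthetical left as "(Minor issue)", and the new bullseye line uses the same text, while stretch and jessie keep `<no-dsa> (Minor issue)`; an `ignored` tag should carry the reason a fix will not be made (the no-dsa justification does not explain that), and the stretch/jessie lines should either be updated to match the new decision or left with a NOTE saying why they differ.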



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a1df16c91b448f2e93e79253ef199cea0f123eb


