[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue May 18 19:52:47 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a8b6651a by Moritz Muehlenhoff at 2021-05-18T20:52:20+02:00
bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -4612,6 +4612,8 @@ CVE-2021-31163
 	RESERVED
 CVE-2021-31162 (In the standard library in Rust before 1.52.0, a double free can occur ...)
 	- rustc <unfixed>
+	[bullseye] - rustc <no-dsa> (Minor issue)
+	[buster] - rustc <no-dsa> (Minor issue)
 	NOTE: https://github.com/rust-lang/rust/issues/83618
 	NOTE: https://github.com/rust-lang/rust/pull/83629
 CVE-2021-31161
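Review bot: the unstable line "- rustc <unfixed>" for CVE-2021-31162 carries no Debian bug reference, whereas the other rustc standard-library CVEs touched in this commit (CVE-2020-36318, CVE-2021-28879 and siblings) record "(bug #986803)". If that bug also tracks this double free, add the reference on the unstable line so the bullseye/buster no-dsa decisions stay traceable to a bug; the same applies to CVE-2020-36323 in the next hunk.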
@@ -5662,6 +5664,8 @@ CVE-2021-30642 (An input validation flaw in the Symantec Security Analytics web
 	NOT-FOR-US: Symantec
 CVE-2020-36323 (In the standard library in Rust before 1.52.0, there is an optimizatio ...)
 	- rustc <unfixed>
+	[bullseye] - rustc <no-dsa> (Minor issue)
+	[buster] - rustc <no-dsa> (Minor issue)
 	NOTE: https://github.com/rust-lang/rust/issues/80335
 	NOTE: https://github.com/rust-lang/rust/pull/81728
 CVE-2020-36322 (An issue was discovered in the FUSE filesystem implementation in the L ...)
@@ -6141,14 +6145,20 @@ CVE-2021-30488
 	RESERVED
 CVE-2020-36318 (In the standard library in Rust before 1.49.0, VecDeque::make_contiguo ...)
 	- rustc <unfixed> (bug #986803)
+	[bullseye] - rustc <no-dsa> (Minor issue)
+	[buster] - rustc <no-dsa> (Minor issue)
 	NOTE: https://github.com/rust-lang/rust/issues/79808
 	NOTE: https://github.com/rust-lang/rust/pull/79814
 CVE-2020-36317 (In the standard library in Rust before 1.49.0, String::retain() functi ...)
 	- rustc <unfixed> (bug #986803)
+	[bullseye] - rustc <no-dsa> (Minor issue)
+	[buster] - rustc <no-dsa> (Minor issue)
 	NOTE: https://github.com/rust-lang/rust/issues/78498
 	NOTE: https://github.com/rust-lang/rust/pull/78499
 CVE-2015-20001 (In the standard library in Rust before 1.2.0, BinaryHeap is not panic- ...)
 	- rustc 1.2.0+dfsg1-1
+	[bullseye] - rustc <no-dsa> (Minor issue)
+	[buster] - rustc <no-dsa> (Minor issue)
 	NOTE: https://github.com/rust-lang/rust/issues/25842
 	NOTE: https://github.com/rust-lang/rust/pull/25856
 CVE-2021-30487 (In the topic moving API in Zulip Server 3.x before 3.4, organization a ...)
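Review bot: the CVE-2015-20001 entry looks inconsistent after this hunk. Its unstable line records the fix as "- rustc 1.2.0+dfsg1-1", and a release-specific <no-dsa> tag is only meaningful for a release that still carries a vulnerable version. If buster and bullseye ship a rustc at or above 1.2.0+dfsg1-1, the tracker already treats them as fixed and the two added tags are misleading; either drop them for this CVE or correct the fixed-version line if 1.2.0+dfsg1-1 is wrong. The other four entries in the hunk (all <unfixed> with bug #986803) are fine.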
@@ -7478,6 +7488,7 @@ CVE-2021-30002 (An issue was discovered in the Linux kernel before 5.11.3 when a
 	NOTE: https://git.kernel.org/linus/fb18802a338b36f675a388fc03d2aa504a0d0899
 CVE-2021-3482 (A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. ...)
 	- exiv2 <unfixed> (bug #986888)
+	[bullseye] - exiv2 <no-dsa> (Minor issue)
 	[buster] - exiv2 <no-dsa> (Minor issue)
 	[stretch] - exiv2 <postponed> (Minor issue; can be fixed in next update)
 	NOTE: https://github.com/Exiv2/exiv2/issues/1522
@@ -8583,6 +8594,7 @@ CVE-2021-29471 (Synapse is a Matrix reference homeserver written in python (pypi
 	NOTE: https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c (v1.33.2)
 CVE-2021-29470 (Exiv2 is a command-line utility and C++ library for reading, writing,  ...)
 	- exiv2 <unfixed> (bug #987450)
+	[bullseye] - exiv2 <no-dsa> (Minor issue)
 	[buster] - exiv2 <no-dsa> (Minor issue)
 	[stretch] - exiv2 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj
@@ -8605,12 +8617,14 @@ CVE-2021-29465 (Discord-Recon is a bot for the Discord chat service. Versions of
 	NOT-FOR-US: Discord-Recon
 CVE-2021-29464 (Exiv2 is a command-line utility and C++ library for reading, writing,  ...)
 	- exiv2 <unfixed> (bug #988242)
+	[bullseye] - exiv2 <no-dsa> (Minor issue)
 	[buster] - exiv2 <not-affected> (Vulnerable code introduced later)
 	[stretch] - exiv2 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-jgm9-5fw5-pw9p
 	NOTE: https://github.com/Exiv2/exiv2/commit/f9308839198aca5e68a65194f151a1de92398f54
 CVE-2021-29463 (Exiv2 is a command-line utility and C++ library for reading, writing,  ...)
 	- exiv2 <unfixed> (bug #988241)
+	[bullseye] - exiv2 <no-dsa> (Minor issue)
 	[buster] - exiv2 <not-affected> (webp support introduced in 0.27)
 	[stretch] - exiv2 <not-affected> (webp support introduced in 0.27)
 	NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-5p8g-9xf3-gfrr
@@ -8629,6 +8643,7 @@ CVE-2021-29459 (XWiki Platform is a generic wiki platform offering runtime servi
 	NOT-FOR-US: XWiki
 CVE-2021-29458 (Exiv2 is a command-line utility and C++ library for reading, writing,  ...)
 	- exiv2 <unfixed> (bug #987277)
+	[bullseye] - exiv2 <no-dsa> (Minor issue)
 	[buster] - exiv2 <no-dsa> (Minor issue)
 	[stretch] - exiv2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-57jj-75fm-9rq5
@@ -8641,6 +8656,7 @@ CVE-2021-29458 (Exiv2 is a command-line utility and C++ library for reading, wri
 	NOTE: https://github.com/Exiv2/exiv2/commit/06d2db6e5fd2fcca9c060e95fc97f8a5b5d4c22d
 CVE-2021-29457 (Exiv2 is a command-line utility and C++ library for reading, writing,  ...)
 	- exiv2 <unfixed> (bug #987277)
+	[bullseye] - exiv2 <no-dsa> (Minor issue)
 	[buster] - exiv2 <no-dsa> (Minor issue)
 	[stretch] - exiv2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm
@@ -9993,21 +10009,31 @@ CVE-2021-28880
 	RESERVED
 CVE-2021-28879 (In the standard library in Rust before 1.52.0, the Zip implementation  ...)
 	- rustc <unfixed> (bug #986803)
+	[bullseye] - rustc <no-dsa> (Minor issue)
+	[buster] - rustc <no-dsa> (Minor issue)
 	NOTE: https://github.com/rust-lang/rust/issues/82282
 	NOTE: https://github.com/rust-lang/rust/pull/82289
 CVE-2021-28878 (In the standard library in Rust before 1.52.0, the Zip implementation  ...)
 	- rustc <unfixed> (bug #986803)
+	[bullseye] - rustc <no-dsa> (Minor issue)
+	[buster] - rustc <no-dsa> (Minor issue)
 	NOTE: https://github.com/rust-lang/rust/issues/82291
 	NOTE: https://github.com/rust-lang/rust/pull/82292
 CVE-2021-28877 (In the standard library in Rust before 1.51.0, the Zip implementation  ...)
 	- rustc <unfixed> (bug #986803)
+	[bullseye] - rustc <no-dsa> (Minor issue)
+	[buster] - rustc <no-dsa> (Minor issue)
 	NOTE: https://github.com/rust-lang/rust/pull/80670
 CVE-2021-28876 (In the standard library in Rust before 1.52.0, the Zip implementation  ...)
 	- rustc <unfixed> (bug #986803)
+	[bullseye] - rustc <no-dsa> (Minor issue)
+	[buster] - rustc <no-dsa> (Minor issue)
 	NOTE: https://github.com/rust-lang/rust/issues/81740
 	NOTE: https://github.com/rust-lang/rust/pull/81741
 CVE-2021-28875 (In the standard library in Rust before 1.50.0, read_to_end() does not  ...)
 	- rustc <unfixed> (bug #986803)
+	[bullseye] - rustc <no-dsa> (Minor issue)
+	[buster] - rustc <no-dsa> (Minor issue)
 	NOTE: https://github.com/rust-lang/rust/issues/80894
 	NOTE: https://github.com/rust-lang/rust/pull/80895
 CVE-2021-28874 (SerenityOS fixed as of c9f25bca048443e317f1994ba9b106f2386688c3 contai ...)
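Review bot: CVE-2021-28877 in this hunk carries only a pull-request link (rust-lang/rust#80670), while every neighbouring Zip/read_to_end entry pairs an issue URL with the fixing PR. If an upstream issue exists for this one, add it as a second NOTE line for consistency; otherwise the tags are in line with the rest of the group.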
@@ -65073,6 +65099,8 @@ CVE-2020-17524
 	REJECTED
 CVE-2020-17523 (Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a spec ...)
 	- shiro <unfixed>
+	[bullseye] - shiro <no-dsa> (Minor issue)
+	[buster] - shiro <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/02/01/3
 	NOTE: https://issues.apache.org/jira/browse/SHIRO-797
 CVE-2020-17522 (When ORT (now via atstccfg) generates ip_allow.config files in Apache  ...)
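Review bot: the unstable line "- shiro <unfixed>" for CVE-2020-17523 has no Debian bug reference, unlike CVE-2020-13933 further down (bug #968753) and CVE-2020-1957 (bug #955018). Since shiro is <unfixed> in unstable as well, a bug should exist (or be filed) before tagging bullseye and buster <no-dsa>, so that the triage decision and the eventual fix can be tracked; the same holds for CVE-2020-17510 in the next hunk.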
@@ -65107,6 +65135,8 @@ CVE-2020-17511 (In Airflow versions prior to 1.10.13, when creating a user using
 	- airflow <itp> (bug #819700)
 CVE-2020-17510 (Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a spec ...)
 	- shiro <unfixed>
+	[bullseye] - shiro <no-dsa> (Minor issue)
+	[buster] - shiro <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/7
 	NOTE: https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E
 	NOTE: https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12349284&styleName=Text&projectId=12310950
@@ -74326,6 +74356,8 @@ CVE-2020-13934 (An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6
 	NOTE: https://github.com/apache/tomcat/commit/172977f04a5215128f1e278a688983dcd230f399 (9.0.37)
 CVE-2020-13933 (Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafte ...)
 	- shiro <unfixed> (bug #968753)
+	[bullseye] - shiro <no-dsa> (Minor issue)
+	[buster] - shiro <no-dsa> (Minor issue)
 	NOTE: https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E
 CVE-2020-13932 (In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT p ...)
 	NOT-FOR-US: Apache ActiveMQ Artemis
@@ -78693,13 +78725,10 @@ CVE-2020-12287 (Incorrect permissions in the Intel(R) Distribution of OpenVINO(T
 CVE-2019-20791 (OpenThread before 2019-12-13 has a stack-based buffer overflow in Mesh ...)
 	NOT-FOR-US: OpenThread
 CVE-2018-21232 (re2c before 2.0 has uncontrolled recursion that causes stack consumpti ...)
-	- re2c <unfixed>
-	[bullseye] - re2c <ignored> (Minor issue)
-	[buster] - re2c <ignored> (Minor issue)
-	[stretch] - re2c <no-dsa> (Minor issue)
-	[jessie] - re2c <no-dsa> (Minor issue)
+	- re2c <unfixed> (unimportant)
 	NOTE: https://github.com/skvadrik/re2c/issues/219
 	NOTE: https://www.openwall.com/lists/oss-security/2020/04/27/2
+	NOTE: Crash im CLI tool, no security impact
 CVE-2020-12286 (In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, the Task ...)
 	NOT-FOR-US: Octopus Deploy
 CVE-2020-12285
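Review bot: typo in the added NOTE line: "Crash im CLI tool" should read "Crash in CLI tool". On the tag change itself: collapsing the per-release <ignored>/<no-dsa> tags into a single "(unimportant)" on the unstable line matches the new no-security-impact note, but the dropped stretch and jessie tags were set as <no-dsa> rather than <ignored>, so the LTS team's assessment is being overridden here; worth confirming with them that the uncontrolled recursion is only reachable through the re2c command-line tool and not through anything that processes untrusted input.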
@@ -79470,6 +79499,8 @@ CVE-2020-11990 (We have resolved a security issue in the camera plugin that coul
 CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic ...)
 	{DLA-2273-1}
 	- shiro <unfixed>
+	[bullseye] - shiro <no-dsa> (Minor issue)
+	[buster] - shiro <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1
 	NOTE: https://github.com/apache/shiro/pull/211
 	NOTE: https://issues.apache.org/jira/browse/SHIRO-753
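Review bot: this entry already references {DLA-2273-1}, i.e. a backported fix exists for stretch, while the unstable line is still <unfixed> and buster/bullseye are now tagged <no-dsa>. A fix that was already backported to an older release is usually easy to carry into buster via a point update, so "Minor issue" alone may undersell it; consider <postponed> with a note that the DLA patch can be reused, and at minimum add a Debian bug reference on the unstable line as CVE-2020-1957 below has.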
@@ -107407,6 +107438,8 @@ CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, calle
 CVE-2020-1957 (Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic ...)
 	{DLA-2273-1 DLA-2181-1}
 	- shiro <unfixed> (bug #955018)
+	[bullseye] - shiro <no-dsa> (Minor issue)
+	[buster] - shiro <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/03/23/2
 	NOTE: Fixed by: https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139
 	NOTE: https://github.com/apache/shiro/pull/203#issuecomment-606270322
@@ -133448,6 +133481,7 @@ CVE-2019-12423 (Apache CXF ships with a OpenId Connect JWK Keys service, which a
 	NOT-FOR-US: Apache CFX
 CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember me" config ...)
 	- shiro <unfixed> (low; bug #947945)
+	[bullseye] - shiro <no-dsa> (Minor issue)
 	[buster] - shiro <no-dsa> (Minor issue)
 	[stretch] - shiro <no-dsa> (Minor issue)
 	[jessie] - shiro <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8b6651a4826666e901b10cd42be74039618e636




