[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue May 18 19:52:47 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a8b6651a by Moritz Muehlenhoff at 2021-05-18T20:52:20+02:00
bullseye triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -4612,6 +4612,8 @@ CVE-2021-31163
RESERVED
CVE-2021-31162 (In the standard library in Rust before 1.52.0, a double free can occur ...)
- rustc <unfixed>
+ [bullseye] - rustc <no-dsa> (Minor issue)
+ [buster] - rustc <no-dsa> (Minor issue)
NOTE: https://github.com/rust-lang/rust/issues/83618
NOTE: https://github.com/rust-lang/rust/pull/83629
CVE-2021-31161
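Review bot: the two added no-dsa lines for CVE-2021-31162 give only "Minor issue" as the reason, although the (truncated) description is a double free in the Rust standard library. A short justification in the parenthesis, or a NOTE line of the kind this commit adds for re2c, stating which API is affected and why packaged software is not exposed, would make the decision reviewable later.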
@@ -5662,6 +5664,8 @@ CVE-2021-30642 (An input validation flaw in the Symantec Security Analytics web
NOT-FOR-US: Symantec
CVE-2020-36323 (In the standard library in Rust before 1.52.0, there is an optimizatio ...)
- rustc <unfixed>
+ [bullseye] - rustc <no-dsa> (Minor issue)
+ [buster] - rustc <no-dsa> (Minor issue)
NOTE: https://github.com/rust-lang/rust/issues/80335
NOTE: https://github.com/rust-lang/rust/pull/81728
CVE-2020-36322 (An issue was discovered in the FUSE filesystem implementation in the L ...)
@@ -6141,14 +6145,20 @@ CVE-2021-30488
RESERVED
CVE-2020-36318 (In the standard library in Rust before 1.49.0, VecDeque::make_contiguo ...)
- rustc <unfixed> (bug #986803)
+ [bullseye] - rustc <no-dsa> (Minor issue)
+ [buster] - rustc <no-dsa> (Minor issue)
NOTE: https://github.com/rust-lang/rust/issues/79808
NOTE: https://github.com/rust-lang/rust/pull/79814
CVE-2020-36317 (In the standard library in Rust before 1.49.0, String::retain() functi ...)
- rustc <unfixed> (bug #986803)
+ [bullseye] - rustc <no-dsa> (Minor issue)
+ [buster] - rustc <no-dsa> (Minor issue)
NOTE: https://github.com/rust-lang/rust/issues/78498
NOTE: https://github.com/rust-lang/rust/pull/78499
CVE-2015-20001 (In the standard library in Rust before 1.2.0, BinaryHeap is not panic- ...)
- rustc 1.2.0+dfsg1-1
+ [bullseye] - rustc <no-dsa> (Minor issue)
+ [buster] - rustc <no-dsa> (Minor issue)
NOTE: https://github.com/rust-lang/rust/issues/25842
NOTE: https://github.com/rust-lang/rust/pull/25856
CVE-2021-30487 (In the topic moving API in Zulip Server 3.x before 3.4, organization a ...)
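Review bot: in the CVE-2015-20001 entry the package line `- rustc 1.2.0+dfsg1-1` already records a fixed version, so the added `[bullseye] - rustc <no-dsa> (Minor issue)` and `[buster] - rustc <no-dsa> (Minor issue)` lines are inconsistent with it: a no-dsa tag belongs to a release that still ships the vulnerable version. Unless bullseye or buster ship a rustc older than 1.2.0+dfsg1-1, which nothing in the entry indicates, drop those two lines for that entry; the other three entries in this hunk are `<unfixed>` and the tags fit there.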
@@ -7478,6 +7488,7 @@ CVE-2021-30002 (An issue was discovered in the Linux kernel before 5.11.3 when a
NOTE: https://git.kernel.org/linus/fb18802a338b36f675a388fc03d2aa504a0d0899
CVE-2021-3482 (A flaw was found in Exiv2 in versions before and including 0.27.4-RC1. ...)
- exiv2 <unfixed> (bug #986888)
+ [bullseye] - exiv2 <no-dsa> (Minor issue)
[buster] - exiv2 <no-dsa> (Minor issue)
[stretch] - exiv2 <postponed> (Minor issue; can be fixed in next update)
NOTE: https://github.com/Exiv2/exiv2/issues/1522
@@ -8583,6 +8594,7 @@ CVE-2021-29471 (Synapse is a Matrix reference homeserver written in python (pypi
NOTE: https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c (v1.33.2)
CVE-2021-29470 (Exiv2 is a command-line utility and C++ library for reading, writing, ...)
- exiv2 <unfixed> (bug #987450)
+ [bullseye] - exiv2 <no-dsa> (Minor issue)
[buster] - exiv2 <no-dsa> (Minor issue)
[stretch] - exiv2 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-8949-hhfh-j7rj
@@ -8605,12 +8617,14 @@ CVE-2021-29465 (Discord-Recon is a bot for the Discord chat service. Versions of
NOT-FOR-US: Discord-Recon
CVE-2021-29464 (Exiv2 is a command-line utility and C++ library for reading, writing, ...)
- exiv2 <unfixed> (bug #988242)
+ [bullseye] - exiv2 <no-dsa> (Minor issue)
[buster] - exiv2 <not-affected> (Vulnerable code introduced later)
[stretch] - exiv2 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-jgm9-5fw5-pw9p
NOTE: https://github.com/Exiv2/exiv2/commit/f9308839198aca5e68a65194f151a1de92398f54
CVE-2021-29463 (Exiv2 is a command-line utility and C++ library for reading, writing, ...)
- exiv2 <unfixed> (bug #988241)
+ [bullseye] - exiv2 <no-dsa> (Minor issue)
[buster] - exiv2 <not-affected> (webp support introduced in 0.27)
[stretch] - exiv2 <not-affected> (webp support introduced in 0.27)
NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-5p8g-9xf3-gfrr
@@ -8629,6 +8643,7 @@ CVE-2021-29459 (XWiki Platform is a generic wiki platform offering runtime servi
NOT-FOR-US: XWiki
CVE-2021-29458 (Exiv2 is a command-line utility and C++ library for reading, writing, ...)
- exiv2 <unfixed> (bug #987277)
+ [bullseye] - exiv2 <no-dsa> (Minor issue)
[buster] - exiv2 <no-dsa> (Minor issue)
[stretch] - exiv2 <no-dsa> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-57jj-75fm-9rq5
@@ -8641,6 +8656,7 @@ CVE-2021-29458 (Exiv2 is a command-line utility and C++ library for reading, wri
NOTE: https://github.com/Exiv2/exiv2/commit/06d2db6e5fd2fcca9c060e95fc97f8a5b5d4c22d
CVE-2021-29457 (Exiv2 is a command-line utility and C++ library for reading, writing, ...)
- exiv2 <unfixed> (bug #987277)
+ [bullseye] - exiv2 <no-dsa> (Minor issue)
[buster] - exiv2 <no-dsa> (Minor issue)
[stretch] - exiv2 <no-dsa> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/security/advisories/GHSA-v74w-h496-cgqm
@@ -9993,21 +10009,31 @@ CVE-2021-28880
RESERVED
CVE-2021-28879 (In the standard library in Rust before 1.52.0, the Zip implementation ...)
- rustc <unfixed> (bug #986803)
+ [bullseye] - rustc <no-dsa> (Minor issue)
+ [buster] - rustc <no-dsa> (Minor issue)
NOTE: https://github.com/rust-lang/rust/issues/82282
NOTE: https://github.com/rust-lang/rust/pull/82289
CVE-2021-28878 (In the standard library in Rust before 1.52.0, the Zip implementation ...)
- rustc <unfixed> (bug #986803)
+ [bullseye] - rustc <no-dsa> (Minor issue)
+ [buster] - rustc <no-dsa> (Minor issue)
NOTE: https://github.com/rust-lang/rust/issues/82291
NOTE: https://github.com/rust-lang/rust/pull/82292
CVE-2021-28877 (In the standard library in Rust before 1.51.0, the Zip implementation ...)
- rustc <unfixed> (bug #986803)
+ [bullseye] - rustc <no-dsa> (Minor issue)
+ [buster] - rustc <no-dsa> (Minor issue)
NOTE: https://github.com/rust-lang/rust/pull/80670
CVE-2021-28876 (In the standard library in Rust before 1.52.0, the Zip implementation ...)
- rustc <unfixed> (bug #986803)
+ [bullseye] - rustc <no-dsa> (Minor issue)
+ [buster] - rustc <no-dsa> (Minor issue)
NOTE: https://github.com/rust-lang/rust/issues/81740
NOTE: https://github.com/rust-lang/rust/pull/81741
CVE-2021-28875 (In the standard library in Rust before 1.50.0, read_to_end() does not ...)
- rustc <unfixed> (bug #986803)
+ [bullseye] - rustc <no-dsa> (Minor issue)
+ [buster] - rustc <no-dsa> (Minor issue)
NOTE: https://github.com/rust-lang/rust/issues/80894
NOTE: https://github.com/rust-lang/rust/pull/80895
CVE-2021-28874 (SerenityOS fixed as of c9f25bca048443e317f1994ba9b106f2386688c3 contai ...)
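Review bot: CVE-2021-28877 carries only a pull-request NOTE (`https://github.com/rust-lang/rust/pull/80670`) while the four sibling Zip entries link both an upstream issue and a pull request; if an upstream issue exists for it, add it for consistency. Otherwise the added bullseye/buster tags match the other rustc entries in this commit.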
@@ -65073,6 +65099,8 @@ CVE-2020-17524
REJECTED
CVE-2020-17523 (Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a spec ...)
- shiro <unfixed>
+ [bullseye] - shiro <no-dsa> (Minor issue)
+ [buster] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/02/01/3
NOTE: https://issues.apache.org/jira/browse/SHIRO-797
CVE-2020-17522 (When ORT (now via atstccfg) generates ip_allow.config files in Apache ...)
@@ -65107,6 +65135,8 @@ CVE-2020-17511 (In Airflow versions prior to 1.10.13, when creating a user using
- airflow <itp> (bug #819700)
CVE-2020-17510 (Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a spec ...)
- shiro <unfixed>
+ [bullseye] - shiro <no-dsa> (Minor issue)
+ [buster] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/7
NOTE: https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E
NOTE: https://issues.apache.org/jira/secure/ReleaseNote.jspa?version=12349284&styleName=Text&projectId=12310950
@@ -74326,6 +74356,8 @@ CVE-2020-13934 (An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6
NOTE: https://github.com/apache/tomcat/commit/172977f04a5215128f1e278a688983dcd230f399 (9.0.37)
CVE-2020-13933 (Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafte ...)
- shiro <unfixed> (bug #968753)
+ [bullseye] - shiro <no-dsa> (Minor issue)
+ [buster] - shiro <no-dsa> (Minor issue)
NOTE: https://lists.apache.org/thread.html/r539f87706094e79c5da0826030384373f0041068936912876856835f%40%3Cdev.shiro.apache.org%3E
CVE-2020-13932 (In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT p ...)
NOT-FOR-US: Apache ActiveMQ Artemis
@@ -78693,13 +78725,10 @@ CVE-2020-12287 (Incorrect permissions in the Intel(R) Distribution of OpenVINO(T
CVE-2019-20791 (OpenThread before 2019-12-13 has a stack-based buffer overflow in Mesh ...)
NOT-FOR-US: OpenThread
CVE-2018-21232 (re2c before 2.0 has uncontrolled recursion that causes stack consumpti ...)
- - re2c <unfixed>
- [bullseye] - re2c <ignored> (Minor issue)
- [buster] - re2c <ignored> (Minor issue)
- [stretch] - re2c <no-dsa> (Minor issue)
- [jessie] - re2c <no-dsa> (Minor issue)
+ - re2c <unfixed> (unimportant)
NOTE: https://github.com/skvadrik/re2c/issues/219
NOTE: https://www.openwall.com/lists/oss-security/2020/04/27/2
+ NOTE: Crash im CLI tool, no security impact
CVE-2020-12286 (In Octopus Deploy before 2019.12.9 and 2020 before 2020.1.12, the Task ...)
NOT-FOR-US: Octopus Deploy
CVE-2020-12285
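Review bot: typo in the added line `+ NOTE: Crash im CLI tool, no security impact`: "im" should be "in". The replacement of the per-release `<ignored>`/`<no-dsa>` tags with a single `- re2c <unfixed> (unimportant)` line is consistent with that note, so the hunk is fine once the wording is corrected.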
@@ -79470,6 +79499,8 @@ CVE-2020-11990 (We have resolved a security issue in the camera plugin that coul
CVE-2020-11989 (Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic ...)
{DLA-2273-1}
- shiro <unfixed>
+ [bullseye] - shiro <no-dsa> (Minor issue)
+ [buster] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/06/22/1
NOTE: https://github.com/apache/shiro/pull/211
NOTE: https://issues.apache.org/jira/browse/SHIRO-753
@@ -107407,6 +107438,8 @@ CVE-2020-1958 (When LDAP authentication is enabled in Apache Druid 0.17.0, calle
CVE-2020-1957 (Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic ...)
{DLA-2273-1 DLA-2181-1}
- shiro <unfixed> (bug #955018)
+ [bullseye] - shiro <no-dsa> (Minor issue)
+ [buster] - shiro <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/03/23/2
NOTE: Fixed by: https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139
NOTE: https://github.com/apache/shiro/pull/203#issuecomment-606270322
@@ -133448,6 +133481,7 @@ CVE-2019-12423 (Apache CXF ships with a OpenId Connect JWK Keys service, which a
NOT-FOR-US: Apache CFX
CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember me" config ...)
- shiro <unfixed> (low; bug #947945)
+ [bullseye] - shiro <no-dsa> (Minor issue)
[buster] - shiro <no-dsa> (Minor issue)
[stretch] - shiro <no-dsa> (Minor issue)
[jessie] - shiro <no-dsa> (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8b6651a4826666e901b10cd42be74039618e636