[Git][security-tracker-team/security-tracker][master] Marked CVE-2021-3121 as no-dsa as discussed via email. Removed...

Ola Lundqvist (@opal) opal at debian.org
Wed May 19 08:11:27 BST 2021



Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6c673013 by Ola Lundqvist at 2021-05-19T09:11:02+02:00
Marked CVE-2021-3121 as no-dsa as discussed via email. Removed golang-gogoprotobuf from dla-needed as a result since no other CVEs are open for this package.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -22069,7 +22069,9 @@ CVE-2021-3122 (CMCAgent in NCR Command Center Agent 16.3 on Aloha POS/BOH server
 	NOT-FOR-US: CMCAgent in NCR Command Center Agent
 CVE-2021-3121 (An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarsha ...)
 	- golang-gogoprotobuf 1.3.2-1
+	[jessie] - golang-gogoprotobuf <no-dsa> (Minor issue; Can be considered when some major issue is found)
 	NOTE: https://github.com/gogo/protobuf/commit/b03c65ea87cdc3521ede29f62fe3ce239267c1bc
+	NOTE: To fix the problem a lot of software packages need to re-generate their source code and rebuild.
 CVE-2021-3120 (An arbitrary file upload vulnerability in the YITH WooCommerce Gift Ca ...)
 	NOT-FOR-US: YITH WooCommerce Gift Cards Premium plugin for WordPress
 CVE-2021-3119 (Zetetic SQLCipher 4.x before 4.4.3 has a NULL pointer dereferencing is ...)
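Review bot: The added no-dsa line is tagged [jessie], while the dla-needed entry removed in this same commit links a patch under a stretch-lts/ path (http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch). Please confirm the release tag is the intended one; if the triage decision is what justifies removing the dla-needed entry, the annotation should name the release that entry was tracking, or a second line should be added for it. The reason text "Can be considered when some major issue is found" would also read more clearly if it said what kind of follow-up issue would trigger a fix.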


=====================================
data/dla-needed.txt
=====================================
@@ -42,15 +42,6 @@ firmware-nonfree
 golang-github-appc-cni (Thorsten Alteholz)
   NOTE: 20210517: still WIP, trying to automize golang updates
 --
-golang-gogoprotobuf
-  NOTE: 20210218: If you have any idea why this is called the "skippy peanut butter" issue, I would be mildly interested. (lamby)
-  NOTE: 20210308: The only explanation I have is that Skippy is a peanut butter brand and the fix is related to a variable called skippy (Ola)
-  NOTE: 20210308: Patch prepared and available http://apt.inguza.net/stretch-lts/golang-gogoprotobuf/CVE-2021-3121-1.patch
-  NOTE: 20210308: If anyone have a good way to regression test the package this information is appreciated.
-  NOTE: 20210308: If anyone have information on what the result of the missing range check is, that information is also appreciated.
-  NOTE: 20210318: The generated code is in many other go packages.
-  NOTE: 20210329: See discussion at https://lists.debian.org/debian-lts/2021/03/msg00011.html
---
 gpac (Thorsten Alteholz)
   NOTE: 20210510: WIP
 --
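Review bot: Removing the golang-gogoprotobuf entry drops the references to the prepared patch (20210308) and to the debian-lts thread (20210329), and the data/CVE/list hunk in this commit does not carry them over. Consider keeping both URLs as NOTE lines under CVE-2021-3121 so that anyone revisiting the no-dsa decision can find the existing patch and the discussion. The two open questions in the removed notes (how to regression test the package, and what the missing range check results in) are not answered anywhere in the visible lines; a one-line NOTE summarising the conclusion reached by email would document why the issue is rated minor.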



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c673013b77312aa77501142f1e8a18da233c6c0
