[Git][security-tracker-team/security-tracker][master] 3 commits: add eterm, mrxvt, rxvt, rxvt-unicode
Thorsten Alteholz (@alteholz)
alteholz at debian.org
Fri May 21 10:27:32 BST 2021
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
aeccc126 by Thorsten Alteholz at 2021-05-21T11:17:44+02:00
add eterm, mrxvt, rxvt, rxvt-unicode
- - - - -
b0028ed4 by Thorsten Alteholz at 2021-05-21T11:19:28+02:00
mark CVE-2021-3561 as no-dsa for Stretch
- - - - -
20129e44 by Thorsten Alteholz at 2021-05-21T11:27:06+02:00
add thunderbird
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -12,6 +12,7 @@ CVE-2021-3561 [Global buffer overflow in fig2dev/read.c in function read_objects
RESERVED
- fig2dev 1:3.2.8-3
[buster] - fig2dev <no-dsa> (Minor issue)
+ [stretch] - fig2dev <no-dsa> (Minor issue)
- transfig <removed>
NOTE: https://sourceforge.net/p/mcj/tickets/116/
NOTE: https://sourceforge.net/p/mcj/fig2dev/ci/6827c09d2d6491cb2ae3ac7196439ff3aa791fd9/
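Review bot: the new [stretch] no-dsa line mirrors the buster triage, but the entry is still RESERVED and its only evidence is the sourceforge ticket and one fix commit; since no-dsa means Stretch will get no DLA for this, it is worth adding a NOTE confirming that commit 6827c09d is the fix for ticket 116 and that the stretch fig2dev build actually carries the affected read_objects() code in fig2dev/read.c, rather than inheriting the buster verdict by analogy.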
=====================================
data/dla-needed.txt
=====================================
@@ -39,6 +39,9 @@ condor
NOTE: 20200727: Waiting on maintainer feedback: https://lists.debian.org/debian-lts/2020/07/msg00108.html (roberto)
NOTE: 20210205: Some patches seems to be available but not clear if it solves the whole issue or not. (ola)
--
+eterm
+ NOTE: 20210521: src/term.c:process_escape_seq(), probably just disable vulnerable escape sequence
+--
golang-github-appc-cni (Thorsten Alteholz)
NOTE: 20210517: still WIP, trying to automize golang updates
--
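Review bot: the eterm entry names the function (src/term.c:process_escape_seq()) but neither the CVE id nor the escape sequence involved, so whoever claims the package has to rediscover which tracker issue this is; add the CVE id to the NOTE and name the sequence to be disabled, since "probably just disable vulnerable escape sequence" records a plan, not a finding.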
@@ -59,6 +62,9 @@ linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
+mrxvt
+ NOTE: 20210521: src/command.c:rxvt_process_graphics(), probably just disable vulnerable escape sequence or introduce Opt_insecure
+--
nvidia-graphics-drivers
NOTE: package is in non-free but also in packages-to-support
NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
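Review bot: the mrxvt NOTE offers "introduce Opt_insecure" as an alternative to disabling the sequence in src/command.c:rxvt_process_graphics(); if that route is taken, the NOTE should state that the option has to default to off, otherwise the vulnerable path stays reachable in the default configuration and the update fixes nothing. As with eterm, the CVE id is missing from the entry.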
@@ -75,6 +81,10 @@ prosody
ring (Thorsten Alteholz)
NOTE: 20210510: WIP (need to update other releases first)
--
+rxvt
+--
+rxvt-unicode
+--
ruby-actionpack-page-caching
NOTE: 20200819: Upstream's patch on does not apply due to subsequent
NOTE: 20200819: refactoring. However, a quick look at the private
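Review bot: rxvt and rxvt-unicode are inserted between ring and ruby-actionpack-page-caching, but the file is kept in alphabetical order and "ru" sorts before "rx", so both entries belong after ruby-actionpack-page-caching. Unlike eterm and mrxvt in the same commit, neither entry has a NOTE; at minimum record the CVE id and whether this is the same graphics/escape-sequence issue or a separate one.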
@@ -129,6 +139,8 @@ spotweb
NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286
NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc)
--
+thunderbird
+--
xmlbeans (Roberto C. Sánchez)
NOTE: 20210222: Affected code changed significantly from 2.6.0 to 3.0.0 (the
NOTE: 20210222: upstream release with the fix). Trying to determine how to
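Review bot: the thunderbird entry carries no NOTE at all, while the neighbouring entries each record a dated status line; add a 20210521 NOTE naming the upstream version or advisory being targeted so the entry can be claimed and progressed like the others.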
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ddc1f2e32f1ac3c16974b254c3c48b1ccc9d8c13...20129e443d93ace6147a2402b6cf2802462cdb6b