[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Fri May 21 17:37:40 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d5240b5e by Moritz Muehlenhoff at 2021-05-21T18:37:24+02:00
bullseye triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -9372,6 +9372,8 @@ CVE-2021-29463 (Exiv2 is a command-line utility and C++ library for reading, wri
NOTE: https://github.com/Exiv2/exiv2/commit/783b3a6ff15ed6f82a8f8e6c8a6f3b84a9b04d4b
CVE-2021-29462 (The Portable SDK for UPnP Devices is an SDK for development of UPnP de ...)
- pupnp-1.8 <unfixed> (bug #987326)
+ [bullseye] - pupnp-1.8 <no-dsa> (Minor issue)
+ [buster] - pupnp-1.8 <no-dsa> (Minor issue)
- libupnp <removed>
NOTE: https://github.com/pupnp/pupnp/security/advisories/GHSA-6hqq-w3jq-9fhg
NOTE: https://github.com/pupnp/pupnp/commit/21fd85815da7ed2578d0de7cac4c433008f0ecd4
@@ -12071,6 +12073,8 @@ CVE-2021-28303
RESERVED
CVE-2021-28302 (A stack overflow in pupnp 1.16.1 can cause the denial of service throu ...)
- pupnp-1.8 <unfixed> (bug #986833)
+ [bullseye] - pupnp-1.8 <no-dsa> (Minor issue)
+ [buster] - pupnp-1.8 <no-dsa> (Minor issue)
- libupnp <removed>
NOTE: https://github.com/pupnp/pupnp/issues/249
CVE-2021-28301
@@ -15638,6 +15642,7 @@ CVE-2021-26813 (markdown2 >=1.0.1.18, fixed in 2.4.0, is affected by a regula
- python-markdown2 <unfixed> (bug #984668)
[buster] - python-markdown2 <no-dsa> (Minor issue)
NOTE: https://github.com/trentm/python-markdown2/pull/387
+ NOTE: https://github.com/trentm/python-markdown2/commit/7b651260739647de5198323e0445b1618750c374
CVE-2021-26812 (Cross Site Scripting (XSS) in the Jitsi Meet 2.7 through 2.8.3 plugin ...)
NOT-FOR-US: Moodle plugin
CVE-2021-26811
@@ -29739,6 +29744,8 @@ CVE-2021-21241 (The Python "Flask-Security-Too" package is used for adding secur
NOTE: https://github.com/Flask-Middleware/flask-security/commit/61d313150b5f620d0b800896c4f2199005e84b1f (3.4.5)
CVE-2021-21240 (httplib2 is a comprehensive HTTP client library for Python. In httplib ...)
- python-httplib2 <unfixed> (bug #982738)
+ [bullseye] - python-httplib2 <no-dsa> (Minor issue)
+ [buster] - python-httplib2 <no-dsa> (Minor issue)
[stretch] - python-httplib2 <no-dsa> (Minor issue)
NOTE: https://github.com/httplib2/httplib2/security/advisories/GHSA-93xj-8mrv-444m
NOTE: https://github.com/httplib2/httplib2/commit/bd9ee252c8f099608019709e22c0d705e98d26bc (v0.19.0)
@@ -39520,16 +39527,18 @@ CVE-2020-28593 (A unauthenticated backdoor exists in the configuration server fu
CVE-2020-28592 (A heap-based buffer overflow vulnerability exists in the configuration ...)
NOT-FOR-US: Cosori Smart 5.8-Quart Air Fryer CS158-AF
CVE-2020-28591 (An out-of-bounds read vulnerability exists in the AMF File AMFParserCo ...)
- - slic3r 1.3.0+dfsg1-4 (bug #985620)
+ - slic3r 1.3.0+dfsg1-4 (unimportant; bug #985620)
[stretch] - slic3r <not-affected> (Vulnerable code not present)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1215
NOTE: https://github.com/slic3r/Slic3r/issues/5061
NOTE: https://github.com/slic3r/Slic3r/pull/5063
+ NOTE: Crash in enduser application, no security impact
CVE-2020-28590 (An out-of-bounds read vulnerability exists in the Obj File TriangleMes ...)
- slic3r <unfixed>
[stretch] - slic3r <not-affected> (Vulnerable code not present)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1213
NOTE: https://github.com/slic3r/Slic3r/issues/5074
+ NOTE: Crash in enduser application, no security impact
CVE-2020-28589
RESERVED
CVE-2020-28588 (An information disclosure vulnerability exists in the /proc/pid/syscal ...)
@@ -48758,6 +48767,7 @@ CVE-2020-25716
CVE-2020-25715
RESERVED
- dogtag-pki <unfixed> (bug #988153)
+ [bullseye] - dogtag-pki <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1891016
NOTE: https://github.com/dogtagpki/pki/commit/13f4c7fe7d71d42b46b25f3e8472ef7f35da5dd6
CVE-2020-25714
@@ -49150,6 +49160,7 @@ CVE-2020-25634
CVE-2020-25633 (A flaw was found in RESTEasy client in all versions of RESTEasy up to ...)
- resteasy <unfixed> (bug #970585)
- resteasy3.0 <unfixed>
+ [bullseye] - resteasy3.0 <ignored> (Minor issue)
[buster] - resteasy3.0 <ignored> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1879042
CVE-2020-25632 (A flaw was found in grub2 in versions prior to 2.06. The rmmod impleme ...)
@@ -70070,6 +70081,7 @@ CVE-2020-15710 (Potential double free in Bluez 5 module of PulseAudio could allo
CVE-2020-15709 (Versions of add-apt-repository before 0.98.9.2, 0.96.24.32.14, 0.96.20 ...)
{DLA-2339-1}
- software-properties <unfixed> (bug #968850)
+ [bullseye] - software-properties <no-dsa> (Minor issue)
[buster] - software-properties <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2020/08/03/1
NOTE: https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286
@@ -75344,6 +75356,7 @@ CVE-2020-13849 (The MQTT protocol 3.1.1 requires a server to set a timeout value
CVE-2020-13848 (Portable UPnP SDK (aka libupnp) 1.12.1 and earlier allows remote attac ...)
{DLA-2585-1 DLA-2238-1}
- pupnp-1.8 <unfixed> (bug #962282)
+ [bullseye] - pupnp-1.8 <no-dsa> (Minor issue)
[buster] - pupnp-1.8 <no-dsa> (Minor issue)
- libupnp <removed>
NOTE: https://github.com/pupnp/pupnp/issues/177
@@ -78335,6 +78348,7 @@ CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 2020-
[buster] - gupnp 1.0.5-0+deb10u1
- minidlna 1.2.1+dfsg-3 (bug #976594)
- pupnp-1.8 <unfixed> (bug #983206)
+ [bullseye] - pupnp-1.8 <no-dsa> (Minor issue)
[buster] - pupnp-1.8 <no-dsa> (Minor issue)
- libupnp <removed>
[stretch] - libupnp <no-dsa> (Invasive change, hard to backport; chances of regression)
@@ -79091,10 +79105,13 @@ CVE-2020-12414 (IndexedDB should be cleared when leaving private browsing mode a
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2020-23/#CVE-2020-12414
CVE-2020-12413 [racoon attack for NSS]
RESERVED
- - nss <unfixed>
+ - nss 2:3.17-1
[buster] - nss <no-dsa> (Minor issue)
[stretch] - nss <no-dsa> (Minor issue)
NOTE: https://raccoon-attack.com/
+ NOTE: Starting with 3.17 NSS allows to disable reuse of ECDHE keys, marking this
+ NOTE: as the "fixed" version for unstable:
+ NOTE: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17_release_notes
CVE-2020-12412 (By navigating a tab using the history API, an attacker could cause the ...)
- firefox 70.0-1
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/#CVE-2020-12412
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5240b5ecfd4b9297c5fd37b44afa9210e910031
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5240b5ecfd4b9297c5fd37b44afa9210e910031
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210521/8216134a/attachment.htm>
More information about the debian-security-tracker-commits
mailing list