[Git][security-tracker-team/security-tracker][master] 2 commits: Revert "mark CVE-2021-21419 as not-affected for Buster"
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat May 22 13:51:31 BST 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f7b35090 by Salvatore Bonaccorso at 2021-05-22T14:47:54+02:00
Revert "mark CVE-2021-21419 as not-affected for Buster"
This reverts commit dc893f404583c840bf069f9f02c4a67e369ed524.
The issue is/might still present in the no compression support case (but
in this case less likely to be possible to exploited).
Details in https://github.com/eventlet/eventlet/commit/1412f5e4125b4313f815778a1acb4d3336efcd07#commitcomment-51161227
GHSA-9p9m-jm8w-94p2 as well mentions affected versions to include those
which have not compression or per message deflate extension support.
- - - - -
753324dd by Salvatore Bonaccorso at 2021-05-22T14:50:48+02:00
Mark CVE-2021-21419/python-eventlet as no-dsa for buster
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -29314,10 +29314,12 @@ CVE-2021-21420 (vscode-stripe is an extension for Visual Studio Code. A vulnerab
NOT-FOR-US: vscode-stripe Visual Studio Code extension
CVE-2021-21419 (Eventlet is a concurrent networking library for Python. A websocket pe ...)
- python-eventlet 0.26.1-7 (bug #988342)
- [buster] - python-eventlet <not-affected> (Vulnerable code (compression extension) introduced later)
+ [buster] - python-eventlet <no-dsa> (Minor issue)
[stretch] - python-eventlet <not-affected> (Vulnerable code (compression extension) introduced later)
NOTE: https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2
NOTE: Fixed by: https://github.com/eventlet/eventlet/commit/1412f5e4125b4313f815778a1acb4d3336efcd07
+ NOTE: Issue present as well in versions before introduction of per-message-defalte extension
+ NOTE: or compression extension support.
CVE-2021-21418 (ps_emailsubscription is a newsletter subscription module for the Prest ...)
NOT-FOR-US: PrestaShop
CVE-2021-21417 (fluidsynth is a software synthesizer based on the SoundFont 2 specific ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dc893f404583c840bf069f9f02c4a67e369ed524...753324dd72823297064f02b83d5976a746df0d9d
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dc893f404583c840bf069f9f02c4a67e369ed524...753324dd72823297064f02b83d5976a746df0d9d
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210522/e356e2a3/attachment.htm>
More information about the debian-security-tracker-commits
mailing list