[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon May 24 22:17:07 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
137fe025 by Moritz Mühlenhoff at 2021-05-24T23:16:44+02:00
bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -4909,6 +4909,7 @@ CVE-2021-31403 (Non-constant-time comparison of CSRF tokens in UIDL request hand
 	NOT-FOR-US: Vaadin
 CVE-2021-3502 (A flaw was found in avahi 0.8-5. A reachable assertion is present in a ...)
 	- avahi <unfixed> (bug #986018)
+	[bullseye] - avahi <no-dsa> (Minor issue)
 	[buster] - avahi <not-affected> (Vulnerable code introduced later)
 	[stretch] - avahi <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/lathiat/avahi/issues/338
@@ -9005,6 +9006,8 @@ CVE-2020-36284 (Union Pay up to 3.4.93.4.9, for android, contains a CWE-347: Imp
 	NOT-FOR-US: Union Pay
 CVE-2021-3480 (A flaw was found in slapi-nis in versions before 0.56.7. A NULL pointe ...)
 	- slapi-nis <unfixed> (bug #988736)
+	[bullseye] - slapi-nis <no-dsa> (Minor issue)
+	[buster] - slapi-nis <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1944640
 	NOTE: https://pagure.io/slapi-nis/c/c7417ea2d534712e559b56ed45baa91c5d3d44db?branch=master
 CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in versions bef ...)
@@ -10006,6 +10009,7 @@ CVE-2021-3469
 CVE-2021-3468 [Local DoS by event-busy-loop from writing long lines to /run/avahi-daemon/socket]
 	RESERVED
 	- avahi <unfixed> (bug #984938)
+	[bullseye] - avahi <no-dsa> (Minor issue)
 	[buster] - avahi <no-dsa> (Minor issue)
 	[stretch] - avahi <postponed> (Minor issue; can be fixed in next DLA)
 	NOTE: https://github.com/lathiat/avahi/pull/330
@@ -10803,19 +10807,29 @@ CVE-2021-28908
 CVE-2021-28907
 	RESERVED
 CVE-2021-28906 (In function read_yin_leaf() in libyang <= v1.0.225, it doesn't chec ...)
-	- libyang <unfixed>
+	- libyang <unfixed> (bug #989060)
+	[bullseye] - libyang <no-dsa> (Minor issue)
+	[buster] - libyang <no-dsa> (Minor issue)
 	NOTE: https://github.com/CESNET/libyang/issues/1455
 CVE-2021-28905 (In function lys_node_free() in libyang <= v1.0.225, it asserts that ...)
-	- libyang <unfixed>
+	- libyang <unfixed> (bug #989060)
+	[bullseye] - libyang <no-dsa> (Minor issue)
+	[buster] - libyang <no-dsa> (Minor issue)
 	NOTE: https://github.com/CESNET/libyang/issues/1452
 CVE-2021-28904 (In function ext_get_plugin() in libyang <= v1.0.225, it doesn't che ...)
-	- libyang <unfixed>
+	- libyang <unfixed> (bug #989060)
+	[bullseye] - libyang <no-dsa> (Minor issue)
+	[buster] - libyang <no-dsa> (Minor issue)
 	NOTE: https://github.com/CESNET/libyang/issues/1451
 CVE-2021-28903 (A stack overflow in libyang <= v1.0.225 can cause a denial of servi ...)
-	- libyang <unfixed>
+	- libyang <unfixed> (bug #989060)
+	[bullseye] - libyang <no-dsa> (Minor issue)
+	[buster] - libyang <no-dsa> (Minor issue)
 	NOTE: https://github.com/CESNET/libyang/issues/1453
 CVE-2021-28902 (In function read_yin_container() in libyang <= v1.0.225, it doesn't ...)
-	- libyang <unfixed>
+	- libyang <unfixed> (bug #989060)
+	[bullseye] - libyang <no-dsa> (Minor issue)
+	[buster] - libyang <no-dsa> (Minor issue)
 	NOTE: https://github.com/CESNET/libyang/issues/1454
 CVE-2021-28901
 	RESERVED
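Review bot: all five libyang entries now share bug #989060 and get `<no-dsa>` for both bullseye and buster, but each still records only the upstream issue link (CESNET/libyang issues 1451 to 1455), not the fixing commit or the first fixed upstream version. Since `<no-dsa>` defers the fix to a later update rather than dropping it, a `NOTE:` with the fix reference, where upstream has one, would save whoever prepares that update from re-deriving it from the issue tracker.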
@@ -11309,7 +11323,7 @@ CVE-2021-28679
 CVE-2021-28678
 	RESERVED
 	[experimental] - pillow 8.2.0-1
-	- pillow <unfixed>
+	- pillow <unfixed> (bug #989062)
 	[buster] - pillow <no-dsa> (Minor issue)
 	[stretch] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
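Review bot: this hunk only records bug #989062 on the `<unfixed>` line and adds no `[bullseye]` status for pillow, while every other package touched by this commit gets one; the buster and stretch lines stay `<no-dsa>`. If the intent is that the 8.2.0 fix currently in experimental reaches bullseye via unstable, that is fine, but otherwise a `[bullseye] - pillow ...` line would make the triage decision explicit. The same applies to the CVE-2021-28677, CVE-2021-28676, CVE-2021-28675, CVE-2021-25288 and CVE-2021-25287 hunks below.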
@@ -11317,7 +11331,7 @@ CVE-2021-28678
 CVE-2021-28677
 	RESERVED
 	[experimental] - pillow 8.2.0-1
-	- pillow <unfixed>
+	- pillow <unfixed> (bug #989062)
 	[buster] - pillow <no-dsa> (Minor issue)
 	[stretch] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
@@ -11325,7 +11339,7 @@ CVE-2021-28677
 CVE-2021-28676
 	RESERVED
 	[experimental] - pillow 8.2.0-1
-	- pillow <unfixed>
+	- pillow <unfixed> (bug #989062)
 	[buster] - pillow <no-dsa> (Minor issue)
 	[stretch] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos
@@ -11333,7 +11347,7 @@ CVE-2021-28676
 CVE-2021-28675
 	RESERVED
 	[experimental] - pillow 8.2.0-1
-	- pillow <unfixed>
+	- pillow <unfixed> (bug #989062)
 	[buster] - pillow <no-dsa> (Minor issue)
 	[stretch] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675-fix-dos-in-psdimageplugin
@@ -11383,6 +11397,7 @@ CVE-2021-3449 (An OpenSSL TLS server may crash if sent a maliciously crafted ren
 CVE-2021-28687 [HVM soft-reset crashes toolstack]
 	RESERVED
 	- xen <unfixed>
+	[bullseye] - xen <postponed> (Fix along with next round of updates)
 	[buster] - xen <not-affected> (Vulnerable code introduced later)
 	[stretch] - xen <not-affected> (Vulnerable code introduced later)
 	NOTE: https://xenbits.xen.org/xsa/advisory-368.html
@@ -19635,7 +19650,7 @@ CVE-2021-25289 (An issue was discovered in Pillow before 8.1.1. TiffDecode has a
 CVE-2021-25288
 	RESERVED
 	[experimental] - pillow 8.2.0-1
-	- pillow <unfixed>
+	- pillow <unfixed> (bug #989062)
 	[buster] - pillow <no-dsa> (Minor issue)
 	[stretch] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode
@@ -19643,10 +19658,11 @@ CVE-2021-25288
 CVE-2021-25287
 	RESERVED
 	[experimental] - pillow 8.2.0-1
-	- pillow <unfixed>
+	- pillow <unfixed> (bug #989062)
 	[buster] - pillow <no-dsa> (Minor issue)
 	[stretch] - pillow <no-dsa> (Minor issue)
 	NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode
+	NOTE: https://github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87
 CVE-2021-3185 (A flaw was found in the gstreamer h264 component of gst-plugins-bad be ...)
 	{DSA-4833-1 DLA-2528-1}
 	- gst-plugins-bad1.0 1.18.1-1
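Review bot: the new upstream commit NOTE is added only under CVE-2021-25287, but the release-notes link on the line above it covers both CVE-2021-25287 and CVE-2021-25288 (the anchor reads cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode). If commit 3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87 is the fix for both, add the same NOTE to the CVE-2021-25288 entry in the previous hunk so the two records stay consistent.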
@@ -37759,26 +37775,31 @@ CVE-2020-26235 (In Rust time crate from version 0.2.7 and before version 0.2.23,
 	NOTE: Deprecated in: https://github.com/time-rs/time/commit/f153a1ca5fdfec979f16c49619e6034cc67e186d (v0.2.23)
 CVE-2020-35914 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...)
 	- rust-lock-api <unfixed> (bug #975319)
+	[bullseye] - rust-lock-api <no-dsa> (Minor issue)
 	[buster] - rust-lock-api <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
 	NOTE: https://github.com/Amanieu/parking_lot/pull/262
 CVE-2020-35913 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...)
 	- rust-lock-api <unfixed> (bug #975319)
+	[bullseye] - rust-lock-api <no-dsa> (Minor issue)
 	[buster] - rust-lock-api <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
 	NOTE: https://github.com/Amanieu/parking_lot/pull/262
 CVE-2020-35912 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...)
 	- rust-lock-api <unfixed> (bug #975319)
+	[bullseye] - rust-lock-api <no-dsa> (Minor issue)
 	[buster] - rust-lock-api <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
 	NOTE: https://github.com/Amanieu/parking_lot/pull/262
 CVE-2020-35911 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...)
 	- rust-lock-api <unfixed> (bug #975319)
+	[bullseye] - rust-lock-api <no-dsa> (Minor issue)
 	[buster] - rust-lock-api <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
 	NOTE: https://github.com/Amanieu/parking_lot/pull/262
 CVE-2020-35910 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...)
 	- rust-lock-api <unfixed> (bug #975319)
+	[bullseye] - rust-lock-api <no-dsa> (Minor issue)
 	[buster] - rust-lock-api <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
 	NOTE: https://github.com/Amanieu/parking_lot/pull/262
@@ -48707,26 +48728,32 @@ CVE-2020-25781 (An issue was discovered in file_download.php in MantisBT before
 	- mantis <removed>
 CVE-2020-25796 (An issue was discovered in the sized-chunks crate through 0.6.2 for Ru ...)
 	- rust-sized-chunks <unfixed> (bug #970586)
+	[bullseye] - rust-sized-chunks <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html
 	NOTE: https://github.com/bodil/sized-chunks/issues/11
 CVE-2020-25795 (An issue was discovered in the sized-chunks crate through 0.6.2 for Ru ...)
 	- rust-sized-chunks <unfixed> (bug #970586)
+	[bullseye] - rust-sized-chunks <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html
 	NOTE: https://github.com/bodil/sized-chunks/issues/11
 CVE-2020-25794 (An issue was discovered in the sized-chunks crate through 0.6.2 for Ru ...)
 	- rust-sized-chunks <unfixed> (bug #970586)
+	[bullseye] - rust-sized-chunks <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html
 	NOTE: https://github.com/bodil/sized-chunks/issues/11
 CVE-2020-25793 (An issue was discovered in the sized-chunks crate through 0.6.2 for Ru ...)
 	- rust-sized-chunks <unfixed> (bug #970586)
+	[bullseye] - rust-sized-chunks <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html
 	NOTE: https://github.com/bodil/sized-chunks/issues/11
 CVE-2020-25792 (An issue was discovered in the sized-chunks crate through 0.6.2 for Ru ...)
 	- rust-sized-chunks <unfixed> (bug #970586)
+	[bullseye] - rust-sized-chunks <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html
 	NOTE: https://github.com/bodil/sized-chunks/issues/11
 CVE-2020-25791 (An issue was discovered in the sized-chunks crate through 0.6.2 for Ru ...)
 	- rust-sized-chunks <unfixed> (bug #970586)
+	[bullseye] - rust-sized-chunks <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html
 	NOTE: https://github.com/bodil/sized-chunks/issues/11
 CVE-2020-25780 (In CommCell in Commvault before 14.68, 15.x before 15.58, 16.x before  ...)
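Review bot: the six rust-sized-chunks entries gain a `[bullseye]` line but, unlike the rust-lock-api entries in the hunk above, carry no `[buster]` status at all. If rust-sized-chunks is not in buster this is expected; otherwise the buster triage for these CVEs is still missing and belongs in the same pass.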
@@ -52178,6 +52205,7 @@ CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation overflow and segmentatio
 	{DLA-2381-1}
 	- lua5.4 5.4.1-1 (bug #971613)
 	- lua5.3 <unfixed> (bug #988734)
+	[bullseye] - lua5.3 <no-dsa> (Minor issue)
 	[buster] - lua5.3 <no-dsa> (Minor issue)
 	NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html
 	NOTE: (lua5.4) https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b
@@ -52250,6 +52278,7 @@ CVE-2020-24345 (** DISPUTED ** JerryScript through 2.3.0 allows stack consumptio
 	NOTE: Disputed JerryScript issue
 CVE-2020-24344 (JerryScript through 2.3.0 has a (function({a=arguments}){const argumen ...)
 	- iotjs <unfixed> (bug #988213)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
 	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/3976
 	NOTE: https://github.com/jerryscript-project/jerryscript/commit/841d536fce1ce29267cdf0ea12be4026e1c35d3a
@@ -75203,6 +75232,8 @@ CVE-2020-13950
 	RESERVED
 CVE-2020-13949 (In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send sho ...)
 	- thrift <unfixed> (bug #988949)
+	[bullseye] - thrift <no-dsa> (Minor issue)
+	[buster] - thrift <no-dsa> (Minor issue)
 	NOTE: https://seclists.org/oss-sec/2021/q1/140
 CVE-2020-13948 (While investigating a bug report on Apache Superset, it was determined ...)
 	NOT-FOR-US: Apache Superset
@@ -85423,6 +85454,7 @@ CVE-2020-10694
 	RESERVED
 CVE-2020-10693 (A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in  ...)
 	- libhibernate-validator-java <unfixed> (bug #988946)
+	[bullseye] - libhibernate-validator-java <no-dsa> (Minor issue)
 	[buster] - libhibernate-validator-java <not-affected> (EL support added in 5.x)
 	[stretch] - libhibernate-validator-java <not-affected> (EL support added in 5.x)
 	[jessie] - libhibernate-validator-java <not-affected> (EL support added in 5.x)
@@ -89991,6 +90023,7 @@ CVE-2018-21034 (In Argo versions prior to v1.5.0-rc1, it was possible for authen
 	NOT-FOR-US: Argo
 CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext HTTP, a ...)
 	- lxc-templates <unfixed> (bug #988730)
+	[bullseye] - lxc-templates <ignored> (Minor issue)
 	[buster] - lxc-templates <ignored> (Minor issue)
 	- lxc 1:3.0.3-1 (low)
 	[stretch] - lxc <no-dsa> (Minor issue)
@@ -140505,6 +140538,7 @@ CVE-2019-10220 (Linux kernel CIFS implementation, version 4.9.0 is vulnerable to
 	[stretch] - linux 4.9.210-1
 CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml validat ...)
 	- libhibernate-validator-java <unfixed> (bug #948235)
+	[bullseye] - libhibernate-validator-java <no-dsa> (Minor issue)
 	[buster] - libhibernate-validator-java <not-affected> (Vulnerable code was introduced later)
 	[stretch] - libhibernate-validator-java <not-affected> (Vulnerable code was introduced later)
 	[jessie] - libhibernate-validator-java <not-affected> (Vulnerable code was introduced later)
@@ -248294,6 +248328,7 @@ CVE-2017-9272 (The Bi-directional driver in IDM 4.5 before 4.0.3.0 could be susc
 	NOT-FOR-US: IDM
 CVE-2017-9271 (The commandline package update tool zypper writes HTTP proxy credentia ...)
 	- zypper <unfixed> (low; bug #988152)
+	[bullseye] - zypper <ignored> (Minor issue)
 	[buster] - zypper <ignored> (Minor issue)
 	[jessie] - zypper <ignored> (Minor issue)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1050625
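Review bot: the zypper entry gets `[bullseye] - zypper <ignored>` next to the existing buster and jessie lines, but there is no `[stretch]` line between them, where the release ordering would put it. If zypper was never in stretch, nothing to do; otherwise the stretch status is missing here.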



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/137fe02558c704211ce59a92a2f5ad2843a764de


