[Git][security-tracker-team/security-tracker][master] bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Wed May 26 18:08:39 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
be014d3f by Moritz Mühlenhoff at 2021-05-26T19:08:21+02:00
bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1204,8 +1204,9 @@ CVE-2021-33033 (The Linux kernel before 5.11.14 has a use-after-free in cipso_v4
 	[buster] - linux 4.19.181-1
 	NOTE: https://git.kernel.org/linus/ad5d07f4a9cd671233ae20983848874731102c08
 CVE-2021-33026 (The Flask-Caching extension through 1.10.1 for Flask relies on Pickle  ...)
-	- flask-caching <unfixed> (bug #988916)
+	- flask-caching <unfixed> (unimportant; bug #988916)
 	NOTE: https://github.com/sh4nks/flask-caching/pull/209
+	NOTE: Negligible security impact
 CVE-2021-33025
 	RESERVED
 CVE-2021-33024
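Review bot: the added NOTE "Negligible security impact" on the flask-caching entry states a conclusion but not the reason, while the other unimportant entries in this commit give one ("Crash in CLI tool, no security impact" for libsolv and cflow). Since the CVE text says the extension relies on Pickle, a one-line rationale, such as which trust boundary an attacker would already have to cross to feed data to the cache, would let a later triager verify the (unimportant) rating instead of re-reading the referenced pull request.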
@@ -13435,11 +13436,10 @@ CVE-2021-27907 (Apache Superset up to and including 0.38.0 allowed the creation
 CVE-2021-27906 (A carefully crafted PDF file can trigger an OutOfMemory-Exception whil ...)
 	- libpdfbox2-java 2.0.23-1 (bug #986008)
 	[buster] - libpdfbox2-java <no-dsa> (Minor issue)
-	- libpdfbox-java <unfixed>
-	[buster] - libpdfbox-java <no-dsa> (Minor issue)
-	[stretch] - libpdfbox-java <no-dsa> (Minor issue)
+	- libpdfbox-java <not-affected> (Only affects 2.x)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/03/19/10
 	NOTE: https://issues.apache.org/jira/browse/PDFBOX-5112
+	NOTE: https://github.com/apache/pdfbox/commit/8c47be1011c11dc47300faecffd8ab32fba3646f
 CVE-2021-27905 (The ReplicationHandler (normally registered at "/replication" under a  ...)
 	- lucene-solr 3.6.2+dfsg-23
 	[buster] - lucene-solr <ignored> (Minor issue)
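Review bot: the new "libpdfbox-java <not-affected> (Only affects 2.x)" line replaces the previous <unfixed> plus per-suite no-dsa entries, which is the right shape (a not-affected package needs no [buster]/[stretch] lines), but the only supporting reference added is the 2.x fix commit. That shows where the bug was fixed, not that the 1.x code base in libpdfbox-java lacks the affected path; a NOTE pointing at the 1.x source or an upstream statement would make the not-affected claim checkable.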
@@ -13648,9 +13648,7 @@ CVE-2021-27808
 CVE-2021-27807 (A carefully crafted PDF file can trigger an infinite loop while loadin ...)
 	- libpdfbox2-java 2.0.23-1 (bug #986006)
 	[buster] - libpdfbox2-java <no-dsa> (Minor issue)
-	- libpdfbox-java <unfixed>
-	[buster] - libpdfbox-java <no-dsa> (Minor issue)
-	[stretch] - libpdfbox-java <no-dsa> (Minor issue)
+	- libpdfbox-java <not-affected> (Only affects 2.x)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/03/19/9
 CVE-2021-27806
 	RESERVED
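Review bot: this hunk applies the same "Only affects 2.x" not-affected justification to libpdfbox-java for CVE-2021-27807 as the CVE-2021-27906 entry above, but unlike that entry it records no upstream fix commit or JIRA reference, only the oss-security mail. Add the matching NOTE link so both entries carry the same evidence for the 2.x-only claim.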
@@ -18410,9 +18408,9 @@ CVE-2021-3202
 CVE-2021-3201
 	RESERVED
 CVE-2021-3200 (Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * t ...)
-	- libsolv <undetermined>
+	- libsolv <unfixed> (unimportant)
 	NOTE: https://github.com/openSUSE/libsolv/issues/416
-	TODO: check
+	NOTE: Crash in CLI tool, no security impact
 CVE-2021-3199 (Directory traversal with remote code execution can occur in /upload in ...)
 	NOT-FOR-US: ONLYOFFICE Document Server
 CVE-2021-3198
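Review bot: the libsolv line moves from <undetermined> to <unfixed> (unimportant) without a Debian bug reference, whereas the other unfixed-but-unimportant entries in this commit (flask-caching with bug #988916, cflow with bug #988985) record one; consider filing one so the crash is still tracked in the package BTS even though no DSA is planned. Replacing the "TODO: check" with a NOTE that states the reason is what properly closes the triage item.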
@@ -49081,6 +49079,7 @@ CVE-2020-25724
 	RESERVED
 	- resteasy <unfixed>
 	- resteasy3.0 <unfixed>
+	[bullseye] - resteasy3.0 <no-dsa> (Minor issue)
 	[buster] - resteasy3.0 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1899354 (lacks details ATM)
 CVE-2020-25723 (A reachable assertion issue was found in the USB EHCI emulation code o ...)
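Review bot: the added [bullseye] no-dsa line covers only resteasy3.0, while the sibling "resteasy <unfixed>" line in the same entry receives no bullseye or buster tag; either add the same line for resteasy or note why the two source packages are handled differently. Also, the existing NOTE says the Red Hat bug "lacks details ATM", so "Minor issue" is a provisional judgement and the entry should be revisited once the details are public.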
@@ -51289,6 +51288,7 @@ CVE-2020-24862
 	RESERVED
 CVE-2020-25016 (A safety violation was discovered in the rgb crate before 0.8.20 for R ...)
 	- rust-rgb <unfixed> (bug #969213)
+	[bullseye] - rust-rgb <no-dsa> (Minor issue)
 	[buster] - rust-rgb <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0029.html
 	NOTE: https://github.com/kornelski/rust-rgb/issues/35
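Review bot: the new [bullseye] no-dsa line mirrors the existing [buster] one, which is consistent. The CVE text names 0.8.20 as the fixed upstream version, yet the unstable line still reads <unfixed> with bug #969213 open; worth checking whether the package in unstable has been updated before bullseye is released, since a fixed version there would change how this entry is read.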
@@ -53504,7 +53504,6 @@ CVE-2020-23857
 	RESERVED
 CVE-2020-23856 (Use-after-Free vulnerability in cflow 1.6 in the void call(char *name, ...)
 	- cflow <unfixed> (unimportant; bug #988985)
-	[stretch] - cflow <no-dsa> (Minor issue)
 	NOTE: https://lists.gnu.org/archive/html/bug-cflow/2020-07/msg00000.html
 	NOTE: Crash in CLI tool, no security impact
 CVE-2020-23855
@@ -134707,6 +134706,7 @@ CVE-2019-12401 (Solr versions 1.3.0 to 1.4.1, 3.1.0 to 3.6.2 and 4.0.0 to 4.10.4
 	NOTE: when parsing specially crafted XML data.
 CVE-2019-12400 (In version 2.0.3 Apache Santuario XML Security for Java, a caching mec ...)
 	- libxml-security-java <unfixed> (bug #935548)
+	[bullseye] - libxml-security-java <no-dsa> (Minor issue)
 	[buster] - libxml-security-java <no-dsa> (Minor issue)
 	[stretch] - libxml-security-java <not-affected> (Vulnerable code introduced in 2.0.3)
 	[jessie] - libxml-security-java <not-affected> (Vulnerable code introduced in 2.0.3)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be014d3ff2471d055e0a5df42c5e9c9aa6c42e9d




