[Git][security-tracker-team/security-tracker][master] Add new trafficserver issues
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Nov 3 05:59:32 GMT 2021
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8c660d04 by Salvatore Bonaccorso at 2021-11-03T06:59:12+01:00
Add new trafficserver issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1360,8 +1360,10 @@ CVE-2015-10001 (The WP-Stats WordPress plugin before 2.52 does not have CSRF che
NOT-FOR-US: WordPress plugin
CVE-2021-43083
RESERVED
-CVE-2021-43082
+CVE-2021-43082 [heap-buffer-overflow with stats-over-http plugin]
RESERVED
+ - trafficserver <unfixed>
+ NOTE: https://www.openwall.com/lists/oss-security/2021/11/02/11
CVE-2021-3915
RESERVED
CVE-2020-36505 (The Delete All Comments Easily WordPress plugin through 1.3 is lacking ...)
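Review bot: The new CVE-2021-43082 entry records trafficserver <unfixed> with only the oss-security post as a reference; once the upstream fix is identified, add it as a NOTE line the way the nearby CVE-2021-3828 nltk entry carries its commit and pull-request NOTEs, and consider recording whether the Debian build ships and enables the stats-over-http plugin, since a heap-buffer-overflow reachable only through an optional plugin bears on the severity annotation (the '(Minor issue)' style used for nltk).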
@@ -6025,8 +6027,10 @@ CVE-2021-3828 (nltk is vulnerable to Inefficient Regular Expression Complexity .
[stretch] - nltk <no-dsa> (Minor issue)
NOTE: https://github.com/nltk/nltk/commit/277711ab1dec729e626b27aab6fa35ea5efbd7e6
NOTE: https://github.com/nltk/nltk/pull/2816
-CVE-2021-41585
+CVE-2021-41585 [ATS stops accepting connections on FreeBSD]
RESERVED
+ - trafficserver <not-affected> (Only affects FreeBSD)
+ NOTE: https://www.openwall.com/lists/oss-security/2021/11/02/11
CVE-2021-41584 (Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a ...)
NOT-FOR-US: Gradle Enterprise
CVE-2021-41583 (vpn-user-portal (aka eduVPN or Let's Connect!) before 2.3.14, as packa ...)
@@ -14227,8 +14231,12 @@ CVE-2021-38163 (SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.
NOT-FOR-US: SAP
CVE-2021-38162 (SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22 ...)
NOT-FOR-US: SAP
-CVE-2021-38161
+CVE-2021-38161 [Not validating origin TLS certificate]
RESERVED
+ - trafficserver 9.1.0+ds-1
+ NOTE: https://www.openwall.com/lists/oss-security/2021/11/02/11
+ NOTE: Mark first 9.x version as the fixed version as workaround, the issue does
+ NOTE: not affect the 9.x series.
CVE-2021-38166 (In kernel/bpf/hashtab.c in the Linux kernel through 5.13.8, there is a ...)
{DSA-4978-1}
- linux 5.14.6-1
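Review bot: The two NOTE lines for CVE-2021-38161 explain that 9.1.0+ds-1 is recorded as the fixed version only as a workaround because the 9.x series is not affected, but they do not say which series is affected; suggest naming the affected upstream series in the NOTE so readers do not take 9.1.0+ds-1 for a real upstream fix, e.g. 'NOTE: Only releases before the 9.x series are affected; 9.1.0+ds-1 is recorded as fixed as a workaround.' Since everything below 9.1.0+ds-1 is now treated as vulnerable, a suite-level annotation (the '[stretch] - nltk <no-dsa>' form used earlier in the file) for any release shipping an older trafficserver would make the triage status explicit.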
@@ -16610,12 +16618,18 @@ CVE-2021-37159 (hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel
NOTE: https://www.spinics.net/lists/linux-usb/msg202228.html
CVE-2021-37150
RESERVED
-CVE-2021-37149
+CVE-2021-37149 [Request Smuggling - multiple attacks]
RESERVED
-CVE-2021-37148
+ - trafficserver <unfixed>
+ NOTE: https://www.openwall.com/lists/oss-security/2021/11/02/11
+CVE-2021-37148 [Request Smuggling - transfer encoding validation]
RESERVED
-CVE-2021-37147
+ - trafficserver <unfixed>
+ NOTE: https://www.openwall.com/lists/oss-security/2021/11/02/11
+CVE-2021-37147 [Request Smuggling - LF line ending]
RESERVED
+ - trafficserver <unfixed>
+ NOTE: https://www.openwall.com/lists/oss-security/2021/11/02/11
CVE-2021-37146 (An infinite loop in Open Robotics ros_comm XMLRPC server in ROS Melodi ...)
[experimental] - ros-ros-comm 1.15.13+ds1-1
- ros-ros-comm 1.15.13+ds1-2
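Review bot: The three request-smuggling entries (CVE-2021-37149, CVE-2021-37148, CVE-2021-37147) are each marked trafficserver <unfixed> and all cite the same oss-security post; as they are reported together, add the upstream fix commit or release as a NOTE on each once known, and give each a suite-level annotation for releases carrying an affected version, as the nltk entry in the second hunk does. Request smuggling in a proxy affects every origin it fronts, so leaving the three entries without a severity or suite annotation makes them easy to overlook in triage.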
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c660d0417487c62570724834ad43869a059adb3
More information about the debian-security-tracker-commits mailing list