[Git][security-tracker-team/security-tracker][master] Update notes on CVE-2021-41190

Salvatore Bonaccorso (@carnil) carnil at debian.org
Sat Nov 20 09:22:18 GMT 2021



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d56d88cc by Salvatore Bonaccorso at 2021-11-20T10:20:37+01:00
Update notes on CVE-2021-41190

This is a bit cumbersome to track. My understanding is that the CVE is
specifically for the specification issue. Several container projects
have mitigated the issue by releasing updates, such as the mentioned
containerd and golang-github-opencontainers-image-spec.

As such keep it for now as NFU, though making a note on the mitigations
in software.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -9993,7 +9993,12 @@ CVE-2021-41192
 CVE-2021-41191 (Roblox-Purchasing-Hub is an open source Roblox product purchasing hub. ...)
 	NOT-FOR-US: Roblox-Purchasing-Hub
 CVE-2021-41190 (The OCI Distribution Spec project defines an API protocol to facilitat ...)
-	NOT-FOR-US: OCI Distribution Spec
+	NOT-FOR-US: OCI Distribution Specification
+	NOTE: Issue in the OCI Distribution Specification. Software mitigations are applied to
+	NOTE: containerd/1.5.8~ds1-1 and golang-github-opencontainers-image-spec/1.0.2-1
+	NOTE: https://www.openwall.com/lists/oss-security/2021/11/19/10
+	NOTE: https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m
+	NOTE: https://github.com/opencontainers/image-spec/security/advisories/GHSA-77vh-xpmg-72qh
 CVE-2021-41189 (DSpace is an open source turnkey repository application. In version 7. ...)
 	NOT-FOR-US: DSpace
 CVE-2021-41188 (Shopware is open source e-commerce software. Versions prior to 5.7.6 c ...)
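Review bot: In the two added NOTE lines under CVE-2021-41190, the mitigated versions (containerd/1.5.8~ds1-1 and golang-github-opencontainers-image-spec/1.0.2-1) are recorded only as free text beneath a NOT-FOR-US entry, so nothing in this entry ties the CVE to either source package, and a lookup by package will not show it. If NFU is the intended state for now, as the commit message says, it would help to say in the first NOTE that the CVE is assigned to the specification itself rather than to any implementation, so the reason for NFU is visible in the file and not only in the commit log. If these uploads should instead count as fixes, per-package entries with those versions would carry that information better than a NOTE.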



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d56d88cc5c785d969a508f0628331a10384de55d
