[Git][security-tracker-team/security-tracker][master] Reserve DLA-2826-1 for mbedtls
Emilio Pozuelo Monfort (@pochu)
pochu at debian.org
Tue Nov 23 13:03:14 GMT 2021
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b9cd936f by Emilio Pozuelo Monfort at 2021-11-23T14:02:56+01:00
Reserve DLA-2826-1 for mbedtls
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -52149,7 +52149,6 @@ CVE-2021-24119 (In Trusted Firmware Mbed TLS 2.24.0, a side-channel vulnerabilit
- mbedtls <unfixed>
[bullseye] - mbedtls <no-dsa> (Minor issue)
[buster] - mbedtls <no-dsa> (Minor issue)
- [stretch] - mbedtls <no-dsa> (Minor issue)
NOTE: Fixed in 2.26.0: https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0
CVE-2021-24118
RESERVED
@@ -227247,7 +227246,6 @@ CVE-2017-18259 (Dolibarr ERP/CRM is affected by stored Cross-Site Scripting (XSS
CVE-2018-9989 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffe ...)
{DLA-1518-1}
- mbedtls 2.8.0-1
- [stretch] - mbedtls <no-dsa> (Minor issue)
- polarssl <removed>
[wheezy] - polarssl <no-dsa> (Minor issue)
NOTE: https://github.com/ARMmbed/mbedtls/commit/5224a7544c95552553e2e6be0b4a789956a6464e
@@ -227256,7 +227254,6 @@ CVE-2018-9989 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a
CVE-2018-9988 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has a buffe ...)
{DLA-1518-1}
- mbedtls 2.8.0-1
- [stretch] - mbedtls <no-dsa> (Minor issue)
- polarssl <removed>
[wheezy] - polarssl <no-dsa> (Minor issue)
NOTE: https://github.com/ARMmbed/mbedtls/commit/027f84c69f4ef30c0693832a6c396ef19e563ca1
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[23 Nov 2021] DLA-2826-1 mbedtls - security update
+ {CVE-2018-9988 CVE-2018-9989 CVE-2020-36475 CVE-2020-36476 CVE-2020-36478 CVE-2021-24119}
+ [stretch] - mbedtls 2.4.2-1+deb9u4
[22 Nov 2021] DLA-2825-1 libmodbus - security update
{CVE-2019-14462 CVE-2019-14463}
[stretch] - libmodbus 3.0.6-2+deb9u1
=====================================
data/dla-needed.txt
=====================================
@@ -69,9 +69,6 @@ linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
--
-mbedtls (Emilio)
- NOTE: 20211122: CVEs backported, but one of them introduces a test regression, investigating (Emilio)
---
nvidia-graphics-drivers
NOTE: package is in non-free but also in packages-to-support
NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9cd936f441e1f0317169b34eefffb6f72c04480
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9cd936f441e1f0317169b34eefffb6f72c04480
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20211123/d0595059/attachment.htm>
More information about the debian-security-tracker-commits
mailing list