[Git][security-tracker-team/security-tracker][master] 8 commits: Mark CVE-2021-3828/nltk as no-dsa for stretch

Utkarsh Gupta (@utkarsh) utkarsh at debian.org
Mon Oct 4 00:57:26 BST 2021



Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1a203d1f by Utkarsh Gupta at 2021-10-04T05:18:31+05:30
Mark CVE-2021-3828/nltk as no-dsa for stretch

- - - - -
e970ca03 by Utkarsh Gupta at 2021-10-04T05:19:14+05:30
Mark CVE-2021-38562/request-tracker4 as no-dsa for stretch

- - - - -
93294ddd by Utkarsh Gupta at 2021-10-04T05:19:43+05:30
Mark CVE-2021-37146/ros-ros-comm as no-dsa for stretch

- - - - -
ff2f6cf5 by Utkarsh Gupta at 2021-10-04T05:20:38+05:30
Mark CVE-2021-3521/rpm as no-dsa for stretch

- - - - -
1015bb33 by Utkarsh Gupta at 2021-10-04T05:21:23+05:30
Add mediawiki to dla-needed

- - - - -
50f1016a by Utkarsh Gupta at 2021-10-04T05:22:38+05:30
Add openssh to dla-needed

- - - - -
fd65706b by Utkarsh Gupta at 2021-10-04T05:23:31+05:30
Add python3.5 to dla-needed

- - - - -
2815ef9c by Utkarsh Gupta at 2021-10-04T05:26:45+05:30
Add notes for packages

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -636,6 +636,7 @@ CVE-2021-3828 (nltk is vulnerable to Inefficient Regular Expression Complexity .
 	- nltk <unfixed> (bug #995226)
 	[bullseye] - nltk <no-dsa> (Minor issue)
 	[buster] - nltk <no-dsa> (Minor issue)
+	[stretch] - nltk <no-dsa> (Minor issue)
 	NOTE: https://github.com/nltk/nltk/commit/277711ab1dec729e626b27aab6fa35ea5efbd7e6
 	NOTE: https://github.com/nltk/nltk/pull/2816
 CVE-2021-41585
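Review bot: marking stretch `<no-dsa>` asserts that the stretch nltk package carries the affected code, but the hunk only shows the unstable entry `<unfixed>` with bug #995226 and the two upstream fix references; please confirm that the regular expression changed in nltk commit 277711ab1dec729e626b27aab6fa35ea5efbd7e6 is present in the stretch version before leaving it unfixed under no-dsa, and record that check in the entry if it was done.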
@@ -7609,6 +7610,7 @@ CVE-2021-38562
 	- request-tracker4 4.4.4+dfsg-3 (bug #995175)
 	[bullseye] - request-tracker4 <no-dsa> (Minor issue; will be fixed via point release)
 	[buster] - request-tracker4 <no-dsa> (Minor issue; will be fixed via point release)
+	[stretch] - request-tracker4 <no-dsa> (Minor issue)
 	NOTE: https://github.com/bestpractical/rt/commit/70749bb66cb13dd70bd53340c371038a5f3ca57c (rt-5.0.2)
 	NOTE: https://github.com/bestpractical/rt/commit/d16f8cf13c2af517ee55a85e7b91a0267477189f (rt-4.4.5)
 	NOTE: https://github.com/bestpractical/rt/commit/d16f8cf13c2af517ee55a85e7b91a0267477189f (rt-4.2.17)
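Review bot: the NOTE lines tagged (rt-4.4.5) and (rt-4.2.17) both point at the same commit d16f8cf13c2af517ee55a85e7b91a0267477189f, which looks like a copy-and-paste slip; the 4.2.17 line should reference its own commit or be dropped. Separately, the new stretch line reads only `(Minor issue)` while bullseye and buster say `will be fixed via point release`; that difference is reasonable for a suite without point releases, but stating whether stretch should later get the fix through a DLA or stay unfixed would make the entry clearer.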
@@ -10959,6 +10961,7 @@ CVE-2021-37146 (An infinite loop in Open Robotics ros_comm XMLRPC server in ROS
 	- ros-ros-comm <unfixed>
 	[bullseye] - ros-ros-comm <no-dsa> (Minor issue)
 	[buster] - ros-ros-comm <no-dsa> (Minor issue)
+	[stretch] - ros-ros-comm <no-dsa> (Minor issue)
 	NOTE: https://discourse.ros.org/t/new-packages-for-melodic-2021-09-27/22446
 	NOTE: https://discourse.ros.org/t/new-packages-for-noetic-2021-09-27/22447
 	NOTE: https://github.com/ros/ros_comm/pull/2185
@@ -23651,6 +23654,7 @@ CVE-2021-3521
 	- rpm <unfixed>
 	[bullseye] - rpm <no-dsa> (Minor issue)
 	[buster] - rpm <no-dsa> (Minor issue)
+	[stretch] - rpm <no-dsa> (Minor issue)
 	NOTE: https://github.com/rpm-software-management/rpm/pull/1788
 CVE-2021-3520 (There's a flaw in lz4. An attacker who submits a crafted file to an ap ...)
 	{DSA-4919-1 DLA-2657-1}


=====================================
data/dla-needed.txt
=====================================
@@ -30,6 +30,9 @@ cacti (Roberto C. Sánchez)
 debian-archive-keyring (Utkarsh)
   NOTE: https://lists.debian.org/debian-lts/2021/08/msg00037.html
   NOTE: 20210920: Raphael answered. will backport today. (utkarsh)
+  NOTE: 20211003: waiting for Jonathan to get back as his keys
+  NOTE: 20211003: seemed to have expired and the build is thus
+  NOTE: 20211003: failing. Or at least appears to be. :( (utkarsh)
 --
 exiv2 (Thorsten Alteholz)
 --
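Review bot: the new 20211003 note describes the build failure only as something that "appears to be" caused by expired keys; add the actual error output or a bug reference so the next person can confirm the cause instead of re-investigating, and note which key (Jonathan's signing key, presumably) the build depends on.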
@@ -50,6 +53,8 @@ linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
 --
+mediawiki
+--
 mosquitto
   NOTE: 20210805: coordinating upload to buster before DLA for Stretch (codehelp)
   NOTE: 20210806: CVE-2021-34432 ignored in buster and stretch. Vulnerable code not accessible. (codehelp)
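Review bot: the mediawiki entry is added with no claimer and no NOTE, unlike the neighbouring entries in this file; add a NOTE naming the CVE(s) or the reason it now needs a DLA so the item is actionable without a separate tracker search.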
@@ -62,6 +67,18 @@ nvidia-graphics-drivers
   NOTE: package is in non-free but also in packages-to-support
   NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in Stretch, no fix available for CVE-2021-1077
 --
+openssh (Utkarsh)
+  NOTE: 20211003: a backporting error for CVE-2018-15473 was reported in
+  NOTE: 20211003: Ubuntu (and can see the same code differences here);
+  NOTE: 20211003: check if that needs to be fixed; talking to -security.
+  NOTE: 20211003: also CVE-2021-41617 is new; might be a good idea to
+  NOTE: 20211003: club both these together. (utkarsh)
+--
+python3.5 (Utkarsh)
+  NOTE: 20211003: whilst looks like a no-dsa/postponed candidate on a
+  NOTE: 20211003: quick look, Canonical issued an update via the ESM
+  NOTE: 20211003: pocket. Needs another look. (utkarsh)
+--
 python-babel
   NOTE: 20210617: CVE-2021-20095 withdrawn, cf. 251b6e33 and #987824 (abhijith)
   NOTE: 20210620: http://people.debian.org/~abhijith/backport_of_3a700b5.patch (abhijith)
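Review bot: the openssh note refers to a backporting error for CVE-2018-15473 "reported in Ubuntu" but gives no link to that report or to the -security discussion; add the URL, since the decision whether the stretch package needs a fix rests on it. The python3.5 note likewise names no CVE ids and no reference for the Canonical ESM update it mentions; a link would make "needs another look" actionable.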
@@ -71,6 +88,8 @@ ruby2.3
   NOTE: 20210802: Utkarsh already uploaded a fix for sid/bullseye. (utkarsh)
   NOTE: 20210816: wip, backporting patches; a bit hard. (utkarsh)
   NOTE: 20210920: in midst of backporting patches. (utkarsh)
+  NOTE: 20211003: only backporting CVE-2021-31810 is left, which has a bit
+  NOTE: 20211003: of difference whilst going back to ruby2.3. (utkarsh)
 --
 rustc
   NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f487d2e240c1acd2616fea5f775666467131a824...2815ef9c3f9982704a655303f85724e4854296cd


