[Git][security-tracker-team/security-tracker][master] pillow fixed in sid

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Oct 11 15:47:18 BST 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
253d29da by Moritz Muehlenhoff at 2021-10-11T16:47:05+02:00
pillow fixed in sid
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3011,6 +3011,7 @@ CVE-2021-40823 (A logic error in the room key sharing functionality of matrix-js
 	- element-web <itp> (bug #866502)
 	- node-matrix-js-sdk <unfixed> (bug #994213)
 	[bullseye] - node-matrix-js-sdk <no-dsa> (Minor issue)
+	[buster] - node-matrix-js-sdk <no-dsa> (Minor issue)
 	NOTE: https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing/
 	NOTE: https://github.com/matrix-org/matrix-js-sdk/commit/894c24880da0e1cc81818f51c0db80e3c9fb2be9 (v12.4.1)
 CVE-2021-40822
@@ -4798,6 +4799,8 @@ CVE-2021-3739
 CVE-2021-3735 [ahci: deadlock issue leads to denial of service]
 	RESERVED
 	- qemu <unfixed>
+	[bullseye] - qemu <no-dsa> (Minor issue)
+	[buster] - qemu <no-dsa> (Minor issue)
 	[stretch] - qemu <postponed> (Fix along with a future DLA)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997184
 CVE-2021-40083 (Knot Resolver before 5.3.2 is prone to an assertion failure, triggerab ...)
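Review bot: the qemu entry for CVE-2021-3735 is being triaged as no-dsa for bullseye and buster while sid remains <unfixed> and the only reference is the Red Hat bug; there is no NOTE pointing at an upstream fix commit. Once the ahci fix lands upstream, add a NOTE with the commit and tag (as the other entries in this file do, e.g. "(v12.4.1)") so that the sid version bump and any later DLA for stretch can be tied to it.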
@@ -10137,9 +10140,11 @@ CVE-2021-37846
 CVE-2021-37845
 	RESERVED
 	- citadel <unfixed>
+	[buster] - citadel <ignored> (Minor issue)
 	[stretch] - citadel <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://uncensored.citadel.org/readfwd?go=Citadel Security?view=0?start_reading_at=2099264259#2099264259
 	NOTE: https://nostarttls.secvuln.info/
+	NOTE: CVE-2020-29547 and CVE-2021-37845 seem like dupes
 CVE-2021-37844
 	RESERVED
 CVE-2021-3677 [Memory disclosure in certain queries]
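Review bot: the new buster line marks citadel <ignored> (Minor issue) while the stretch line directly below it uses <postponed> (Minor issue, revisit when fixed upstream); with no upstream fix referenced in the NOTEs, <ignored> drops the issue from the buster queue permanently, whereas <postponed> would keep it open for the "revisit when fixed upstream" path the stretch line already records. If the intent really is never to fix this in buster, say so in the parenthetical; otherwise <postponed> would be the consistent choice.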
@@ -32597,6 +32602,7 @@ CVE-2021-28703
 	RESERVED
 CVE-2021-28702 (PCI devices with RMRRs not deassigned correctly Certain PCI devices in ...)
 	- xen <unfixed>
+	[bullseye] - xen <postponed> (Minor issue, fix along with next DSA)
 	[buster] - xen <not-affected> (Vulnerable code introduced later)
 	[stretch] - xen <not-affected> (Vulnerable code introduced later)
 	NOTE: https://xenbits.xen.org/xsa/advisory-386.html
@@ -45284,7 +45290,9 @@ CVE-2021-23439 (This affects the package file-upload-with-preview before 4.2.0.
 CVE-2021-23438 (This affects the package mpath before 0.8.4. A type confusion vulnerab ...)
 	NOT-FOR-US: Node mpath
 CVE-2021-23437 (The package pillow 5.2.0 and before 8.3.2 are vulnerable to Regular Ex ...)
-	- pillow <unfixed>
+	- pillow 8.3.2-1
+	[bullseye] - pillow <no-dsa> (Minor issue)
+	[buster] - pillow <no-dsa> (Minor issue)
 	[stretch] - pillow <postponed> (Minor issue, can be fixed in the next DLA)
 	NOTE: https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
 	NOTE: https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443
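Review bot: the upstream fix reference "https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b" carries no release annotation, whereas the other fix-commit NOTEs in this file do (e.g. "(v12.4.1)", "(6.0-pre1)"); since the sid line now records 8.3.2-1 and the CVE text says "before 8.3.2", append "(8.3.2)" to that NOTE so the commit-to-release mapping used for the stretch DLA is recorded in the entry itself.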
@@ -58284,9 +58292,11 @@ CVE-2020-29548 (An issue was discovered in SmarterTools SmarterMail through 100.
 CVE-2020-29547
 	RESERVED
 	- citadel <unfixed>
+	[buster] - citadel <ignored> (Minor issue)
 	[stretch] - citadel <postponed> (Minor issue, revisit when fixed upstream)
 	NOTE: https://uncensored.citadel.org/readfwd?go=Citadel Security?view=0?start_reading_at=2099264259#2099264259
 	NOTE: https://nostarttls.secvuln.info/
+	NOTE: CVE-2020-29547 and CVE-2021-37845 seem like dupes
 CVE-2020-29546
 	RESERVED
 CVE-2020-29545
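Review bot: the identical "seem like dupes" NOTE is now attached to both CVE-2020-29547 and CVE-2021-37845, and both entries carry the same buster/stretch triage, but neither says which of the two is treated as canonical; when an upstream fix arrives the fixed version will have to be recorded in both places or one of them cross-referenced, so it would help to state in the NOTE which ID is being tracked and which is the suspected duplicate.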
@@ -78132,6 +78142,7 @@ CVE-2020-22618
 	RESERVED
 CVE-2020-22617 (Ardour v5.12 contains a use-after-free vulnerability in the component  ...)
 	- ardour 1:6.0.0~ds0-1
+	[buster] - ardour <no-dsa> (Minor issue)
 	NOTE: https://tracker.ardour.org/view.php?id=7926
 	NOTE: https://github.com/Ardour/ardour/commit/96daa4036a425ff3f23a7dfcba57bfb0f942bec6 (6.0-pre1)
 CVE-2020-22616
@@ -81884,8 +81895,7 @@ CVE-2020-20900
 CVE-2020-20899
 	REJECTED
 CVE-2020-20898 (Integer Overflow vulnerability in function filter16_prewitt in libavfi ...)
-	- ffmpeg 7:4.3-2
-	[buster] - ffmpeg <ignored> (Minor issue)
+	- ffmpeg 7:4.3-2 (unimportant)
 	NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/99f8d32129dd233d4eb2efa44678a0bc44869f23 (4.3)
 	NOTE: https://trac.ffmpeg.org/ticket/8263
 CVE-2020-20897
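Review bot: changing the ffmpeg line to "7:4.3-2 (unimportant)" and dropping the buster <ignored> line removes the only recorded rationale for not fixing this in buster ("Minor issue"), and no NOTE is added explaining why an integer overflow in filter16_prewitt is unimportant. Add a short NOTE with the reason (the existing trac ticket and upstream commit links are the natural place to point to), so that the downgrade is auditable later.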


=====================================
data/dsa-needed.txt
=====================================
@@ -28,11 +28,13 @@ ffmpeg/oldstable (jmm)
 --
 icu
 --
+libreoffice (jmm)
+--
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
 --
-ndpi
+ndpi/oldstable
 --
 nodejs (jmm)
 --
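Review bot: the unchanged context line under the linux entry reads "try to regulary rebase", which should be "regularly"; since this hunk already touches the neighbouring lines, it is worth fixing in the same or a follow-up commit.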



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/253d29dadf194cffb9422ef59150c1730f668667


