[Git][security-tracker-team/security-tracker][master] 4 commits: Triage CVE-2021-41133 in flatpak for stretch LTS.

Chris Lamb (@lamby) lamby at debian.org
Wed Oct 13 09:11:45 BST 2021



Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ad3e151c by Chris Lamb at 2021-10-13T09:10:38+01:00
Triage CVE-2021-41133 in flatpak for stretch LTS.

- - - - -
eb66502e by Chris Lamb at 2021-10-13T09:10:39+01:00
Triage CVE-2021-3671 in heimdal and samba for stretch LTS.

- - - - -
cc20786f by Chris Lamb at 2021-10-13T09:10:40+01:00
Triage CVE-2020-28282 in node-getobject for stretch LTS.

- - - - -
e1550786 by Chris Lamb at 2021-10-13T09:11:24+01:00
data/dla-needed.txt: Triage redmine for stretch LTS (CVE-2021-42326)

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -715,6 +715,7 @@ CVE-2021-41133 (Flatpak is a system for building, distributing, and running sand
 	{DSA-4984-1}
 	- flatpak 1.12.1-1 (bug #995935)
 	[buster] - flatpak <ignored> (Not exploitable with Debian buster kernel, intrusive to backport; requires updated libseccomp)
+	[stretch] - flatpak <ignored> (Difficult to exploit)
 	NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
 	NOTE: Sourcewise fixed in 1.12.0-1 already, but 1.12.1-1 adds stricter dependency
 	NOTE: to libseccomp 2.5.2 so that CVE-2021-41133 is fully prevented.
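Review bot: the stretch rationale `(Difficult to exploit)` on the added line is much thinner than the adjacent buster entry, which records both why it is not exploitable there (the buster kernel) and what a backport would need (libseccomp 2.5.2, per the NOTE lines that follow). If the same reasoning holds for stretch, consider spelling it out, e.g. `[stretch] - flatpak <ignored> (Not exploitable with Debian stretch kernel; intrusive to backport, requires updated libseccomp)`, so a later triager does not have to rediscover the justification.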
@@ -11099,9 +11100,11 @@ CVE-2021-3671 (A null pointer de-reference was found in the way samba kerberos s
 	- heimdal <unfixed>
 	[bullseye] - heimdal <no-dsa> (Minor issue)
 	[buster] - heimdal <no-dsa> (Minor issue)
+	[stretch] - heimdal <no-dsa> (Minor issue)
 	- samba <unfixed>
 	[bullseye] - samba <no-dsa> (Minor issue)
 	[buster] - samba <no-dsa> (Minor issue)
+	[stretch] - samba <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2013080
 	NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14770
 	NOTE: Fixed by: https://github.com/heimdal/heimdal/commit/04171147948d0a3636bc6374181926f0fb2ec83a
@@ -64934,6 +64937,7 @@ CVE-2020-28282 (Prototype pollution vulnerability in 'getobject' version 0.1.0 a
 	- node-getobject 1.0.2-1
 	[bullseye] - node-getobject <no-dsa> (Minor issue)
 	[buster] - node-getobject <no-dsa> (Minor issue)
+	[stretch] - node-getobject <no-dsa> (Minor issue)
 	NOTE: https://github.com/cowboy/node-getobject/commit/84071748fa407caa8f824e0d0b9c1cde9ec56633 (v1.0.0)
 CVE-2020-28281 (Prototype pollution vulnerability in 'set-object-value' versions 0.0.0 ...)
 	NOT-FOR-US: react-atomic-organism


=====================================
data/dla-needed.txt
=====================================
@@ -88,6 +88,10 @@ redis (Chris Lamb)
   NOTE: 20211004: Fixed in sid and experimental. (lamby)
   NOTE: 20211006: buster-pu filed in #995825. (lamby)
 --
+redmine
+  NOTE: 20211013: Issue appears to be private, so may require comparison of release
+  NOTE: 20211013: tarballs to find upstream changeset. (lamby)
+--
 rustc
   NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable
   NOTE: https://bugs.debian.org/928422
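Review bot: the new `redmine` entry does not carry the CVE id that the commit message cites (CVE-2021-42326), and unlike the neighbouring `redis (Chris Lamb)` entry it has no assignee in parentheses. Consider putting the id in the NOTE text, e.g. `NOTE: 20211013: CVE-2021-42326: issue appears to be private, so may require comparison of release`, and adding an owner to the header line if someone is claiming it, so the entry can be cross-referenced against data/CVE/list.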



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/612ec9208554f8640eeef9fee038c15ae020f606...e1550786777f9e7ae53a1b4a7f1635dc4eb9caed

-- 
You're receiving this email because of your account on salsa.debian.org.

