[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Wed Oct 13 18:52:55 BST 2021


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
72e1d1ae by Moritz Muehlenhoff at 2021-10-13T19:50:12+02:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1056,6 +1056,8 @@ CVE-2021-3854
 	RESERVED
 CVE-2021-XXXX [RUSTSEC-2021-0119: Out-of-bounds write in nix::unistd::getgrouplist]
 	- rust-nix 0.19.0-2 (bug #995562)
+	[bullseye] - rust-nix <no-dsa> (Minor issue)
+	[buster] - rust-nix <no-dsa> (Minor issue)
 	NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0119.html
 	NOTE: https://github.com/nix-rust/nix/issues/1541
 CVE-2021-41970
@@ -2570,8 +2572,9 @@ CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification o
 	NOTE: https://github.com/mariocasciaro/object-path/commit/e6bb638ffdd431176701b3e9024f80050d0ef0a6
 CVE-2021-41303 (Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a ...)
 	- shiro <unfixed>
+	[bullseye] - shiro <no-dsa> (Minor issue)
+	[buster] - shiro <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/09/17/1
-	TODO: check
 CVE-2021-41302 (ECOA BAS controller stores sensitive data (backup exports) in clear-te ...)
 	NOT-FOR-US: ECOA BAS controller
 CVE-2021-41301 (ECOA BAS controller is vulnerable to configuration disclosure when dir ...)
@@ -12411,11 +12414,15 @@ CVE-2021-37138
 CVE-2021-37137
 	RESERVED
 	- netty <unfixed>
+	[bullseye] - netty <no-dsa> (Minor issue)
+	[buster] - netty <no-dsa> (Minor issue)
 	NOTE: https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363
 	NOTE: Fixed by: https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f (netty-4.1.68.Final)
 CVE-2021-37136
 	RESERVED
 	- netty <unfixed>
+	[bullseye] - netty <no-dsa> (Minor issue)
+	[buster] - netty <no-dsa> (Minor issue)
 	NOTE: https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv
 	NOTE: Fixed by: https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020 (netty-4.1.68.Final)
 CVE-2021-37135


=====================================
data/dsa-needed.txt
=====================================
@@ -50,6 +50,8 @@ salt
 --
 squashfs-tools (carnil)
 --
+thunderbird (jmm)
+--
 tomcat9
   Markus Koschany proposed an update for CVE-2021-41079, plus a regression fix
   from previous CVE-2021-30640 and another non-security fix for #987179, might



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72e1d1aebace35b90cf42d26f208bc11213c8586

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72e1d1aebace35b90cf42d26f208bc11213c8586
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20211013/0e088a35/attachment-0001.htm>
