[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2021-37714,jsoup as no-dsa in Stretch
Markus Koschany (@apo)
apo at debian.org
Wed Oct 20 13:54:40 BST 2021
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
bfa8c0d4 by Markus Koschany at 2021-10-20T14:51:20+02:00
Mark CVE-2021-37714,jsoup as no-dsa in Stretch
As privately discussed with the security team I am going to mark CVE-2021-37714
as no-dsa because benefit/risk factor is rather low and the DoS vulnerabilities
can also be mitigated.
- - - - -
4125e626 by Markus Koschany at 2021-10-20T14:52:36+02:00
Remove jsoup from dla-needed.txt
- - - - -
a26a6b6c by Markus Koschany at 2021-10-20T14:53:59+02:00
Claim salt in dla-needed.txt
Let's take a look why this one hasn't been issued yet.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -13057,6 +13057,7 @@ CVE-2021-37714 (jsoup is a Java library for working with HTML. Those using jsoup
- jsoup 1.14.2-1 (bug #992590)
[bullseye] - jsoup <no-dsa> (Minor issue)
[buster] - jsoup <no-dsa> (Minor issue)
+ [stretch] - jsoup <no-dsa> (Minor issue)
NOTE: https://github.com/jhy/jsoup/security/advisories/GHSA-m72m-mhq2-9p6c
CVE-2021-37713 (The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, a ...)
- node-tar <not-affected> (Only affects node-tar on Windows)
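Review bot: the added `[stretch] - jsoup <no-dsa> (Minor issue)` line gives only the generic reason, while the commit message states the actual rationale (low benefit/risk, and the DoS can be mitigated). It matches the bullseye and buster entries as written. A short NOTE line saying that mitigation is possible would put the reason in data/CVE/list itself rather than only in the commit log.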
=====================================
data/dla-needed.txt
=====================================
@@ -44,10 +44,6 @@ firmware-nonfree
NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
--
-jsoup
- NOTE: 20211016: I'm still waiting for some feedback from the security team. I will keep
- NOTE: 20211016: jsoup in dla-needed.txt until they get back to me. (apo)
---
linux (Ben Hutchings)
--
linux-4.19 (Ben Hutchings)
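Review bot: the removed jsoup NOTE lines say the entry stays in dla-needed.txt until the security team replies, and nothing in this hunk records that the reply came or what was decided. Commit 4125e626 has a subject line only. Mentioning CVE-2021-37714 and the no-dsa marking in that message would tie the removal to its reason for anyone reading this file's history on its own.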
@@ -92,7 +88,7 @@ rustc
NOTE: https://bugs.debian.org/928422
NOTE: Perhaps fix with the next rustc update for a new Firefox? (bunk)
--
-salt
+salt (Markus Koschany)
NOTE: 20210329: WIP (utkarsh)
NOTE: 20210510: patches ready; reviewing and testing with donfede, damien, and bdrung. (utkarsh)
NOTE: 20210510: will try to release ASAP; also preparing update for buster (DSA). (utkarsh)
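Review bot: the claim changes `salt` to `salt (Markus Koschany)`, but every NOTE under it is still signed (utkarsh) and dated 20210329 or 20210510, so the entry does not show when or why the package changed hands. Consider adding a dated NOTE in the same style as the existing ones, recording the takeover and the intent stated in the commit message (to check why the update has not been issued yet).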
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ee707906131d52052e068698f162bf8daedf8bc3...a26a6b6c10c645912193cf98d818f0d4be2f6727