[Git][security-tracker-team/security-tracker][master] 15 commits: Add ntfs-3g to dla-needed
Utkarsh Gupta (@utkarsh)
utkarsh at debian.org
Mon Sep 6 01:07:15 BST 2021
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker
Commits:
33845efe by Utkarsh Gupta at 2021-09-06T05:24:23+05:30
Add ntfs-3g to dla-needed
- - - - -
8bed5736 by Utkarsh Gupta at 2021-09-06T05:25:14+05:30
Mark CVE-2021-33582/cyrus-imapd as no-dsa for stretch
- - - - -
5ba42625 by Utkarsh Gupta at 2021-09-06T05:25:49+05:30
Mark CVE-2020-18771/exiv2 as no-dsa for exiv2
- - - - -
25e0a217 by Utkarsh Gupta at 2021-09-06T05:26:12+05:30
Mark CVE-2020-18899/exiv2 as no-dsa for exiv2
- - - - -
dbac216e by Utkarsh Gupta at 2021-09-06T05:27:30+05:30
Mark CVE-2021-38171/ffmpeg as postponed
- - - - -
c37e270e by Utkarsh Gupta at 2021-09-06T05:28:12+05:30
Mark CVE-2021-40330/git as no-dsa for stretch
- - - - -
9a4eb519 by Utkarsh Gupta at 2021-09-06T05:28:46+05:30
Mark CVE-2020-19481/gpac as ignored for stretch
- - - - -
24ced9e9 by Utkarsh Gupta at 2021-09-06T05:29:14+05:30
Mark CVE-2021-40491/inetutils as no-dsa for stretch
- - - - -
1b1be700 by Utkarsh Gupta at 2021-09-06T05:29:38+05:30
Mark CVE-2021-36370/mc as no-dsa for stretch
- - - - -
c87e6a51 by Utkarsh Gupta at 2021-09-06T05:30:02+05:30
Mark CVE-2021-35368/modsecurity-crs as no-dsa for stretch
- - - - -
4f3f5dc9 by Utkarsh Gupta at 2021-09-06T05:31:04+05:30
Mark CVE-2021-23434/node-object-path as end-of-life for stretch
- - - - -
b54551cc by Utkarsh Gupta at 2021-09-06T05:33:01+05:30
Mark CVE-2021-32610/php-pear as no-dsa for stretch
- - - - -
b0e1617b by Utkarsh Gupta at 2021-09-06T05:34:15+05:30
Mark CVE-2017-9525/systemd-cron as no-dsa for stretch
- - - - -
8693cc65 by Utkarsh Gupta at 2021-09-06T05:35:55+05:30
Mark CVE-2021-37701/node-tar as end-of-life for stretch
- - - - -
50664b82 by Utkarsh Gupta at 2021-09-06T05:36:36+05:30
Mark CVE-2021-37712/node-tar as end-of-life in stretch
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -191,6 +191,7 @@ CVE-2021-40491 (The ftp client in GNU Inetutils before 2.2 does not validate add
- inetutils 2:2.2-1 (bug #993476)
[bullseye] - inetutils <no-dsa> (Minor issue)
[buster] - inetutils <no-dsa> (Minor issue)
+ [stretch] - inetutils <no-dsa> (Minor issue)
NOTE: https://lists.gnu.org/archive/html/bug-inetutils/2021-06/msg00002.html
NOTE: https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=58cb043b190fd04effdaea7c9403416b436e50dd
CVE-2021-40490 (A race condition was discovered in ext4_write_inline_data_end in fs/ex ...)
@@ -441,6 +442,7 @@ CVE-2021-40330 (git_connect_git in connect.c in Git before 2.30.1 allows a repos
- git 1:2.30.1-1
[bullseye] - git <no-dsa> (Minor issue)
[buster] - git <no-dsa> (Minor issue)
+ [stretch] - git <no-dsa> (Minor issue)
NOTE: https://github.com/git/git/commit/a02ea577174ab8ed18f847cf1693f213e0b9c473
CVE-2021-40329
RESERVED
@@ -5343,6 +5345,7 @@ CVE-2021-38171 (adts_decode_extradata in libavformat/adtsenc.c in FFmpeg 4.4 doe
- ffmpeg <unfixed>
[bullseye] - ffmpeg <postponed> (Wait for 4.3.3)
[buster] - ffmpeg <postponed> (Wait for 4.1.7)
+ [stretch] - ffmpeg <postponed> (Wait to be fixed in buster first)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/9ffa49496d1aae4cbbb387aac28a9e061a6ab0a6
CVE-2021-38170
RESERVED
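Review bot: the stretch rationale on the `+ [stretch] - ffmpeg <postponed>` line is of a different kind from the buster and bullseye ones, which name the upstream release being waited for (4.1.7 and 4.3.3); "Wait to be fixed in buster first" records an ordering dependency but not which stretch upload or upstream release will carry the fix. Naming that target (or pointing at the upstream commit already listed in the NOTE) would let the postponement be re-checked once the buster update lands.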
@@ -6374,6 +6377,7 @@ CVE-2021-37713 (The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0
NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh
CVE-2021-37712 (The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, a ...)
- node-tar <unfixed>
+ [stretch] - node-tar <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p
CVE-2021-37711 (Versions prior to 6.4.3.1 contain an authenticated server-side request ...)
NOT-FOR-US: Shopware
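Review bot: the `- node-tar <unfixed>` line for CVE-2021-37712 is left as is, while the adjacent CVE-2021-37701 in the next hunk records a fix in 6.1.7+~cs11.3.10-1; since the description cites fixed upstream versions (4.4.18, 5.0.10, ...), it is worth confirming whether that upload or a later one also covers this CVE, or filing a bug so the unstable status does not remain `<unfixed>` by default. The stretch `<end-of-life>` line itself is consistent with the Nodejs support rationale it quotes.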
@@ -6397,6 +6401,7 @@ CVE-2021-37702 (Pimcore is an open source data & experience management platf
NOT-FOR-US: Pimcore
CVE-2021-37701 (The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, an ...)
- node-tar 6.1.7+~cs11.3.10-1
+ [stretch] - node-tar <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc
CVE-2021-37700 (@github/paste-markdown is an npm package for pasting markdown objects. ...)
NOT-FOR-US: Node paste-markdown
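Review bot: only a `[stretch]` line is added for CVE-2021-37701; the entry has no `[bullseye]` or `[buster]` annotation, unlike the other packages in this batch. With the fix recorded as 6.1.7+~cs11.3.10-1 in unstable, a triage line for the two supported stable releases (no-dsa, postponed, or a planned update) would complete the record in the same pass.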
@@ -9366,6 +9371,7 @@ CVE-2021-36370 (An issue was discovered in Midnight Commander through 4.8.26. Wh
- mc 3:4.8.27-1 (bug #993404)
[bullseye] - mc <no-dsa> (Minor issue)
[buster] - mc <no-dsa> (Minor issue)
+ [stretch] - mc <no-dsa> (Minor issue)
NOTE: https://github.com/MidnightCommander/mc/commit/9235d3c232d13ad7f973346077c9cf2eaa77dc5f
CVE-2021-36369
RESERVED
@@ -11739,6 +11745,7 @@ CVE-2021-35368 [CRS Request Body Bypass]
- modsecurity-crs 3.3.2-1 (bug #992000)
[bullseye] - modsecurity-crs <no-dsa> (Minor issue)
[buster] - modsecurity-crs <no-dsa> (Minor issue)
+ [stretch] - modsecurity-crs <no-dsa> (Minor issue)
NOTE: https://coreruleset.org/20210630/cve-2021-35368-crs-request-body-bypass/
NOTE: https://github.com/coreruleset/coreruleset/pull/2143
NOTE: https://github.com/coreruleset/coreruleset/commit/132c19c8f21c8cd4d3cd484d4f34ef786ee39b05 (v3.4-dev)
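Review bot: the `<no-dsa> (Minor issue)` rationale for stretch is copied verbatim from buster and bullseye, but the only fix reference is a commit on the v3.4-dev branch and the fixed package is 3.3.2-1; stating which CRS version stretch ships and whether the request-body rules concerned exist there would make "Minor issue" checkable rather than inherited. A short NOTE with the triage reasoning would suffice.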
@@ -15835,6 +15842,7 @@ CVE-2021-33582 (Cyrus IMAP before 3.4.2 allows remote attackers to cause a denia
- cyrus-imapd 3.4.2-1 (bug #993433)
[bullseye] - cyrus-imapd <no-dsa> (Minor issue; pending fix via point release)
[buster] - cyrus-imapd <no-dsa> (Minor issue; can be fixed via point release)
+ [stretch] - cyrus-imapd <no-dsa> (Minor issue; can be fixed via point release)
- cyrus-imapd-2.4 <removed>
NOTE: https://cyrus.topicbox.com/groups/announce/T3dde0a2352462975-M1386fc44adf967e072f8df13/cyrus-imap-3-4-2-3-2-8-and-3-0-16-released
NOTE: https://github.com/cyrusimap/cyrus-imapd/commit/0fb658f1727f4446f7f33adcc428ba4c9eeabe3e (master)
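Review bot: the stretch rationale `(Minor issue; can be fixed via point release)` is copied from the buster line, but stretch is in LTS and no longer receives point releases, so the second clause cannot happen as written; use `(Minor issue)` alone, or say that the fix can be folded into a future DLA for cyrus-imapd.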
@@ -18240,6 +18248,7 @@ CVE-2021-32610 (In Archive_Tar before 1.4.14, symlinks can refer to targets outs
- php-pear <unfixed> (bug #991541)
[bullseye] - php-pear <no-dsa> (Minor issue)
[buster] - php-pear <no-dsa> (Minor issue)
+ [stretch] - php-pear <no-dsa> (Minor issue)
NOTE: https://www.drupal.org/sa-core-2021-004
NOTE: https://pear.php.net/package/Archive_Tar/download/1.4.14/
NOTE: https://github.com/pear/Archive_Tar/commit/b5832439b1f37331fb4f87e67fe4f61ca26bf7d4 (1.4.14)
@@ -40890,6 +40899,7 @@ CVE-2021-23434 (This affects the package object-path before 0.11.6. A type confu
- node-object-path 0.11.7-1
[bullseye] - node-object-path <no-dsa> (Minor issue)
[buster] - node-object-path <no-dsa> (Minor issue)
+ [stretch] - node-object-path <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453
NOTE: https://github.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb
CVE-2021-23433
@@ -80168,6 +80178,7 @@ CVE-2020-19482
CVE-2020-19481 (An issue was discovered in GPAC before 0.8.0, as demonstrated by MP4Bo ...)
- gpac 1.0.1+dfsg1-2
[buster] - gpac <ignored> (Minor issue)
+ [stretch] - gpac <ignored> (Minor issue)
NOTE: https://github.com/gpac/gpac/commit/2320eb73afba753b39b7147be91f7be7afc0eeb7
NOTE: https://github.com/gpac/gpac/issues/1265
NOTE: https://github.com/gpac/gpac/issues/1266
@@ -81371,6 +81382,7 @@ CVE-2020-18900 (** DISPUTED ** A heap-based buffer overflow in the libexe_io_han
CVE-2020-18899 (An uncontrolled memory allocation in DataBufdata(subBox.length-sizeof( ...)
- exiv2 0.27.2-6
[buster] - exiv2 <no-dsa> (Minor issue)
+ [stretch] - exiv2 <no-dsa> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/742
NOTE: https://github.com/Exiv2/exiv2/commit/051b5d9df1f4669117937b7a40104404cc252993 (0.27.1)
CVE-2020-18898 (A stack exhaustion issue in the printIFDStructure function of Exiv2 0. ...)
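Review bot: commit 25e0a217 is titled "Mark CVE-2020-18899/exiv2 as no-dsa for exiv2", but the hunk adds a `[stretch]` line; the suite name in the commit message should read "for stretch" to match the change (the same applies to 5ba42625 for CVE-2020-18771 in the following hunk).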
@@ -81643,6 +81655,7 @@ CVE-2020-18772
CVE-2020-18771 (Exiv2 0.27.99.0 has a global buffer over-read in Exiv2::Internal::Niko ...)
- exiv2 0.27.2-6
[buster] - exiv2 <no-dsa> (Minor issue)
+ [stretch] - exiv2 <no-dsa> (Minor issue)
NOTE: https://github.com/Exiv2/exiv2/issues/756
CVE-2020-18770
RESERVED
@@ -265714,6 +265727,7 @@ CVE-2017-9525 (In the cron package through 3.0pl1-128 on Debian, and through 3.0
- systemd-cron <unfixed> (bug #993731)
[bullseye] - systemd-cron <no-dsa> (Minor issue)
[buster] - systemd-cron <no-dsa> (Minor issue)
+ [stretch] - systemd-cron <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2017/06/08/3
CVE-2017-9523 (The Sophos Web Appliance before 4.3.2 has XSS in the FTP redirect page ...)
NOT-FOR-US: Sophos
=====================================
data/dla-needed.txt
=====================================
@@ -12,6 +12,8 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues
To make it easier to see the entire history of an update, please append notes
rather than remove/replace existing ones.
+--
+ntfs-3g
--
amd64-microcode
NOTE: 20210831: no binary package was built, possibly due to non-free-specific rules
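Review bot: the new `ntfs-3g` entry is added without a NOTE line, although the file header asks for notes to be appended and the neighbouring amd64-microcode entry carries a dated NOTE; adding a `NOTE: 20210906: ...` line naming the CVE(s) that put ntfs-3g on the list would show a claimant why it is there and whether an upstream fix is already available.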
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d89acc85f59ee22026fe430f3de26f5c09826ff1...50664b823612eda8ce529df11ccca2034deef28d