[Git][security-tracker-team/security-tracker][master] 3 commits: mark CVE-2021-41054 as postponed for Stretch

Tue Sep 21 23:03:42 BST 2021


Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
60357035 by Thorsten Alteholz at 2021-09-21T23:55:22+02:00
mark CVE-2021-41054 as postponed for Stretch

- - - - -
2a282ba5 by Thorsten Alteholz at 2021-09-22T00:02:00+02:00
mark CVE-2021-21897 as no-dsa for Stretch

- - - - -
34355851 by Thorsten Alteholz at 2021-09-22T00:03:28+02:00
Reserve DLA-2762-1 for grilo

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1439,6 +1439,7 @@ CVE-2021-41054 (tftpd_file.c in atftp through 0.7.4 has a buffer overflow becaus
 	- atftp 0.7.git20210915-1
 	[bullseye] - atftp <no-dsa> (Minor issue; can be fixed via point release)
 	[buster] - atftp <no-dsa> (Minor issue; can be fixed via point release)
+	[stretch] - atftp <postponed> (Minor issue)
 	NOTE: https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/
 CVE-2021-3798 [Soft token does not check if an EC key is valid]
 	RESERVED
@@ -47079,6 +47080,7 @@ CVE-2021-21897 (A code execution vulnerability exists in the DL_Dxf::handleLWPol
 	- dxflib 3.26.4-1
 	[bullseye] - dxflib <no-dsa> (Minor issue)
 	[buster] - dxflib <no-dsa> (Minor issue)
+	[stretch] - dxflib <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1346
 	NOTE: https://github.com/qcad/qcad/commit/1eeffc5daf5a06cf6213ffc19e95923cdebb2eb8
 	TODO: check, horizon-eda, cloudcompare, kicad embedds it, but needs to check if actually used and issue affects those


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[22 Sep 2021] DLA-2762-1 grilo - security update
+	{CVE-2021-39365}
+	[stretch] - grilo 0.3.2-2+deb9u1
 [18 Sep 2021] DLA-2761-1 openssl1.0 - security update
 	[stretch] - openssl1.0 1.0.2u-1~deb9u5
 [18 Sep 2021] DLA-2760-1 nettle - security update


=====================================
data/dla-needed.txt
=====================================
@@ -35,10 +35,6 @@ firmware-nonfree
   NOTE: 20210731: WIP: https://salsa.debian.org/lts-team/packages/firmware-nonfree
   NOTE: 20210828: Most CVEs are difficult to backport. Contacted Ben regarding possible "ignore" tag
 --
-grilo (Thorsten Alteholz)
-  NOTE: 20210825: ssl-use-system-ca-file is used in libsoup2.4 since version 2.38
-  NOTE: 20210912: maintainer ok, testing package
---
 jsoup (Markus Koschany)
 --
 krb5 (Adrian Bunk)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e5674efb404a858ede15524c4b47d1d42eb8c86c...34355851496275fe6611f3d0134f99e758ed6735

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e5674efb404a858ede15524c4b47d1d42eb8c86c...34355851496275fe6611f3d0134f99e758ed6735
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20210921/9b2b31c8/attachment-0001.htm>
