[Git][security-tracker-team/security-tracker][master] buster/bullseye triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Thu Sep 23 15:49:52 BST 2021
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ef0fe6e5 by Moritz Muehlenhoff at 2021-09-23T16:48:29+02:00
buster/bullseye triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1610,6 +1610,7 @@ CVE-2021-40824 (A logic error in the room key sharing functionality of Element A
CVE-2021-40823 (A logic error in the room key sharing functionality of matrix-js-sdk ( ...)
- element-web <itp> (bug #866502)
- node-matrix-js-sdk <unfixed> (bug #994213)
+ [bullseye] - node-matrix-js-sdk <no-dsa> (Minor issue)
NOTE: https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing/
NOTE: https://github.com/matrix-org/matrix-js-sdk/commit/894c24880da0e1cc81818f51c0db80e3c9fb2be9 (v12.4.1)
CVE-2021-40822
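Review bot: the new `[bullseye] - node-matrix-js-sdk <no-dsa> (Minor issue)` line gives no reasoning beyond "Minor issue" for a key-sharing logic error that has its own upstream disclosure post (linked in the NOTE); if the rationale is that the only visible consumer, element-web, is still an ITP (bug #866502), recording that in the parenthetical would let later triagers follow the decision without re-deriving it.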
@@ -3210,6 +3211,7 @@ CVE-2021-3737 [client can enter an infinite loop on a 100 Continue response from
RESERVED
[experimental] - python3.9 3.9.6-1
- python3.9 <unfixed>
+ [bullseye] - python3.9 <no-dsa> (Minor issue)
- python3.7 <removed>
- python3.5 <removed>
- python3.4 <removed>
@@ -6771,6 +6773,7 @@ CVE-2021-38598 (OpenStack Neutron before 16.4.1, 17.x before 17.1.3, and 18.0.0
NOTE: https://review.opendev.org/c/openstack/neutron/+/785917/
CVE-2021-38597 (wolfSSL before 4.8.1 incorrectly skips OCSP verification in certain si ...)
- wolfssl <unfixed> (bug #992174)
+ [bullseye] - wolfssl <no-dsa> (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/commit/f93083be72a3b3d956b52a7ec13f307a27b6e093
CVE-2021-38596
RESERVED
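Review bot: "(Minor issue)" is a thin justification for the added `[bullseye] - wolfssl <no-dsa>` line, given that the entry's description is an OCSP verification being skipped in certain situations, i.e. a certificate-validation weakness; a few words on why it does not warrant a DSA (the narrowness of the triggering conditions, or the package's exposure in bullseye) would make the entry easier to revisit.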
@@ -6922,6 +6925,8 @@ CVE-2019-25052 (In Linaro OP-TEE before 3.7.0, by using inconsistent or malforme
NOT-FOR-US: Linaro/OP-TEE OP-TEE
CVE-2021-38511 (An issue was discovered in the tar crate before 0.4.36 for Rust. When ...)
- rust-tar <unfixed> (bug #992173)
+ [bullseye] - rust-tar <no-dsa> (Minor issue)
+ [buster] - rust-tar <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2021-0080.html
NOTE: https://github.com/alexcrichton/tar-rs/issues/238
CVE-2021-38540 (The variable import endpoint was not protected by authentication in Ai ...)
@@ -7263,16 +7268,19 @@ CVE-2021-38383 (OwnTone (aka owntone-server) through 28.1 has a use-after-free i
NOT-FOR-US: OwnTone
CVE-2021-38382 (Live555 through 1.08 does not handle Matroska and Ogg files properly. ...)
- liblivemedia <removed>
+ [buster] - liblivemedia <ignored> (Minor issue)
[stretch] - liblivemedia <no-dsa> (Minor issue)
NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021959.html
NOTE: http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.06]
CVE-2021-38381 (Live555 through 1.08 does not handle MPEG-1 or 2 files properly. Sendi ...)
- liblivemedia <removed>
+ [buster] - liblivemedia <ignored> (Minor issue)
[stretch] - liblivemedia <no-dsa> (Minor issue)
NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021961.html
NOTE: http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.09]
CVE-2021-38380 (Live555 through 1.08 mishandles huge requests for the same MP3 stream, ...)
- liblivemedia <removed>
+ [buster] - liblivemedia <ignored> (Minor issue)
[stretch] - liblivemedia <no-dsa> (Minor issue)
NOTE: http://lists.live555.com/pipermail/live-devel/2021-August/021954.html
NOTE: http://www.live555.com/liveMedia/public/changelog.txt#[2021.08.04]
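Review bot: the three added `[buster] - liblivemedia <ignored> (Minor issue)` lines sit directly above existing `[stretch] - liblivemedia <no-dsa> (Minor issue)` lines for the same issues, so the two suites carry different tags with an identical reason; since `<ignored>` is the stronger statement than `<no-dsa>`, either buster should use `<no-dsa>` as well or the parenthetical should say why buster is being ignored outright (for example that the package is `<removed>` in unstable, as the sid lines show).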
@@ -20262,6 +20270,7 @@ CVE-2021-32840
RESERVED
CVE-2021-32839 (sqlparse is a non-validating SQL parser module for Python. In sqlparse ...)
- sqlparse <unfixed> (bug #994841)
+ [bullseye] - sqlparse <no-dsa> (Minor issue)
[buster] - sqlparse <not-affected> (Vulnerable code introduced later)
[stretch] - sqlparse <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-p5w8-wqhj-9hhf
@@ -28064,6 +28073,7 @@ CVE-2021-29922 (library/std/src/net/parser.rs in Rust before 1.53.0 does not pro
CVE-2021-29921 (In Python before 3,9,5, the ipaddress library mishandles leading zero ...)
[experimental] - python3.9 3.9.5-1
- python3.9 <unfixed> (bug #989195)
+ [bullseye] - python3.9 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue36384#msg392423
NOTE: https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc (v3.10.0b1)
NOTE: https://github.com/python/cpython/commit/5374fbc31446364bf5f12e5ab88c5493c35eaf04 (v3.9.5)
@@ -65215,6 +65225,7 @@ CVE-2020-27512
RESERVED
CVE-2020-27511 (An issue was discovered in the stripTags and unescapeHTML components i ...)
- prototypejs <unfixed> (bug #991898)
+ [bullseye] - prototypejs <no-dsa> (Minor issue)
NOTE: https://github.com/prototypejs/prototype/blame/dee2f7d8611248abce81287e1be4156011953c90/src/prototype/lang/string.js#L283
NOTE: https://github.com/yetingli/PoCs/blob/main/CVE-2020-27511/Prototype.md
NOTE: CVE mentions newer version but vulnerable code exists in older versions too
@@ -78833,10 +78844,12 @@ CVE-2020-21549
RESERVED
CVE-2020-21548 (Libsixel 1.8.3 contains a heap-based buffer overflow in the sixel_enco ...)
- libsixel 1.8.6-1
+ [buster] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/116
NOTE: https://github.com/saitoha/libsixel/commit/9d0a7ff417b66d80a4bff714de1f27b24742f55a (v1.8.4)
CVE-2020-21547 (Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_fun ...)
- libsixel 1.8.6-1
+ [buster] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/114
NOTE: https://github.com/saitoha/libsixel/commit/9d0a7ff417b66d80a4bff714de1f27b24742f55a (v1.8.4)
CVE-2020-21546
@@ -79862,14 +79875,17 @@ CVE-2020-21051
RESERVED
CVE-2020-21050 (Libsixel prior to v1.8.3 contains a stack buffer overflow in the funct ...)
- libsixel 1.8.6-1
+ [buster] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/commit/7808a06b88c11dbc502318cdd51fa374f8cd47ee (v1.8.3)
NOTE: https://github.com/saitoha/libsixel/issues/75
CVE-2020-21049 (An invalid read in the stb_image.h component of libsixel prior to v1.8 ...)
- libsixel 1.8.6-1
+ [buster] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/74
NOTE: https://github.com/saitoha/libsixel/commit/0b1e0b3f7b44233f84e5c9f512f8c90d6bbbe33d (v1.8.5)
CVE-2020-21048 (An issue in the dither.c component of libsixel prior to v1.8.4 allows ...)
- libsixel 1.8.6-1
+ [buster] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/73
NOTE: https://github.com/saitoha/libsixel/commit/cb373ab6614c910407c5e5a93ab935144e62b037 (v1.8.4)
NOTE: https://github.com/saitoha/libsixel/commit/26ac06f3623279348f0dce2d191a9b6ca0c80226 (v1.8.4)
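Review bot: all three added `[buster] - libsixel <no-dsa> (Minor issue)` lines in this hunk, like the two in the previous hunk, give only "Minor issue" for stack and heap buffer overflows and an invalid read that upstream already fixed in the point releases linked in the NOTE lines (v1.8.3 through v1.8.5); since sid is at 1.8.6-1 and the fixing commits are small and identified, it would help to record whether a buster point update was considered and why it was set aside, so the no-dsa decision is documented rather than implied.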
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef0fe6e5ab9c57627cfbf720a19fa07b76401bff