[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Apr 19 11:01:45 BST 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9980e90e by Moritz Muehlenhoff at 2022-04-19T11:56:57+02:00
buster/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -34,6 +34,8 @@ CVE-2022-29459
 	RESERVED
 CVE-2022-29458 (ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmen ...)
 	- ncurses <unfixed>
+	[bullseye] - ncurses <no-dsa> (Minor issue)
+	[buster] - ncurses <no-dsa> (Minor issue)
 	NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00014.html
 	NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2022-04/msg00016.html
 CVE-2022-29457 (Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Ex ...)
@@ -844,9 +846,13 @@ CVE-2022-1333 (Mattermost Playbooks plugin v1.24.0 and earlier fails to properly
 CVE-2015-20107 (In Python (aka CPython) through 3.10.4, the mailcap module does not ad ...)
 	- python3.10 <unfixed>
 	- python3.9 <unfixed>
+	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
+	[buster] - python3.7 <no-dsa> (Minor issue)
 	- python3.5 <removed>
 	- python2.7 <unfixed>
+	[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
+	[buster] - python2.7 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue24778
 	NOTE: https://github.com/python/cpython/issues/68966
 	NOTE: https://github.com/python/cpython/pull/91542
@@ -38153,6 +38159,8 @@ CVE-2021-41716 (Maharashtra State Electricity Board Mahavitara Android Applicati
 	NOT-FOR-US: Maharashtra State Electricity Board Mahavitara Android Application
 CVE-2021-41715 (libsixel 1.10.0 is vulnerable to Use after free in libsixel/src/dither ...)
 	- libsixel 1.10.3-1
+	[bullseye] - libsixel <no-dsa> (Minor issue)
+	[buster] - libsixel <no-dsa> (Minor issue)
 	NOTE: https://github.com/libsixel/libsixel/commit/d299d67c532a5133a57aade5c35ff8e612c73dd8 (1.10.1)
 	NOTE: https://github.com/libsixel/libsixel/pull/28
 	NOTE: https://github.com/libsixel/libsixel/issues/27
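Review bot: the two added `<no-dsa>` lines for libsixel under CVE-2021-41715 assume that the buster and bullseye packages contain the affected code, but the description only names libsixel 1.10.0 as vulnerable. Confirm that the versions shipped in both releases include the use-after-free path in the dither code. If they predate it, `<not-affected>` with a short reason is more accurate than `<no-dsa> (Minor issue)`.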
@@ -39593,6 +39601,8 @@ CVE-2021-41120 (sylius/paypal-plugin is a paypal plugin for the Sylius developme
 	NOT-FOR-US: sylius/paypal-plugin
 CVE-2021-41119 (Wire-server is the system server for the wire back-end services. Relea ...)
 	- haskell-aeson <unfixed> (bug #1009678)
+	[bullseye] - haskell-aeson <no-dsa> (Minor issue)
+	[buster] - haskell-aeson <no-dsa> (Minor issue)
 	NOTE: https://cs-syd.eu/posts/2021-09-11-json-vulnerability
 	NOTE: https://github.com/haskell/aeson/issues/864
 	NOTE: https://hackage.haskell.org/package/aeson-2.0.1.0
@@ -40746,6 +40756,8 @@ CVE-2021-40657
 	RESERVED
 CVE-2021-40656 (libsixel before 1.10 is vulnerable to Buffer Overflow in libsixel/src/ ...)
 	- libsixel 1.10.3-1
+	[bullseye] - libsixel <no-dsa> (Minor issue)
+	[buster] - libsixel <no-dsa> (Minor issue)
 	NOTE: https://github.com/libsixel/libsixel/commit/dc96cdc27fb53e8595af67aaf68001033c808e42 (1.10.0)
 	NOTE: https://github.com/libsixel/libsixel/pull/26
 	NOTE: https://github.com/libsixel/libsixel/issues/25
@@ -42863,9 +42875,10 @@ CVE-2021-39798 (In Bitmap_createFromParcel of Bitmap.cpp, there is a possible ar
 CVE-2021-39797 (In several functions of of LauncherApps.java, there is a possible esca ...)
 	NOT-FOR-US: Android
 CVE-2021-39796 (In HarmfulAppWarningActivity of HarmfulAppWarningActivity.java, there  ...)
-	- android-platform-frameworks-base <unfixed> (bug #1009626)
+	- android-platform-frameworks-base <unfixed> (unimportant; bug #1009626)
 	NOTE: https://android.googlesource.com/platform/frameworks/base/+/e74a2a320bf896bc30618ce486203bafe453c469
 	NOTE: https://source.android.com/security/bulletin/2022-04-01
+	NOTE: No security impact for Android as provided in Debian
 CVE-2021-39795 (In multiple locations of MediaProvider.java , there is a possible way  ...)
 	NOT-FOR-US: Android
 CVE-2021-39794 (In broadcastPortInfo of AdbService.java, there is a possible way for a ...)
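Review bot: the added line `NOTE: No security impact for Android as provided in Debian` states the conclusion but not the reason, so the new `unimportant` marking on android-platform-frameworks-base cannot be re-checked later without redoing the analysis. Say in the NOTE why the issue does not apply to the Debian package, for example whether the component named in the description (HarmfulAppWarningActivity) is built or shipped at all.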
@@ -72994,6 +73007,7 @@ CVE-2021-27918 (encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an
 	- golang-1.16 1.16.3-1
 	- golang-1.15 1.15.9-1
 	- golang-1.11 <removed>
+	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <postponed> (Minor issue, DoS)
 	- golang-1.7 <removed>
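Review bot: the added `[buster] - golang-1.11 <no-dsa> (Minor issue)` gives a less specific reason than the existing stretch line two lines below it, `[stretch] - golang-1.8 <postponed> (Minor issue, DoS)`. If the same assessment holds for golang-1.11, use `(Minor issue, DoS)` here as well so the two releases read consistently.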
@@ -101141,6 +101155,7 @@ CVE-2020-28367 (Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injec
 	{DLA-2460-1}
 	- golang-1.15 1.15.5-1
 	- golang-1.11 <removed>
+	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	[stretch] - golang-1.7 <ignored> (validation of cgo flags first introduced in golang-1.8 / CVE-2018-6574)
@@ -101149,6 +101164,7 @@ CVE-2020-28367 (Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injec
 CVE-2020-28366 (Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection. ...)
 	- golang-1.15 1.15.5-1
 	- golang-1.11 <removed>
+	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
 	[stretch] - golang-1.8 <ignored> (Minor issue, too intrusive to backport)
 	- golang-1.7 <removed>
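Review bot: the added `[buster] - golang-1.11 <no-dsa> (Minor issue)` sits under CVE-2020-28366, whose description reads "allows Code Injection", and the bare reason does not explain why that is minor for buster. The stretch lines in this entry and in CVE-2020-28367 record concrete reasons (`Minor issue, too intrusive to backport`, `validation of cgo flags first introduced in golang-1.8 / CVE-2018-6574`). Add a comparable reason here and on the matching golang-1.11 line in the previous hunk.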



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9980e90e0d686c5cca91d1980d569897cec826e1
