[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

[Moritz Muehlenhoff (@jmm)]

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
38011ab3 by Moritz Mühlenhoff at 2022-01-04T17:16:49+01:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -834,6 +834,8 @@ CVE-2021-45961
 	RESERVED
 CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...)
 	- mruby <unfixed>
+	[bullseye] - mruby <no-dsa> (Minor issue)
+	[buster] - mruby <no-dsa> (Minor issue)
 	NOTE: https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/
 	NOTE: https://github.com/mruby/mruby/commit/28ccc664e5dcd3f9d55173e9afde77c4705a9ab6
 CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) pla ...)
@@ -1087,9 +1089,13 @@ CVE-2021-4189 [ftplib should not use the host from the PASV response]
 	RESERVED
 	- python3.10 <not-affected> (Fixed before initial upload to Debian unstable)
 	- python3.9 3.9.7-1
+	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
+	[buster] - python3.7 <no-dsa> (Minor issue)
 	- python3.5 <removed>
 	- python2.7 <unfixed>
+	[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
+	[buster] - python2.7 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue43285
 	NOTE: https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e (master)
 	NOTE: https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335 (v3.9.3)
@@ -4298,6 +4304,8 @@ CVE-2021-45041 (SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated
 	NOT-FOR-US: SuiteCRM
 CVE-2021-4110 (mruby is vulnerable to NULL Pointer Dereference ...)
 	- mruby <unfixed> (bug #1001768)
+	[bullseye] - mruby <no-dsa> (Minor issue)
+	[buster] - mruby <no-dsa> (Minor issue)
 	[stretch] - mruby <postponed> (revisit when/if fix is complete)
 	NOTE: https://huntr.dev/bounties/4ce5dc47-2512-4c87-8609-453adc8cad20
 	NOTE: https://github.com/mruby/mruby/commit/f5e10c5a79a17939af763b1dcf5232ce47e24a34
@@ -4756,6 +4764,8 @@ CVE-2021-44848 (In Cibele Thinfinity VirtualUI before 3.0, /changePassword retur
 	NOT-FOR-US: Cibele Thinfinity VirtualUI
 CVE-2021-44847 (A stack-based buffer overflow in handle_request function in DHT.c in t ...)
 	- libtoxcore 0.2.13-1 (bug #1001711)
+	[bullseye] - libtoxcore <no-dsa> (Minor issue)
+	[buster] - libtoxcore <no-dsa> (Minor issue)
 	NOTE: https://github.com/TokTok/c-toxcore/pull/1718
 	NOTE: https://blog.tox.chat/2021/12/stack-based-buffer-overflow-vulnerability-in-udp-packet-handling-in-toxcore-cve-2021-44847/
 	NOTE: Introduced by: https://github.com/TokTok/c-toxcore/commit/71260e38e8d12547b0e55916daf6cadd72f52e19 (v0.1.9)
@@ -16602,11 +16612,13 @@ CVE-2021-41497 (Null pointer reference in CMS_Conservative_increment_obj in RaRe
 	NOT-FOR-US: RaRe-Technologies bounter
 CVE-2021-41496 (Buffer overflow in the array_from_pyobj function of fortranobject.c in ...)
 	- numpy <unfixed>
+	[bullseye] - numpy <no-dsa> (Minor issue)
 	NOTE: https://github.com/numpy/numpy/issues/19000
 	NOTE: https://github.com/numpy/numpy/pull/20630
 	NOTE: https://github.com/numpy/numpy/commit/271010f1037150e95017f803f4214b8861e528f2
 CVE-2021-41495 (Null Pointer Dereference vulnerability exists in numpy.sort in NumPy & ...)
 	- numpy <unfixed>
+	[bullseye] - numpy <no-dsa> (Minor issue)
 	NOTE: https://github.com/numpy/numpy/issues/19038
 	TODO: check for classification/severity
 CVE-2021-41494
@@ -26994,6 +27006,8 @@ CVE-2021-37233
 	RESERVED
 CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124.204813 ...)
 	- atomicparsley 20210715.151551.e7ad03a-1 (bug #993366)
+	[bullseye] - atomicparsley <no-dsa> (Minor issue)
+	[buster] - atomicparsley <no-dsa> (Minor issue)
 	[stretch] - atomicparsley <no-dsa> (Minor issue)
 	- gtkpod <unfixed> (bug #993376)
 	[bullseye] - gtkpod <ignored> (Minor issue)
@@ -27003,6 +27017,8 @@ CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124.
 	NOTE: https://github.com/wez/atomicparsley/issues/32
 CVE-2021-37231 (A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499 ...)
 	- atomicparsley 20210715.151551.e7ad03a-1 (bug #993372)
+	[bullseye] - atomicparsley <no-dsa> (Minor issue)
+	[buster] - atomicparsley <no-dsa> (Minor issue)
 	[stretch] - atomicparsley <no-dsa> (Minor issue)
 	- gtkpod <unfixed> (bug #993375)
 	[bullseye] - gtkpod <ignored> (Minor issue)
@@ -34279,9 +34295,9 @@ CVE-2021-34142
 	RESERVED
 CVE-2021-34141 (Incomplete string comparison in the numpy.core component in NumPy1.9.x ...)
 	- numpy <unfixed>
+	[bullseye] - numpy <no-dsa> (Minor issue)
 	NOTE: https://github.com/numpy/numpy/issues/18993
 	NOTE: https://github.com/numpy/numpy/commit/eeef9d4646103c3b1afd3085f1393f2b3f9575b2 (v1.23.0.dev0)
-	TODO: check
 CVE-2021-34140
 	RESERVED
 CVE-2021-34139


=====================================
data/dsa-needed.txt
=====================================
@@ -33,6 +33,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
 --
+lxml
+--
 ndpi/oldstable
 --
 nodejs (jmm)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38011ab3d22176ecbdf1f0b555ada37a5d0dec01

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38011ab3d22176ecbdf1f0b555ada37a5d0dec01
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220104/91dc8a7d/attachment.htm>