[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jan 17 16:40:44 GMT 2022 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7155dbe5 by Moritz Muehlenhoff at 2022-01-17T17:26:32+01:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -6570,12 +6570,16 @@ CVE-2021-45105 (Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12
 CVE-2021-31566 [symbolic links incorrectly followed when changing modes, times, ACL and flags of a file while extracting an archive]
 	RESERVED
 	- libarchive 3.5.2-1 (bug #1001990)
+	[bullseye] - libarchive <no-dsa> (Minor issue)
+	[buster] - libarchive <no-dsa> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/issues/1566
 	NOTE: https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043 (v3.5.2)
 	NOTE: https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b (v3.5.2)
 CVE-2021-23177 [extracting a symlink with ACLs modifies ACLs of target]
 	RESERVED
 	- libarchive 3.5.2-1 (bug #1001986)
+	[bullseye] - libarchive <no-dsa> (Minor issue)
+	[buster] - libarchive <no-dsa> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/issues/1565
 	NOTE: https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad (v3.5.2)
 CVE-2022-21943
@@ -7964,6 +7968,7 @@ CVE-2021-44717 (Go before 1.16.12 and 1.17.x before 1.17.5 on UNIX allows write
 	- golang-1.15 1.15.15-5
 	[bullseye] - golang-1.15 1.15.15-1~deb11u2
 	- golang-1.11 <removed>
+	[buster] - golang-1.11 <no-dsa> (Minor issue)
 	- golang-1.8 <removed>
 	- golang-1.7 <removed>
 	NOTE: https://github.com/golang/go/issues/50057
@@ -9803,10 +9808,14 @@ CVE-2021-4000 (showdoc is vulnerable to URL Redirection to Untrusted Site ...)
 CVE-2021-3999 [Off-by-one buffer overflow/underflow in getcwd()]
 	RESERVED
 	- glibc <unfixed>
+	[bullseye] - glibc <no-dsa> (Minor issue)
+	[buster] - glibc <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28769
 CVE-2021-3998 [Unexpected return value from realpath() for too long results]
 	RESERVED
 	- glibc <unfixed>
+	[bullseye] - glibc <no-dsa> (Minor issue)
+	[buster] - glibc <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28770
 	NOTE: https://patchwork.sourceware.org/project/glibc/patch/20220113055920.3155918-1-siddhesh@sourceware.org/
 CVE-2021-3997 [Uncontrolled recursion in systemd's systemd-tmpfiles]
@@ -9941,6 +9950,7 @@ CVE-2021-44039
 	RESERVED
 CVE-2021-44038 (An issue was discovered in Quagga through 1.2.4. Unsafe chown/chmod op ...)
 	- quagga <removed>
+	[buster] - quagga <no-dsa> (Minor issue)
 	[stretch] - quagga <postponed> (revisit when/if fixed upstream)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1191890
 	NOTE: Debian installed systemd unit files install the problematic redhat/*.service
@@ -39086,6 +39096,7 @@ CVE-2021-33431
 	RESERVED
 CVE-2021-33430 (A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_N ...)
 	- numpy 1:1.21.4-2
+	[bullseye] - numpy <no-dsa> (Minor issue)
 	NOTE: https://github.com/numpy/numpy/issues/18939
 	NOTE: https://github.com/numpy/numpy/pull/18989
 	NOTE: https://github.com/numpy/numpy/commit/16f7824b4d935b6aee98298ca4123d57174a6f2e (v1.22.0.dev0)


=====================================
data/dsa-needed.txt
=====================================
@@ -29,12 +29,17 @@ linux (carnil)
 --
 ndpi/oldstable
 --
+nss
+--
 nodejs (jmm)
 --
 pillow (jmm)
 --
 python-pysaml2 (jmm)
 --
+rpki-client/stable
+  new 7.6 release required libretls, which isn't in Bullseye
+--
 ruby2.5/oldstable
   Maintainer is preparing updates
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7155dbe5fe85c561f31a848b8f13a75fef301c81

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7155dbe5fe85c561f31a848b8f13a75fef301c81
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220117/fb7b7e8e/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list