[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Sat Jan 29 10:56:34 GMT 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0650b366 by Moritz Muehlenhoff at 2022-01-29T11:56:16+01:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -736,6 +736,7 @@ CVE-2022-0358
 	RESERVED
 	- qemu <unfixed>
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044863
+	NOTE: https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca
 CVE-2022-0357
 	RESERVED
 CVE-2022-0356
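Review bot: The NOTE added under CVE-2022-0358 is a bare commit URL with no label, while the package line stays at "- qemu <unfixed>", so a reader cannot tell whether the commit is the fix or only related to the issue. If it is the fix, label it (for example "NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/449e8171...") so the entry can later be matched to the first fixed upload.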
@@ -15904,6 +15905,7 @@ CVE-2021-3929 [nvme: DMA reentrancy issue leads to use-after-free]
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020298
 	NOTE: https://gitlab.com/qemu-project/qemu/-/issues/556
 	NOTE: Proposed patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html
+	NOTE: No upstream patch as of 2022-01-28
 CVE-2021-43400 (An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after- ...)
 	- bluez 5.62-1 (bug #998626)
 	[bullseye] - bluez <no-dsa> (Minor issue; can be fixed in point release)
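Review bot: In the CVE-2021-3929 entry the new "No upstream patch as of 2022-01-28" sits directly under "Proposed patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html", which reads as a contradiction. Wording such as "Patchset not merged upstream as of 2022-01-28" would say what was checked. The same applies to the CVE-2021-3750 hunk, which also links a patchset.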
@@ -25675,6 +25677,7 @@ CVE-2021-3750 [hcd-ehci: DMA reentrancy issue leads to use-after-free]
 	NOTE: https://gitlab.com/qemu-project/qemu/-/issues/541
 	NOTE: Fix for whole class of DMA MMIO reentrancy issues: https://gitlab.com/qemu-project/qemu/-/issues/556
 	NOTE: Patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html
+	NOTE: No upstream patch as of 2022-01-28
 CVE-2021-3749 (axios is vulnerable to Inefficient Regular Expression Complexity ...)
 	- node-axios 0.21.3+dfsg-1
 	[bullseye] - node-axios 0.21.1+dfsg-1+deb11u1
@@ -26258,6 +26261,7 @@ CVE-2021-3735 [ahci: deadlock issue leads to denial of service]
 	[buster] - qemu <no-dsa> (Minor issue)
 	[stretch] - qemu <postponed> (Fix along with a future DLA)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997184
+	NOTE: No upstream patch as of 2022-01-28
 CVE-2021-40083 (Knot Resolver before 5.3.2 is prone to an assertion failure, triggerab ...)
 	[experimental] - knot-resolver 5.4.1-1
 	- knot-resolver 5.4.1-2 (bug #991463)
@@ -28343,6 +28347,7 @@ CVE-2021-3713 (An out-of-bounds write flaw was found in the UAS (USB Attached SC
 	- qemu 1:6.1+dfsg-2 (bug #992727)
 	[buster] - qemu <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1994640
+	NOTE: https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a
 CVE-2021-39230 (Butter is a system usability utility. Due to a kernel error the JPNS k ...)
 	NOT-FOR-US: Butter
 CVE-2021-39229 (Apprise is an open source library which allows you to send a notificat ...)
@@ -39035,6 +39040,7 @@ CVE-2021-3608 [pvrdma: uninitialized memory unmap in pvrdma_ring_init()]
 	[buster] - qemu <no-dsa> (Minor issue)
 	[stretch] - qemu <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973383
+	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=66ae37d8cc313f89272e711174a846a229bcdbd3CVE-2021-3594
 CVE-2021-3607 [pvrdma: unchecked malloc size due to integer overflow in init_dev_ring()]
 	RESERVED
 	- qemu 1:5.2+dfsg-11 (bug #990564)
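Review bot: The NOTE added for CVE-2021-3608 has a stray "CVE-2021-3594" fused onto the end of the commit hash ("h=66ae37d8cc313f89272e711174a846a229bcdbd3CVE-2021-3594"), so the link no longer resolves to a commit and the line names a CVE that is not the one being annotated. Trim the URL back to the 40-character hash. This hunk and the CVE-2021-3392 one also use the git.qemu.org gitweb form, whereas the other commit links added in this change use gitlab.com/qemu-project; a single form would keep the notes consistent.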
@@ -44578,7 +44584,7 @@ CVE-2021-32606 (In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net
 CVE-2021-3545 (An information disclosure vulnerability was found in the virtio vhost- ...)
 	{DSA-4980-1}
 	- qemu 1:6.1+dfsg-1 (bug #989042)
-	[buster] - qemu <no-dsa> (Minor issue)
+	[buster] - qemu <not-affected> (Only minimal support present and not installed in binary packages)
 	[stretch] - qemu <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01155.html
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01153.html
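Review bot: The new buster line for CVE-2021-3545 marks the release <not-affected> with the reason "Only minimal support present and not installed in binary packages", which implies that some of the code is present in the buster source and that the status rests on how the package is built. The reason should name what is not shipped (which binary or build option), so the entry can be re-triaged if a later upload starts installing it. The same wording is repeated for CVE-2021-3544 and CVE-2021-3546 in the next two hunks.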
@@ -44586,7 +44592,7 @@ CVE-2021-3545 (An information disclosure vulnerability was found in the virtio v
 CVE-2021-3544 (Several memory leaks were found in the virtio vhost-user GPU device (v ...)
 	{DSA-4980-1}
 	- qemu 1:6.1+dfsg-1 (bug #989042)
-	[buster] - qemu <no-dsa> (Minor issue)
+	[buster] - qemu <not-affected> (Only minimal support present and not installed in binary packages)
 	[stretch] - qemu <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1958935
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01155.html
@@ -44825,7 +44831,7 @@ CVE-2021-32563 (An issue was discovered in Thunar before 4.16.7 and 4.17.x befor
 CVE-2021-3546 (An out-of-bounds write vulnerability was found in the virtio vhost-use ...)
 	{DSA-4980-1}
 	- qemu 1:6.1+dfsg-1 (bug #989042)
-	[buster] - qemu <no-dsa> (Minor issue)
+	[buster] - qemu <not-affected> (Only minimal support present and not installed in binary packages)
 	[stretch] - qemu <not-affected> (The vulnerable code was introduced later)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1958978
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01155.html
@@ -46275,6 +46281,8 @@ CVE-2021-3527 (A flaw was found in the USB redirector device (usb-redir) of QEMU
 	NOTE: Initial patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00564.html
 	NOTE: Revisited: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01372.html
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01373.html
+	NOTE: https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
+	NOTE: https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
 CVE-2021-3526
 	REJECTED
 CVE-2021-3525
@@ -47474,6 +47482,7 @@ CVE-2021-3507 (A heap buffer overflow was found in the floppy disk emulator of Q
 	[buster] - qemu <no-dsa> (Minor issue)
 	[stretch] - qemu <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1951118
+	NOTE: No upstream patch as of 2022-01-28
 CVE-2021-3506 (An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c  ...)
 	{DLA-2690-1}
 	- linux 5.10.38-1
@@ -59979,6 +59988,7 @@ CVE-2021-3392 (A use-after-free flaw was found in the MegaRAID emulator of QEMU.
 	[buster] - qemu <postponed> (Minor issue)
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html
 	NOTE: https://bugs.launchpad.net/qemu/+bug/1914236
+	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d
 CVE-2021-26597 (An issue was discovered in Nokia NetAct 18A. A remote user, authentica ...)
 	NOT-FOR-US: Nokia NetAct 18A
 CVE-2021-26596 (An issue was discovered in Nokia NetAct 18A. A malicious user can chan ...)
@@ -76942,6 +76952,7 @@ CVE-2021-20255 (A stack overflow via an infinite recursion vulnerability was fou
 	[buster] - qemu <postponed> (Minor issue)
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
 	NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1
+	NOTE: No upstream patch as of 2022-01-28
 CVE-2021-20254 (A flaw was found in samba. The Samba smbd file server must map Windows ...)
 	{DLA-2668-1}
 	- samba 2:4.13.5+dfsg-2 (bug #987811)
@@ -77709,7 +77720,7 @@ CVE-2020-35506 (A use-after-free vulnerability was found in the am53c974 SCSI ho
 	[experimental] - qemu 1:6.0+dfsg-1~exp0
 	- qemu 1:6.0+dfsg-3 (bug #984454)
 	[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
-	[buster] - qemu <postponed> (Fix along in future DSA)
+	[buster] - qemu <not-affected> (Vulnerable code not present, FIFO support added later)
 	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909996
 	NOTE: https://bugs.launchpad.net/qemu/+bug/1909247
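Review bot: For CVE-2020-35506 the buster line becomes <not-affected> because "FIFO support added later", but the stretch line directly below is left as "<postponed> (Fix along in future DLA)". If the vulnerable code arrived after the buster version, the older stretch version should be checked on the same grounds and either updated in this change or given a NOTE explaining why it differs.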
@@ -77747,6 +77758,7 @@ CVE-2020-35503 (A NULL pointer dereference flaw was found in the megasas-gen2 SC
 	[buster] - qemu <postponed> (Fix along in future DSA)
 	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910346
+	NOTE: No upstream patch as of 2022-01-28
 CVE-2020-35502 (A flaw was found in Privoxy in versions before 3.0.29. Memory leaks wh ...)
 	{DLA-2548-1}
 	- privoxy 3.0.29-1
@@ -93533,6 +93545,7 @@ CVE-2020-25743 (hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer der
 	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01568.html
 	NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fide_nullptr1
+	NOTE: No upstream patch as of 2022-01-28
 CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL p ...)
 	- qemu <unfixed> (bug #971390)
 	[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
@@ -93540,6 +93553,7 @@ CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a
 	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05294.html
 	NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Flsi_nullptr1
+	NOTE: No upstream patch as of 2022-01-28
 CVE-2020-25741 (fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer d ...)
 	- qemu <unfixed> (bug #970939)
 	[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
@@ -93547,6 +93561,7 @@ CVE-2020-25741 (fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL poi
 	[stretch] - qemu <postponed> (Fix along in future DLA)
 	NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg07779.html
 	NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Ffdc_nullptr1
+	NOTE: No upstream patch as of 2022-01-28
 CVE-2020-25740
 	RESERVED
 CVE-2020-25739 (An issue was discovered in the gon gem before gon-6.4.0 for Ruby. Mult ...)
@@ -119421,6 +119436,7 @@ CVE-2020-14394 [infinite loop in xhci_ring_chain_length() in hw/usb/hcd-xhci.c]
 	[stretch] - qemu <postponed> (Minor issue, privileged local DoS, low CVSS, no patch)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1908004
 	NOTE: https://gitlab.com/qemu-project/qemu/-/issues/646
+	NOTE: No upstream patch as of 2022-01-28
 CVE-2020-14393 (A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local  ...)
 	{DLA-2386-1}
 	- libdbi-perl 1.643-1
@@ -181118,6 +181134,7 @@ CVE-2019-12067 (The ahci_commit_buf function in ide/ahci.c in QEMU allows attack
 	NOTE: patch not sanctioned as of 20210202
 	NOTE: patched function introduced in 2014/2.1.50 but affected code pre-existed
 	NOTE: https://github.com/qemu/qemu/commit/659142ecf71a0da240ab0ff7cf929ee25c32b9bc
+	NOTE: No upstream patch as of 2022-01-28
 CVE-2019-12066
 	RESERVED
 CVE-2019-12065
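Review bot: In the CVE-2019-12067 entry the added "No upstream patch as of 2022-01-28" follows a NOTE that links a commit (https://github.com/qemu/qemu/commit/659142ecf71a0da240ab0ff7cf929ee25c32b9bc) and an older "patch not sanctioned as of 20210202", so the three notes together leave the status unclear. Either say how the linked commit relates to the fix, or replace the older status note instead of stacking a second one. The date format also differs between the two status notes (20210202 and 2022-01-28).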


=====================================
data/dsa-needed.txt
=====================================
@@ -34,9 +34,7 @@ ndpi/oldstable
 --
 nodejs (jmm)
 --
-openjdk-17 (jmm)
---
-prosody
+prosody (jmm)
   Regression update needed, cf #1004173
 --
 python-nbxmpp (jmm)
@@ -54,6 +52,8 @@ ruby2.7/stable
 --
 runc
 --
+spip
+--
 trafficserver (jmm)
   wait until status for CVE-2021-38161 is clarified (upstream patch got reverted)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0650b36654b88c387d25098c81c5000fdbfe7ca5



More information about the debian-security-tracker-commits mailing list