[Git][security-tracker-team/security-tracker][master] buster/bullseye triage

Moritz Muehlenhoff (@jmm) jmm at debian.org
Mon Jan 31 17:59:03 GMT 2022



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bc12ea8c by Moritz Muehlenhoff at 2022-01-31T18:58:31+01:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3146,11 +3146,13 @@ CVE-2021-46350 (There is an Assertion 'ecma_is_value_object (value)' failed at j
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4936
 CVE-2021-46349 (There is an Assertion 'type == ECMA_OBJECT_TYPE_GENERAL || type == ECM ...)
 	- iotjs <unfixed> (bug #1004288)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
 	[buster] - iotjs <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/jerryscript-project/jerryscript/pull/4954
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4937
 CVE-2021-46348 (There is an Assertion 'ECMA_STRING_IS_REF_EQUALS_TO_ONE (string_p)' fa ...)
 	- iotjs <unfixed> (bug #1004288)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
 	[buster] - iotjs <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/jerryscript-project/jerryscript/pull/4961
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4941
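Review bot: for CVE-2021-46349 and CVE-2021-46348 the buster lines keep the bare justification "(Vulnerable code introduced later)" while bullseye is now marked <no-dsa>; the NOTE lines reference only the upstream issue and pull request, not the change that introduced the vulnerable code. Recording that reference (as a NOTE) would let a later triager re-verify the not-affected claim when buster's iotjs is next touched.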
@@ -3160,6 +3162,8 @@ CVE-2021-46347 (There is an Assertion 'ecma_object_check_class_name_is_object (o
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4938
 CVE-2021-46346 (There is an Assertion 'local_tza == ecma_date_local_time_zone_adjustme ...)
 	- iotjs <unfixed> (bug #1004288)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/pull/4955
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4939
 CVE-2021-46345 (There is an Assertion 'cesu8_cursor_p == cesu8_end_p' failed at /jerry ...)
@@ -3182,6 +3186,7 @@ CVE-2021-46341
 	RESERVED
 CVE-2021-46340 (There is an Assertion 'context_p->stack_top_uint8 == SCAN_STACK_TRY ...)
 	- iotjs <unfixed> (bug #1004288)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
 	[buster] - iotjs <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/jerryscript-project/jerryscript/pull/4964
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4924
@@ -3190,6 +3195,8 @@ CVE-2021-46339 (There is an Assertion 'lit_is_valid_cesu8_string (string_p, stri
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4935
 CVE-2021-46338 (There is an Assertion 'ecma_is_lexical_environment (object_p)' failed  ...)
 	- iotjs <unfixed> (bug #1004288)
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/pull/4943
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4933
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4900
@@ -3295,6 +3302,8 @@ CVE-2022-0262 (Cross-site Scripting (XSS) - Stored in Packagist pimcore/pimcore
 	NOT-FOR-US: pimcore
 CVE-2022-0261 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...)
 	- vim <unfixed>
+	[bullseye] - vim <no-dsa> (Minor issue)
+	[buster] - vim <no-dsa> (Minor issue)
 	NOTE: https://huntr.dev/bounties/fa795954-8775-4f23-98c6-d4d4d3fe8a82
 	NOTE: https://github.com/vim/vim/commit/9f8c304c8a390ade133bac29963dc8e56ab14cbc (v8.2.4120)
 CVE-2022-0260 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...)
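Review bot: CVE-2022-0261 is a heap-based buffer overflow and the unstable entry is still <unfixed>, yet both new release markers carry only the generic "(Minor issue)" label. Since the fixing upstream commit is already identified in the NOTE (v8.2.4120), a short NOTE stating why the overflow stays out of DSA scope would make the no-dsa decision reviewable rather than implicit.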
@@ -4848,6 +4857,8 @@ CVE-2021-46171 (Modex v2.11 was discovered to contain a NULL pointer dereference
 	NOT-FOR-US: Modex
 CVE-2021-46170 (An issue was discovered in JerryScript commit a6ab5e9. There is an Use ...)
 	- iotjs <unfixed>
+	[bullseye] - iotjs <no-dsa> (Minor issue)
+	[buster] - iotjs <no-dsa> (Minor issue)
 	NOTE: https://github.com/jerryscript-project/jerryscript/issues/4917
 	NOTE: https://github.com/jerryscript-project/jerryscript/pull/4942/commits/5e1fdd1d1e75105b43392b4bb3996099cdc50f3d
 CVE-2021-46169 (Modex v2.11 was discovered to contain an Use-After-Free vulnerability  ...)
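Review bot: the iotjs line for CVE-2021-46170 reads "- iotjs <unfixed>" with no bug reference, whereas the other iotjs entries triaged in this commit carry "(bug #1004288)". If that bug also covers this CVE, add the reference here so the unstable fix can be tracked together with the rest; if it does not, a separate bug should be filed and referenced.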
@@ -5323,6 +5334,8 @@ CVE-2022-22731
 	RESERVED
 CVE-2022-0144 (shelljs is vulnerable to Improper Privilege Management ...)
 	- node-shelljs 0.8.5+~cs0.8.10-1
+	[bullseye] - node-shelljs <no-dsa> (Minor issue)
+	[buster] - node-shelljs <no-dsa> (Minor issue)
 	[stretch] - node-shelljs <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/
 	NOTE: https://github.com/shelljs/shelljs/issues/1058
@@ -12939,6 +12952,8 @@ CVE-2021-4020 (janus-gateway is vulnerable to Improper Neutralization of Input D
 	NOTE: Issues only in janus-demos built from src:janus
 CVE-2021-4019 (vim is vulnerable to Heap-based Buffer Overflow ...)
 	- vim 2:8.2.3995-1
+	[bullseye] - vim <no-dsa> (Minor issue)
+	[buster] - vim <no-dsa> (Minor issue)
 	NOTE: https://huntr.dev/bounties/d8798584-a6c9-4619-b18f-001b9a6fca92
 	NOTE: https://github.com/vim/vim/commit/bd228fd097b41a798f90944b5d1245eddd484142 (v8.2.3669)
 CVE-2021-44220
@@ -41403,6 +41418,7 @@ CVE-2021-33967
 	RESERVED
 CVE-2021-33966 (Cross site scripting (XSS) vulnerability in spotweb 1.4.9, allows auth ...)
 	- spotweb <removed>
+	[buster] - spotweb <no-dsa> (Minor issue)
 	NOTE: https://packetstormsecurity.com/files/162731/Spotweb-Develop-1.4.9-Cross-Site-Scripting.html
 CVE-2021-33965 (China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /a ...)
 	NOT-FOR-US: China Mobile An Lianbao WF-1 router
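Review bot: CVE-2021-33966 gets only a buster marker, while every other entry in this commit receives both bullseye and buster markers. With spotweb shown as <removed> from unstable, the intent is presumably that bullseye does not ship it, but that should be confirmed; if spotweb is present in bullseye, a "[bullseye] - spotweb <no-dsa> (Minor issue)" line is missing.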
@@ -52963,7 +52979,7 @@ CVE-2021-29634
 CVE-2021-29633
 	RESERVED
 CVE-2021-29632 (In FreeBSD 13.0-STABLE before n247428-9352de39c3dc, 12.2-STABLE before ...)
-	- kfreebsd-10 <unfixed>
+	- kfreebsd-10 <unfixed> (unimportant)
 	NOTE: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:01.vt.asc
 CVE-2021-29631 (In FreeBSD 13.0-STABLE before n246941-20f96f215562, 12.2-STABLE before ...)
 	NOT-FOR-US: FreeBSD
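Review bot: the kfreebsd-10 line for CVE-2021-29632 is downgraded to "(unimportant)" with no accompanying reason, while the other markers added in this commit each carry a parenthesized justification. A NOTE stating why the issue is unimportant for kfreebsd-10 would keep the downgrade auditable alongside the FreeBSD-SA-22:01.vt advisory link.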
@@ -107078,9 +107094,13 @@ CVE-2020-19862
 	RESERVED
 CVE-2020-19861 (When a zone file in ldns 1.7.1 is parsed, the function ldns_nsec3_salt ...)
 	- ldns <unfixed>
+	[bullseye] - ldns <no-dsa> (Minor issue)
+	[buster] - ldns <no-dsa> (Minor issue)
 	NOTE: https://github.com/NLnetLabs/ldns/issues/51
 CVE-2020-19860 (When ldns version 1.7.1 verifies a zone file, the ldns_rr_new_frm_str_ ...)
 	- ldns <unfixed>
+	[bullseye] - ldns <no-dsa> (Minor issue)
+	[buster] - ldns <no-dsa> (Minor issue)
 	NOTE: https://github.com/NLnetLabs/ldns/issues/50
 	NOTE: https://github.com/NLnetLabs/ldns/commit/15d96206996bea969fbc918eb0a4a346f514b9f3
 CVE-2020-19859
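Review bot: the CVE-2020-19861 entry references only the upstream issue (ldns/issues/51), whereas CVE-2020-19860 directly below also cites the fixing commit. If upstream has fixed issue 51, add the commit reference to 19861 too, so that a later point-release fix for buster/bullseye can pick up the right patch without re-deriving it.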


=====================================
data/dsa-needed.txt
=====================================
@@ -52,6 +52,8 @@ ruby2.7/stable
 --
 runc
 --
+samba
+--
 trafficserver (jmm)
   wait until status for CVE-2021-38161 is clarified (upstream patch got reverted)
 --
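Review bot: the new "samba" entry in dsa-needed.txt carries neither an assignee nor a comment, while the neighbouring trafficserver entry has "(jmm)" and an indented status note. Adding at least a comment naming the CVE(s) the DSA is meant to cover would let others pick it up without cross-referencing data/CVE/list.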



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc12ea8c6b9fdd613efc7d36e170e5c1bc419ced
