[Git][security-tracker-team/security-tracker][master] libbpf fixed in sid
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Mon Jul 11 18:54:50 BST 2022
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
caf8187f by Moritz Muehlenhoff at 2022-07-11T19:54:35+02:00
libbpf fixed in sid
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -39666,15 +39666,23 @@ CVE-2021-45942 (OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in I
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1209
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/11cad77da87c4fa2aab7d58dd5339e254db7937e
CVE-2021-45941 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 bytes) in _ ...)
- - libbpf <unfixed>
+ - libbpf 0.7.0-2
+ [bullseye] - libbpf <postponed> (No actionable information, revisit when/if more details available)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1576.yaml
- TODO: check details on fixing commit upstream, furthermore intorducing commit is only when oss-fuzz started
+ NOTE: Fixed in 0.7.0 upstream per identified range of commits
+ NOTE: It's unclear if 0.3 is affected, the introducing commit presented by oss-fuzz is misleading
+ NOTE: since that refers to the first version when oss-fuzz started to test libbpf. If anyone confirms
+ NOTE: via bisecting that 0.3.0 is affected, this can be revisited
CVE-2021-45940 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (4 bytes) in _ ...)
- - libbpf <unfixed>
+ - libbpf 0.7.0-2
+ [bullseye] - libbpf <postponed> (No actionable information, revisit when/if more details available)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868
NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1562.yaml
- TODO: check details on fixing commit upstream, furthermore intorducing commit is only when oss-fuzz started
+ NOTE: Fixed in 0.7.0 upstream per identified range of commits
+ NOTE: It's unclear if 0.3 is affected, the introducing commit presented by oss-fuzz is misleading
+ NOTE: since that refers to the first version when oss-fuzz started to test libbpf. If anyone confirms
+ NOTE: via bisecting that 0.3.0 is affected, this can be revisited
CVE-2021-45939 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...)
NOT-FOR-US: uWebSockets
CVE-2021-45938 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caf8187f8a7db3d457c1caf4785be7ae0d8bf908
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caf8187f8a7db3d457c1caf4785be7ae0d8bf908
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220711/c714bca5/attachment.htm>
More information about the debian-security-tracker-commits
mailing list