[Git][security-tracker-team/security-tracker][master] CVE-2021-42387/8, CVE-2021-43304/5 - clickhouse unfixed

Neil Williams (@codehelp) codehelp at debian.org
Thu Mar 24 12:46:57 GMT 2022



Neil Williams pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c31d6a99 by Neil Williams at 2022-03-24T12:46:27+00:00
CVE-2021-42387/8, CVE-2021-43304/5 - clickhouse unfixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -26982,9 +26982,15 @@ CVE-2021-43307
 CVE-2021-43306
 	RESERVED
 CVE-2021-43305 (Heap buffer overflow in Clickhouse's LZ4 compression codec when parsin ...)
-	TODO: check
+	- clickhouse <unfixed> (bug #1008216)
+	NOTE: https://github.com/ClickHouse/ClickHouse/commit/2aea1c8d4a5be320365472052d8a48bf69fd9fe9 (v22.3.2.2-lts)
+	NOTE: https://github.com/ClickHouse/ClickHouse/commit/6d83eacec42c7c403c99804a713a9d38caa4a45d (v22.3.2.2-lts)
+	NOTE: https://github.com/ClickHouse/ClickHouse/pull/27136
 CVE-2021-43304 (Heap buffer overflow in Clickhouse's LZ4 compression codec when parsin ...)
-	TODO: check
+	- clickhouse <unfixed> (bug #1008216)
+	NOTE: https://github.com/ClickHouse/ClickHouse/commit/2aea1c8d4a5be320365472052d8a48bf69fd9fe9 (v22.3.2.2-lts)
+	NOTE: https://github.com/ClickHouse/ClickHouse/commit/6d83eacec42c7c403c99804a713a9d38caa4a45d (v22.3.2.2-lts)
+	NOTE: https://github.com/ClickHouse/ClickHouse/pull/27136
 CVE-2021-43303 (Buffer overflow in PJSUA API when calling pjsua_call_dump. An attacker ...)
 	- asterisk <unfixed>
 	- pjproject <removed>
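
Review bot: The three NOTE lines added under CVE-2021-43305 and CVE-2021-43304 give two commit URLs and pull/27136 without saying what role each plays, so a reader cannot tell which of them is the fix and which is background. The CVE-2021-42392 entry later in this same file uses the form "NOTE: Fixed by https://...", and following that form here (plus a word on how the pull request relates to the two commits) would make the entries self-explanatory. The "(v22.3.2.2-lts)" suffix records a tag, but the entry does not say whether that is the first upstream release containing the change.
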
@@ -31163,15 +31169,21 @@ CVE-2021-42392 (The org.h2.util.JdbcUtils.getConnection method of the H2 databas
 	NOTE: Fixed by https://github.com/h2database/h2database/commit/41dd2a4cf89da9dd18239debbf73f88da6184ec7
 	NOTE: https://github.com/h2database/h2database/commit/956c6241868332c5b440f5d55ea8fdc1e51ae4fd
 CVE-2021-42391 (Divide-by-zero in Clickhouse's Gorilla compression codec when parsing  ...)
-	TODO: check
+	- clickhouse <not-affected> (Vulnerable code introduced later)
 CVE-2021-42390 (Divide-by-zero in Clickhouse's DeltaDouble compression codec when pars ...)
-	TODO: check
+	- clickhouse <not-affected> (Vulnerable code introduced later)
 CVE-2021-42389 (Divide-by-zero in Clickhouse's Delta compression codec when parsing a  ...)
-	TODO: check
+	- clickhouse <not-affected> (Vulnerable code introduced later)
 CVE-2021-42388 (Heap out-of-bounds read in Clickhouse's LZ4 compression codec when par ...)
-	TODO: check
+	- clickhouse <unfixed> (bug #1008216)
+	NOTE: https://github.com/ClickHouse/ClickHouse/commit/2aea1c8d4a5be320365472052d8a48bf69fd9fe9 (v22.3.2.2-lts)
+	NOTE: https://github.com/ClickHouse/ClickHouse/commit/6d83eacec42c7c403c99804a713a9d38caa4a45d (v22.3.2.2-lts)
+	NOTE: https://github.com/ClickHouse/ClickHouse/pull/27136
 CVE-2021-42387 (Heap out-of-bounds read in Clickhouse's LZ4 compression codec when par ...)
-	TODO: check
+	- clickhouse <unfixed> (bug #1008216)
+	NOTE: https://github.com/ClickHouse/ClickHouse/commit/2aea1c8d4a5be320365472052d8a48bf69fd9fe9 (v22.3.2.2-lts)
+	NOTE: https://github.com/ClickHouse/ClickHouse/commit/6d83eacec42c7c403c99804a713a9d38caa4a45d (v22.3.2.2-lts)
+	NOTE: https://github.com/ClickHouse/ClickHouse/pull/27136
 CVE-2021-42386 (A use-after-free in Busybox's awk applet leads to denial of service an ...)
 	- busybox <unfixed> (bug #999567)
 	[bullseye] - busybox <no-dsa> (Minor issue)
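
Review bot: The "- clickhouse <not-affected> (Vulnerable code introduced later)" lines for CVE-2021-42391, CVE-2021-42390 and CVE-2021-42389 carry no NOTE naming the commit or upstream version that introduced the Gorilla, DeltaDouble and Delta codec code, so the triage cannot be rechecked from the entry when the packaged version moves forward. Adding one NOTE per entry with the introducing commit or version would let a later reviewer confirm when the package stops being not-affected. The CVE-2021-42388 and CVE-2021-42387 entries in this hunk repeat the unlabelled commit and pull request URLs from the first hunk and would benefit from the same "Fixed by" wording.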



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c31d6a995b0e75799ffbec9dc71eb7d153f7c732
