[Git][security-tracker-team/security-tracker][master] trixie triage
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Sat Apr 19 21:11:54 BST 2025
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3f3ae5d8 by Moritz Muehlenhoff at 2025-04-19T22:08:58+02:00
trixie triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -178186,6 +178186,7 @@ CVE-2023-29580 (yasm 1.3.0.55.g101bc was discovered to contain a segmentation vi
NOTE: Crash in CLI tool, no security impact
CVE-2023-29579 (yasm 1.3.0.55.g101bc was discovered to contain a stack overflow via th ...)
- yasm <unfixed> (bug #1035951)
+ [trixie] - yasm <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - yasm <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - yasm <no-dsa> (Minor issue)
[buster] - yasm <no-dsa> (Minor issue)
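Review bot: The new [trixie] line for CVE-2023-29579 carries the per-release <postponed> state forward, while the yasm entry directly above it in this hunk is closed out with "NOTE: Crash in CLI tool, no security impact". If this stack overflow falls in the same class, marking the package line itself as unimportant would avoid adding one more postponed line with every new suite. If it does not, a NOTE saying why it is treated differently from its neighbour would help the next triager.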
@@ -303825,11 +303826,12 @@ CVE-2021-3739 (A NULL pointer dereference flaw was found in the btrfs_rm_device
NOTE: https://www.openwall.com/lists/oss-security/2021/08/25/3
CVE-2021-3735 (A deadlock issue was found in the AHCI controller device of QEMU. It o ...)
- qemu <unfixed> (bug #1014767)
+ [trixie] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[buster] - qemu <postponed> (Minor issue, waiting for patch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997184
- NOTE: No upstream patch as of 2024-08-06
+ NOTE: No upstream patch as of 2025-04-19
CVE-2021-40083 (Knot Resolver before 5.3.2 is prone to an assertion failure, triggerab ...)
[experimental] - knot-resolver 5.4.1-1
- knot-resolver 5.4.1-2 (bug #991463)
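Review bot: The bumped NOTE "No upstream patch as of 2025-04-19" on CVE-2021-3735 has no reference showing what was checked; the only URL visible in this hunk for the entry is the Red Hat Bugzilla report. Adding a NOTE that points at the upstream location consulted (tracker issue or list thread) would let the next triage pass re-verify the status instead of only changing the date again.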
@@ -320334,6 +320336,7 @@ CVE-2021-33465 (An issue was discovered in yasm version 1.3.0. There is a NULL p
NOTE: Crash in CLI tool, no security impact
CVE-2021-33464 (An issue was discovered in yasm version 1.3.0. There is a heap-buffer- ...)
- yasm <unfixed> (bug #1016353)
+ [trixie] - yasm <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - yasm <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - yasm <no-dsa> (Minor issue)
[buster] - yasm <no-dsa> (Minor issue)
@@ -356235,13 +356238,14 @@ CVE-2020-35504 (A NULL pointer dereference flaw was found in the SCSI emulation
NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba
CVE-2020-35503 (A NULL pointer dereference flaw was found in the megasas-gen2 SCSI hos ...)
- qemu <unfixed> (bug #979678)
+ [trixie] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[buster] - qemu <postponed> (Minor issue, waiting for sanctioned patch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910346
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg06065.html
NOTE: https://patchew.org/QEMU/20201224175441.67538-1-mcascell@redhat.com/
- NOTE: No sanctioned upstream patch as of 2024-08-06
+ NOTE: No sanctioned upstream patch as of 2025-04-19
CVE-2020-35502 (A flaw was found in Privoxy in versions before 3.0.29. Memory leaks wh ...)
{DLA-2548-1}
- privoxy 3.0.29-1
@@ -372290,13 +372294,14 @@ CVE-2020-25744 (SaferVPN before 5.0.3.3 on Windows could allow low-privileged us
NOT-FOR-US: SaferVPN
CVE-2020-25743 (hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereferen ...)
- qemu <unfixed> (bug #970940)
+ [trixie] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bookworm] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[buster] - qemu <postponed> (Minor issue, waiting for sanctioned patch)
NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01568.html
NOTE: https://patchew.org/QEMU/20200903183138.2161977-1-ppandit@redhat.com/
NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fide_nullptr1
- NOTE: No sanctioned upstream patch as of 2024-08-11
+ NOTE: No sanctioned upstream patch as of 2025-04-19
CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL p ...)
- qemu <unfixed> (bug #971390)
[bookworm] - qemu <postponed> (Minor issue, revisit when fixed upstream)
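Review bot: CVE-2020-25742 in the trailing context of this hunk shows "- qemu <unfixed> (bug #971390)" followed directly by its [bookworm] line, so it gets no [trixie] entry here although it is the same package in the same state as CVE-2020-25743 just above. If that is intentional, fine; otherwise it wants the same "[trixie] - qemu <postponed> (Minor issue, revisit when fixed upstream)" line.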
@@ -372680,14 +372685,11 @@ CVE-2020-25659 (python-cryptography 3.2 is vulnerable to Bleichenbacher timing a
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1889988
NOTE: https://github.com/pyca/cryptography/commit/58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494 (3.2)
CVE-2020-25658 (It was found that python-rsa is vulnerable to Bleichenbacher timing at ...)
- - python-rsa <unfixed> (bug #974685)
- [bookworm] - python-rsa <postponed> (Minor issue, revisit when fixed upstream)
- [bullseye] - python-rsa <no-dsa> (Minor issue)
- [buster] - python-rsa <no-dsa> (Minor issue)
- [stretch] - python-rsa <no-dsa> (Minor issue)
+ - python-rsa <unfixed> (unimportant; bug #974685)
NOTE: https://github.com/sybrenstuvel/python-rsa/issues/165
NOTE: Presumed fix upstream in 4.7 does not address the issue:
NOTE: https://github.com/sybrenstuvel/python-rsa/issues/165#issuecomment-727580521
+ NOTE: The library doesn't intend to guard against this: https://github.com/sybrenstuvel/python-rsa/issues/165#issuecomment-1603113867
CVE-2020-25657 (A flaw was found in all released versions of m2crypto, where they are ...)
- m2crypto 0.38.0-4 (bug #975002)
[bullseye] - m2crypto <no-dsa> (Minor issue)
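Review bot: The added NOTE on CVE-2020-25658 records upstream's position ("The library doesn't intend to guard against this") but not why the issue is unimportant for the Debian package, which is what the switch from the per-release <postponed> and <no-dsa> lines to "(unimportant; bug #974685)" asserts. A short second NOTE giving that rationale would help. As a style point, the two NOTEs above it keep the text and the URL on separate lines; splitting the new one the same way keeps the entry consistent.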
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f3ae5d8e35e10149c78ded4625e86dacb1b4026