Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6705aa2a by Moritz Muehlenhoff at 2020-10-27T19:24:08+01:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -562,6 +562,7 @@ CVE-2020-27662
 CVE-2020-27661 [divide by zero in dwc2_handle_packet() in hw/usb/hcd-dwc2.c]
        RESERVED
        - qemu <unfixed> (bug #972864)
+       [buster] - qemu <postponed> (Fix along in future DSA)
        [stretch] - qemu <postponed> (Fix along in future DLA)
        NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg04263.html
        NOTE: Fixed by: 
https://git.qemu.org/?p=qemu.git;a=commit;h=bea2a9e3e00b275dc40cfa09c760c715b8753e03
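Review bot: the new [buster] line for CVE-2020-27661 uses <postponed> with "Fix along in future DSA", whereas every other buster line added in this commit uses <no-dsa> (Minor issue). <postponed> signals that a DSA is planned, so qemu should also be tracked in data/dsa-needed.txt (this commit adds libproxy and xen there but not qemu) unless it is already listed; if the intent is to ship the fix only with a point release, <no-dsa> would be the more accurate marker.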
@@ -1648,6 +1649,7 @@ CVE-2020-27151
 CVE-2020-27153 (In BlueZ before 5.55, a double free was found in the gatttool 
disconne ...)
        {DLA-2410-1}
        - bluez 5.55-1
+       [buster] - bluez <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1884817
        NOTE: 
https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a
 CVE-2020-27150
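Review bot: the buster <no-dsa> rationale for CVE-2020-27153 is just "Minor issue" although the same bug already received DLA-2410-1 for stretch; a one-clause reason (the description indicates the double free is in the gatttool client, not in bluetoothd) would make the lower buster priority self-explanatory for whoever prepares the next point-release update.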
@@ -3731,6 +3733,7 @@ CVE-2019-20921 (bootstrap-select before 1.13.6 allows 
Cross-Site Scripting (XSS)
        NOT-FOR-US: bootstrap-select
 CVE-2019-20920 (Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to 
Arbitrar ...)
        - node-handlebars 3:4.5.3-1
+       [buster] - node-handlebars <no-dsa> (Minor issue)
        - libjs-handlebars <removed>
        [stretch] - libjs-handlebars <no-dsa> (Only reverse depends was 
diaspora which not in stretch)
        NOTE: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478
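Review bot: the stretch line for libjs-handlebars records why the issue is low priority in Debian's context (the only reverse dependency was diaspora), but the new [buster] node-handlebars line only says "Minor issue"; since the CVE description begins with "Arbitrar...", the rationale should state the Debian-specific reason for deferral (which reverse dependencies in buster would feed untrusted templates to it) rather than a bare severity word.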
@@ -4952,6 +4955,7 @@ CVE-2020-25627
        RESERVED
 CVE-2020-25626 (A flaw was found in Django REST Framework versions before 
3.12.0 and b ...)
        - djangorestframework 3.12.1-1 (bug #971554)
+       [buster] - djangorestframework <no-dsa> (Minor issue)
        [stretch] - djangorestframework <no-dsa> (Minor issue)
        NOTE: 
https://github.com/encode/django-rest-framework/commit/4121b01b912668c049b26194a9a107c27a332429
        NOTE: Fixed upstream in 3.12.0 and 3.11.2
@@ -7970,11 +7974,13 @@ CVE-2020-24268
 CVE-2020-24267
        RESERVED
 CVE-2020-24266 (An issue was discovered in tcpreplay tcpprep v4.3.3. There is 
a heap b ...)
-       - tcpreplay <unfixed> (bug #972889)
+       - tcpreplay <unfixed> (bug #972889; unimportant)
        NOTE: https://github.com/appneta/tcpreplay/issues/617
+       NOTE: Crash in CLI tool, no security impact
 CVE-2020-24265 (An issue was discovered in tcpreplay tcpprep v4.3.3. There is 
a heap b ...)
-       - tcpreplay <unfixed> (bug #972890)
+       - tcpreplay <unfixed> (bug #972890; unimportant)
        NOTE: https://github.com/appneta/tcpreplay/issues/616
+       NOTE: Crash in CLI tool, no security impact
 CVE-2020-24264
        RESERVED
 CVE-2020-24263
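Review bot: the NOTE "Crash in CLI tool, no security impact" added for CVE-2020-24266 and CVE-2020-24265 justifies the "unimportant" tag with the crash alone, but both CVE descriptions say the bug is a "heap b..." issue in tcpprep, and heap corruption in a file parser is not the same as a plain crash; the NOTE should say why that does not matter here (for example, that tcpprep is an offline tool run by the user on pcap files they chose), so the triage decision remains defensible if the upstream issues later report more than a crash.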
@@ -30380,6 +30386,7 @@ CVE-2020-13944 (In Apache Airflow &lt; 1.10.12, the 
"origin" parameter passed to
 CVE-2020-13943 (If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 
10.0.0-M7 ...)
        {DLA-2407-1}
        - tomcat9 9.0.38-1
+       [buster] - tomcat9 <no-dsa> (Minor issue)
        - tomcat8 <removed>
        NOTE: 
https://github.com/apache/tomcat/commit/55911430df13f8c9998fbdee1f9716994d2db59b
 (9.0.38)
        NOTE: 
https://github.com/apache/tomcat/commit/9d7def063b47407a09a2f9202beed99f4dcb292a
 (8.5.58)
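Review bot: CVE-2020-13943 already has DLA-2407-1 for stretch while the new [buster] tomcat9 line is <no-dsa> (Minor issue); given the description concerns HTTP/2 client handling in Tomcat, the rationale should record why the issue can wait for a point release in buster (for instance that the HTTP/2 connector is not enabled in the default Debian configuration, if that is the case), otherwise the two suites look triaged inconsistently.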
@@ -30582,6 +30589,7 @@ CVE-2020-13872 (Royal TS before 5 has a 0.0.0.0 
listener, which makes it easier
 CVE-2020-13871 (SQLite 3.32.2 has a use-after-free in resetAccumulator in 
select.c bec ...)
        {DLA-2340-1}
        - sqlite3 3.32.2-2
+       [buster] - sqlite3 <not-affected> (Vulnerability introduced later)
        [jessie] - sqlite3 <not-affected> (Vulnerable code not present)
        NOTE: New fix: https://www.sqlite.org/src/info/44a58d6cb135a104
        NOTE: Fixed by: https://www.sqlite.org/src/info/79eff1d0383179c4
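Review bot: the new [buster] <not-affected> line for CVE-2020-13871 says "Vulnerability introduced later", yet the same entry carries {DLA-2340-1}, which means the older stretch version was treated as affected and fixed; an issue introduced after buster's sqlite3 cannot have been present in stretch's older one. Please confirm the introducing upstream commit and either align the stretch status (e.g. record that the DLA applied the fix preemptively) or reword the buster reason to match the jessie wording "Vulnerable code not present".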
@@ -53383,6 +53391,7 @@ CVE-2020-5422 (BOSH System Metrics Server releases 
prior to 0.1.0 exposed the UA
        NOT-FOR-US: BOSH System Metrics Server
 CVE-2020-5421 (In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 
5.0.0 - 5. ...)
        - libspring-java <unfixed>
+       [buster] - libspring-java <no-dsa> (Minor issue)
        [stretch] - libspring-java <no-dsa> (Minor issue)
        NOTE: https://tanzu.vmware.com/security/cve-2020-5421
 CVE-2020-5420 (Cloud Foundry Routing (Gorouter) versions prior to 0.206.0 
allow a mal ...)
@@ -124819,6 +124828,7 @@ CVE-2019-0210 (In Apache Thrift 0.9.3 to 0.12.0, a 
server implemented in Go usin
        [experimental] - thrift 0.13.0-1
        - thrift 0.13.0-2
        NOTE: https://www.openwall.com/lists/oss-security/2019/10/17/2
+       NOTE: 
https://github.com/apache/thrift/commit/264a3f318ed3e9e51573f67f963c8509786bcec2
 CVE-2019-0209
        REJECTED
 CVE-2019-0208
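Review bot: the new NOTE for CVE-2019-0210 is a bare commit URL; elsewhere in this file (the qemu and sqlite3 entries in this same commit) fix commits are prefixed with "NOTE: Fixed by:", so use the same label here so tooling and readers can tell the fix commit apart from a plain reference.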
@@ -158327,7 +158337,8 @@ CVE-2018-6958 (VMware vRealize Automation (vRA) prior 
to 7.3.1 contains a vulner
 CVE-2018-6957 (VMware Workstation (14.x before 14.1.1, 12.x) and Fusion (10.x 
before  ...)
        NOT-FOR-US: VMware
 CVE-2017-18188 (OpenRC opentmpfiles through 0.1.3, when the 
fs.protected_hardlinks sys ...)
-       NOT-FOR-US: opentmpfiles
+       - opentmpfiles <unfixed>
+       NOTE: https://github.com/OpenRC/opentmpfiles/issues/3
 CVE-2017-18187 (In ARM mbed TLS before 2.7.0, there is a bounds-check bypass 
through a ...)
        {DSA-4147-1 DSA-4138-1}
        - mbedtls 2.7.0-2
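Review bot: CVE-2017-18188 is flipped from NOT-FOR-US to "- opentmpfiles <unfixed>" without a Debian bug reference or a severity tag; the other <unfixed> lines touched in this commit carry "(bug #NNN)", so a bug should be filed against opentmpfiles and referenced here, and [buster]/[stretch] status lines added if those suites ship the package, otherwise the entry will show as unfixed for every suite by default.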


=====================================
data/dsa-needed.txt
=====================================
@@ -19,6 +19,8 @@ chromium
 knot-resolver
   Santiago Ruano Rincón proposed a debdiff for review
 --
+libproxy
+--
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
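Review bot: libproxy (and xen, added further down in the same file) is inserted into dsa-needed.txt with neither a claimer in parentheses nor the indented status line the surrounding entries use (knot-resolver, linux, xcftools all carry one); add at least a line naming the CVE(s) the update is meant to cover so the next person picking it up does not have to search data/CVE/list for the reason it was queued.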
@@ -30,3 +32,5 @@ pdns-recursor
 xcftools
   Hugo proposed to work on this update
 --
+xen
+--



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6705aa2a2a298f6287a427cefd8faf6704db6b57



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits