Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
82a622b2 by Chris Lamb at 2021-02-18T10:20:11+00:00
data/dla-needed.txt: Triage glib2.0 for stretch LTS (CVE-2021-27218).

- - - - -
49933775 by Chris Lamb at 2021-02-18T10:22:53+00:00
data/dla-needed.txt: Triage golang-gogoprotobuf for stretch LTS (CVE-2021-3121).

- - - - -
482a467c by Chris Lamb at 2021-02-18T10:26:24+00:00
Triage CVE-2020-15469, CVE-2020-15859, CVE-2020-25084, CVE-2020-28916 
CVE-2020-29130 & CVE-2020-29443 for qemu for stretch LTS.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -21239,6 +21239,7 @@ CVE-2020-29443 (ide_atapi_cmd_reply_end in 
hw/ide/atapi.c in QEMU 5.1.0 allows o
        {DLA-2560-1}
        - qemu <unfixed>
        [buster] - qemu <postponed> (Fix along in future DSA)
+       [stretch] - qemu <postponed> (Can be fixed in future DLA)
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg04255.html
        NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=813212288970c39b1800f63e83ac6e96588095c6
        NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=b8d7f1bc59276fec85e4d09f1567613a3e14d31e
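Review bot: the added `[stretch] - qemu <postponed>` line sits under an entry that already carries `{DLA-2560-1}` in the context line above, which reads as if a DLA has already addressed this CVE. If DLA-2560-1 did ship the fix for stretch, record the fixed version instead of postponing. If the tag is there for another reason, say so in the note so the two lines do not contradict each other.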
@@ -21929,6 +21930,7 @@ CVE-2020-29130 (slirp.c in libslirp through 4.3.1 has a 
buffer over-read because
        - libslirp 4.4.0-1
        - qemu 1:4.1-2
        [buster] - qemu <postponed> (Fix along in future DSA)
+       [stretch] - qemu <postponed> (Can be fixed in next DLA)
        NOTE: 
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/2e1dcbc0c2af64fcb17009eaf2ceedd81be2b27f
 (v4.4.0)
        NOTE: qemu 1:4.1-2 switched to system libslirp, marking that version as 
fixed.
 CVE-2020-29129 (ncsi.c in libslirp through 4.3.1 has a buffer over-read 
because it tri ...)
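Review bot: the `[stretch]` note added after the `[buster]` line does not say which code is affected in stretch. The NOTE further down records that qemu only switched to the system libslirp in 1:4.1-2, so state whether stretch's qemu still carries its own slirp copy and needs the libslirp commit backported there. That tells whoever picks up the DLA where the patch applies.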
@@ -22457,6 +22459,7 @@ CVE-2020-28916 (hw/net/e1000e_core.c in QEMU 5.0.0 has 
an infinite loop via an R
        {DLA-2560-1}
        - qemu 1:5.2+dfsg-1 (bug #976388; bug #974687)
        [buster] - qemu <postponed> (Fix along in future DSA)
+       [stretch] - qemu <postponed> (Fix along in a future DLA)
        NOTE: https://www.openwall.com/lists/oss-security/2020/12/01/2
        NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg03185.html
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1893895 (duplicate)
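Review bot: the wording on the added `[stretch]` line, "Fix along in a future DLA", is a third phrasing for the same decision. The other qemu lines in this push use "Can be fixed in future DLA" and "Can be fixed in next DLA". Pick one form for all six, and decide between "next" and "future", since "next" reads as a commitment to the very next upload.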
@@ -34794,6 +34797,7 @@ CVE-2020-25084 (QEMU 5.0.0 has a use-after-free in 
hw/usb/hcd-xhci.c because the
        {DLA-2560-1}
        - qemu 1:5.2+dfsg-1 (bug #970539)
        [buster] - qemu <postponed> (Can be fixed along in next qemu DSA)
+       [stretch] - qemu <postponed> (Can be fixed in next DLA)
        NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg08050.html
        NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2020-08/msg08043.html
        NOTE: https://www.openwall.com/lists/oss-security/2020/09/16/5
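Review bot: the added `[stretch]` line postpones a use-after-free in hw/usb/hcd-xhci.c with only "Can be fixed in next DLA" and no reason for deferring. The CVE-2020-15859 and CVE-2020-15469 lines in this same push at least say "Minor issue". Add a comparable rationale here, for example why the xhci path is low risk for stretch, so the postponement can be re-checked later.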
@@ -53989,6 +53993,7 @@ CVE-2020-15859 (QEMU 4.2.0 has a use-after-free in 
hw/net/e1000e_core.c because
        {DLA-2560-1}
        - qemu 1:5.2+dfsg-1 (bug #965978)
        [buster] - qemu <postponed> (Minor issue, can be fixed along in next 
DSA)
+       [stretch] - qemu <postponed> (Minor issue, can be fixed in next DLA)
        NOTE: Proposed patch: 
https://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05895.html
        NOTE: https://bugs.launchpad.net/qemu/+bug/1886362
        NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=22dc8663d9fc7baa22100544c600b6285a63c7a3
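Review bot: "Minor issue, can be fixed in next DLA" on the added `[stretch]` line mirrors the buster assessment but does not point at the fix to backport. The NOTEs below list both a proposed patch on qemu-devel and a git.qemu.org commit. Naming the commit in the note, or confirming that it applies to stretch's e1000e code, would save the next person from working that out again.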
@@ -55103,6 +55108,7 @@ CVE-2020-15469 (In QEMU 4.2.0, a MemoryRegionOps object 
may lack read/write call
        {DLA-2560-1}
        - qemu <unfixed> (low; bug #970253)
        [buster] - qemu <postponed> (Minor issue, fix along in next DSA)
+       [stretch] - qemu <postponed> (Minor issue, can be fixed in next DLA)
        NOTE: https://www.openwall.com/lists/oss-security/2020/07/02/1
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg09961.html
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00674.html
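Review bot: the added `[stretch]` line says "can be fixed in next DLA" while the package line above it is still `<unfixed>` and the NOTEs only reference mailing-list threads, the latest from 2021-02, with no upstream commit. Condition the note on a fix landing upstream, for example "revisit once fixed upstream", so it does not imply a patch is ready to backport.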


=====================================
data/dla-needed.txt
=====================================
@@ -46,12 +46,17 @@ dnsmasq (Utkarsh)
 firmware-nonfree
   NOTE: 20201207: wait for the update in buster and backport that (Emilio)
 --
+glib2.0
+--
 golang-1.7
 --
 golang-1.8
 --
 golang-github-appc-cni (Thorsten Alteholz)
 --
+golang-gogoprotobuf
+  NOTE: 20210218: If you have any idea why this is called the "skippy peanut 
butter" issue, I would be mildly interested. (lamby)
+--
 guacamole-server
   NOTE: 20210217: Note may affect guacamole-client too (see note on security 
tracker). (lamby)
 --
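Review bot: neither added entry records the CVE being triaged. The commit messages name CVE-2021-27218 for glib2.0 and CVE-2021-3121 for golang-gogoprotobuf, but `glib2.0` has no NOTE at all and the golang-gogoprotobuf NOTE only asks about the issue's nickname. Add a dated NOTE with the CVE id to each so the file is self-explanatory for whoever claims the package.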



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fcab3ed706d9ba08fb117030875ebaa66d96b75b...482a467cfdb36d7202a5ea84539352a203cefba7



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
