[Git][security-tracker-team/security-tracker][master] CVE-2021-2403{1,2}/libzstd assigned

Mon, 01 Mar 2021 23:06:26 -0800 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d476a732 by Salvatore Bonaccorso at 2021-03-02T08:05:18+01:00
CVE-2021-2403{1,2}/libzstd assigned

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2226,15 +2226,11 @@ CVE-2021-26910 (Firejail before 0.9.64.4 allows 
attackers to bypass intended acc
        NOTE: Fix (disabled overlayfs): 
https://github.com/netblue30/firejail/commit/97d8a03cad19501f017587cc4e47d8418273834b
        NOTE: 
https://unparalleled.eu/publications/2021/advisory-unpar-2021-0.txt
        NOTE: 
https://unparalleled.eu/blog/2021/20210208-rigged-race-against-firejail-for-local-root/
-CVE-2021-XXXX [zstd allows for race-opening files being compressed or 
uncompressed]
+CVE-2021-24032 [zstd allows for race-opening files being compressed or 
uncompressed]
        - libzstd 1.4.8+dfsg-2 (bug #982519)
-       [buster] - libzstd 1.3.8+dfsg-3+deb10u2
-       [stretch] - libzstd 1.1.2-1+deb9u1
        NOTE: https://github.com/facebook/zstd/issues/2491
-CVE-2019-XXXX [zstd adds read permissions to files while being compressed or 
uncompressed]
+CVE-2021-24031 [zstd adds read permissions to files while being compressed or 
uncompressed]
        - libzstd 1.4.8+dfsg-1 (bug #981404)
-       [buster] - libzstd 1.3.8+dfsg-3+deb10u1
-       [stretch] - libzstd 1.1.2-1+deb9u1
        NOTE: https://github.com/facebook/zstd/issues/1630
 CVE-2021-26852
        RESERVED
@@ -8765,10 +8761,6 @@ CVE-2021-24034
        RESERVED
 CVE-2021-24033
        RESERVED
-CVE-2021-24032
-       RESERVED
-CVE-2021-24031
-       RESERVED
 CVE-2021-24030
        RESERVED
 CVE-2021-24029


=====================================
data/DLA/list
=====================================
@@ -14,6 +14,7 @@
        {CVE-2021-27212}
        [stretch] - openldap 2.4.44+dfsg-5+deb9u8
 [20 Feb 2021] DLA-2573-1 libzstd - security update
+       {CVE-2021-24031 CVE-2021-24032}
        [stretch] - libzstd 1.1.2-1+deb9u1
 [20 Feb 2021] DLA-2572-1 wpa - security update
        {CVE-2021-0326}


=====================================
data/DSA/list
=====================================
@@ -20,6 +20,7 @@
        {CVE-2021-27212}
        [buster] - openldap 2.4.47+dfsg-3+deb10u6
 [20 Feb 2021] DSA-4859-1 libzstd - security update
+       {CVE-2021-24032}
        [buster] - libzstd 1.3.8+dfsg-3+deb10u2
 [19 Feb 2021] DSA-4858-1 chromium - security update
        {CVE-2021-21148 CVE-2021-21149 CVE-2021-21150 CVE-2021-21151 
CVE-2021-21152 CVE-2021-21153 CVE-2021-21154 CVE-2021-21155 CVE-2021-21156 
CVE-2021-21157}
@@ -45,6 +46,7 @@
        {CVE-2020-17525}
        [buster] - subversion 1.10.4-1+deb10u2
 [10 Feb 2021] DSA-4850-1 libzstd - security update
+       {CVE-2021-24031}
        [buster] - libzstd 1.3.8+dfsg-3+deb10u1
 [09 Feb 2021] DSA-4849-1 firejail - security update
        {CVE-2021-26910}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d476a73235fb12334b2d8fbae0421c31257a61f5

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d476a73235fb12334b2d8fbae0421c31257a61f5
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to