Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
1e1271cf by Moritz Muehlenhoff at 2021-03-04T11:29:46+01:00
final polishing
- - - - -
2 changed files:
- data/CVE/list
- doc/security-team.d.o/triage
Changes:
=====================================
data/CVE/list
=====================================
@@ -11,7 +11,7 @@ CVE-2021-27942
CVE-2021-27941
RESERVED
CVE-2021-27940 (resources/public/js/orchestrator.js in openark orchestrator
before 3.2 ...)
- TODO: check
+ NOT-FOR-US: openark
CVE-2021-27939
RESERVED
CVE-2021-27938
@@ -4659,7 +4659,7 @@ CVE-2021-25916
CVE-2021-25915
RESERVED
CVE-2021-25914 (Prototype pollution vulnerability in 'object-collider'
versions 1.0.0 ...)
- TODO: check
+ NOT-FOR-US: object-collider
CVE-2021-25913 (Prototype pollution vulnerability in 'set-or-get' version
1.0.0 throug ...)
NOT-FOR-US: Node set-or-get
CVE-2021-25912 (Prototype pollution vulnerability in 'dotty' versions 0.0.1
through 0. ...)
@@ -6327,6 +6327,7 @@ CVE-2021-25290
CVE-2021-25289
RESERVED
- pillow 8.1.1-1
+ [buster] - pillow <not-affected> (Vulnerable code not present)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
CVE-2021-25288
RESERVED
@@ -10475,7 +10476,7 @@ CVE-2021-23349
CVE-2021-23348
RESERVED
CVE-2021-23347 (The package github.com/argoproj/argo-cd/cmd before 1.7.13,
from 1.8.0 ...)
- TODO: check
+ NOT-FOR-US: argo-cd
CVE-2021-23346
RESERVED
CVE-2021-23345 (All versions of package github.com/thecodingmachine/gotenberg
are vuln ...)
=====================================
doc/security-team.d.o/triage
=====================================
@@ -4,10 +4,10 @@ Security updates affecting a released Debian suite can fall
under three types:
These are getting announced via
[debian-security-announce](https://www.debian.org/security/) and also
redistributed via other sources (news feeds etc).
- Low severity updates can be included in [point
releases](https://wiki.debian.org/DebianReleases/PointReleases), which are
getting released every 2-3 months (any user using the [proposed-updates
mechanism](https://www.debian.org/releases/proposed-updates) can also use them
before they get released). This provides a good balance between fixing low
impact issues before the next stable
- release, which can simply all be installed in one go when a point release
happens.
+ release, which can simply be installed in one go when a point release
happens.
- Some issues are simply not worth fixing in a stable release (for multiple
reasons, e.g. because they are mostly a PR hype, or because they
- are mitigated in Debian via a different config or toolchain hardening).
+ are mitigated in Debian via a different config or toolchain hardening or
because the impact is so marginal that it doesn't warrant an update).
Every incoming security issue gets triaged. Security issues which are being
flagged for the second category are being displayed in the [Debian Package
Tracker](https://tracker.debian.org), in fact you might have been redirected
from the PTS to this page.
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e1271cf01829e9b3571ba2cfcdbfb7ee3eec341
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e1271cf01829e9b3571ba2cfcdbfb7ee3eec341
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
