Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f66a5967 by Markus Koschany at 2021-04-03T19:29:25+02:00
Claim libxstream-java in dla-needed.txt

- - - - -
bd187864 by Markus Koschany at 2021-04-03T19:29:48+02:00
Remove netty from dla-needed.txt

- - - - -
2d129cf0 by Markus Koschany at 2021-04-03T19:32:42+02:00
CVE-2021-21295,CVE-2021-21409,netty: Mark as ignored for Stretch

The fix for both CVEs requires a backport of the new HTTP2 API. There have been
major changes between the current version in Stretch 4.1.7 and the most recent
release 4.1.60. Since the logic changed and the API is marked as "unstable" in
certain places, a backport poses a significant risk to break any project that
still relies on the old logic. In contrast, the security risk is low. Hence
these issues are ignored in Stretch.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -20896,6 +20896,7 @@ CVE-2021-21410
        RESERVED
 CVE-2021-21409 (Netty is an open-source, asynchronous event-driven network 
application ...)
        - netty 1:4.1.48-4 (bug #986217)
+       [stretch] - netty <ignored> (Minor issue, fix requires major changes of 
HTTP2 module)
        NOTE: Fixed by: 
https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
        NOTE: 
https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
        NOTE: Is a followup to: 
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
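Review bot: the rationale on the added `[stretch] - netty <ignored>` line is much terser than the commit message, and the tracker entry is what most readers will see; consider carrying the key facts over, e.g. `(Minor issue; fix needs a backport of the new HTTP2 API, 4.1.7 -> 4.1.60, parts marked unstable)`. Minor wording: "major changes of HTTP2 module" reads better as "major changes to the HTTP2 module".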
@@ -21172,6 +21173,7 @@ CVE-2021-21296 (Fleet is an open source osquery 
manager. In Fleet before version
        NOT-FOR-US: Fleet
 CVE-2021-21295 (Netty is an open-source, asynchronous event-driven network 
application ...)
        - netty 1:4.1.48-3 (bug #984948)
+       [stretch] - netty <ignored> (Minor issue, fix requires major changes of 
HTTP2 module)
        NOTE: 
https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
        NOTE: 
https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
 CVE-2021-21294 (Http4s (http4s-blaze-server) is a minimal, idiomatic Scala 
interface f ...)
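Review bot: the CVE-2021-21295 entry has no cross-reference to CVE-2021-21409, even though the CVE-2021-21409 entry above records GHSA-f256-j965-7f32 as a follow-up to this CVE's advisory GHSA-wm47-8v5p-wjpj; a line such as `NOTE: Followed up by CVE-2021-21409` here would make the pair findable from either side and would explain why both carry the identical Stretch rationale.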


=====================================
data/dla-needed.txt
=====================================
@@ -68,14 +68,12 @@ libebml (Thorsten Alteholz)
   NOTE: 20210307: testing package
   NOTE: 20210321: preparing buster debdiff as well
 --
-libxstream-java
+libxstream-java (Markus Koschany)
 --
 linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
 --
-netty (Markus Koschany)
---
 opendmarc
   NOTE: 20200719: no patches for remaining CVEs available, everything else is 
already done in Stretch (thorsten)
   NOTE: 20201217: patch for CVE-2020-12460 has become available (roberto)
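Review bot: the new `libxstream-java (Markus Koschany)` claim carries no dated NOTE line, while the neighbouring entries (libebml, opendmarc) record dated progress notes; a `NOTE: 20210403: claimed` line or similar would keep the file's convention. The netty removal matches the `<ignored>` markings added to data/CVE/list in the same push, so nothing is left unowned.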



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4734874bc96bc87d1e2ccee0307e5e8238b276e6...2d129cf084b92bb17a5785e0712cc8cd1880ecc6

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits