Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e96acccb by Moritz Muehlenhoff at 2021-04-07T19:43:28+02:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -410,6 +410,7 @@ CVE-2021-30005
        RESERVED
 CVE-2021-30004 (In wpa_supplicant and hostapd 2.9, forging attacks may occur 
because A ...)
        - wpa <unfixed>
+       [buster] - wpa <no-dsa> (Minor issue)
        NOTE: 
https://w1.fi/cgit/hostap/commit/?id=a0541334a6394f8237a4393b7372693cd7e96f15
 CVE-2021-30003 (An issue was discovered on Nokia G-120W-F 3FE46606AGAB91 
devices. Ther ...)
        NOT-FOR-US: Nokia G-120W-F 3FE46606AGAB91 devices
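Review bot: The `- wpa <unfixed>` line above the added `[buster] - wpa <no-dsa> (Minor issue)` for CVE-2021-30004 has no bug reference, unlike the pikepdf and kopanocore entries in this same commit (bug #986274, bug #986272). With buster set to no-dsa, consider filing a bug against wpa and adding it to the unfixed line, so the upstream commit already listed in the NOTE is tracked for unstable and for a later buster update.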
@@ -1711,6 +1712,7 @@ CVE-2021-29422
        RESERVED
 CVE-2021-29421 (models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 
for Pyth ...)
        - pikepdf <unfixed> (bug #986274)
+       [buster] - pikepdf <no-dsa> (Minor issue)
        NOTE: 
https://github.com/pikepdf/pikepdf/commit/3f38f73218e5e782fe411ccbb3b44a793c0b343a
 (v2.10.0)
 CVE-2021-29420
        RESERVED
@@ -2333,6 +2335,7 @@ CVE-2021-29137
        RESERVED
 CVE-2021-29136 (Open Container Initiative umoci before 0.4.7 allows attackers 
to overw ...)
        - umoci 0.4.7+ds-1
+       [buster] - umoci <no-dsa> (Minor issue)
        NOTE: 
https://github.com/opencontainers/umoci/security/advisories/GHSA-9m95-8hx6-7p9v
        NOTE: 
https://github.com/opencontainers/umoci/commit/d9efc31daf2206f7d3fdb839863cf7a576a2eb57
 (v0.4.7)
 CVE-2021-29135
@@ -2636,6 +2639,7 @@ CVE-2021-28995
        RESERVED
 CVE-2021-28994 (kopano-ical (formerly zarafa-ical) in Kopano Groupware Core 
through 8. ...)
        - kopanocore <unfixed> (bug #986272)
+       [buster] - kopanocore <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2021/03/19/6
 CVE-2021-28993
        RESERVED
@@ -3383,6 +3387,7 @@ CVE-2021-28658 (In Django 2.2 before 2.2.20, 3.0 before 
3.0.14, and 3.1 before 3
        NOTE: 
https://github.com/django/django/commit/4036d62bda0e9e9f6172943794b744a454ca49c2
 (2.2.20)
 CVE-2021-28657 (A carefully crafted or corrupt file may trigger an infinite 
loop in Ti ...)
        - tika <unfixed>
+       [buster] - tika <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2021/03/30/3
 CVE-2021-28656
        RESERVED
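Review bot: For CVE-2021-28657 the only NOTE under the new `[buster] - tika <no-dsa> (Minor issue)` line is the oss-security post; there is no fixing commit or fixed upstream version, which most other entries touched in this commit do carry. Adding that NOTE alongside the triage decision would show what has to be backported if the infinite-loop fix is picked up for buster later.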
@@ -9053,10 +9058,12 @@ CVE-2021-3309 (packages/wekan-ldap/server/ldap.js in 
Wekan before 4.87 can proce
        NOT-FOR-US: Wekan
 CVE-2021-26272 (It was possible to execute a ReDoS-type attack inside CKEditor 
4 befor ...)
        - ckeditor 4.16.0+dfsg-1 (bug #982587)
+       [buster] - ckeditor <no-dsa> (Minor issue)
        [stretch] - ckeditor <postponed> (Fix along next DLA)
        NOTE: 
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
 CVE-2021-26271 (It was possible to execute a ReDoS-type attack inside CKEditor 
4 befor ...)
        - ckeditor 4.16.0+dfsg-1 (bug #982587)
+       [buster] - ckeditor <no-dsa> (Minor issue)
        [stretch] - ckeditor <postponed> (Fix along next DLA)
        NOTE: 
https://github.com/ckeditor/ckeditor4/blob/major/CHANGES.md#ckeditor-416
 CVE-2021-26270
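Review bot: In both ckeditor entries (CVE-2021-26272 and CVE-2021-26271) the added buster line is `<no-dsa> (Minor issue)` while the stretch line directly below is `<postponed> (Fix along next DLA)`, so the two suites now read as different decisions for the same ReDoS issue. If the buster fix is meant to ride along with a later update in the same way, `<postponed>` with a matching reason says that more precisely; if not, a reason more specific than "Minor issue" would explain the difference.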
@@ -9402,10 +9409,12 @@ CVE-2021-26121
 CVE-2021-26120 (Smarty before 3.1.39 allows code injection via an unexpected 
function  ...)
        {DLA-2618-1}
        - smarty3 3.1.39-1
+       [buster] - smarty3 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/smarty-php/smarty/commit/4f634c0097ab4a8b2adc2a97caacd1676e88f9c8
 CVE-2021-26119 (Smarty before 3.1.39 allows a Sandbox Escape because 
$smarty.template_ ...)
        {DLA-2618-1}
        - smarty3 3.1.39-1
+       [buster] - smarty3 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/smarty-php/smarty/commit/c9272058d972045dda9c99c64a82acb21c93c6ad
 CVE-2021-26118 (While investigating ARTEMIS-2964 it was found that the 
creation of adv ...)
        NOT-FOR-US: Apache ActiveMQ Artemis
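Review bot: Both added `[buster] - smarty3 <no-dsa> (Minor issue)` lines sit under descriptions that read "allows code injection" (CVE-2021-26120) and "allows a Sandbox Escape" (CVE-2021-26119), and both entries already carry {DLA-2618-1}. "Minor issue" does not say why these fall below the DSA threshold on buster; stating the actual rationale in the parentheses would make the triage decision reviewable from the entry itself.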
@@ -23969,6 +23978,7 @@ CVE-2021-20270 (An infinite loop in SMLLexer in 
Pygments versions 1.5 to 2.7.3 m
 CVE-2021-20269 [incorrect permissions on kdump dmesg file]
        RESERVED
        - kexec-tools <unfixed> (bug #985105)
+       [buster] - kexec-tools <no-dsa> (Minor issue)
        [stretch] - kexec-tools <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2021/03/11/2
 CVE-2021-20268 (An out-of-bounds access flaw was found in the Linux kernel's 
implement ...)
@@ -39107,6 +39117,7 @@ CVE-2020-26216 (TYPO3 Fluid before versions 2.0.8, 
2.1.7, 2.2.4, 2.3.7, 2.4.4, 2
 CVE-2020-26215 (Jupyter Notebook before version 6.1.5 has an Open redirect 
vulnerabili ...)
        {DLA-2477-1}
        - jupyter-notebook 6.1.5-1
+       [buster] - jupyter-notebook <no-dsa> (Minor issue)
        NOTE: 
https://github.com/jupyter/notebook/security/advisories/GHSA-c7vm-f5p4-8fqh
        NOTE: 
https://github.com/jupyter/notebook/commit/2e1c56b0c4a903606d4a2eb13e32409296b9799d
 CVE-2020-26214 (In Alerta before version 8.1.0, users may be able to bypass 
LDAP authe ...)
@@ -43345,6 +43356,7 @@ CVE-2020-24456 (Incorrect default permissions in the 
Intel(R) Board ID Tool vers
        NOT-FOR-US: Intel
 CVE-2020-24455 (Missing initialization of a variable in the TPM2 source may 
allow a pr ...)
        - tpm2-tss 3.0.1-1
+       [buster] - tpm2-tss <no-dsa> (Minor issue)
        NOTE: 
https://github.com/tpm2-software/tpm2-tss/commit/0cc5f0e12694f3780a8512fc37a7dbc542ea4330
 (master)
        NOTE: 
https://github.com/tpm2-software/tpm2-tss/commit/9536b79cd5a13884a7e4de7a571f72530180c20b
 (3.0.1)
        NOTE: 
https://github.com/tpm2-software/tpm2-tss/commit/bf24b0ef0fa8de9300a323f70a097a1afd818439
 (2.4.5)
@@ -205699,6 +205711,7 @@ CVE-2017-17743 (Improper input sanitization within 
the restricted administration
 CVE-2017-17742 (Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 
2.5.x befo ...)
        {DSA-4259-1 DLA-2330-1 DLA-2027-1 DLA-1421-1 DLA-1359-1 DLA-1358-1}
        - jruby <unfixed> (bug #972230)
+       [buster] - jruby <no-dsa> (Minor issue)
        - ruby2.5 2.5.1-1
        - ruby2.3 <removed>
        - ruby2.1 <removed>


=====================================
data/dsa-needed.txt
=====================================
@@ -25,6 +25,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
 --
+ndpi
+--
 netty9
 --
 python-bleach
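Review bot: The new `ndpi` entry in data/dsa-needed.txt has no matching change in the data/CVE/list part of this commit, and the commit message ("buster triage") does not name the issue behind it. A short indented note under `ndpi` naming the CVE(s) that need the DSA, in the style of the note under `linux (carnil)`, would let whoever claims the entry start without searching the list.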



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e96acccbaf4a4fbd0610fe9a8335f67da9d962ce
