[Git][security-tracker-team/security-tracker][master] 2 commits: new rustc issues

Moritz Muehlenhoff Mon, 12 Apr 2021 02:09:12 -0700


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker



Commits:
ee0c0dd1 by Moritz Muehlenhoff at 2021-04-12T10:51:04+02:00
new rustc issues
erlang, retroarch n/a

- - - - -
323574b9 by Moritz Muehlenhoff at 2021-04-12T11:08:28+02:00
new nginx issue
ffmpeg n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -43,7 +43,9 @@ CVE-2021-30483
 CVE-2021-30482
        RESERVED
 CVE-2021-30481 (Valve Steam through 2021-04-10, when a Source engine game is 
installed ...)
-       TODO: check
+       NOT-FOR-US: Valve Steam
+       NOTE: Debian ships an installer as src:steam, but it auto-updates 
whenever Steam
+       NOTE: is started, so nothing really to be updated there
 CVE-2021-3492
        RESERVED
 CVE-2021-3491
@@ -765,7 +767,8 @@ CVE-2020-36310 (An issue was discovered in the Linux kernel 
before 5.8. arch/x86
        - linux 5.8.7-1
        NOTE: 
https://git.kernel.org/linus/e72436bc3a5206f95bb384e741154166ddb3202e
 CVE-2020-36309 (ngx_http_lua_module (aka lua-nginx-module) before 0.10.16 in 
OpenResty ...)
-       TODO: check
+       - nginx <unfixed> (bug #986787)
+       NOTE: https://github.com/openresty/lua-nginx-module/pull/1654
 CVE-2020-36308 (Redmine before 4.0.7 and 4.1.x before 4.1.1 allows attackers 
to discov ...)
        - redmine 4.0.7-1
        TODO: check fixing commit, fixed in 4.0.7
@@ -2864,7 +2867,7 @@ CVE-2021-29223
 CVE-2021-29222
        RESERVED
 CVE-2021-29221 (A local privilege escalation vulnerability was discovered in 
Erlang/OT ...)
-       TODO: check
+       - erlang <not-affected> (Windows-specific)
 CVE-2021-29220
        RESERVED
 CVE-2021-29219
@@ -3531,7 +3534,7 @@ CVE-2021-28929
 CVE-2021-28928
        RESERVED
 CVE-2021-28927 (The text-to-speech engine in libretro RetroArch for Windows 
0.11 passe ...)
-       TODO: check
+       - retroarch <not-affected> (Windows-specific)
 CVE-2021-28926
        RESERVED
 CVE-2021-28925 (SQL injection vulnerability in Nagios Network Analyzer before 
2.4.3 vi ...)
@@ -3629,15 +3632,24 @@ CVE-2021-28881
 CVE-2021-28880
        RESERVED
 CVE-2021-28879 (In the standard library in Rust before 1.52.0, the Zip 
implementation  ...)
-       TODO: check
+       - rustc <unfixed>
+       NOTE: https://github.com/rust-lang/rust/issues/82282
+       NOTE: https://github.com/rust-lang/rust/pull/82289
 CVE-2021-28878 (In the standard library in Rust before 1.52.0, the Zip 
implementation  ...)
-       TODO: check
+       - rustc <unfixed>
+       NOTE: https://github.com/rust-lang/rust/issues/82291
+       NOTE: https://github.com/rust-lang/rust/pull/82292
 CVE-2021-28877 (In the standard library in Rust before 1.51.0, the Zip 
implementation  ...)
-       TODO: check
+       - rustc <unfixed>
+       NOTE: https://github.com/rust-lang/rust/pull/80670
 CVE-2021-28876 (In the standard library in Rust before 1.52.0, the Zip 
implementation  ...)
-       TODO: check
+       - rustc <unfixed>
+       NOTE: https://github.com/rust-lang/rust/issues/81740
+       NOTE: https://github.com/rust-lang/rust/pull/81741
 CVE-2021-28875 (In the standard library in Rust before 1.50.0, read_to_end() 
does not  ...)
-       TODO: check
+       - rustc <unfixed>
+       NOTE: https://github.com/rust-lang/rust/issues/80894
+       NOTE: https://github.com/rust-lang/rust/pull/80895
 CVE-2021-28874 (SerenityOS fixed as of 
c9f25bca048443e317f1994ba9b106f2386688c3 contai ...)
        NOT-FOR-US: SerenityOS
 CVE-2021-28873
@@ -42888,14 +42900,14 @@ CVE-2020-24996 (There is an invalid memory access in 
the function TextString::~T
        - xpdf <not-affected> (xpdf in Debian uses poppler, which is fixed)
        NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=42028
 CVE-2020-24995 (Buffer overflow vulnerability in sniff_channel_order function 
in aacde ...)
-       - ffmpeg <undetermined>
+       - ffmpeg <not-affected> (Only affects 4.4 development branches)
        NOTE: https://trac.ffmpeg.org/ticket/8845
        NOTE: https://trac.ffmpeg.org/ticket/8859
        NOTE: https://trac.ffmpeg.org/ticket/8860
        NOTE: Support for 22.2 / channel_config 13 introduced in:
        NOTE: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=9c0beaf0d3bb72f6e83b3b155a598a9ec28c8468
        NOTE: Fixed by: 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=d6f293353c94c7ce200f6e0975ae3de49787f91f
-       TODO: check if issue introduced only when introducign support for 
Support for 22.2 / channel_config 13
+       NOTE: Introduced in 
http://git.videolan.org/?p=ffmpeg.git;a=commitdiff;h=9c0beaf0d3bb72f6e83b3b155a598a9ec28c8468
 CVE-2020-24994 (Stack overflow in the parse_tag function in libass/ass_parse.c 
in liba ...)
        - libass 1:0.15.0-1
        [buster] - libass <no-dsa> (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f798e5170888514f307e1aa314df740f19b3cf3b...323574b9c4ccfbaa47c7284257d42e4383559bb1

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f798e5170888514f307e1aa314df740f19b3cf3b...323574b9c4ccfbaa47c7284257d42e4383559bb1
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] 2 commits: new rustc issues

Reply via email to