Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
033361dd by Moritz Muehlenhoff at 2021-04-15T19:37:46+02:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1424,9 +1424,10 @@ CVE-2021-3497 [gstreamer-plugins-good: Use-after-free in 
matroska demuxing]
        NOTE: 
https://gitlab.freedesktop.org/gstreamer/gst-plugins-good/-/commit/9181191511f9c0be6a89c98b311f49d66bd46dc3?merge_request_iid=903
 CVE-2021-3496 [heap-based buffer overflow in Get16u() in exif.c]
        RESERVED
-       - jhead <unfixed> (bug #986923)
+       - jhead <unfixed> (bug #986923; unimportant)
        NOTE: https://github.com/Matthias-Wandel/jhead/issues/33
        NOTE: Fixed by: 
https://github.com/Matthias-Wandel/jhead/commit/ca2973f4ce79279c15a09cf400648a757c1721b0
+       NOTE: Crash in CLI tool, no security impact
 CVE-2021-30641
        RESERVED
 CVE-2021-30640
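Review bot: The added NOTE "Crash in CLI tool, no security impact" on the last + line sits under a title that reads "heap-based buffer overflow in Get16u() in exif.c", and "no security impact" reads stronger than a heap overflow in a file parser supports; the unimportant tag itself is in line with how crashes in local command-line tools are usually handled, so consider rewording the NOTE to the usual reasoning (local CLI tool, no privilege boundary crossed) rather than a flat denial of impact, and keep the existing "Fixed by:" link as the reference for anyone backporting.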
@@ -2450,6 +2451,7 @@ CVE-2021-30179
        RESERVED
 CVE-2020-36314 (fr-archive-libarchive.c in GNOME file-roller through 3.38.0, 
as used b ...)
        - file-roller 3.38.1-1
+       [buster] - file-roller <no-dsa> (Minor issue)
        NOTE: 
https://gitlab.gnome.org/GNOME/file-roller/-/commit/e970f4966bf388f6e7c277357c8b186c645683ae
        NOTE: https://gitlab.gnome.org/GNOME/file-roller/-/issues/108
 CVE-2021-3484
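Review bot: The new [buster] <no-dsa> line for file-roller gives only "Minor issue" as the reason, while the entry records the fix in 3.38.1-1 and links the upstream commit and issue #108; since the truncated description does not show the impact, a short phrase on why the buster package is considered low risk would make the decision reusable when LTS later triages the same CVE.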
@@ -5198,6 +5200,7 @@ CVE-2021-28965
        RESERVED
        - ruby2.7 <unfixed> (bug #986807)
        - ruby2.5 <removed>
+       [buster] - ruby2.5 <postponed> (Minor issue, can be fixed along with 
next update)
        - ruby2.3 <removed>
        - ruby-rexml <unfixed> (bug #986806)
        NOTE: 
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
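Review bot: The [buster] <postponed> line is added for ruby2.5 only, but the same hunk shows ruby-rexml <unfixed> (bug #986806) with no buster decision; if ruby-rexml ships in buster it needs the same triage recorded, and if it does not, a note saying so avoids the question being reopened. "Can be fixed along with next update" is a good postponed rationale; consider naming the update it is expected to ride along with once that is known.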
@@ -6423,6 +6426,7 @@ CVE-2021-28422
        RESERVED
 CVE-2021-28421 (FluidSynth 2.1.7 contains a use after free vulnerability in 
sfloader/f ...)
        - fluidsynth <unfixed>
+       [buster] - fluidsynth <no-dsa> (Minor issue)
        NOTE: https://github.com/FluidSynth/fluidsynth/issues/808
        NOTE: https://github.com/FluidSynth/fluidsynth/pull/810
 CVE-2021-28420 (A cross-site scripting (XSS) issue in Seo Panel 4.8.0 allows 
remote at ...)
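Review bot: The fluidsynth <no-dsa> line marks a use-after-free in sfloader as "Minor issue" without stating the assumption behind it (soundfont files treated as trusted local input); recording that assumption next to the linked issue #808 and PR #810 lets the LTS team check whether it still holds for their users. The entry also lacks a "Fixed by:" commit NOTE of the kind the jhead and velocity-tools entries in this commit carry; adding the merge commit of PR #810 once it lands would help backporting.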
@@ -7161,6 +7165,7 @@ CVE-2021-28109 (TranzWare (POI) FIMI before 4.2.20.4.2 
allows login_tw.php refle
 CVE-2021-28374 (The Debian courier-authlib package before 0.71.1-2 for Courier 
Authent ...)
        {DLA-2625-1}
        - courier-authlib 0.71.1-2 (bug #984810)
+       [buster] - courier-authlib <no-dsa> (Minor issue)
        NOTE: Re-introduction of #378571 while migrating from 
debian/permissions to
        NOTE: debian/courier-authdaemon.tmpfiles in 0.66.4-2.
 CVE-2021-3426 [Running `pydoc -p` allows other local users to extract 
arbitrary files. The `/getfile?key=path` URL allows to read arbitrary file on 
the filesystem.]
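Review bot: stretch already carries {DLA-2625-1} for this CVE while the new line makes buster <no-dsa> (Minor issue); since the NOTE describes a Debian-specific packaging regression present since 0.66.4-2 rather than an upstream bug, the divergent handling between stretch and buster deserves a one-line justification, or a note that the fix is intended for the next buster point release if that is the plan.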
@@ -18309,6 +18314,7 @@ CVE-2021-23338 (This affects all versions of package 
qlib. The workflow function
        NOT-FOR-US: qlib
 CVE-2021-23337 (Lodash versions prior to 4.17.21 are vulnerable to Command 
Injection v ...)
        - node-lodash 4.17.21+dfsg+~cs8.31.173-1 (bug #985086)
+       [buster] - node-lodash <no-dsa> (Minor issue)
        [stretch] - node-lodash <end-of-life> (Nodejs in stretch not covered by 
security support)
        NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1040724
 CVE-2021-23336 (The package python/cpython from 0 and before 3.6.13, from 
3.7.0 and be ...)
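Review bot: For CVE-2021-23337 the title says "Command Injection", a stronger class than the ReDoS in CVE-2020-28500 that shares bug #985086 and the 4.17.21 fix, yet both get the same bare "Minor issue" for buster; a phrase on why the injection does not cross a trust boundary in typical use would make the no-dsa decision easier to defend. The stretch <end-of-life> line with its explicit reason is a good model for the wording.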
@@ -26416,8 +26422,8 @@ CVE-2021-20312 [Integer overflow in WriteTHUMBNAILImage 
of coders/thumbnail.c]
        NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/e53e24b078f7fa586f9cc910491b8910f5bdad2e
 CVE-2021-20311 [Division by zero in sRGBTransformImage() in 
MagickCore/colorspace.c]
        RESERVED
+       - imagemagick <not-affected> (Specific to IM7)
        NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/70aa86f5d5d8aa605a918ed51f7574f433a18482
-       TODO: Check whether specific to IM7
 CVE-2021-20310 [Division by zero in ConvertXYZToJzazbz() of 
MagickCore/colorspace.c]
        RESERVED
        NOTE: https://github.com/ImageMagick/ImageMagick/issues/3295
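Review bot: The new <not-affected> (Specific to IM7) line resolves the TODO, but the only reference kept is the ImageMagick (IM7) commit; the neighbouring CVE-2021-20312 entry links an ImageMagick6 commit, so for parity consider a NOTE recording how the IM6 check was done (for instance that the affected sRGBTransformImage() code path is absent from the ImageMagick6 tree) so the not-affected claim can be re-verified without redoing the analysis.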
@@ -34191,6 +34197,7 @@ CVE-2020-28501 (This affects the package 
es6-crawler-detect before 3.1.3. No lim
        NOT-FOR-US: Node es6-crawler-detect
 CVE-2020-28500 (Lodash versions prior to 4.17.21 are vulnerable to Regular 
Expression  ...)
        - node-lodash 4.17.21+dfsg+~cs8.31.173-1 (bug #985086)
+       [buster] - node-lodash <no-dsa> (Minor issue)
        [stretch] - node-lodash <end-of-life> (Nodejs in stretch not covered by 
security support)
        NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-1018905
 CVE-2020-28499 (All versions of package merge are vulnerable to Prototype 
Pollution vi ...)
@@ -40287,6 +40294,7 @@ CVE-2020-26893 (An issue was discovered in ClamXAV 3 
before 3.1.1. A malicious a
        NOT-FOR-US: ClamXAV
 CVE-2020-26892 (The JWT library in NATS nats-server before 2.1.9 has Incorrect 
Access  ...)
        - golang-github-nats-io-jwt <unfixed>
+       [buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue)
        NOTE: https://advisories.nats.io/CVE/CVE-2020-26892.txt
 CVE-2020-26891 (AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable 
to XSS d ...)
        - matrix-synapse 1.21.1-1
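Review bot: golang-github-nats-io-jwt stays <unfixed> in unstable with no (bug #N) reference, unlike the other <unfixed> entries in this commit (jhead, ruby2.7, ruby-rexml); adding the buster <no-dsa> line without a tracked bug risks the unstable fix being forgotten, so filing or recording the bug number alongside would be consistent. The same applies to CVE-2020-26521 for the same package further down.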
@@ -41122,6 +41130,7 @@ CVE-2020-26522 (A cross-site request forgery (CSRF) 
vulnerability in mod/user/ac
        NOT-FOR-US: Garfield Petshop
 CVE-2020-26521 (The JWT library in NATS nats-server before 2.1.9 allows a 
denial of se ...)
        - golang-github-nats-io-jwt <unfixed>
+       [buster] - golang-github-nats-io-jwt <no-dsa> (Minor issue)
        NOTE: https://advisories.nats.io/CVE/CVE-2020-26521.txt
 CVE-2020-26520
        RESERVED
@@ -65804,6 +65813,7 @@ CVE-2020-15137 (All versions of HoRNDIS are affected by 
an integer overflow in t
 CVE-2020-15136 (In ectd before versions 3.4.10 and 3.3.23, gateway TLS 
authentication  ...)
        [experimental] - etcd 3.3.25+dfsg-1
        - etcd 3.3.25+dfsg-5 (bug #968752)
+       [buster] - etcd <no-dsa> (Minor issue)
        NOTE: 
https://github.com/etcd-io/etcd/security/advisories/GHSA-wr2v-9rpq-c35q
 CVE-2020-15135 (save-server (npm package) before version 1.05 is affected by a 
CSRF vu ...)
        NOT-FOR-US: Node save-server
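Review bot: The etcd CVE-2020-15136 title concerns gateway TLS authentication, and "Minor issue" alone does not say why that is minor in buster; since the six etcd CVEs triaged in this commit all share the 3.3.25+dfsg-5 fix, one shared NOTE with the rationale (and a pointer to bugs #968752 and #968740) would avoid repeating or diverging justifications across the entries.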
@@ -65863,18 +65873,22 @@ CVE-2020-15116
 CVE-2020-15115 (etcd before versions 3.3.23 and 3.4.10 does not perform any 
password l ...)
        [experimental] - etcd 3.3.25+dfsg-1
        - etcd 3.3.25+dfsg-5 (bug #968740)
+       [buster] - etcd <no-dsa> (Minor issue)
        NOTE: 
https://github.com/etcd-io/etcd/security/advisories/GHSA-4993-m7g5-r9hh
 CVE-2020-15114 (In etcd before versions 3.3.23 and 3.4.10, the etcd gateway is 
a simpl ...)
        [experimental] - etcd 3.3.25+dfsg-1
        - etcd 3.3.25+dfsg-5 (bug #968740)
+       [buster] - etcd <no-dsa> (Minor issue)
        NOTE: 
https://github.com/etcd-io/etcd/security/advisories/GHSA-2xhq-gv6c-p224
 CVE-2020-15113 (In etcd before versions 3.3.23 and 3.4.10, certain directory 
paths are ...)
        [experimental] - etcd 3.3.25+dfsg-1
        - etcd 3.3.25+dfsg-5 (bug #968740)
+       [buster] - etcd <no-dsa> (Minor issue)
        NOTE: 
https://github.com/etcd-io/etcd/security/advisories/GHSA-chh6-ppwq-jh92
 CVE-2020-15112 (In etcd before versions 3.3.23 and 3.4.10, it is possible to 
have an e ...)
        [experimental] - etcd 3.3.25+dfsg-1
        - etcd 3.3.25+dfsg-5 (bug #968740)
+       [buster] - etcd <no-dsa> (Minor issue)
        NOTE: 
https://github.com/etcd-io/etcd/security/advisories/GHSA-m332-53r6-2w93
 CVE-2020-15111 (In Fiber before version 1.12.6, the filename that is given in 
c.Attach ...)
        NOT-FOR-US: Fiber
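Review bot: Four etcd CVEs (CVE-2020-15115 through CVE-2020-15112) get identical [buster] <no-dsa> (Minor issue) lines, although CVE-2020-15115 is about a password check ("does not perform any password l...") and CVE-2020-15114 about the gateway, which are different exposure profiles; either the rationale should name the common factor (for example how etcd is expected to be deployed on buster) or it should differ per CVE. Since all four reference bug #968740, the rationale could also state that they will be addressed together.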
@@ -65893,6 +65907,7 @@ CVE-2020-15107 (In openenclave before 0.10.0, enclaves 
that use x87 FPU operatio
 CVE-2020-15106 (In etcd before versions 3.3.23 and 3.4.10, a large slice 
causes panic  ...)
        [experimental] - etcd 3.3.25+dfsg-1
        - etcd 3.3.25+dfsg-5 (bug #968740)
+       [buster] - etcd <no-dsa> (Minor issue)
        NOTE: 
https://github.com/etcd-io/etcd/security/advisories/GHSA-p4g4-wgrh-qrg2
 CVE-2020-15105 (Django Two-Factor Authentication before 1.12, stores the 
user's passwo ...)
        NOT-FOR-US: Django Two-Factor Authentication
@@ -69197,6 +69212,7 @@ CVE-2020-13960 (D-Link DSL 2730-U IN_1.10 and IN_1.11 
and DIR-600M 3.04 devices
 CVE-2020-13959 (The default error page for VelocityView in Apache Velocity 
Tools prior ...)
        {DLA-2597-1}
        - velocity-tools 2.0-8 (bug #985221)
+       [buster] - velocity-tools <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2021/03/10/2
        NOTE: Fixed by: 
https://github.com/apache/velocity-tools/commit/e141828a4eb03e4b0224535eed12b5c463a24152
 CVE-2020-13958 (A vulnerability in Apache OpenOffice scripting events allows 
an attack ...)
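Review bot: stretch has {DLA-2597-1} for this XSS in the VelocityView default error page while buster gets <no-dsa> (Minor issue); as with courier-authlib above, when LTS judged a DLA warranted, the buster rationale should say why the same issue is minor there (or that it goes via a point release), otherwise the two decisions look inconsistent. The "Fixed by:" commit link is present, which is good.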


=====================================
data/dsa-needed.txt
=====================================
@@ -27,7 +27,9 @@ linux (carnil)
 --
 ndpi
 --
-netty9
+jetty9
+--
+php-pear
 --
 python-bleach (carnil)
 --
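Review bot: The -netty9/+jetty9 change is a typo correction, not a package swap, but the commit message "buster triage" does not say so; a word in the commit message (or a follow-up) would stop someone reading the history as netty9 having been dropped from dsa-needed. php-pear is added without an assignee or note, which matches the other unassigned entries here, but a pointer to the CVE(s) driving it would help whoever picks it up.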
@@ -37,6 +39,8 @@ salt
 --
 webkit2gtk
 --
+wpa
+--
 xorg-server (carnil)
   Wait a bit for the fix beeing exposed in unstable before deciding on further 
action
 --
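Review bot: wpa is added with no assignee and no indication of which CVE(s) require the DSA, unlike the xorg-server entry below it that carries a status line; consider adding the CVE reference. Separately, the context line "Wait a bit for the fix beeing exposed" has a pre-existing typo ("beeing" for "being") that could be corrected in a follow-up, not in this hunk.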



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/033361dd2965e55169db717d7c73cabfd6c169eb

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits