Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d4722c65 by Moritz Muehlenhoff at 2021-04-21T19:16:11+02:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -7500,7 +7500,7 @@ CVE-2021-28158
 CVE-2021-28157 (An SQL Injection issue in Devolutions Server before 2021.1 and 
Devolut ...)
        NOT-FOR-US: Devolutions Server
 CVE-2021-28156 (HashiCorp Consul Enterprise version 1.8.0 up to 1.9.4 audit 
log can be ...)
-       - consul <unfixed>
+       - consul <not-affected> (Only affects Enterprise version)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1950492
        NOTE: https://github.com/hashicorp/consul/pull/10030
 CVE-2021-28155
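Review bot: the new `<not-affected> (Only affects Enterprise version)` line for CVE-2021-28156 sits directly above a NOTE pointing at a pull request in the public hashicorp/consul repository, which reads as if the fix touched the open source tree as well. Add a NOTE stating why that pull request does not make the packaged consul affected, so the status can be re-checked later without redoing the analysis.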
@@ -10002,6 +10002,7 @@ CVE-2021-27105
 CVE-2021-3407 (A flaw was found in mupdf 1.18.0. Double free of object during 
lineari ...)
        {DLA-2589-1}
        - mupdf 1.17.0+ds1-1.3 (bug #983684)
+       [buster] - mupdf <no-dsa> (Minor issue)
        NOTE: 
http://git.ghostscript.com/?p=mupdf.git;h=cee7cefc610d42fd383b3c80c12cbc675443176a
        NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=703366 (not public 
yet)
 CVE-2021-3406 (A flaw was found in keylime 5.8.1 and older. The issue in the 
Keylime  ...)
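Review bot: `[buster] - mupdf <no-dsa> (Minor issue)` for CVE-2021-3407 leaves buster unfixed while the same entry already carries {DLA-2589-1} and a fixed unstable version, and the description calls the bug a double free. "Minor issue" does not explain why a memory-safety bug that received an LTS advisory needs no update here; give the concrete reason in the parenthesis, or add a NOTE that it is queued for a point release.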
@@ -17032,6 +17033,7 @@ CVE-2021-24116
        RESERVED
 CVE-2021-24115 (In Botan before 2.17.3, constant-time computations are not 
used for ce ...)
        - botan 2.17.3+dfsg-1
+       [buster] - botan <no-dsa> (Minor issue)
        - botan1.10 <removed>
        [stretch] - botan1.10 <not-affected> (Vulnerable code not present)
        NOTE: https://github.com/randombit/botan/pull/2549
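Review bot: the reason on `[buster] - botan <no-dsa> (Minor issue)` is generic for an issue the description summarises as missing constant-time computations. A short NOTE naming the affected operation and why the side channel is hard to reach in buster would let someone re-triage this without reading the upstream pull request.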
@@ -24357,6 +24359,7 @@ CVE-2021-21367 (Switchboard Bluetooth Plug for 
elementary OS from version 2.3.0
        NOT-FOR-US: Switchboard Bluetooth Plug for elementary OS
 CVE-2021-21366 (xmldom is a pure JavaScript W3C standard-based (XML DOM Level 
2 Core)  ...)
        - node-xmldom 0.5.0-1
+       [buster] - node-xmldom <no-dsa> (Minor issue)
        NOTE: 
https://github.com/xmldom/xmldom/security/advisories/GHSA-h6q6-9hqw-rwfv
        NOTE: 
https://github.com/xmldom/xmldom/commit/d4201b9dfbf760049f457f9f08a3888d48835135
 CVE-2021-21365
@@ -34891,6 +34894,7 @@ CVE-2020-28497
        RESERVED
 CVE-2020-28496 (This affects the package three before 0.125.0. This can happen 
when ha ...)
        - three.js <unfixed>
+       [buster] - three.js <no-dsa> (Minor issue)
        [stretch] - three.js <no-dsa> (can be fixed along in next DLA)
        NOTE: 
https://github.com/mrdoob/three.js/pull/21143/commits/4a582355216b620176a291ff319d740e619d583e
        NOTE: https://github.com/mrdoob/three.js/issues/21132
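Review bot: the added `[buster] - three.js <no-dsa> (Minor issue)` and the existing stretch line `(can be fixed along in next DLA)` give different rationales for the same unfixed issue. If buster is likewise meant to be fixed opportunistically with a later update, say so in the reason; if not, the stretch wording is worth revisiting so both suites read consistently.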
@@ -43295,6 +43299,7 @@ CVE-2020-25865
        RESERVED
 CVE-2020-25864 (HashiCorp Consul and Consul Enterprise up to version 1.9.4 
key-value ( ...)
        - consul <unfixed>
+       [buster] - consul <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1950275
        NOTE: https://github.com/hashicorp/consul/pull/10023
 CVE-2020-25863 (In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and 2.6.0 to 
2.6.20, the ...)
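Review bot: `[buster] - consul <no-dsa> (Minor issue)` is added under `- consul <unfixed>`, and that unfixed line carries no bug reference, so nothing visible in the CVE-2020-25864 entry tracks getting the fix from the pull request in the NOTE into the package. File a bug against consul and add it as `(bug #...)` on the `<unfixed>` line.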
@@ -43698,6 +43703,7 @@ CVE-2020-25711 (A flaw was found in infinispan 10 REST 
API, where authorization
 CVE-2020-25708 (A divide by zero issue was found to occur in 
libvncserver-0.9.12. A ma ...)
        {DLA-2451-1}
        - libvncserver 0.9.13+dfsg-1
+       [buster] - libvncserver <no-dsa> (Minor issue)
        NOTE: https://github.com/LibVNC/libvncserver/issues/409
        NOTE: 
https://github.com/LibVNC/libvncserver/commit/673c07a75ed844d74676f3ccdcfdc706a7052dba
 CVE-2020-25707
@@ -43972,18 +43978,21 @@ CVE-2020-25654 (An ACL bypass flaw was found in 
pacemaker. An attacker having a
 CVE-2020-25653 (A race condition vulnerability was found in the way the 
spice-vdagentd ...)
        {DLA-2524-1}
        - spice-vdagent 0.20.0-2 (bug #973769)
+       [buster] - spice-vdagent <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/1
        NOTE: 
https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/51c415df82a52e9ec033225783c77df95f387891
        NOTE: 
https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/5c50131797e985d0a5654c1fd7000ae945ed29a7
 CVE-2020-25652 (A flaw was found in the spice-vdagentd daemon, where it did 
not proper ...)
        {DLA-2524-1}
        - spice-vdagent 0.20.0-2 (bug #973769)
+       [buster] - spice-vdagent <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/1
        NOTE: 
https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/91caa9223857708475d29df1768208fed1675340
        NOTE: 
https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/812ca777469a377c84b9861d7d326bfc72563304
 CVE-2020-25651 (A flaw was found in the SPICE file transfer protocol. File 
data from t ...)
        {DLA-2524-1}
        - spice-vdagent 0.20.0-2 (bug #973769)
+       [buster] - spice-vdagent <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/1
        NOTE: 
https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/1a8b93ca6ac0b690339ab7f0afc6fc45d198d332
        NOTE: 
https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/9d35d8a86fb310fc1f29d428c0a96995948d2357
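Review bot: the three `[buster] - spice-vdagent <no-dsa> (Minor issue)` lines in this hunk (CVE-2020-25653, CVE-2020-25652, CVE-2020-25651) each judge one issue in isolation, yet all three share {DLA-2524-1} and the same fixed version 0.20.0-2. Consider recording in the reason or in a NOTE that they can be fixed together in a point release, since the combined set makes a stronger case for an update than any single "Minor issue".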
@@ -43992,6 +44001,7 @@ CVE-2020-25651 (A flaw was found in the SPICE file 
transfer protocol. File data
 CVE-2020-25650 (A flaw was found in the way the spice-vdagentd daemon handled 
file tra ...)
        {DLA-2524-1}
        - spice-vdagent 0.20.0-2 (bug #973769)
+       [buster] - spice-vdagent <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2020/11/04/1
        NOTE: 
https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/1a8b93ca6ac0b690339ab7f0afc6fc45d198d332
        NOTE: 
https://gitlab.freedesktop.org/spice/linux/vd_agent/-/commit/9d35d8a86fb310fc1f29d428c0a96995948d2357
@@ -81350,8 +81360,11 @@ CVE-2019-20503 (usrsctp before 2019-12-20 has 
out-of-bounds reads in sctp_load_a
        NOTE: 
https://github.com/sctplab/usrsctp/commit/790a7a2555aefb392a5a69923f1e9d17b4968467
 CVE-2020-10187 (Doorkeeper version 5.0.0 and later contains an information 
disclosure  ...)
        - ruby-doorkeeper 5.0.3-1 (bug #959903)
+       [buster] - ruby-doorkeeper <not-affected> (Vulnerable code not present)
+       [stretch] - ruby-doorkeeper <not-affected> (Vulnerable code not present)
        NOTE: 
https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6
        NOTE: 
https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9
+       NOTE: Introduced in 
https://github.com/doorkeeper-gem/doorkeeper/commit/4acc923dc77fa00928268136f54136d5a6a865dc
 (v5.0.0.rc1)
 CVE-2020-10186
        RESERVED
 CVE-2020-10185 (The sync endpoint in YubiKey Validation Server before 2.40 
allows remo ...)
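Review bot: the two `<not-affected> (Vulnerable code not present)` lines for ruby-doorkeeper depend on the added NOTE that the code was introduced in v5.0.0.rc1, but nothing in the entry states which versions buster and stretch ship. Put the boundary into the reason itself, e.g. "Vulnerable code introduced in 5.0.0.rc1", so the claim can be checked from the suite lines alone.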
@@ -129149,6 +129162,7 @@ CVE-2019-12401 (Solr versions 1.3.0 to 1.4.1, 3.1.0 
to 3.6.2 and 4.0.0 to 4.10.4
        NOTE: when parsing specially crafted XML data.
 CVE-2019-12400 (In version 2.0.3 Apache Santuario XML Security for Java, a 
caching mec ...)
        - libxml-security-java <unfixed> (bug #935548)
+       [buster] - libxml-security-java <no-dsa> (Minor issue)
        [stretch] - libxml-security-java <not-affected> (Vulnerable code 
introduced in 2.0.3)
        [jessie] - libxml-security-java <not-affected> (Vulnerable code 
introduced in 2.0.3)
        NOTE: http://santuario.apache.org/secadv.data/CVE-2019-12400.asc


=====================================
data/dsa-needed.txt
=====================================
@@ -29,6 +29,8 @@ ndpi
 --
 jetty9
 --
+openjdk-11 (jmm)
+--
 python-pysaml2 (jmm)
 --
 salt
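Review bot: the `openjdk-11 (jmm)` entry is added to data/dsa-needed.txt under the commit message "buster triage", and none of the data/CVE/list hunks in this commit touch an openjdk-11 entry. Mention the addition in the commit message, or commit it separately, so the history shows when and why openjdk-11 was queued for a DSA.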



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4722c65f23140063413305dd7e591694879e103
