[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff Fri, 23 Apr 2021 10:23:17 -0700


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker



Commits:
38a9e4b4 by Moritz Muehlenhoff at 2021-04-23T19:22:26+02:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -41,6 +41,7 @@ CVE-2021-31598
        RESERVED
 CVE-2021-31597 (The xmlhttprequest-ssl package before 1.6.1 for Node.js 
disables SSL c ...)
        - node-xmlhttprequest-ssl <unfixed>
+       [buster] - node-xmlhttprequest-ssl <ignored> (Minor issue, should 
possibly be removed from stable as well)
        NOTE: 
https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2
        NOTE: 
https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt
 CVE-2021-31596
@@ -180,6 +181,7 @@ CVE-2021-23215
 CVE-2021-23169 [Heap-buffer-overflow in Imf_2_5::copyIntoFrameBuffer]
        RESERVED
        - openexr <unfixed>
+       [buster] - openexr <not-affected> (Vulnerable code not present)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28051
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/ae6d203892cc9311917a7f4f05354ef792b3e58e
 CVE-2020-36324 (Wikimedia Quarry analytics-quarry-web before 2020-12-15 allows 
Reflect ...)
@@ -3247,6 +3249,7 @@ CVE-2021-30147 (DMA Softlab Radius Manager 4.4.0 allows 
CSRF with impacts such a
        NOT-FOR-US: DMA Softlab Radius Manager
 CVE-2021-30146 (Seafile 7.0.5 (2019) allows Persistent XSS via the "share of 
library f ...)
        - seafile-client <unfixed> (bug #987282)
+       [buster] - seafile-client <no-dsa> (Minor issue)
        NOTE: https://github.com/Security-AVS/CVE-2021-30146
 CVE-2021-30145
        RESERVED
@@ -4854,10 +4857,12 @@ CVE-2021-29430 (Sydent is a reference Matrix identity 
server. Sydent does not li
        NOT-FOR-US: Matrix Sydent
 CVE-2021-29429 (In Gradle before version 7.0, files created with open 
permissions in t ...)
        - gradle <unfixed> (bug #987284)
+       [buster] - gradle <no-dsa> (Minor issue)
        [stretch] - gradle <no-dsa> (Minor issue)
        NOTE: 
https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8
 CVE-2021-29428 (In Gradle before version 7.0, on Unix-like systems, the system 
tempora ...)
        - gradle <unfixed> (bug #987284)
+       [buster] - gradle <no-dsa> (Minor issue)
        [stretch] - gradle <no-dsa> (Minor issue; sticky bit on /tmp is set by 
default)
        NOTE: 
https://github.com/gradle/gradle/security/advisories/GHSA-89qm-pxvm-p336
 CVE-2021-29427 (In Gradle from version 5.1 and before version 7.0 there is a 
vulnerabi ...)
@@ -8462,8 +8467,8 @@ CVE-2021-27906 (A carefully crafted PDF file can trigger 
an OutOfMemory-Exceptio
        NOTE: https://issues.apache.org/jira/browse/PDFBOX-5112
 CVE-2021-27905 (The ReplicationHandler (normally registered at "/replication" 
under a  ...)
        - lucene-solr <unfixed>
+       [buster] - lucene-solr <ignored> (Minor issue)
        NOTE: 
https://lists.apache.org/thread.html/r0ddc3a82bd7523b1453cb7a5e09eb5559517145425074a42eb326b10%40%3Cannounce.apache.org%3E
-       TODO: check details
 CVE-2021-27904 (An issue was discovered in app/Model/SharingGroupServer.php in 
MISP 2. ...)
        NOT-FOR-US: MISP
 CVE-2021-27903
@@ -27743,6 +27748,7 @@ CVE-2021-20209
        NOTE: 
https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=c62254a686dcd40e3b6e5753d0c7c0308209a7b6
 (3.0.29)
 CVE-2021-20208 (A flaw was found in cifs-utils in versions before 6.13. A user 
when mo ...)
        - cifs-utils <unfixed> (bug #987308)
+       [buster] - cifs-utils <no-dsa> (Minor issue)
        NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14651
        NOTE: 
https://lists.samba.org/archive/samba-technical/2021-April/136467.html
        NOTE: 
https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=e461afd8cfa6d0781ae0c5c10e89b6ef1ca6da32
@@ -31097,6 +31103,7 @@ CVE-2020-29600 (In AWStats through 7.7, 
cgi-bin/awstats.pl?config= accepts an ab
 CVE-2020-29599 (ImageMagick before 6.9.11-40 and 7.x before 7.0.10-40 
mishandles the - ...)
        {DLA-2523-1}
        - imagemagick 8:6.9.11.57+dfsg-1 (bug #977205)
+       [buster] - imagemagick <no-dsa> (Minor issue, 
200-disable-ghostscript-formats.patch addresses this)
        NOTE: https://github.com/ImageMagick/ImageMagick/discussions/2851
        NOTE: 
https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
        NOTE: ImageMagick: 
https://github.com/ImageMagick/ImageMagick/commit/a9e63436aa04c805fe3f9e2ed242dfa4621df823
@@ -35041,6 +35048,7 @@ CVE-2020-28502 (This affects the package xmlhttprequest 
before 1.7.0; all versio
        - node-xmlhttprequest 1.8.0-1
        [stretch] - node-xmlhttprequest <end-of-life> (Nodejs in stretch not 
covered by security support)
        - node-xmlhttprequest-ssl <unfixed>
+       [buster] - node-xmlhttprequest-ssl <ignored> (Minor issue, should 
possibly be removed from stable as well)
        [stretch] - node-xmlhttprequest-ssl <end-of-life> (Nodejs in stretch 
not covered by security support)
        NOTE: https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935
        NOTE: https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936
@@ -38334,9 +38342,11 @@ CVE-2020-27830 [Linux kernel NULL-ptr deref bug in 
spk_ttyio_receive_buf2]
        NOTE: 
https://git.kernel.org/linus/f0992098cadb4c9c6a00703b66cafe604e178fea
 CVE-2020-27829 (A heap based buffer overflow in coders/tiff.c may result in 
program cr ...)
        - imagemagick 8:6.9.11.57+dfsg-1
+       [buster] - imagemagick <not-affected> (Vulnerable code not present)
        [stretch] - imagemagick <not-affected> (vulnerable code was introduced 
later)
        NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/6ee5059cd3ac8d82714a1ab1321399b88539abf0
        NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/e30be60bd97313b80e2701239728a3f47c570817
+       NOTE: Introduced in 
https://github.com/ImageMagick/ImageMagick6/commit/b874d50070557eb98bdc6a3095ef4769af583dd2
 CVE-2020-27828 (There's a flaw in jasper's jpc encoder in versions prior to 
2.0.23. Cr ...)
        - jasper <removed>
        NOTE: https://github.com/jasper-software/jasper/issues/252
@@ -38683,6 +38693,7 @@ CVE-2020-27753 (There are several memory leaks in the 
MIFF coder in /coders/miff
        NOTE: ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/6f5d3d2cd94eb8361e07546c4bf72cb60681b984
 CVE-2020-27752 (A flaw was found in ImageMagick in 
MagickCore/quantum-private.h. An at ...)
        - imagemagick 8:6.9.11.24+dfsg-1
+       [buster] - imagemagick <ignored> (Minor issue)
        [stretch] - imagemagick <ignored> (Minor issue)
        NOTE: https://github.com/ImageMagick/ImageMagick/issues/1752
        NOTE: ImageMagick: 
https://github.com/ImageMagick/ImageMagick/commit/a9d563d3d73874312080d30dc4ba07cecad56192
@@ -43970,6 +43981,7 @@ CVE-2020-25675 (In the CropImage() and 
CropImageToTiles() routines of MagickCore
 CVE-2020-25674 (WriteOnePNGImage() from coders/png.c (the PNG coder) has a for 
loop wi ...)
        {DLA-2523-1}
        - imagemagick 8:6.9.11.24+dfsg-1
+       [buster] - imagemagick <no-dsa> (Minor issue)
        NOTE: https://github.com/ImageMagick/ImageMagick/issues/1715
        NOTE: ImageMagick: 
https://github.com/ImageMagick/ImageMagick/commit/67b871032183a29d3ca0553db6ce1ae80fddb9aa
        NOTE: ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/2fdff8e040cd4401498d89f3c3d1f89cffd118b0
@@ -48036,6 +48048,7 @@ CVE-2020-23923
        RESERVED
 CVE-2020-23922 (An issue was discovered in giflib through 5.1.4. 
DumpScreen2RGB in gif ...)
        - giflib <unfixed>
+       [buster] - giflib <no-dsa> (Minor issue)
        [stretch] - giflib <no-dsa> (Minor issue)
        NOTE: https://sourceforge.net/p/giflib/bugs/151/
 CVE-2020-23921 (An issue was discovered in fast_ber through v0.4. yy::yylex() 
in asn_c ...)
@@ -66802,6 +66815,7 @@ CVE-2020-15079 (In PrestaShop from version 1.5.0.0 and 
before version 1.7.6.6, t
 CVE-2020-15078
        RESERVED
        - openvpn <unfixed> (bug #987380)
+       [buster] - openvpn <no-dsa> (Minor issue)
        NOTE: 
https://github.com/OpenVPN/openvpn/commit/f7b3bf067ffce72e7de49a4174fd17a3a83f0573
 (v2.5.2)
        NOTE: 
https://github.com/OpenVPN/openvpn/commit/3d18e308c4e7e6f7ab7c2826c70d2d07b031c18a
 (v2.5.2)
        NOTE: 
https://github.com/OpenVPN/openvpn/commit/3aca477a1b58714754fea3a26d0892fffc51db6b
 (v2.5.2)


=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,14 @@ condor
 --
 gst-plugins-good1.0 (jmm)
 --
+gst-libav1.0 (jmm)
+--
+gst-plugins-bad1.0 (jmm)
+--
+gst-plugins-base1.0 (jmm)
+--
+gst-plugins-ugly1.0 (jmm)
+--
 libhibernate3-java
   Markus Koschany proposed debdiff for review: 
<[email protected]>
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38a9e4b41bbf3d245b9b0c99d5b11cb7b4686822

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38a9e4b41bbf3d245b9b0c99d5b11cb7b4686822
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] buster triage

Reply via email to