Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
137fe025 by Moritz Mühlenhoff at 2021-05-24T23:16:44+02:00
bullseye triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -4909,6 +4909,7 @@ CVE-2021-31403 (Non-constant-time comparison of CSRF
tokens in UIDL request hand
NOT-FOR-US: Vaadin
CVE-2021-3502 (A flaw was found in avahi 0.8-5. A reachable assertion is
present in a ...)
- avahi <unfixed> (bug #986018)
+ [bullseye] - avahi <no-dsa> (Minor issue)
[buster] - avahi <not-affected> (Vulnerable code introduced later)
[stretch] - avahi <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/lathiat/avahi/issues/338
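Review bot: the new `[bullseye] - avahi <no-dsa> (Minor issue)` line is consistent with the reachable-assertion (crash) nature of CVE-2021-3502, but the unstable entry still reads `avahi <unfixed> (bug #986018)` with no fixed upstream version noted; since the upstream issue is linked, record the version that carries the fix in a NOTE so the bullseye point-release candidate can be identified later without re-triage.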
@@ -9005,6 +9006,8 @@ CVE-2020-36284 (Union Pay up to 3.4.93.4.9, for android,
contains a CWE-347: Imp
NOT-FOR-US: Union Pay
CVE-2021-3480 (A flaw was found in slapi-nis in versions before 0.56.7. A NULL
pointe ...)
- slapi-nis <unfixed> (bug #988736)
+ [bullseye] - slapi-nis <no-dsa> (Minor issue)
+ [buster] - slapi-nis <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1944640
NOTE:
https://pagure.io/slapi-nis/c/c7417ea2d534712e559b56ed45baa91c5d3d44db?branch=master
CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in
versions bef ...)
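Review bot: for CVE-2021-3480 the description already states the fix is in slapi-nis 0.56.7 and the pagure commit is linked, yet the entry stays `slapi-nis <unfixed> (bug #988736)` with no target version; adding the fixed upstream version (e.g. as a NOTE, or as the fixed version once it is uploaded) would let the `<no-dsa>` markers for bullseye and buster be revisited from the tracker alone.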
@@ -10006,6 +10009,7 @@ CVE-2021-3469
CVE-2021-3468 [Local DoS by event-busy-loop from writing long lines to
/run/avahi-daemon/socket]
RESERVED
- avahi <unfixed> (bug #984938)
+ [bullseye] - avahi <no-dsa> (Minor issue)
[buster] - avahi <no-dsa> (Minor issue)
[stretch] - avahi <postponed> (Minor issue; can be fixed in next DLA)
NOTE: https://github.com/lathiat/avahi/pull/330
@@ -10803,19 +10807,29 @@ CVE-2021-28908
CVE-2021-28907
RESERVED
CVE-2021-28906 (In function read_yin_leaf() in libyang <= v1.0.225, it
doesn't chec ...)
- - libyang <unfixed>
+ - libyang <unfixed> (bug #989060)
+ [bullseye] - libyang <no-dsa> (Minor issue)
+ [buster] - libyang <no-dsa> (Minor issue)
NOTE: https://github.com/CESNET/libyang/issues/1455
CVE-2021-28905 (In function lys_node_free() in libyang <= v1.0.225, it
asserts that ...)
- - libyang <unfixed>
+ - libyang <unfixed> (bug #989060)
+ [bullseye] - libyang <no-dsa> (Minor issue)
+ [buster] - libyang <no-dsa> (Minor issue)
NOTE: https://github.com/CESNET/libyang/issues/1452
CVE-2021-28904 (In function ext_get_plugin() in libyang <= v1.0.225, it
doesn't che ...)
- - libyang <unfixed>
+ - libyang <unfixed> (bug #989060)
+ [bullseye] - libyang <no-dsa> (Minor issue)
+ [buster] - libyang <no-dsa> (Minor issue)
NOTE: https://github.com/CESNET/libyang/issues/1451
CVE-2021-28903 (A stack overflow in libyang <= v1.0.225 can cause a denial
of servi ...)
- - libyang <unfixed>
+ - libyang <unfixed> (bug #989060)
+ [bullseye] - libyang <no-dsa> (Minor issue)
+ [buster] - libyang <no-dsa> (Minor issue)
NOTE: https://github.com/CESNET/libyang/issues/1453
CVE-2021-28902 (In function read_yin_container() in libyang <= v1.0.225, it
doesn't ...)
- - libyang <unfixed>
+ - libyang <unfixed> (bug #989060)
+ [bullseye] - libyang <no-dsa> (Minor issue)
+ [buster] - libyang <no-dsa> (Minor issue)
NOTE: https://github.com/CESNET/libyang/issues/1454
CVE-2021-28901
RESERVED
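Review bot: all five libyang entries (CVE-2021-28902 through CVE-2021-28906) now point at the single bug #989060 and mark buster `<no-dsa>`; the descriptions say "libyang <= v1.0.225", so please confirm buster's libyang version actually falls in that range rather than deserving `<not-affected>`, and make sure bug #989060 lists all five CVE ids so the tracker's bug cross-reference resolves for each of them.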
@@ -11309,7 +11323,7 @@ CVE-2021-28679
CVE-2021-28678
RESERVED
[experimental] - pillow 8.2.0-1
- - pillow <unfixed>
+ - pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE:
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28678-fix-blp-dos
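Review bot: this hunk (and the following pillow hunks for CVE-2021-28677, -28676 and -28675) only attaches bug #989062 to `pillow <unfixed>` and adds no `[bullseye]` line, unlike every other package touched in this bullseye triage commit; state the bullseye decision explicitly, either `<no-dsa> (Minor issue)` to match buster and stretch, or a note that 8.2.0 from experimental is expected to migrate, so the entry does not read as still untriaged.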
@@ -11317,7 +11331,7 @@ CVE-2021-28678
CVE-2021-28677
RESERVED
[experimental] - pillow 8.2.0-1
- - pillow <unfixed>
+ - pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE:
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28677-fix-eps-dos-on-open
@@ -11325,7 +11339,7 @@ CVE-2021-28677
CVE-2021-28676
RESERVED
[experimental] - pillow 8.2.0-1
- - pillow <unfixed>
+ - pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE:
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28676-fix-fli-dos
@@ -11333,7 +11347,7 @@ CVE-2021-28676
CVE-2021-28675
RESERVED
[experimental] - pillow 8.2.0-1
- - pillow <unfixed>
+ - pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE:
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-28675-fix-dos-in-psdimageplugin
@@ -11383,6 +11397,7 @@ CVE-2021-3449 (An OpenSSL TLS server may crash if sent
a maliciously crafted ren
CVE-2021-28687 [HVM soft-reset crashes toolstack]
RESERVED
- xen <unfixed>
+ [bullseye] - xen <postponed> (Fix along with next round of updates)
[buster] - xen <not-affected> (Vulnerable code introduced later)
[stretch] - xen <not-affected> (Vulnerable code introduced later)
NOTE: https://xenbits.xen.org/xsa/advisory-368.html
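Review bot: `[bullseye] - xen <postponed> (Fix along with next round of updates)` is fine, but the unstable line above it is bare `xen <unfixed>` with no bug number, whereas the other `<unfixed>` entries in this commit carry one; file or reference the Debian bug for XSA-368 so the postponed fix has something to track against.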
@@ -19635,7 +19650,7 @@ CVE-2021-25289 (An issue was discovered in Pillow
before 8.1.1. TiffDecode has a
CVE-2021-25288
RESERVED
[experimental] - pillow 8.2.0-1
- - pillow <unfixed>
+ - pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE:
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode
@@ -19643,10 +19658,11 @@ CVE-2021-25288
CVE-2021-25287
RESERVED
[experimental] - pillow 8.2.0-1
- - pillow <unfixed>
+ - pillow <unfixed> (bug #989062)
[buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <no-dsa> (Minor issue)
NOTE:
https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#cve-2021-25287-cve-2021-25288-fix-oob-read-in-jpeg2kdecode
+ NOTE:
https://github.com/python-pillow/Pillow/commit/3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87
CVE-2021-3185 (A flaw was found in the gstreamer h264 component of
gst-plugins-bad be ...)
{DSA-4833-1 DLA-2528-1}
- gst-plugins-bad1.0 1.18.1-1
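Review bot: the added NOTE with the upstream commit 3bf5eddb89afdf690eceaa52bc4d3546ba9a5f87 is attached only to CVE-2021-25287, while the release-notes anchor it sits next to covers both CVE-2021-25287 and CVE-2021-25288; if that commit is the OOB-read fix for both, add the same NOTE under CVE-2021-25288 in the preceding hunk so both entries carry the fix reference.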
@@ -37759,26 +37775,31 @@ CVE-2020-26235 (In Rust time crate from version 0.2.7
and before version 0.2.23,
NOTE: Deprecated in:
https://github.com/time-rs/time/commit/f153a1ca5fdfec979f16c49619e6034cc67e186d
(v0.2.23)
CVE-2020-35914 (An issue was discovered in the lock_api crate before 0.4.2 for
Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [bullseye] - rust-lock-api <no-dsa> (Minor issue)
[buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-35913 (An issue was discovered in the lock_api crate before 0.4.2 for
Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [bullseye] - rust-lock-api <no-dsa> (Minor issue)
[buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-35912 (An issue was discovered in the lock_api crate before 0.4.2 for
Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [bullseye] - rust-lock-api <no-dsa> (Minor issue)
[buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-35911 (An issue was discovered in the lock_api crate before 0.4.2 for
Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [bullseye] - rust-lock-api <no-dsa> (Minor issue)
[buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
CVE-2020-35910 (An issue was discovered in the lock_api crate before 0.4.2 for
Rust. A ...)
- rust-lock-api <unfixed> (bug #975319)
+ [bullseye] - rust-lock-api <no-dsa> (Minor issue)
[buster] - rust-lock-api <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
@@ -48707,26 +48728,32 @@ CVE-2020-25781 (An issue was discovered in
file_download.php in MantisBT before
- mantis <removed>
CVE-2020-25796 (An issue was discovered in the sized-chunks crate through
0.6.2 for Ru ...)
- rust-sized-chunks <unfixed> (bug #970586)
+ [bullseye] - rust-sized-chunks <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html
NOTE: https://github.com/bodil/sized-chunks/issues/11
CVE-2020-25795 (An issue was discovered in the sized-chunks crate through
0.6.2 for Ru ...)
- rust-sized-chunks <unfixed> (bug #970586)
+ [bullseye] - rust-sized-chunks <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html
NOTE: https://github.com/bodil/sized-chunks/issues/11
CVE-2020-25794 (An issue was discovered in the sized-chunks crate through
0.6.2 for Ru ...)
- rust-sized-chunks <unfixed> (bug #970586)
+ [bullseye] - rust-sized-chunks <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html
NOTE: https://github.com/bodil/sized-chunks/issues/11
CVE-2020-25793 (An issue was discovered in the sized-chunks crate through
0.6.2 for Ru ...)
- rust-sized-chunks <unfixed> (bug #970586)
+ [bullseye] - rust-sized-chunks <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html
NOTE: https://github.com/bodil/sized-chunks/issues/11
CVE-2020-25792 (An issue was discovered in the sized-chunks crate through
0.6.2 for Ru ...)
- rust-sized-chunks <unfixed> (bug #970586)
+ [bullseye] - rust-sized-chunks <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html
NOTE: https://github.com/bodil/sized-chunks/issues/11
CVE-2020-25791 (An issue was discovered in the sized-chunks crate through
0.6.2 for Ru ...)
- rust-sized-chunks <unfixed> (bug #970586)
+ [bullseye] - rust-sized-chunks <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0041.html
NOTE: https://github.com/bodil/sized-chunks/issues/11
CVE-2020-25780 (In CommCell in Commvault before 14.68, 15.x before 15.58, 16.x
before ...)
@@ -52178,6 +52205,7 @@ CVE-2020-24370 (ldebug.c in Lua 5.4.0 allows a negation
overflow and segmentatio
{DLA-2381-1}
- lua5.4 5.4.1-1 (bug #971613)
- lua5.3 <unfixed> (bug #988734)
+ [bullseye] - lua5.3 <no-dsa> (Minor issue)
[buster] - lua5.3 <no-dsa> (Minor issue)
NOTE: http://lua-users.org/lists/lua-l/2020-07/msg00324.html
NOTE: (lua5.4)
https://github.com/lua/lua/commit/a585eae6e7ada1ca9271607a4f48dfb17868ab7b
@@ -52250,6 +52278,7 @@ CVE-2020-24345 (** DISPUTED ** JerryScript through
2.3.0 allows stack consumptio
NOTE: Disputed JerryScript issue
CVE-2020-24344 (JerryScript through 2.3.0 has a (function({a=arguments}){const
argumen ...)
- iotjs <unfixed> (bug #988213)
+ [bullseye] - iotjs <no-dsa> (Minor issue)
[buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3976
NOTE:
https://github.com/jerryscript-project/jerryscript/commit/841d536fce1ce29267cdf0ea12be4026e1c35d3a
@@ -75203,6 +75232,8 @@ CVE-2020-13950
RESERVED
CVE-2020-13949 (In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could
send sho ...)
- thrift <unfixed> (bug #988949)
+ [bullseye] - thrift <no-dsa> (Minor issue)
+ [buster] - thrift <no-dsa> (Minor issue)
NOTE: https://seclists.org/oss-sec/2021/q1/140
CVE-2020-13948 (While investigating a bug report on Apache Superset, it was
determined ...)
NOT-FOR-US: Apache Superset
@@ -85423,6 +85454,7 @@ CVE-2020-10694
RESERVED
CVE-2020-10693 (A flaw was found in Hibernate Validator version 6.1.2.Final. A
bug in ...)
- libhibernate-validator-java <unfixed> (bug #988946)
+ [bullseye] - libhibernate-validator-java <no-dsa> (Minor issue)
[buster] - libhibernate-validator-java <not-affected> (EL support added
in 5.x)
[stretch] - libhibernate-validator-java <not-affected> (EL support
added in 5.x)
[jessie] - libhibernate-validator-java <not-affected> (EL support added
in 5.x)
@@ -89991,6 +90023,7 @@ CVE-2018-21034 (In Argo versions prior to v1.5.0-rc1,
it was possible for authen
NOT-FOR-US: Argo
CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext
HTTP, a ...)
- lxc-templates <unfixed> (bug #988730)
+ [bullseye] - lxc-templates <ignored> (Minor issue)
[buster] - lxc-templates <ignored> (Minor issue)
- lxc 1:3.0.3-1 (low)
[stretch] - lxc <no-dsa> (Minor issue)
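Review bot: `[bullseye] - lxc-templates <ignored> (Minor issue)` uses the same "Minor issue" wording as the `<no-dsa>` markers elsewhere in this commit, but `<ignored>` means the issue will not be fixed in that suite at all, not merely that it does not warrant a DSA; since the CVE is about template scripts fetching code over cleartext HTTP, spell out why it is being ignored (for example that the templates are unmaintained upstream or that fixing them requires an infrastructure change) so the distinction from the `<no-dsa>` entries is clear to the next person reading the file.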
@@ -140505,6 +140538,7 @@ CVE-2019-10220 (Linux kernel CIFS implementation,
version 4.9.0 is vulnerable to
[stretch] - linux 4.9.210-1
CVE-2019-10219 (A vulnerability was found in Hibernate-Validator. The SafeHtml
validat ...)
- libhibernate-validator-java <unfixed> (bug #948235)
+ [bullseye] - libhibernate-validator-java <no-dsa> (Minor issue)
[buster] - libhibernate-validator-java <not-affected> (Vulnerable code
was introduced later)
[stretch] - libhibernate-validator-java <not-affected> (Vulnerable code
was introduced later)
[jessie] - libhibernate-validator-java <not-affected> (Vulnerable code
was introduced later)
@@ -248294,6 +248328,7 @@ CVE-2017-9272 (The Bi-directional driver in IDM 4.5
before 4.0.3.0 could be susc
NOT-FOR-US: IDM
CVE-2017-9271 (The commandline package update tool zypper writes HTTP proxy
credentia ...)
- zypper <unfixed> (low; bug #988152)
+ [bullseye] - zypper <ignored> (Minor issue)
[buster] - zypper <ignored> (Minor issue)
[jessie] - zypper <ignored> (Minor issue)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1050625
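Review bot: the zypper entry now has `<ignored>` markers for bullseye, buster and jessie but no `[stretch]` line in between; if stretch ships zypper, add a matching stretch annotation, and if it does not, a short note saying so would keep the entry from looking incomplete next to the other suites.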
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/137fe02558c704211ce59a92a2f5ad2843a764de
--
debian-security-tracker-commits mailing list