Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker
Commits:
972b5182 by Chris Lamb at 2021-06-07T08:29:46+01:00
Triage CVE-2021-33516 in gupnp for stretch LTS.
- - - - -
79b29a8a by Chris Lamb at 2021-06-07T08:29:47+01:00
Triage CVE-2021-31855 in kf5-messagelib for stretch LTS.
- - - - -
12fea034 by Chris Lamb at 2021-06-07T08:29:47+01:00
Triage CVE-2021-33560 in libgcrypt20 for stretch LTS.
- - - - -
b8d1aa07 by Chris Lamb at 2021-06-07T08:33:02+01:00
data/dla-needed.txt: Triage ffmpeg for stretch LTS.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -767,6 +767,7 @@ CVE-2021-33560 [cipher: Fix ElGamal encryption for other
implementations.]
RESERVED
- libgcrypt20 1.8.7-6
[buster] - libgcrypt20 <no-dsa> (Minor issue)
+ [stretch] - libgcrypt20 <no-dsa> (Minor issue)
NOTE: https://dev.gnupg.org/T5328 (not yet public)
NOTE:
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=3462280f2e23e16adf3ed5176e0f2413d8861320
CVE-2021-33559
@@ -863,6 +864,7 @@ CVE-2021-33516 (An issue was discovered in GUPnP before
1.0.7 and 1.1.x and 1.2.
- gupnp <unfixed> (bug #989098)
[bullseye] - gupnp <no-dsa> (Minor issue)
[buster] - gupnp <no-dsa> (Minor issue)
+ [stretch] - gupnp <no-dsa> (Minor issue)
NOTE:
https://discourse.gnome.org/t/security-relevant-releases-for-gupnp-issue-cve-2021-33516/6536
NOTE: https://gitlab.gnome.org/GNOME/gupnp/-/issues/24
CVE-2021-33515
@@ -4757,6 +4759,7 @@ CVE-2021-31856 (A SQL Injection vulnerability in the REST
API in Layer5 Meshery
CVE-2021-31855 (KDE Messagelib through 5.17.0 reveals cleartext of encrypted
messages ...)
- kf5-messagelib <unfixed> (bug #989438)
[buster] - kf5-messagelib <no-dsa> (Minor issue)
+ [stretch] - kf5-messagelib <no-dsa> (Minor issue)
- kdepim4 <removed>
NOTE: https://kde.org/info/security/advisory-20210429-1.txt
NOTE:
https://commits.kde.org/messagelib/3b5b171e91ce78b966c98b1292a1bcbc8d984799
=====================================
data/dla-needed.txt
=====================================
@@ -40,6 +40,16 @@ eterm (Utkarsh)
NOTE: 20210521: src/term.c:process_escape_seq(), probably just disable
vulnerable escape sequence
NOTE: 20210607: proposed a fix. (utkarsh)
--
+ffmpeg
+ NOTE: 20210607: stretch was following the 3.2.x release line, but 3.2.15
+ NOTE: 20210607: (released 2020-07-02) was the last on this branch. There are
+ NOTE: 20210607: now 10+ ~new CVEs that nominally apply to the version in LTS,
+ NOTE: 20210607: so some investigation and insight is required to see which
+ NOTE: 20210607: apply and/or what we do with the version of ffmpeg in LTS
+ NOTE: 20210607: going forward. There is a 3.4.x release branch, for example,
+ NOTE: 20210607: but unclear on the compatibility as well as whether this one
+ NOTE: 20210607: won't just be dropped too, etc. etc. (lamby)
+--
gpac (Thorsten Alteholz)
NOTE: 20210607: WIP
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ceb3f1f6b739d921417b34188da274fc90957cc7...b8d1aa07dba71d47c772c8f7c52c24a70db7d442
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ceb3f1f6b739d921417b34188da274fc90957cc7...b8d1aa07dba71d47c772c8f7c52c24a70db7d442
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
