Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bfa06328 by Sylvain Beucler at 2021-08-04T21:32:19+02:00
CVE-2021-20298/openexr: stretch postponed

- - - - -
4676904f by Sylvain Beucler at 2021-08-04T21:39:11+02:00
Reserve DLA-2732-1 for openexr

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -7499,7 +7499,6 @@ CVE-2021-3605 [Heap buffer overflow in the rleUncompress 
function]
        RESERVED
        - openexr <unfixed> (bug #990899)
        [buster] - openexr <no-dsa> (Minor issue)
-       [stretch] - openexr <postponed> (Minor issue, buffer read overflow, fix 
along next DLA)
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1036
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/25259a84827234a283f6f9db72978198c7a3f268
 (master)
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/3204008c0bd4c8d7599a052b304d1b44c4511283
 (v2.5)
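
Review bot: CVE-2021-3605 is left with no [stretch] annotation once the `<postponed>` line is removed, so within this entry stretch is covered only by the `- openexr <unfixed> (bug #990899)` line. The fixed version 2.2.0-11+deb9u4 appears only in data/DLA/list; check that a matching `[stretch] - openexr 2.2.0-11+deb9u4` line and the DLA-2732-1 cross-reference end up in this entry.
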
@@ -43643,6 +43642,7 @@ CVE-2021-20298 [Out-of-memory in B44Compressor]
        RESERVED
        - openexr 2.5.4-1
        [buster] - openexr <ignored> (Minor issue)
+       [stretch] - openexr <postponed> (Minor issue, OOM, revisit when there's 
a full fix upstream)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97
 (master) (partial fix)
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/0c2b46f630a3b5f2f561c2849d047ee39f899179
 (2.5.x) (partial fix)
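
Review bot: The added [stretch] `<postponed>` line says to revisit when there is a full fix upstream, but the entry has no pointer to where that fix would be tracked: the NOTE lines cite only the oss-fuzz issue and the two partial-fix commits. Consider adding a NOTE with the upstream issue or PR to watch. Buster is `<ignored>` and stretch is `<postponed>` for the same "Minor issue"; if the difference is intentional, a word in the annotation would make that clear.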


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[04 Aug 2021] DLA-2732-1 openexr - security update
+       {CVE-2021-3605 CVE-2021-20299 CVE-2021-20300 CVE-2021-20302 
CVE-2021-20303}
+       [stretch] - openexr 2.2.0-11+deb9u4
 [04 Aug 2021] DLA-2731-1 wordpress - security update
        [stretch] - wordpress 4.7.21+dfsg-0+deb9u1
 [04 Aug 2021] DLA-2730-1 libpam-tacplus - security update
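
Review bot: The CVE set on DLA-2732-1 names CVE-2021-20299, CVE-2021-20300, CVE-2021-20302 and CVE-2021-20303, but the data/CVE/list hunks in this push touch only CVE-2021-3605 and CVE-2021-20298. Confirm that the stretch status of those four entries in data/CVE/list agrees with 2.2.0-11+deb9u4. Leaving CVE-2021-20298 out of the set is consistent with its new `<postponed>` annotation.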


=====================================
data/dla-needed.txt
=====================================
@@ -67,8 +67,6 @@ nvidia-graphics-drivers
   NOTE: package is in non-free but also in packages-to-support
   NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in 
Stretch, no fix available for CVE-2021-1077
 --
-openexr (Sylvain Beucler)
---
 openjdk-8 (Emilio)
 --
 pillow (codehelp)
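
Review bot: Style point in the unchanged context above the removed openexr entry: `CVE‑2021‑1076` in the nvidia-graphics-drivers NOTE is written with non-ASCII hyphen characters, unlike `CVE-2021-1077` in the same note, so a plain-text search for the ID will not match it. Worth normalising to ASCII hyphens in a separate commit. The removal of the openexr entry itself fits the DLA-2732-1 reservation in data/DLA/list.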



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e47a6414e5f5eef0223516f31464c196be944ffe...4676904f2953caeaa3e958eb5054de1672dc5f32
