Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
15fc3768 by Moritz Muehlenhoff at 2021-08-05T20:57:56+02:00
bullseye/buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -5855,6 +5855,8 @@ CVE-2021-35502 
(app/View/Elements/genericElements/IndexTable/Fields/generic_fiel
 CVE-2021-3622
        RESERVED
        - hivex <unfixed> (bug #991860)
+       [bullseye] - hivex <no-dsa> (Minor issue)
+       [buster] - hivex <no-dsa> (Minor issue)
        NOTE: 
https://listman.redhat.com/archives/libguestfs/2021-August/msg00002.html
        NOTE: 
https://github.com/libguestfs/hivex/commit/771728218dac2fbf6997a7e53225e75a4c6b7255
 CVE-2021-35501 (PandoraFMS &lt;=7.54 allows Stored XSS by placing a payload in 
the nam ...)
@@ -7641,6 +7643,7 @@ CVE-2021-3603 (PHPMailer 6.4.1 and earlier contain a 
vulnerability that can resu
 CVE-2021-3602 [Host environment variables leaked in build container when using 
chroot isolation]
        RESERVED
        - golang-github-containers-buildah <unfixed>
+       [bullseye] - golang-github-containers-buildah <no-dsa> (Minor issue)
        NOTE: 
https://github.com/containers/buildah/security/advisories/GHSA-7638-r9r3-rmjj
        NOTE: 
https://github.com/containers/buildah/commit/a468ce0ffd347035d53ee0e26c205ef604097fb0
 (main)
        NOTE: 
https://github.com/containers/buildah/commit/23c478b815fb93c094070baa336bcb6a27c01683
 (release-1.21)
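Review bot: The `<unfixed>` line for golang-github-containers-buildah under CVE-2021-3602 carries no bug reference, unlike the hivex, dogtag-pki and fastapi entries triaged in this same commit, so once bullseye is marked `<no-dsa>` nothing in this entry points at a BTS bug tracking the fix. Consider filing a bug and adding it to the unfixed line in the same `(bug #NNNNNN)` form the other entries use, with the real number once it exists.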
@@ -11765,6 +11768,7 @@ CVE-2021-32926 (When an authenticated password change 
request takes place, this
 CVE-2021-3551
        RESERVED
        - dogtag-pki <unfixed> (bug #991665)
+       [bullseye] - dogtag-pki <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1959971
        NOTE: 
https://github.com/dogtagpki/pki/commit/0c2f3b84499584bb6029f5ba3988ed3cb081e548
        NOTE: 
https://github.com/dogtagpki/pki/commit/b01cd8cc7d3e391e69ed2c8161f7e15fa84553e6
@@ -12386,6 +12390,7 @@ CVE-2021-32678 (Nextcloud Server is a Nextcloud package 
that handles data storag
        - nextcloud-server <itp> (bug #941708)
 CVE-2021-32677 (FastAPI is a web framework for building APIs with Python 3.6+ 
based on ...)
        - fastapi <unfixed> (bug #990582)
+       [bullseye] - fastapi <no-dsa> (Minor issue)
        NOTE: 
https://github.com/tiangolo/fastapi/security/advisories/GHSA-8h2j-cgx8-6xv7
        NOTE: 
https://github.com/tiangolo/fastapi/commit/fa7e3c996edf2d5482fff8f9d890ac2390dede4d
 (0.65.2)
 CVE-2021-32676 (Nextcloud Talk is a fully on-premises audio/video and chat 
communicati ...)
@@ -15948,12 +15953,15 @@ CVE-2021-31293
        RESERVED
 CVE-2021-31292 (An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 
allows att ...)
        - exiv2 <unfixed> (bug #991706)
+       [bullseye] - exiv2 <no-dsa> (Minor issue)
+       [buster] - exiv2 <no-dsa> (Minor issue)
        NOTE: https://github.com/Exiv2/exiv2/issues/1530
-       TODO: check older versions
+       NOTE: 
https://github.com/Exiv2/exiv2/commit/9b7a19f957af53304655ed1efe32253a1b11a8d0
+       NOTE: In older releases affected code is in src/crwimage.cpp
 CVE-2021-31291 (A heap-based buffer overflow vulnerability in jp2image.cpp of 
Exiv2 0. ...)
        - exiv2 <unfixed> (bug #991705)
        NOTE: https://github.com/Exiv2/exiv2/issues/1529
-       TODO: check oder versions
+       NOTE: 
https://github.com/Exiv2/exiv2/commit/0230620e6ea5e2da0911318e07ce6e66d1ebdf22
 CVE-2021-31290
        RESERVED
 CVE-2021-31289
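Review bot: Under CVE-2021-31291 the `TODO: check oder versions` line is removed and replaced only by the upstream commit NOTE, so the outcome of that check is not recorded anywhere in the entry. CVE-2021-31292 just above gets both per-release `<no-dsa>` lines and a NOTE saying where the affected code lives in older releases. Suggest adding an equivalent NOTE, or explicit [bullseye]/[buster] lines, under CVE-2021-31291 stating whether the older versions are affected.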
@@ -150254,6 +150262,7 @@ CVE-2019-11099
 CVE-2019-11098 (Insufficient input validation in MdeModulePkg in EDKII may 
allow an un ...)
        [experimental] - edk2 2021.02-1
        - edk2 2020.11-5 (bug #991495)
+       [bullseye] - edk2 <no-dsa> (Minor issue)
        [buster] - edk2 <no-dsa> (Minor issue)
        [stretch] - edk2 <no-dsa> (Minor issue)
        NOTE: 
https://edk2-docs.gitbook.io/security-advisory/bootguard-toctou-vulnerability


=====================================
data/dsa-needed.txt
=====================================
@@ -25,6 +25,8 @@ chromium
 --
 djvulibre
 --
+exiv2 (jmm)
+--
 icu
 --
 linux (carnil)
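Review bot: The new `exiv2 (jmm)` entry does not say which issue it is for, and this same commit marks CVE-2021-31292 as `<no-dsa>` for bullseye and buster, so a reader has to infer from data/CVE/list that the exiv2 entry left without a `<no-dsa>` tag is the one driving the update. A short note under the entry naming the CVE would make that explicit.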



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15fc376855dc8359710d0aa04caca1981feac6f6
