Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
253d29da by Moritz Muehlenhoff at 2021-10-11T16:47:05+02:00
pillow fixed in sid
buster/bullseye triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -3011,6 +3011,7 @@ CVE-2021-40823 (A logic error in the room key sharing
functionality of matrix-js
- element-web <itp> (bug #866502)
- node-matrix-js-sdk <unfixed> (bug #994213)
[bullseye] - node-matrix-js-sdk <no-dsa> (Minor issue)
+ [buster] - node-matrix-js-sdk <no-dsa> (Minor issue)
NOTE:
https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing/
NOTE:
https://github.com/matrix-org/matrix-js-sdk/commit/894c24880da0e1cc81818f51c0db80e3c9fb2be9
(v12.4.1)
CVE-2021-40822
@@ -4798,6 +4799,8 @@ CVE-2021-3739
CVE-2021-3735 [ahci: deadlock issue leads to denial of service]
RESERVED
- qemu <unfixed>
+ [bullseye] - qemu <no-dsa> (Minor issue)
+ [buster] - qemu <no-dsa> (Minor issue)
[stretch] - qemu <postponed> (Fix along with a future DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997184
CVE-2021-40083 (Knot Resolver before 5.3.2 is prone to an assertion failure,
triggerab ...)
@@ -10137,9 +10140,11 @@ CVE-2021-37846
CVE-2021-37845
RESERVED
- citadel <unfixed>
+ [buster] - citadel <ignored> (Minor issue)
[stretch] - citadel <postponed> (Minor issue, revisit when fixed
upstream)
NOTE: https://uncensored.citadel.org/readfwd?go=Citadel
Security?view=0?start_reading_at=2099264259#2099264259
NOTE: https://nostarttls.secvuln.info/
+ NOTE: CVE-2020-29547 and CVE-2021-37845 seem like dupes
CVE-2021-37844
RESERVED
CVE-2021-3677 [Memory disclosure in certain queries]
@@ -32597,6 +32602,7 @@ CVE-2021-28703
RESERVED
CVE-2021-28702 (PCI devices with RMRRs not deassigned correctly Certain PCI
devices in ...)
- xen <unfixed>
+ [bullseye] - xen <postponed> (Minor issue, fix along with next DSA)
[buster] - xen <not-affected> (Vulnerable code introduced later)
[stretch] - xen <not-affected> (Vulnerable code introduced later)
NOTE: https://xenbits.xen.org/xsa/advisory-386.html
@@ -45284,7 +45290,9 @@ CVE-2021-23439 (This affects the package
file-upload-with-preview before 4.2.0.
CVE-2021-23438 (This affects the package mpath before 0.8.4. A type confusion
vulnerab ...)
NOT-FOR-US: Node mpath
CVE-2021-23437 (The package pillow 5.2.0 and before 8.3.2 are vulnerable to
Regular Ex ...)
- - pillow <unfixed>
+ - pillow 8.3.2-1
+ [bullseye] - pillow <no-dsa> (Minor issue)
+ [buster] - pillow <no-dsa> (Minor issue)
[stretch] - pillow <postponed> (Minor issue, can be fixed in the next
DLA)
NOTE:
https://github.com/python-pillow/Pillow/commit/9e08eb8f78fdfd2f476e1b20b7cf38683754866b
NOTE: https://snyk.io/vuln/SNYK-PYTHON-PILLOW-1319443
@@ -58284,9 +58292,11 @@ CVE-2020-29548 (An issue was discovered in
SmarterTools SmarterMail through 100.
CVE-2020-29547
RESERVED
- citadel <unfixed>
+ [buster] - citadel <ignored> (Minor issue)
[stretch] - citadel <postponed> (Minor issue, revisit when fixed
upstream)
NOTE: https://uncensored.citadel.org/readfwd?go=Citadel
Security?view=0?start_reading_at=2099264259#2099264259
NOTE: https://nostarttls.secvuln.info/
+ NOTE: CVE-2020-29547 and CVE-2021-37845 seem like dupes
CVE-2020-29546
RESERVED
CVE-2020-29545
@@ -78132,6 +78142,7 @@ CVE-2020-22618
RESERVED
CVE-2020-22617 (Ardour v5.12 contains a use-after-free vulnerability in the
component ...)
- ardour 1:6.0.0~ds0-1
+ [buster] - ardour <no-dsa> (Minor issue)
NOTE: https://tracker.ardour.org/view.php?id=7926
NOTE:
https://github.com/Ardour/ardour/commit/96daa4036a425ff3f23a7dfcba57bfb0f942bec6
(6.0-pre1)
CVE-2020-22616
@@ -81884,8 +81895,7 @@ CVE-2020-20900
CVE-2020-20899
REJECTED
CVE-2020-20898 (Integer Overflow vulnerability in function filter16_prewitt in
libavfi ...)
- - ffmpeg 7:4.3-2
- [buster] - ffmpeg <ignored> (Minor issue)
+ - ffmpeg 7:4.3-2 (unimportant)
NOTE:
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/99f8d32129dd233d4eb2efa44678a0bc44869f23
(4.3)
NOTE: https://trac.ffmpeg.org/ticket/8263
CVE-2020-20897
=====================================
data/dsa-needed.txt
=====================================
@@ -28,11 +28,13 @@ ffmpeg/oldstable (jmm)
--
icu
--
+libreoffice (jmm)
+--
linux (carnil)
Wait until more issues have piled up, though try to regulary rebase for point
releases to more recent v4.19.y versions.
--
-ndpi
+ndpi/oldstable
--
nodejs (jmm)
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/253d29dadf194cffb9422ef59150c1730f668667
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/253d29dadf194cffb9422ef59150c1730f668667
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
