Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e5cbee38 by Moritz Muehlenhoff at 2021-10-11T23:21:08+02:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3889,6 +3889,8 @@ CVE-2021-40531 (Sketch before 75 mishandles external 
library feeds. ...)
        NOTE: sketch.com, not the sketch package in Debian.
 CVE-2021-40530 (The ElGamal implementation in Crypto++ through 8.5 allows 
plaintext re ...)
        - libcrypto++ 8.6.0-1 (bug #993841)
+       [bullseye] - libcrypto++ <no-dsa> (Minor issue)
+       [buster] - libcrypto++ <no-dsa> (Minor issue)
        NOTE: https://eprint.iacr.org/2021/923
        NOTE: https://github.com/weidai11/cryptopp/issues/1059
        NOTE: 
https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
@@ -4851,6 +4853,7 @@ CVE-2021-3737 [client can enter an infinite loop on a 100 
Continue response from
        - python3.9 3.9.7-1
        [bullseye] - python3.9 <no-dsa> (Minor issue)
        - python3.7 <removed>
+       [buster] - python3.7 <no-dsa> (Minor issue)
        - python3.5 <removed>
        - python3.4 <removed>
        NOTE: https://bugs.python.org/issue44022
@@ -7073,6 +7076,8 @@ CVE-2021-39213 (GLPI is a free Asset and IT management 
software package. Startin
        NOTE: Only supported behind an authenticated HTTP zone
 CVE-2021-39212 (ImageMagick is free software delivered as a ready-to-run 
binary distri ...)
        - imagemagick <unfixed>
+       [bullseye] - imagemagick <no-dsa> (Minor issue)
+       [buster] - imagemagick <no-dsa> (Minor issue)
        [stretch] - imagemagick <no-dsa> (Minor issue)
        NOTE: 
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr
        NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68
@@ -24014,6 +24019,7 @@ CVE-2021-32066 (An issue was discovered in Ruby through 
2.6.7, 2.7.x through 2.7
        - ruby2.7 2.7.4-1 (bug #990815)
        - ruby2.5 <removed>
        - ruby2.3 <removed>
+       [buster] - ruby2.3 <no-dsa> (Minor issue)
        - jruby <unfixed>
        [buster] - jruby <no-dsa> (Minor issue)
        [stretch] - jruby <no-dsa> (Minor issue)
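Review bot: the added `[buster] - ruby2.3 <no-dsa> (Minor issue)` line for CVE-2021-32066 sits under `- ruby2.3 <removed>`, whereas the other two Ruby hunks in this commit (CVE-2021-31810 and CVE-2021-31799) attach the buster entry to ruby2.5. If buster's Ruby source package is ruby2.5, as those hunks imply, this line is misplaced and should read `[buster] - ruby2.5 <no-dsa> (Minor issue)` directly after `- ruby2.5 <removed>`. As written, ruby2.5 in buster is left without a triage decision for this CVE.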
@@ -24927,6 +24933,7 @@ CVE-2021-31810 (An issue was discovered in Ruby through 
2.6.7, 2.7.x through 2.7
        {DLA-2780-1}
        - ruby2.7 2.7.4-1 (bug #990815)
        - ruby2.5 <removed>
+       [buster] - ruby2.5 <no-dsa> (Minor issue)
        - ruby2.3 <removed>
        - jruby <unfixed>
        [buster] - jruby <no-dsa> (Minor issue)
@@ -24988,6 +24995,7 @@ CVE-2021-31799 (In RDoc 3.11 through 6.x before 6.3.1, 
as distributed with Ruby
        {DLA-2780-1}
        - ruby2.7 2.7.4-1 (bug #990815)
        - ruby2.5 <removed>
+       [buster] - ruby2.5 <no-dsa> (Minor issue)
        - ruby2.3 <removed>
        NOTE: Introduced in (rdoc): 
https://github.com/ruby/rdoc/commit/4a8b7bed7cd5647db92c620bc6f33e4c309d2212 
(v3.11)
        NOTE: Fixed in (rdoc): 
https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7 
(v6.3.1)
@@ -46567,15 +46575,20 @@ CVE-2021-22948 (Vulnerability in the generation of 
session IDs in revive-adserve
 CVE-2021-22947 (When curl &gt;= 7.20.0 and &lt;= 7.78.0 connects to an IMAP or 
POP3 se ...)
        {DLA-2773-1}
        - curl <unfixed>
+       [bullseye] - curl <no-dsa> (Minor issue)
+       [buster] - curl <no-dsa> (Minor issue)
        NOTE: https://curl.se/docs/CVE-2021-22947.html
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68 
(curl-7_79_0)
 CVE-2021-22946 (A user can tell curl &gt;= 7.20.0 and &lt;= 7.78.0 to require 
a succes ...)
        {DLA-2773-1}
        - curl <unfixed>
+       [bullseye] - curl <no-dsa> (Minor issue)
+       [buster] - curl <no-dsa> (Minor issue)
        NOTE: https://curl.se/docs/CVE-2021-22946.html
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca 
(curl-7_79_0)
 CVE-2021-22945 (When sending data to an MQTT server, libcurl &lt;= 7.73.0 and 
7.78.0 c ...)
        - curl <unfixed>
+       [bullseye] - curl <no-dsa> (Minor issue)
        [buster] - curl <not-affected> (Vulnerable code introduced later)
        [stretch] - curl <not-affected> (Vulnerable code introduced later)
        NOTE: https://curl.se/docs/CVE-2021-22945.html
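Review bot: CVE-2021-22947 and CVE-2021-22946 both carry `{DLA-2773-1}`, so the added `[bullseye] - curl <no-dsa> (Minor issue)` and `[buster] - curl <no-dsa> (Minor issue)` lines defer the two newer releases for issues that already have a DLA. Since the "Fixed by" NOTE lines identify the upstream commits, state in the no-dsa reason or in a NOTE whether a fix via point release is intended, rather than leaving the bare "Minor issue".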
@@ -46648,6 +46661,8 @@ CVE-2021-22925 (curl supports the `-t` command line 
option, known as `CURLOPT_TE
 CVE-2021-22924 (libcurl keeps previously used connections in a connection pool 
for sub ...)
        {DLA-2734-1}
        - curl <unfixed> (bug #991492)
+       [bullseye] - curl <no-dsa> (Minor issue)
+       [buster] - curl <no-dsa> (Minor issue)
        NOTE: https://curl.se/docs/CVE-2021-22924.html
        NOTE: Introduced by: 
https://github.com/curl/curl/commit/89721ff04af70f527baae1368f3b992777bf6526 
(curl-7_10_4)
        NOTE: Fixed by: 
https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161 
(curl-7_78_0)
@@ -73787,7 +73802,6 @@ CVE-2020-24743
        RESERVED
 CVE-2020-24742 (An issue has been fixed in Qt versions 5.14.0 where 
QPluginLoader atte ...)
        - qtbase-opensource-src 5.12.5+dfsg-8
-       [stretch] - qtbase-opensource-src 5.7.1+dfsg-3+deb9u2
        - qtbase-opensource-src-gles 5.14.2+dfsg-3
        - qt4-x11 <not-affected> (Vulnerable code introduced later)
        NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/280730
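Review bot: removing `[stretch] - qtbase-opensource-src 5.7.1+dfsg-3+deb9u2` under CVE-2020-24742 is not covered by the commit message "buster/bullseye triage" and only makes sense together with the data/DSA/list change in this commit. Mention the DSA-4617-1 re-attribution in the commit message, or split it into its own commit, so the history explains why the stretch entry disappeared.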


=====================================
data/DSA/list
=====================================
@@ -1187,7 +1187,7 @@
        [stretch] - libexif 0.6.21-2+deb9u1
        [buster] - libexif 0.6.21-5.1+deb10u1
 [03 Feb 2020] DSA-4617-1 qtbase-opensource-src - security update
-       {CVE-2020-0569}
+       {CVE-2020-0569 CVE-2020-24742}
        [stretch] - qtbase-opensource-src 5.7.1+dfsg-3+deb9u2
        [buster] - qtbase-opensource-src 5.11.3+dfsg1-1+deb10u3
 [02 Feb 2020] DSA-4616-1 qemu - security update
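Review bot: changing the tag to `{CVE-2020-0569 CVE-2020-24742}` on DSA-4617-1 marks CVE-2020-24742 as fixed in buster at 5.11.3+dfsg1-1+deb10u3 as well as in stretch, but the CVE entry carries only the upstream code review NOTE and nothing confirming that the DSA uploads contain that fix. Add a NOTE to the CVE entry recording that the patch shipped in the DSA-4617-1 uploads, so the retroactive attribution can be verified later.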



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e5cbee38497235432974a7edfabe14d801d4a62b
