Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ad3e151c by Chris Lamb at 2021-10-13T09:10:38+01:00
Triage CVE-2021-41133 in flatpak for stretch LTS.

- - - - -
eb66502e by Chris Lamb at 2021-10-13T09:10:39+01:00
Triage CVE-2021-3671 in heimdal and samba for stretch LTS.

- - - - -
cc20786f by Chris Lamb at 2021-10-13T09:10:40+01:00
Triage CVE-2020-28282 in node-getobject for stretch LTS.

- - - - -
e1550786 by Chris Lamb at 2021-10-13T09:11:24+01:00
data/dla-needed.txt: Triage redmine for stretch LTS (CVE-2021-42326)

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -715,6 +715,7 @@ CVE-2021-41133 (Flatpak is a system for building, 
distributing, and running sand
        {DSA-4984-1}
        - flatpak 1.12.1-1 (bug #995935)
        [buster] - flatpak <ignored> (Not exploitable with Debian buster 
kernel, intrusive to backport; requires updated libseccomp)
+       [stretch] - flatpak <ignored> (Difficult to exploit)
        NOTE: 
https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q
        NOTE: Sourcewise fixed in 1.12.0-1 already, but 1.12.1-1 adds stricter 
dependency
        NOTE: to libseccomp 2.5.2 so that CVE-2021-41133 is fully prevented.
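Review bot: the new `[stretch] - flatpak <ignored> (Difficult to exploit)` line gives a much thinner rationale than the buster line directly above it, which records the kernel dependency, the backport cost and the libseccomp requirement. Since the NOTE lines state that the fix is only complete with libseccomp 2.5.2, consider spelling out in the stretch justification whether the same kernel/libseccomp reasoning applies there, so that a later reader of data/CVE/list can see why stretch was marked `<ignored>` rather than `<no-dsa>`.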
@@ -11099,9 +11100,11 @@ CVE-2021-3671 (A null pointer de-reference was found 
in the way samba kerberos s
        - heimdal <unfixed>
        [bullseye] - heimdal <no-dsa> (Minor issue)
        [buster] - heimdal <no-dsa> (Minor issue)
+       [stretch] - heimdal <no-dsa> (Minor issue)
        - samba <unfixed>
        [bullseye] - samba <no-dsa> (Minor issue)
        [buster] - samba <no-dsa> (Minor issue)
+       [stretch] - samba <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2013080
        NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14770
        NOTE: Fixed by: 
https://github.com/heimdal/heimdal/commit/04171147948d0a3636bc6374181926f0fb2ec83a
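Review bot: the two added `[stretch] ... <no-dsa> (Minor issue)` lines mirror the existing bullseye and buster entries, which is consistent, but the only "Fixed by:" NOTE points at the heimdal upstream commit. Since samba is tracked as a separate package in this entry and the samba bugzilla link is already recorded, consider adding a corresponding "Fixed by:" reference for samba once known, so the stretch samba triage can be re-checked against the actual fix rather than only against heimdal's.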
@@ -64934,6 +64937,7 @@ CVE-2020-28282 (Prototype pollution vulnerability in 
'getobject' version 0.1.0 a
        - node-getobject 1.0.2-1
        [bullseye] - node-getobject <no-dsa> (Minor issue)
        [buster] - node-getobject <no-dsa> (Minor issue)
+       [stretch] - node-getobject <no-dsa> (Minor issue)
        NOTE: 
https://github.com/cowboy/node-getobject/commit/84071748fa407caa8f824e0d0b9c1cde9ec56633
 (v1.0.0)
 CVE-2020-28281 (Prototype pollution vulnerability in 'set-object-value' 
versions 0.0.0 ...)
        NOT-FOR-US: react-atomic-organism
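Review bot: the added `[stretch] - node-getobject <no-dsa> (Minor issue)` line lands in an entry whose description starts at version 0.1.0 and whose fix NOTE points at the v1.0.0 upstream commit, but nothing in the entry records which node-getobject source version stretch actually ships. Consider adding a short NOTE with the stretch version (or a statement that it is within the affected range) so the `<no-dsa>` decision can be verified without consulting the archive.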


=====================================
data/dla-needed.txt
=====================================
@@ -88,6 +88,10 @@ redis (Chris Lamb)
   NOTE: 20211004: Fixed in sid and experimental. (lamby)
   NOTE: 20211006: buster-pu filed in #995825. (lamby)
 --
+redmine
+  NOTE: 20211013: Issue appears to be private, so may require comparison of 
release
+  NOTE: 20211013: tarballs to find upstream changeset. (lamby)
+--
 rustc
   NOTE: rust-doc in stretch-lts (and jessie-lts) is not installable
   NOTE: https://bugs.debian.org/928422
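Review bot: the new `redmine` block in data/dla-needed.txt does not mention the CVE id at all, even though the commit message for this change names CVE-2021-42326; the neighbouring rustc entry likewise carries a bug URL for cross-reference. Consider starting the first NOTE with the CVE id (e.g. `NOTE: 20211013: CVE-2021-42326: Issue appears to be private, ...`) so the dla-needed entry can be matched to data/CVE/list without reading the git log. The wrapped NOTE text itself ("may require comparison of release / tarballs to find upstream changeset") reads fine as a two-line note in the file's existing style.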



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/612ec9208554f8640eeef9fee038c15ae020f606...e1550786777f9e7ae53a1b4a7f1635dc4eb9caed



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits