[Git][security-tracker-team/security-tracker][master] Reserve DLA-2826-1 for mbedtls

Tue, 23 Nov 2021 05:03:25 -0800 


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b9cd936f by Emilio Pozuelo Monfort at 2021-11-23T14:02:56+01:00
Reserve DLA-2826-1 for mbedtls

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -52149,7 +52149,6 @@ CVE-2021-24119 (In Trusted Firmware Mbed TLS 2.24.0, a 
side-channel vulnerabilit
        - mbedtls <unfixed>
        [bullseye] - mbedtls <no-dsa> (Minor issue)
        [buster] - mbedtls <no-dsa> (Minor issue)
-       [stretch] - mbedtls <no-dsa> (Minor issue)
        NOTE: Fixed in 2.26.0: 
https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0
 CVE-2021-24118
        RESERVED
@@ -227247,7 +227246,6 @@ CVE-2017-18259 (Dolibarr ERP/CRM is affected by 
stored Cross-Site Scripting (XSS
 CVE-2018-9989 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has 
a buffe ...)
        {DLA-1518-1}
        - mbedtls 2.8.0-1
-       [stretch] - mbedtls <no-dsa> (Minor issue)
        - polarssl <removed>
        [wheezy] - polarssl <no-dsa> (Minor issue)
        NOTE: 
https://github.com/ARMmbed/mbedtls/commit/5224a7544c95552553e2e6be0b4a789956a6464e
@@ -227256,7 +227254,6 @@ CVE-2018-9989 (ARM mbed TLS before 2.1.11, before 
2.7.2, and before 2.8.0 has a
 CVE-2018-9988 (ARM mbed TLS before 2.1.11, before 2.7.2, and before 2.8.0 has 
a buffe ...)
        {DLA-1518-1}
        - mbedtls 2.8.0-1
-       [stretch] - mbedtls <no-dsa> (Minor issue)
        - polarssl <removed>
        [wheezy] - polarssl <no-dsa> (Minor issue)
        NOTE: 
https://github.com/ARMmbed/mbedtls/commit/027f84c69f4ef30c0693832a6c396ef19e563ca1


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[23 Nov 2021] DLA-2826-1 mbedtls - security update
+       {CVE-2018-9988 CVE-2018-9989 CVE-2020-36475 CVE-2020-36476 
CVE-2020-36478 CVE-2021-24119}
+       [stretch] - mbedtls 2.4.2-1+deb9u4
 [22 Nov 2021] DLA-2825-1 libmodbus - security update
        {CVE-2019-14462 CVE-2019-14463}
        [stretch] - libmodbus 3.0.6-2+deb9u1


=====================================
data/dla-needed.txt
=====================================
@@ -69,9 +69,6 @@ linux (Ben Hutchings)
 --
 linux-4.19 (Ben Hutchings)
 --
-mbedtls (Emilio)
-  NOTE: 20211122: CVEs backported, but one of them introduces a test 
regression, investigating (Emilio)
---
 nvidia-graphics-drivers
   NOTE: package is in non-free but also in packages-to-support
   NOTE: only CVE‑2021‑1076 seems to be fixed in the R390 branch used in 
Stretch, no fix available for CVE-2021-1077



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9cd936f441e1f0317169b34eefffb6f72c04480

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b9cd936f441e1f0317169b34eefffb6f72c04480
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to