Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7155dbe5 by Moritz Muehlenhoff at 2022-01-17T17:26:32+01:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -6570,12 +6570,16 @@ CVE-2021-45105 (Apache Log4j2 versions 2.0-alpha1 
through 2.16.0 (excluding 2.12
 CVE-2021-31566 [symbolic links incorrectly followed when changing modes, 
times, ACL and flags of a file while extracting an archive]
        RESERVED
        - libarchive 3.5.2-1 (bug #1001990)
+       [bullseye] - libarchive <no-dsa> (Minor issue)
+       [buster] - libarchive <no-dsa> (Minor issue)
        NOTE: https://github.com/libarchive/libarchive/issues/1566
        NOTE: 
https://github.com/libarchive/libarchive/commit/b41daecb5ccb4c8e3b2c53fd6147109fc12c3043
 (v3.5.2)
        NOTE: 
https://github.com/libarchive/libarchive/commit/e2ad1a2c3064fa9eba6274b3641c4c1beed25c0b
 (v3.5.2)
 CVE-2021-23177 [extracting a symlink with ACLs modifies ACLs of target]
        RESERVED
        - libarchive 3.5.2-1 (bug #1001986)
+       [bullseye] - libarchive <no-dsa> (Minor issue)
+       [buster] - libarchive <no-dsa> (Minor issue)
        NOTE: https://github.com/libarchive/libarchive/issues/1565
        NOTE: 
https://github.com/libarchive/libarchive/commit/fba4f123cc456d2b2538f811bb831483bf336bad
 (v3.5.2)
 CVE-2022-21943
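Review bot: The four added <no-dsa> (Minor issue) lines under CVE-2021-31566 and CVE-2021-23177 do not record why symlink following during archive extraction is considered minor for bullseye and buster. Both entries already reference upstream commits tagged v3.5.2, so a NOTE giving the rationale, or saying whether those commits are candidates for a point-release backport, would make the decision reviewable later.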
@@ -7964,6 +7968,7 @@ CVE-2021-44717 (Go before 1.16.12 and 1.17.x before 
1.17.5 on UNIX allows write
        - golang-1.15 1.15.15-5
        [bullseye] - golang-1.15 1.15.15-1~deb11u2
        - golang-1.11 <removed>
+       [buster] - golang-1.11 <no-dsa> (Minor issue)
        - golang-1.8 <removed>
        - golang-1.7 <removed>
        NOTE: https://github.com/golang/go/issues/50057
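Review bot: The added [buster] line for golang-1.11 marks CVE-2021-44717 as <no-dsa> (Minor issue), while the [bullseye] line two above it shows golang-1.15 received a fix in 1.15.15-1~deb11u2 for the same CVE. A short reason for treating buster differently would make the asymmetry easier to review.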
@@ -9803,10 +9808,14 @@ CVE-2021-4000 (showdoc is vulnerable to URL Redirection 
to Untrusted Site ...)
 CVE-2021-3999 [Off-by-one buffer overflow/underflow in getcwd()]
        RESERVED
        - glibc <unfixed>
+       [bullseye] - glibc <no-dsa> (Minor issue)
+       [buster] - glibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28769
 CVE-2021-3998 [Unexpected return value from realpath() for too long results]
        RESERVED
        - glibc <unfixed>
+       [bullseye] - glibc <no-dsa> (Minor issue)
+       [buster] - glibc <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28770
        NOTE: 
https://patchwork.sourceware.org/project/glibc/patch/[email protected]/
 CVE-2021-3997 [Uncontrolled recursion in systemd's systemd-tmpfiles]
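Review bot: CVE-2021-3999 is titled as an off-by-one buffer overflow/underflow in getcwd(), yet the added [bullseye] and [buster] lines classify it as Minor issue with no NOTE on what limits the impact. Unlike CVE-2021-3998 below it, the entry carries no link to a proposed patch, and glibc is still <unfixed>, so a NOTE with the rationale would help whoever revisits it once a fix is available.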
@@ -9941,6 +9950,7 @@ CVE-2021-44039
        RESERVED
 CVE-2021-44038 (An issue was discovered in Quagga through 1.2.4. Unsafe 
chown/chmod op ...)
        - quagga <removed>
+       [buster] - quagga <no-dsa> (Minor issue)
        [stretch] - quagga <postponed> (revisit when/if fixed upstream)
        NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1191890
        NOTE: Debian installed systemd unit files install the problematic 
redhat/*.service
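Review bot: The added [buster] line for quagga under CVE-2021-44038 uses <no-dsa> (Minor issue), but the [stretch] line directly below it gives a different disposition, <postponed> (revisit when/if fixed upstream), and the NOTE says the Debian unit files install the problematic redhat/*.service. Consider aligning the wording across both releases, or adding a NOTE on why buster is treated as minor.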
@@ -39086,6 +39096,7 @@ CVE-2021-33431
        RESERVED
 CVE-2021-33430 (A Buffer Overflow vulnerability exists in NumPy 1.9.x in the 
PyArray_N ...)
        - numpy 1:1.21.4-2
+       [bullseye] - numpy <no-dsa> (Minor issue)
        NOTE: https://github.com/numpy/numpy/issues/18939
        NOTE: https://github.com/numpy/numpy/pull/18989
        NOTE: 
https://github.com/numpy/numpy/commit/16f7824b4d935b6aee98298ca4123d57174a6f2e 
(v1.22.0.dev0)
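Review bot: Under CVE-2021-33430 only a [bullseye] line is added for numpy, although the commit message describes this as buster/bullseye triage. If buster is unaffected or tracked elsewhere, a [buster] line or a NOTE saying so would close the gap.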


=====================================
data/dsa-needed.txt
=====================================
@@ -29,12 +29,17 @@ linux (carnil)
 --
 ndpi/oldstable
 --
+nss
+--
 nodejs (jmm)
 --
 pillow (jmm)
 --
 python-pysaml2 (jmm)
 --
+rpki-client/stable
+  new 7.6 release required libretls, which isn't in Bullseye
+--
 ruby2.5/oldstable
   Maintainer is preparing updates
 --
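Review bot: The new nss entry is inserted between ndpi/oldstable and nodejs, which breaks the alphabetical order the surrounding entries follow (nodejs sorts before nss). It also has no suite qualifier, claimant or status line, unlike the rpki-client/stable entry added in the same hunk, so it is unclear which release needs the update and why.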



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7155dbe5fe85c561f31a848b8f13a75fef301c81
