Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
432e5017 by Markus Koschany at 2022-12-12T00:50:31+01:00
Reserve DLA-3236-1 for openexr

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -74108,7 +74108,6 @@ CVE-2021-45942 (OpenEXR 3.1.x before 3.1.4 has a 
heap-based buffer overflow in I
        {DSA-5299-1}
        [experimental] - openexr 3.1.4-1
        - openexr 3.1.5-2 (bug #1014828)
-       [buster] - openexr <no-dsa> (Minor issue)
        [stretch] - openexr <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41416
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1209
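Review bot: the `{DSA-5299-1}` reference line for CVE-2021-45942 is left unchanged in this hunk even though the new data/DLA/list entry in the same commit lists CVE-2021-45942 under DLA-3236-1; if the DLA cross-reference in data/CVE/list is not derived automatically from data/DLA/list, a follow-up should extend that line to `{DSA-5299-1 DLA-3236-1}`. Removing the `[buster] - openexr <no-dsa> (Minor issue)` line is the right companion change, since the DLA entry now records the buster fix version 2.2.1-4.1+deb10u2 for this issue.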
@@ -108269,7 +108268,6 @@ CVE-2021-34696 (A vulnerability in the access control 
list (ACL) programming of
 CVE-2021-3605 (There's a flaw in OpenEXR's rleUncompress functionality in 
versions pr ...)
        {DSA-5299-1 DLA-2732-1}
        - openexr 2.5.7-1 (bug #990899)
-       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1036
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/25259a84827234a283f6f9db72978198c7a3f268
 (master)
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/3204008c0bd4c8d7599a052b304d1b44c4511283
 (v2.5)
@@ -108348,7 +108346,6 @@ CVE-2021-34675 (Basix NEX-Forms through 7.8.7 allows 
authentication bypass for s
 CVE-2021-3598 (There's a flaw in OpenEXR's ImfDeepScanLineInputFile 
functionality in  ...)
        {DSA-5299-1 DLA-2701-1}
        - openexr 2.5.7-1 (bug #990450)
-       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/1033
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1037
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/566f5241edd87445373885d5f7a904dc81e866c1
 (master)
@@ -116543,7 +116540,6 @@ CVE-2021-26945 (An integer overflow leading to a 
heap-buffer overflow was found
 CVE-2021-26260 (An integer overflow leading to a heap-buffer overflow was 
found in the ...)
        {DSA-5299-1 DLA-2701-1}
        - openexr 2.5.7-1 (bug #992703)
-       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947582
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29423
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/894
@@ -116552,7 +116548,6 @@ CVE-2021-26260 (An integer overflow leading to a 
heap-buffer overflow was found
 CVE-2021-23215 (An integer overflow leading to a heap-buffer overflow was 
found in the ...)
        {DSA-5299-1 DLA-2701-1}
        - openexr 2.5.7-1
-       [buster] - openexr <ignored> (Minor issue, might change ABI)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1947586
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29653
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/901
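Review bot: the removed buster line for CVE-2021-23215 read `<ignored> (Minor issue, might change ABI)`, so the earlier reason for not fixing it in buster was a possible ABI change rather than low severity alone; before DLA-3236-1 is published, confirm that the backport of the fix referenced in upstream pull/901 leaves the openexr ABI in buster unchanged (or that reverse dependencies were checked), and record that outcome in the DLA text or in a NOTE line here so the next person does not have to rediscover why the issue was previously ignored.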
@@ -121634,14 +121629,12 @@ CVE-2021-3480 (A flaw was found in slapi-nis in 
versions before 0.56.7. A NULL p
 CVE-2021-3479 (There's a flaw in OpenEXR's Scanline API functionality in 
versions bef ...)
        {DLA-2701-1}
        - openexr 2.5.4-1 (bug #986796)
-       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25370
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/d80f11f4f55100d007ae80a162bf257ec291612c
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/830
 CVE-2021-3478 (There's a flaw in OpenEXR's scanline input file functionality 
in versi ...)
        {DLA-2701-1}
        - openexr 2.5.4-1 (bug #986796)
-       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27409
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939160
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/bc88cdb6c97fbf5bc5d11ad8ca55306da931283a
 (master)
@@ -121650,7 +121643,6 @@ CVE-2021-3478 (There's a flaw in OpenEXR's scanline 
input file functionality in
 CVE-2021-3477 (There's a flaw in OpenEXR's deep tile sample size calculations 
in vers ...)
        {DLA-2701-1}
        - openexr 2.5.4-1 (bug #986796)
-       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=26956
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939159
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/467be80b75642efbbe6bdace558079f68c16acb1
@@ -122248,19 +122240,16 @@ CVE-2021-29425 (In Apache Commons IO before 2.7, 
When invoking the method FileNa
 CVE-2021-3476 (A flaw was found in OpenEXR's B44 uncompression functionality 
in versi ...)
        {DLA-2701-1}
        - openexr 2.5.4-1 (bug #986796)
-       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24787
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/eec0dba242bedd2778c973ae4af112107b33d9c9
 CVE-2021-3475 (There is a flaw in OpenEXR in versions before 3.0.0-beta. An 
attacker  ...)
        {DLA-2701-1}
        - openexr 2.5.4-1 (bug #986796)
-       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25297
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/2a18ed424a854598c2a20b5dd7e782b436a1e753
 CVE-2021-3474 (There's a flaw in OpenEXR in versions before 3.0.0-beta. A 
crafted inp ...)
        {DLA-2701-1}
        - openexr 2.5.4-1 (bug #986796)
-       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24831
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/c3ed4a1db1f39bf4524a644cb2af81dc8cfab33f
        NOTE: Introduced by 
https://github.com/AcademySoftwareFoundation/openexr/commit/7f0c9e256f34cac5a31e9d9cce00ccc898f49f3b
 (v2.2.0)
@@ -146021,7 +146010,6 @@ CVE-2021-20303 (A flaw found in function 
dataWindowForTile() of IlmImf/ImfTiledM
 CVE-2021-20302 (A flaw was found in OpenEXR's TiledInputFile functionality. 
This flaw  ...)
        {DLA-2732-1}
        - openexr 2.5.4-1
-       [buster] - openexr <ignored> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25894
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/842
 CVE-2021-20301
@@ -146040,7 +146028,6 @@ CVE-2021-20299 (A flaw was found in OpenEXR's 
Multipart input file functionality
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/25e9515b06a6bc293d871622b8cafaee7af84e0f
 CVE-2021-20298 (A flaw was found in OpenEXR's B44Compressor. This flaw allows 
an attac ...)
        - openexr 2.5.4-1
-       [buster] - openexr <ignored> (Minor issue)
        [stretch] - openexr <postponed> (Minor issue, OOM, revisit when there's 
a full fix upstream)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25913
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/85fd638ae0d5fa132434f4cbf32590261c1dba97
 (master) (partial fix)
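Review bot: CVE-2021-20298 is claimed by the new DLA-3236-1 entry, but the only upstream reference kept here is marked `(partial fix)` and the stretch line directly below the removed buster line still says `<postponed> (Minor issue, OOM, revisit when there's a full fix upstream)`; either the DLA should state that this CVE is only partially addressed, or the stretch annotation should be revisited, because the same upstream state now yields a fix claim for buster and a postponement for stretch.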
@@ -146055,7 +146042,6 @@ CVE-2021-20297 (A flaw was found in NetworkManager in 
versions before 1.30.0. Se
 CVE-2021-20296 (A flaw was found in OpenEXR in versions before 3.0.0-beta. A 
crafted i ...)
        {DLA-2701-1}
        - openexr 2.5.4-1 (bug #986796)
-       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24854
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/b0c63c0b96eb9b0d3998f603e12f9f414fb0d44a
 CVE-2021-20295 (It was discovered that the update for the virt:rhel module in 
the RHSA ...)
@@ -183138,19 +183124,16 @@ CVE-2020-16590 (A double free vulnerability exists 
in the Binary File Descriptor
 CVE-2020-16589 (A head-based buffer overflow exists in Academy Software 
Foundation Ope ...)
        {DLA-2491-1}
        - openexr 2.5.3-2
-       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/6bb36714528a9563dd3b92720c5063a1284b86f8
 (v2.4.0-beta.1)
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/494
 CVE-2020-16588 (A Null Pointer Deference issue exists in Academy Software 
Foundation O ...)
        {DLA-2491-1}
        - openexr 2.5.3-2
-       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/74504503cff86e986bac441213c403b0ba28d58f
 (v2.4.0-beta.1)
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/493
 CVE-2020-16587 (A heap-based buffer overflow vulnerability exists in Academy 
Software  ...)
        {DLA-2701-1}
        - openexr 2.5.3-2
-       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/8b5370c688a7362673c3a5256d93695617a4cd9a
 (v2.4.0-beta.1)
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/491
 CVE-2020-16586


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[12 Dec 2022] DLA-3236-1 openexr - security update
+       {CVE-2020-16587 CVE-2020-16588 CVE-2020-16589 CVE-2021-3474 
CVE-2021-3475 CVE-2021-3476 CVE-2021-3477 CVE-2021-3478 CVE-2021-3479 
CVE-2021-3598 CVE-2021-3605 CVE-2021-3933 CVE-2021-3941 CVE-2021-20296 
CVE-2021-20298 CVE-2021-20299 CVE-2021-20300 CVE-2021-20302 CVE-2021-20303 
CVE-2021-23215 CVE-2021-26260 CVE-2021-45942}
+       [buster] - openexr 2.2.1-4.1+deb10u2
 [11 Dec 2022] DLA-3235-1 node-eventsource - security update
        {CVE-2022-1650}
        [buster] - node-eventsource 0.2.1-1+deb10u1
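Review bot: five of the CVEs claimed by the new DLA-3236-1 entry (CVE-2021-3933, CVE-2021-3941, CVE-2021-20299, CVE-2021-20300, CVE-2021-20303) have no matching hunk in data/CVE/list in this commit, whereas every other listed CVE has its `[buster] - openexr <no-dsa>` or `<ignored>` line removed; verify that those five entries carry no leftover `[buster]` annotation, otherwise the tracker will report a conflicting buster status for them. The line break inside the `{...}` CVE list of the new entry looks like mail wrapping, but it is worth confirming that the committed file keeps the entry on a single line as the other DLA entries are.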


=====================================
data/dla-needed.txt
=====================================
@@ -213,11 +213,6 @@ nodejs
   NOTE: 20221105: Source code not checked. It may be so that the vulnerability 
is not present in buster.
   NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/nodejs.html
 --
-openexr (Markus Koschany)
-  NOTE: 20220904: Programming language: C++.
-  NOTE: 20220904: Should be synced with Stretch. (apo)
-  NOTE: 20221209: Testsuite: 
https://lts-team.pages.debian.net/wiki/TestSuites/openexr.html
---
 php-cas
   NOTE: 20221105: Programming language: PHP.
   NOTE: 20221105: The fix is not backwards compatible. Should be investigated 
further whether this issue should be solved or ignored.. (ola)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/432e5017235bb67b8bd5ec117e3ffacd02e3d5e5
