Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d20ab257 by Thorsten Alteholz at 2021-09-23T11:05:48+02:00
mark CVE-2021-3711 as not-affected for Stretch

- - - - -
ed422429 by Thorsten Alteholz at 2021-09-23T11:39:38+02:00
mark CVE-2021-38575 as no-dsa for Stretch

- - - - -
ef8b13bb by Thorsten Alteholz at 2021-09-23T11:40:55+02:00
mark CVE-2021-32280 as no-dsa for Stretch

- - - - -
e4dba6cd by Thorsten Alteholz at 2021-09-23T11:42:16+02:00
mark CVE-2021-40812 as no-dsa for Stretch

- - - - -
47cc2611 by Thorsten Alteholz at 2021-09-23T11:44:44+02:00
mark CVE-2021-3805 as no-dsa for Stretch

- - - - -
6aa32b6a by Thorsten Alteholz at 2021-09-23T11:45:29+02:00
mark CVE-2021-23440 as no-dsa for Stretch

- - - - -
7f31d374 by Thorsten Alteholz at 2021-09-23T11:50:12+02:00
mark CVE-2021-3807 as not-affected for Stretch

- - - - -
6e88e4b7 by Thorsten Alteholz at 2021-09-23T11:51:42+02:00
mark CVE-2021-40839 as no-dsa for Stretch

- - - - -
84036693 by Thorsten Alteholz at 2021-09-23T11:53:35+02:00
mark CVE-2021-39214 as no-dsa for Stretch

- - - - -
f6bebaed by Thorsten Alteholz at 2021-09-23T11:55:10+02:00
mark CVE-2021-32294 as postponed for Stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -575,6 +575,7 @@ CVE-2021-3807 (ansi-regex is vulnerable to Inefficient 
Regular Expression Comple
        - node-ansi-regex 5.0.1-1 (bug #994568)
        [bullseye] - node-ansi-regex <no-dsa> (Minor issue)
        [buster] - node-ansi-regex <no-dsa> (Minor issue)
+       [stretch] - node-ansi-regex <not-affected> (Vulnerable code introduced 
later)
        NOTE: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994
        NOTE: 
https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9
 (v6.0.1)
 CVE-2021-3806 (A path traversal vulnerability on Pardus Software Center's 
"extractArc ...)
@@ -583,6 +584,7 @@ CVE-2021-3805 (object-path is vulnerable to Improperly 
Controlled Modification o
        - node-object-path 0.11.8-1
        [bullseye] - node-object-path <no-dsa> (Minor issue)
        [buster] - node-object-path <no-dsa> (Minor issue)
+       [stretch] - node-object-path <no-dsa> (Minor issue)
        NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053
        NOTE: 
https://github.com/mariocasciaro/object-path/commit/e6bb638ffdd431176701b3e9024f80050d0ef0a6
 CVE-2021-41303 (Apache Shiro before 1.8.0, when using Apache Shiro with Spring 
Boot, a ...)
@@ -1572,6 +1574,7 @@ CVE-2021-40839 (The rencode package through 1.0.6 for 
Python allows an infinite
        - python-rencode 1.0.6-2
        [bullseye] - python-rencode <no-dsa> (Minor issue)
        [buster] - python-rencode <no-dsa> (Minor issue)
+       [stretch] - python-rencode <no-dsa> (Minor issue)
        NOTE: 
https://github.com/aresch/rencode/commit/572ff74586d9b1daab904c6f7f7009ce0143bb75
        NOTE: https://github.com/aresch/rencode/pull/29
 CVE-2021-40838
@@ -1665,6 +1668,7 @@ CVE-2021-40812 (The GD Graphics Library (aka LibGD) 
through 2.3.2 has an out-of-
        - libgd2 <unfixed>
        [bullseye] - libgd2 <no-dsa> (Minor issue)
        [buster] - libgd2 <no-dsa> (Minor issue)
+       [stretch] - libgd2 <no-dsa> (Minor issue)
        NOTE: https://github.com/libgd/libgd/issues/750#issuecomment-914872385
        NOTE: 
https://github.com/libgd/libgd/commit/6f5136821be86e7068fcdf651ae9420b5d42e9a9
 CVE-2021-40811
@@ -5410,6 +5414,7 @@ CVE-2021-39214 (mitmproxy is an interactive, 
SSL/TLS-capable intercepting proxy.
        - mitmproxy <unfixed> (bug #994570)
        [bullseye] - mitmproxy <no-dsa> (Minor issue)
        [buster] - mitmproxy <no-dsa> (Minor issue)
+       [stretch] - mitmproxy <no-dsa> (Minor issue)
        NOTE: 
https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-22gh-3r9q-xf38
 CVE-2021-39213 (GLPI is a free Asset and IT management software package. 
Starting in v ...)
        - glpi <removed> (unimportant)
@@ -6199,6 +6204,7 @@ CVE-2021-3712 (ASN.1 strings are represented internally 
within OpenSSL as an ASN
 CVE-2021-3711 (In order to decrypt SM2 encrypted data an application is 
expected to c ...)
        {DSA-4963-1}
        - openssl 1.1.1l-1
+       [stretch] - openssl <not-affected> (supprt for SM2 decryption added in 
1.1.1-pre3)
        - openssl1.0 <not-affected> (Vulnerability does not affect 1.0.2 series)
        NOTE: https://www.openssl.org/news/secadv/20210824.txt
        NOTE: 
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=59f5e75f3bced8fc0e130d72a3f582cf7b480b46
 (OpenSSL_1_1_1l)
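Review bot: the added [stretch] line for openssl misspells "support" as "supprt" in its justification. Fix the typo, and consider naming the openssl version shipped in stretch in the same parenthesis so the comparison against 1.1.1-pre3 can be checked from the entry alone.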
@@ -6820,6 +6826,7 @@ CVE-2021-38575 [edk2: remote buffer overflow in 
IScsiHexToBin function in Networ
        - edk2 2021.08-1
        [bullseye] - edk2 <no-dsa> (Minor issue)
        [buster] - edk2 <no-dsa> (Minor issue)
+       [stretch] - edk2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3356
        NOTE: https://edk2.groups.io/g/devel/message/76198
        NOTE: https://github.com/tianocore/edk2/pull/1698
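Review bot: the added [stretch] line for edk2 gives only "Minor issue" as the reason, while the entry's own title describes a remote buffer overflow in IScsiHexToBin. A short rationale in the parenthesis (for example, whether the affected network code is built or reachable in the stretch package) would make the no-dsa decision auditable without opening the linked reports.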
@@ -21645,6 +21652,7 @@ CVE-2021-32294 (An issue was discovered in libgig 
through 20200507. A heap-buffe
        - libgig <unfixed>
        [bullseye] - libgig <ignored> (Minor issue)
        [buster] - libgig <ignored> (Minor issue)
+       [stretch] - libgig <postponed> (Minor issue, revisit when/if fixed 
upstream)
        NOTE: https://github.com/drbye78/libgig/issues/1
 CVE-2021-32293
        RESERVED
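Review bot: the added [stretch] line for libgig uses <postponed>, while the [bullseye] and [buster] lines directly above it use <ignored> for the same "Minor issue" against an <unfixed> package. Either align the state across suites or extend the "revisit when/if fixed upstream" text to say why stretch is tracked differently, so a later reader does not take the mismatch for an oversight.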
@@ -21678,6 +21686,7 @@ CVE-2021-32281 (An issue was discovered in gravity 
through 0.8.1. A heap-buffer-
 CVE-2021-32280 (An issue was discovered in fig2dev through 20200520. A NULL 
pointer de ...)
        - fig2dev 1:3.2.7b-5 (bug #960736)
        [buster] - fig2dev <no-dsa> (Minor issue)
+       [stretch] - fig2dev <no-dsa> (Minor issue)
        - transfig <removed>
        NOTE: https://sourceforge.net/p/mcj/tickets/107/
        NOTE: 
https://sourceforge.net/p/mcj/fig2dev/ci/f17a3b8a7d54c1bc56ab92512531772a0b3ec991/
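Review bot: the added [stretch] line is attached to the fig2dev package line and sits directly above "- transfig <removed>". Please confirm that stretch ships the affected code under the fig2dev source package rather than under transfig; if it is the latter, the suite annotation belongs below the transfig line instead.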
@@ -43634,6 +43643,7 @@ CVE-2021-23440 (This affects the package set-value 
before 4.0.1. A type confusio
        - node-set-value 3.0.1-3 (bug #994448)
        [bullseye] - node-set-value <no-dsa> (Minor issue)
        [buster] - node-set-value <no-dsa> (Minor issue)
+       [stretch] - node-set-value <no-dsa> (Minor issue)
        NOTE: 
https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452
 (v4.0.1)
        NOTE: 
https://github.com/jonschlinkert/set-value/pull/33/commits/383b72d47c74a55ae8b6e231da548f9280a4296a
        NOTE: https://github.com/jonschlinkert/set-value/pull/33



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1561d719b09cd8ddc265547a1b892bcf241852c8...f6bebaed5a2110aad777d88e5f110c6f7bce1b44
