Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7e85cbf2 by Moritz Muehlenhoff at 2021-12-06T12:52:16+01:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1125,6 +1125,7 @@ CVE-2021-4024 [podman: podman machine spawns gvproxy with 
port binded to all IPs
        NOTE: Fixed by: 
https://github.com/containers/podman/commit/295d87bb0b028e57dc2739791dee4820fe5fcc48
 CVE-2021-44227 (In GNU Mailman before 2.1.38, a list member or moderator can 
get a CSR ...)
        - mailman <removed>
+       [buster] - mailman <no-dsa> (Minor issue)
        [stretch] - mailman <no-dsa> (Minor issue; can be fixed with the next 
DLA)
        NOTE: https://bugs.launchpad.net/mailman/+bug/1952384
        NOTE: Patch: https://launchpadlibrarian.net/570827498/patch.txt
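Review bot: no `[bullseye]` line is added for mailman in this hunk even though the commit is a buster/bullseye triage; with unstable already at `- mailman <removed>` that is only correct if bullseye does not ship the package either, so worth confirming before leaving the entry as-is. Otherwise the new `[buster] - mailman <no-dsa> (Minor issue)` line is placed correctly between the unstable and stretch entries.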
@@ -9086,6 +9087,8 @@ CVE-2021-42261 (Revisor Video Management System (VMS) 
before 2.0.0 has a directo
        NOT-FOR-US: Revisor Video Management System (VMS)
 CVE-2021-42260 (TinyXML through 2.6.2 has an infinite loop in 
TiXmlParsingData::Stamp  ...)
        - tinyxml <unfixed>
+       [bullseye] - tinyxml <no-dsa> (Minor issue)
+       [buster] - tinyxml <no-dsa> (Minor issue)
        [stretch] - tinyxml <no-dsa> (Minor issue; can be fixed with the next 
DLA)
        NOTE: https://sourceforge.net/p/tinyxml/bugs/141/
        NOTE: https://sourceforge.net/p/tinyxml/git/merge-requests/1/
@@ -10306,6 +10309,7 @@ CVE-2021-41771 (ImportedSymbols in debug/macho (for 
Open or OpenFat) in Go befor
        - golang-1.15 <unfixed>
        [bullseye] - golang-1.15 <no-dsa> (Minor issue; will be fixed via point 
release)
        - golang-1.11 <removed>
+       [buster] - golang-1.11 <no-dsa> (Minor issue)
        - golang-1.8 <removed>
        - golang-1.7 <removed>
        [stretch] - golang-1.7 <no-dsa> (Minor issue; can be fixed with the 
next DLA)
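Review bot: the bullseye line directly above reads `(Minor issue; will be fixed via point release)` while the new `[buster] - golang-1.11 <no-dsa> (Minor issue)` line gives no plan; if a buster point-release fix is intended, matching that wording keeps the two suites consistent, and if golang-1.11 will simply stay unfixed in buster, `<ignored>` describes the state more accurately than `<no-dsa>`.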
@@ -13730,6 +13734,8 @@ CVE-2021-40331
        RESERVED
 CVE-2021-3756 (libmysofa is vulnerable to Heap-based Buffer Overflow ...)
        - libmysofa 1.2.1~dfsg0-1
+       [bullseye] - libmysofa <no-dsa> (Minor issue)
+       [buster] - libmysofa <no-dsa> (Minor issue)
        NOTE: https://huntr.dev/bounties/7ca8d9ea-e2a6-4294-af28-70260bb53bc1/
        NOTE: 
https://github.com/hoene/libmysofa/commit/890400ebd092c574707d0c132124f8ff047e20e1
 (v1.2.1)
 CVE-2021-3755
@@ -42499,7 +42505,6 @@ CVE-2021-28703
        NOTE: 
https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=c65ea16dbcafbe4fe21693b18f8c2a3c5d14600e
 (4.14.0-rc1)
 CVE-2021-28702 (PCI devices with RMRRs not deassigned correctly Certain PCI 
devices in ...)
        - xen 4.14.3+32-g9de3671772-1
-       [bullseye] - xen <postponed> (Minor issue, fix along with next DSA)
        [buster] - xen <not-affected> (Vulnerable code introduced later)
        [stretch] - xen <not-affected> (Vulnerable code introduced later)
        NOTE: https://xenbits.xen.org/xsa/advisory-386.html
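Review bot: dropping the `[bullseye] - xen <postponed> (Minor issue, fix along with next DSA)` override means the bullseye status is now derived by comparing the bullseye package against the fixed version `- xen 4.14.3+32-g9de3671772-1`; make sure that version (or a later one) has actually reached bullseye, otherwise the entry silently reverts to showing bullseye as vulnerable with no tag explaining why. If it went out with the DSA the old line was waiting for, this is fine.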
@@ -56328,6 +56333,7 @@ CVE-2021-22943 (A vulnerability found in UniFi Protect 
application V1.18.1 and e
 CVE-2021-22942 (A possible open redirect vulnerability in the Host 
Authorization middl ...)
        [experimental] - rails 2:6.1.4.1+dfsg-1
        - rails <unfixed> (bug #992586)
+       [bullseye] - rails <no-dsa> (Minor issue)
        [buster] - rails <not-affected> (Vulnerable code not present)
        [stretch] - rails <not-affected> (Vulnerable code not present)
        NOTE: https://www.openwall.com/lists/oss-security/2021/08/20/1
@@ -61686,6 +61692,7 @@ CVE-2021-21306 (Marked is an open-source markdown 
parser and compiler (npm packa
        NOTE: 
https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd
 CVE-2021-21305 (CarrierWave is an open-source RubyGem which provides a simple 
and flex ...)
        - ruby-carrierwave <unfixed> (bug #982551)
+       [buster] - ruby-carrierwave <no-dsa> (Minor issue)
        [stretch] - ruby-carrierwave <ignored> (No reverse dependencies)
        NOTE: 
https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4
        NOTE: 
https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7
@@ -61741,6 +61748,7 @@ CVE-2021-21289 (Mechanize is an open-source ruby 
library that makes automated we
        NOTE: Test warnings fixup: 
https://github.com/sparklemotion/mechanize/commit/5b30aed33cbac9825e8978f8e36dd221cbd4c093
 (v2.7.7)
 CVE-2021-21288 (CarrierWave is an open-source RubyGem which provides a simple 
and flex ...)
        - ruby-carrierwave 1.3.2-1 (bug #982552)
+       [buster] - ruby-carrierwave <no-dsa> (Minor issue)
        [stretch] - ruby-carrierwave <ignored> (No reverse dependencies)
        NOTE: 
https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5
        NOTE: 
https://github.com/carrierwaveuploader/carrierwave/commit/012702eb3ba1663452aa025831caa304d1a665c0


=====================================
data/dsa-needed.txt
=====================================
@@ -17,16 +17,15 @@ asterisk/oldstable
 condor
 --
 chromium
+  inactive, removal from stable likely
 --
 djvulibre
 --
 faad2/oldstable (jmm)
 --
-firefox-esr
+firefox-esr (jmm)
   Rust toolchain updates needed
 --
-gpac (jmm)
---
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
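Review bot: drive-by in the unchanged context of this hunk: `though try to regulary rebase for point` has a typo (`regulary` should be `regularly`) and could be fixed while these lines are being touched. The `gpac (jmm)` entry and its `--` separator are removed together, so the list separators stay balanced, and the new chromium annotation uses the same two-space indent as the existing `Rust toolchain updates needed` note.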
@@ -43,6 +42,8 @@ openjdk-11/oldstable (jmm)
 --
 puppetdb (jmm)
 --
+python-babel/oldstable (jmm)
+--
 python-pysaml2 (jmm)
 --
 rabbitmq-server



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e85cbf2c82599c4ffcee262d85cf8345000131c



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
