Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 7e85cbf2 by Moritz Muehlenhoff at 2021-12-06T12:52:16+01:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -1125,6 +1125,7 @@ CVE-2021-4024 [podman: podman machine spawns gvproxy with port binded to all IPs NOTE: Fixed by: https://github.com/containers/podman/commit/295d87bb0b028e57dc2739791dee4820fe5fcc48 CVE-2021-44227 (In GNU Mailman before 2.1.38, a list member or moderator can get a CSR ...) - mailman <removed> + [buster] - mailman <no-dsa> (Minor issue) [stretch] - mailman <no-dsa> (Minor issue; can be fixed with the next DLA) NOTE: https://bugs.launchpad.net/mailman/+bug/1952384 NOTE: Patch: https://launchpadlibrarian.net/570827498/patch.txt @@ -9086,6 +9087,8 @@ CVE-2021-42261 (Revisor Video Management System (VMS) before 2.0.0 has a directo NOT-FOR-US: Revisor Video Management System (VMS) CVE-2021-42260 (TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp ...) - tinyxml <unfixed> + [bullseye] - tinyxml <no-dsa> (Minor issue) + [buster] - tinyxml <no-dsa> (Minor issue) [stretch] - tinyxml <no-dsa> (Minor issue; can be fixed with the next DLA) NOTE: https://sourceforge.net/p/tinyxml/bugs/141/ NOTE: https://sourceforge.net/p/tinyxml/git/merge-requests/1/ @@ -10306,6 +10309,7 @@ CVE-2021-41771 (ImportedSymbols in debug/macho (for Open or OpenFat) in Go befor - golang-1.15 <unfixed> [bullseye] - golang-1.15 <no-dsa> (Minor issue; will be fixed via point release) - golang-1.11 <removed> + [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <removed> - golang-1.7 <removed> [stretch] - golang-1.7 <no-dsa> (Minor issue; can be fixed with the next DLA) 
@@ -13730,6 +13734,8 @@ CVE-2021-40331 RESERVED CVE-2021-3756 (libmysofa is vulnerable to Heap-based Buffer Overflow ...) - libmysofa 1.2.1~dfsg0-1 + [bullseye] - libmysofa <no-dsa> (Minor issue) + [buster] - libmysofa <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/7ca8d9ea-e2a6-4294-af28-70260bb53bc1/ NOTE: https://github.com/hoene/libmysofa/commit/890400ebd092c574707d0c132124f8ff047e20e1 (v1.2.1) CVE-2021-3755 @@ -42499,7 +42505,6 @@ CVE-2021-28703 NOTE: https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=c65ea16dbcafbe4fe21693b18f8c2a3c5d14600e (4.14.0-rc1) CVE-2021-28702 (PCI devices with RMRRs not deassigned correctly Certain PCI devices in ...) - xen 4.14.3+32-g9de3671772-1 - [bullseye] - xen <postponed> (Minor issue, fix along with next DSA) [buster] - xen <not-affected> (Vulnerable code introduced later) [stretch] - xen <not-affected> (Vulnerable code introduced later) NOTE: https://xenbits.xen.org/xsa/advisory-386.html @@ -56328,6 +56333,7 @@ CVE-2021-22943 (A vulnerability found in UniFi Protect application V1.18.1 and e CVE-2021-22942 (A possible open redirect vulnerability in the Host Authorization middl ...) [experimental] - rails 2:6.1.4.1+dfsg-1 - rails <unfixed> (bug #992586) + [bullseye] - rails <no-dsa> (Minor issue) [buster] - rails <not-affected> (Vulnerable code not present) [stretch] - rails <not-affected> (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2021/08/20/1 
@@ -61686,6 +61692,7 @@ CVE-2021-21306 (Marked is an open-source markdown parser and compiler (npm packa NOTE: https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd CVE-2021-21305 (CarrierWave is an open-source RubyGem which provides a simple and flex ...) - ruby-carrierwave <unfixed> (bug #982551) + [buster] - ruby-carrierwave <no-dsa> (Minor issue) [stretch] - ruby-carrierwave <ignored> (No reverse dependencies) NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4 NOTE: https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7 @@ -61741,6 +61748,7 @@ CVE-2021-21289 (Mechanize is an open-source ruby library that makes automated we NOTE: Test warnings fixup: https://github.com/sparklemotion/mechanize/commit/5b30aed33cbac9825e8978f8e36dd221cbd4c093 (v2.7.7) CVE-2021-21288 (CarrierWave is an open-source RubyGem which provides a simple and flex ...) - ruby-carrierwave 1.3.2-1 (bug #982552) + [buster] - ruby-carrierwave <no-dsa> (Minor issue) [stretch] - ruby-carrierwave <ignored> (No reverse dependencies) NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5 NOTE: https://github.com/carrierwaveuploader/carrierwave/commit/012702eb3ba1663452aa025831caa304d1a665c0 ===================================== data/dsa-needed.txt ===================================== @@ -17,16 +17,15 @@ asterisk/oldstable condor -- chromium + inactive, removal from stable likely -- djvulibre -- faad2/oldstable (jmm) -- -firefox-esr +firefox-esr (jmm) Rust toolchain updates needed -- -gpac (jmm) --- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. 
@@ -43,6 +42,8 @@ openjdk-11/oldstable (jmm) -- puppetdb (jmm) -- +python-babel/oldstable (jmm) +-- python-pysaml2 (jmm) -- rabbitmq-server View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e85cbf2c82599c4ffcee262d85cf8345000131c You're receiving this email because of your account on salsa.debian.org.
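Review bot: in the data/CVE/list hunk at @@ -1125 (CVE-2021-44227), the new `[buster] - mailman <no-dsa> (Minor issue)` line sits directly under `- mailman <removed>`, so no fix can reach buster through an unstable upload, yet unlike the stretch line it does not say how the fix is expected to land. Suggest mirroring the wording already used elsewhere in this patch, e.g. `(Minor issue; will be fixed via point release)`, so the next triager knows the intended route and that the linked launchpadlibrarian patch is the candidate.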
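Review bot: in the hunk at @@ -9086 (CVE-2021-42260), tinyxml stays `<unfixed>` in unstable with only upstream bug and merge-request links, while the rails and ruby-carrierwave entries in this same patch carry a `(bug #NNNNNN)` reference on their `<unfixed>` line. If a Debian bug has been filed for tinyxml, referencing it here would keep the entry consistent and make the bullseye/buster no-dsa lines easier to follow up on.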
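Review bot: in the hunk at @@ -10306 (CVE-2021-41771), the added `[buster] - golang-1.11 <no-dsa> (Minor issue)` line is placed after `- golang-1.11 <removed>`, whereas the bullseye line two lines above reads `(Minor issue; will be fixed via point release)`. Since golang-1.11 is also removed from unstable, the buster annotation would be clearer with the same "will be fixed via point release" qualifier, or with a note that it is left to the point release only if someone picks it up.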
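Review bot: the hunk at @@ -42499 (CVE-2021-28702) drops `[bullseye] - xen <postponed> (Minor issue, fix along with next DSA)` without adding any replacement annotation, so the tracker will derive bullseye's status from the unstable fix version `4.14.3+32-g9de3671772-1`. That is only correct if bullseye already has a version at or above it; nothing in this patch shows that, so please confirm the corresponding DSA/point-release upload has landed, otherwise bullseye will be flagged as vulnerable again.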
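Review bot: in the hunks at @@ -61686 (CVE-2021-21305) and @@ -61741 (CVE-2021-21288), buster gets `<no-dsa> (Minor issue)` while the stretch line immediately below is `<ignored> (No reverse dependencies)`. If the reverse-dependency situation is the same in buster, the rationale should be stated either way; as written it is unclear whether buster is expected to receive a fix in a point release or is effectively in the same position as stretch. Note also that CVE-2021-21305 is still `<unfixed>` in unstable (bug #982551), so the buster line will stay open until that upload happens.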
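Review bot: in the data/dsa-needed.txt hunk at @@ -17, `gpac (jmm)` and its `--` separator are removed, but none of the data/CVE/list hunks in this commit touch gpac, so the removal cannot be cross-checked from the patch itself; please confirm the corresponding DSA was released before dropping it. Drive-by, in the unchanged linux context line: "regulary" should read "regularly".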
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits