Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: caf8187f by Moritz Muehlenhoff at 2022-07-11T19:54:35+02:00 libbpf fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== 
@@ -39666,15 +39666,23 @@ CVE-2021-45942 (OpenEXR 3.1.x before 3.1.4 has a heap-based buffer overflow in I NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1209 NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/11cad77da87c4fa2aab7d58dd5339e254db7937e CVE-2021-45941 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 bytes) in _ ...) - - libbpf <unfixed> + - libbpf 0.7.0-2 + [bullseye] - libbpf <postponed> (No actionable information, revisit when/if more details available) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1576.yaml - TODO: check details on fixing commit upstream, furthermore intorducing commit is only when oss-fuzz started + NOTE: Fixed in 0.7.0 upstream per identified range of commits + NOTE: It's unclear if 0.3 is affected, the introducing commit presented by oss-fuzz is misleading + NOTE: since that refers to the first version when oss-fuzz started to test libbpf. If anyone confirms + NOTE: via bisecting that 0.3.0 is affected, this can be revisited CVE-2021-45940 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (4 bytes) in _ ...) - - libbpf <unfixed> + - libbpf 0.7.0-2 + [bullseye] - libbpf <postponed> (No actionable information, revisit when/if more details available) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1562.yaml - TODO: check details on fixing commit upstream, furthermore intorducing commit is only when oss-fuzz started + NOTE: Fixed in 0.7.0 upstream per identified range of commits + NOTE: It's unclear if 0.3 is affected, the introducing commit presented by oss-fuzz is misleading + NOTE: since that refers to the first version when oss-fuzz started to test libbpf. 
If anyone confirms + NOTE: via bisecting that 0.3.0 is affected, this can be revisited CVE-2021-45939 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...) NOT-FOR-US: uWebSockets CVE-2021-45938 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in MqttClient_De ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caf8187f8a7db3d457c1caf4785be7ae0d8bf908
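Review bot: The added NOTE "Fixed in 0.7.0 upstream per identified range of commits", under both CVE-2021-45941 and CVE-2021-45940, does not record the range itself. Suggest adding a NOTE line with the upstream commit URLs or the range in each entry, so the claim can be checked and so the [bullseye] <postponed> lines, whose stated reason is "No actionable information", have something concrete for anyone bisecting 0.3.0 to start from. The notes also say fixed in 0.7.0 upstream while the package line records 0.7.0-2; a short NOTE on why the -2 revision is the first fixed upload would remove the question. Minor: the new notes switch between "0.3" and "0.3.0"; using one form in both entries keeps them consistent and searchable.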