Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
caf8187f by Moritz Muehlenhoff at 2022-07-11T19:54:35+02:00
libbpf fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -39666,15 +39666,23 @@ CVE-2021-45942 (OpenEXR 3.1.x before 3.1.4 has a 
heap-based buffer overflow in I
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/1209
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/11cad77da87c4fa2aab7d58dd5339e254db7937e
 CVE-2021-45941 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (8 
bytes) in _ ...)
-       - libbpf <unfixed>
+       - libbpf 0.7.0-2
+       [bullseye] - libbpf <postponed> (No actionable information, revisit 
when/if more details available)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
        NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1576.yaml
-       TODO: check details on fixing commit upstream, furthermore intorducing 
commit is only when oss-fuzz started
+       NOTE: Fixed in 0.7.0 upstream per identified range of commits
+       NOTE: It's unclear if 0.3 is affected, the introducing commit presented 
by oss-fuzz is misleading
+       NOTE: since that refers to the first version when oss-fuzz started to 
test libbpf. If anyone confirms
+       NOTE: via bisecting that 0.3.0 is affected, this can be revisited
 CVE-2021-45940 (libbpf 0.6.0 and 0.6.1 has a heap-based buffer overflow (4 
bytes) in _ ...)
-       - libbpf <unfixed>
+       - libbpf 0.7.0-2
+       [bullseye] - libbpf <postponed> (No actionable information, revisit 
when/if more details available)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868
        NOTE: 
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/libbpf/OSV-2021-1562.yaml
-       TODO: check details on fixing commit upstream, furthermore intorducing 
commit is only when oss-fuzz started
+       NOTE: Fixed in 0.7.0 upstream per identified range of commits
+       NOTE: It's unclear if 0.3 is affected, the introducing commit presented 
by oss-fuzz is misleading
+       NOTE: since that refers to the first version when oss-fuzz started to 
test libbpf. If anyone confirms
+       NOTE: via bisecting that 0.3.0 is affected, this can be revisited
 CVE-2021-45939 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in 
MqttClient_De ...)
        NOT-FOR-US: uWebSockets
 CVE-2021-45938 (wolfSSL wolfMQTT 1.9 has a heap-based buffer overflow in 
MqttClient_De ...)
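Review bot: The new "Fixed in 0.7.0 upstream per identified range of commits" NOTE for both CVE-2021-45941 and CVE-2021-45940 does not record which commits that range is, so the bullseye `<postponed>` rationale ("No actionable information") cannot be re-checked later without redoing the analysis; add a NOTE with the upstream commit URL(s), as the CVE-2021-45942 entry just above does, or at least the OSV-reported fixed range. The 0.3 question is also internally inconsistent in naming ("It's unclear if 0.3 is affected" vs. "bisecting that 0.3.0 is affected"); use one form so a later bisect result can be matched to the right version unambiguously.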



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/caf8187f8a7db3d457c1caf4785be7ae0d8bf908



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
