[Git][security-tracker-team/security-tracker][master] CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090, libcommons-compress-java

2021-10-02 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a7b197cf by Markus Koschany at 2021-10-02T20:24:14+02:00
CVE-2021-35515,CVE-2021-35516,CVE-2021-35517,CVE-2021-36090,libcommons-compress-java

Add fixing commits. I have tried to contact the Apache Commons security team
but I have not received any feedback yet. The information about the security
fixes has been removed from

https://commons.apache.org/proper/commons-compress/security-reports.html

and there is a bug report for it already.

https://issues.apache.org/jira/browse/COMPRESS-586

However, using the Wayback Machine I could find the removed information and
use it now as documentation for the security tracker.

https://web.archive.org/web/20210713041119/https://commons.apache.org/proper/commons-compress/security-reports.html

The changes are rather intrusive. A targeted backport would require some
serious effort. Alternatively, we could also backport the new upstream release 1.21.
Apache Commons releases are very stable according to Emmanuel Bourg who is also
a committer for commons-compress. Since the vulnerabilities are of low severity
it is also acceptable to mark them as no-dsa.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13387,6 +13387,8 @@ CVE-2021-36090 (When reading a specially crafted ZIP 
archive, Compress can be ma
[buster] - libcommons-compress-java  (Minor issue)
[stretch] - libcommons-compress-java  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/4
+   NOTE: 
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=ef5d70b625000e38404194aaab311b771c44efda
+   NOTE: 
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=80124dd9fe4b0a0b2e203ca19aacac8cd0afc96f
 CVE-2020-36416 (A stored cross scripting (XSS) vulnerability in CMS Made 
Simple 2.2.14 ...)
NOT-FOR-US: CMS Made Simple
 CVE-2020-36415 (A stored cross scripting (XSS) vulnerability in CMS Made 
Simple 2.2.14 ...)
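Review bot: the two commit references added under CVE-2021-36090 are bare `NOTE: <url>` lines, while the equivalent reference for CVE-2021-35515 in the second hunk of this commit reads `NOTE: Fixed by <url>`; use one form, preferably `NOTE: Fixed by ...`, so the tracker records these as the fixing commits and not as general background links. The second hash, 80124dd9fe4b0a0b2e203ca19aacac8cd0afc96f, also appears in the CVE-2021-35517 list; a short annotation such as `(shared with CVE-2021-35517)` would spare the next reader from checking whether the repeated hash is a paste error.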
@@ -14736,18 +14738,29 @@ CVE-2021-35517 (When reading a specially crafted TAR 
archive, Compress can be ma
[buster] - libcommons-compress-java  (Minor issue)
[stretch] - libcommons-compress-java  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/3
+   NOTE: 
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=d0af873e77d16f41edfef7b69da5c8c35c96a650
+   NOTE: 
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=7ce1b0796d6cbe1f41b969583bd49f33ae0efef0
+   NOTE: 
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=80124dd9fe4b0a0b2e203ca19aacac8cd0afc96f
 CVE-2021-35516 (When reading a specially crafted 7Z archive, Compress can be 
made to a ...)
- libcommons-compress-java 1.21-1 (bug #991041)
[bullseye] - libcommons-compress-java  (Minor issue)
[buster] - libcommons-compress-java  (Minor issue)
[stretch] - libcommons-compress-java  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/2
+   NOTE: 
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=26924e96c7730db014c310757e11c9359db07f3e
+   NOTE: 
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=c51de6cfaec75b21566374158f25e1734c3a94cb
+   NOTE: 
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=0aba8b8fd8053ae323f15d736d1762b2161c76a6
+   NOTE: 
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=60d551a748236d7f4651a4ae88d5a351f7c5754b
+   NOTE: 
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=bf5a5346ae04b9d2a5b0356ca75f11dcc8d94789
+   NOTE: 
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=5761493cbaf7a7d608a3b68f4d61aaa822dbeb4f
+   NOTE: 
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=ae2b27cc011f47f0289cb24a11f2d4f1db711f8a
 CVE-2021-35515 (When reading a specially crafted 7Z archive, the construction 
of the l ...)
- libcommons-compress-java 1.21-1 (bug #991041)
[bullseye] - libcommons-compress-java  (Minor issue)
[buster] - libcommons-compress-java  (Minor issue)
[stretch] - libcommons-compress-java  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/1
+   NOTE: Fixed by 
https://gitbox.apache.org/repos/asf?p=commons-compress.git;a=commit;h=3fe6b42110dc56d0d6fe0aaf80cfecb8feea5321
 CVE-2021-35514 (Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection 
via the t ...)
NOT-FOR-US: Narou
 CVE-2021-35513 (Mermaid before 8.11.0 allows XSS when the antiscript feature 
is used. ...)
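Review bot: the commit lists in this hunk are inconsistent in form and in information content: CVE-2021-35515 gets a single `NOTE: Fixed by <url>`, whereas CVE-2021-35517 (three commits) and CVE-2021-35516 (seven commits) get bare `NOTE: <url>` lines with nothing saying which commit is the actual fix and which are follow-ups or test changes. Since the commit message describes the changes as "rather intrusive" and weighs a targeted backport against backporting 1.21, marking the primary fix in each list (e.g. `NOTE: Fixed by <url>` on the first entry, `NOTE: Follow-up: <url>` on the rest) would make that backport decision reviewable from the tracker alone. The `- libcommons-compress-java 1.21-1 (bug #991041)` lines and the per-suite `(Minor issue)` lines are left as they were, which is consistent with the no-dsa conclusion stated in the commit message.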



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7b197cfe7c6f5e331a9aec3e9d44f163ce54734


[Git][security-tracker-team/security-tracker][master] CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090

2021-07-13 Thread Henri Salo (@hsalo-guest)


Henri Salo pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8015d59e by Henri Salo at 2021-07-13T10:46:51+03:00
CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1310,6 +1310,8 @@ CVE-2021-3632
NOT-FOR-US: Keycloak
 CVE-2021-36090
RESERVED
+   - libcommons-compress-java 
+   NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/4
 CVE-2020-36416 (A stored cross scripting (XSS) vulnerability in CMS Made 
Simple 2.2.14 ...)
NOT-FOR-US: CMS Made Simple
 CVE-2020-36415 (A stored cross scripting (XSS) vulnerability in CMS Made 
Simple 2.2.14 ...)
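Review bot: the new `- libcommons-compress-java ` line under CVE-2021-36090 carries trailing whitespace and has neither a fixed version nor a Debian bug reference; strip the trailing space and, once a bug is filed against the package, add `(bug #NNNNNN)` so the open state is tied to a BTS entry rather than only to the oss-security post in the NOTE. The entry description is still `RESERVED`, so it will need to be refreshed once the CVE text is published.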
@@ -2640,10 +2642,16 @@ CVE-2021-35518
RESERVED
 CVE-2021-35517
RESERVED
+   - libcommons-compress-java 
+   NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/3
 CVE-2021-35516
RESERVED
+   - libcommons-compress-java 
+   NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/2
 CVE-2021-35515
RESERVED
+   - libcommons-compress-java 
+   NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/1
 CVE-2021-35514 (Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection 
via the t ...)
NOT-FOR-US: Narou
 CVE-2021-35513 (Mermaid before 8.11.0 allows XSS when the antiscript feature 
is used. ...)
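Review bot: each of the three `- libcommons-compress-java ` lines added under CVE-2021-35515, CVE-2021-35516 and CVE-2021-35517 ends in a trailing space and gives no fixed version or Debian bug number; trim the whitespace and attach a `(bug #NNNNNN)` reference when one exists, so the unfixed status can be followed from the tracker to the BTS. The oss-security links are correctly matched to their IDs (/1 for 35515, /2 for 35516, /3 for 35517), and all three descriptions remain `RESERVED` and will need updating when the CVE text is published.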



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8015d59e114d9e9e59677fa98c3dddfe65b00ed2



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits