Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: aa7970c6 by Moritz Muehlenhoff at 2021-01-22T19:36:44+01:00 buster triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -1411,8 +1411,11 @@ CVE-2021-3177 (Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in - python3.9 3.9.1-3 - python3.8 <unfixed> - python3.7 <removed> + [buster] - python3.7 <no-dsa> (Minor issue) - python3.5 <removed> - python2.7 <unfixed> + [bullseye] - python2.7 <ignored> (Python 2 not covered by security support) + [buster] - python2.7 <no-dsa> (Minor issue) NOTE: https://bugs.python.org/issue42938 NOTE: https://github.com/python/cpython/pull/24239 NOTE: https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html 
@@ -10601,15 +10604,18 @@ CVE-2020-35682 CVE-2020-35681 [Potential leakage of session identifiers using legacy AsgiHandler] RESERVED - python-django-channels 3.0.3-1 (bug #979376) + [buster] - python-django-channels <no-dsa> (Minor issue) NOTE: https://channels.readthedocs.io/en/latest/releases/3.0.3.html NOTE: https://github.com/django/channels/commit/e85874d9630474986a6937430eac52db79a2a022 (3.0.3) CVE-2020-35680 (smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain configurati ...) - opensmtpd 6.8.0p2-1 (bug #978039) + [buster] - opensmtpd <no-dsa> (Minor issue) [stretch] - opensmtpd <not-affected> (new filter grammar support added in ec69ed85b6c) NOTE: https://github.com/openbsd/src/commit/6c3220444ed06b5796dedfd53a0f4becd903c0d1 NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html CVE-2020-35679 (smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain regfree, whi ...) - opensmtpd 6.8.0p2-1 (bug #978038) + [buster] - opensmtpd <no-dsa> (Minor issue) [stretch] - opensmtpd <not-affected> (regex table supported added > 6.4.0 according to CHANGES.md) NOTE: https://github.com/openbsd/src/commit/79a034b4aed29e965f45a13409268290c9910043 NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html 
@@ -20358,10 +20364,12 @@ CVE-2021-1054 (NVIDIA GPU Display Driver for Windows, all versions, contains a v NOT-FOR-US: NVIDIA Windows drivers CVE-2021-1053 (NVIDIA GPU Display Driver for Windows and Linux, all versions, contain ...) - nvidia-graphics-drivers 460.32.03-1 (bug #979670) + [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) [stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) - nvidia-graphics-drivers-tesla-450 <unfixed> (bug #979675) CVE-2021-1052 (NVIDIA GPU Display Driver for Windows and Linux, all versions, contain ...) - nvidia-graphics-drivers 460.32.03-1 (bug #979670) + [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) [stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported) - nvidia-graphics-drivers-tesla-450 <unfixed> (bug #979675) CVE-2021-1051 (NVIDIA GPU Display Driver for Windows, all versions, contains a vulner ...) 
@@ -48082,15 +48090,18 @@ CVE-2020-16590 (A double free vulnerability exists in the Binary File Descriptor CVE-2020-16589 (A head-based buffer overflow exists in Academy Software Foundation Ope ...) {DLA-2491-1} - openexr 2.5.3-2 + [buster] - openexr <no-dsa> (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/6bb36714528a9563dd3b92720c5063a1284b86f8 (v2.4.0-beta.1) NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/494 CVE-2020-16588 (A Null Pointer Deference issue exists in Academy Software Foundation O ...) {DLA-2491-1} - openexr 2.5.3-2 + [buster] - openexr <no-dsa> (Minor issue) NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/74504503cff86e986bac441213c403b0ba28d58f (v2.4.0-beta.1) NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/493 CVE-2020-16587 (A heap-based buffer overflow vulnerability exists in Academy Software ...) - openexr 2.5.3-2 + [buster] - openexr <no-dsa> (Minor issue) [stretch] - openexr <not-affected> (Vulnerable code not present, part number range checking added later) NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/8b5370c688a7362673c3a5256d93695617a4cd9a (v2.4.0-beta.1) NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/491 @@ -51651,6 +51662,7 @@ CVE-2020-15217 (In GLPI before version 9.5.2, there is a leakage of user informa - glpi <removed> CVE-2020-15216 (In goxmldsig (XML Digital Signatures implemented in pure Go) before ve ...) - golang-github-russellhaering-goxmldsig 1.1.0-1 (bug #971615) + [buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue) NOTE: https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7 NOTE: https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64 CVE-2020-15215 (Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 is vuln ...) 
@@ -55267,7 +55279,6 @@ CVE-2020-13944 (In Apache Airflow < 1.10.12, the "origin" parameter passed to CVE-2020-13943 (If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7 ...) {DLA-2407-1} - tomcat9 9.0.38-1 - [buster] - tomcat9 <no-dsa> (Minor issue) - tomcat8 <removed> NOTE: https://github.com/apache/tomcat/commit/55911430df13f8c9998fbdee1f9716994d2db59b (9.0.38) NOTE: https://github.com/apache/tomcat/commit/9d7def063b47407a09a2f9202beed99f4dcb292a (8.5.58) @@ -71721,6 +71732,7 @@ CVE-2020-8112 (opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 th - openjpeg2 <unfixed> (bug #950184) [buster] - openjpeg2 <no-dsa> (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1231 + NOTE: https://github.com/rouault/openjpeg/commit/05f9b91e60debda0e83977e5e63b2e66486f7074 CVE-2020-8111 RESERVED CVE-2020-8110 (A vulnerability has been discovered in the ceva_emu.cvd module that re ...) @@ -72607,6 +72619,7 @@ CVE-2020-7794 (This affects all versions of package buns. The injection point is TODO: check CVE-2020-7793 (The package ua-parser-js before 0.7.23 are vulnerable to Regular Expre ...) - node-ua-parser-js 0.7.23+ds-1 + [buster] - node-ua-parser-js <no-dsa> (Minor issue) NOTE: https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599 NOTE: https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18 (0.7.23) CVE-2020-7792 (This affects all versions of package mout. The deepFillIn function can ...) @@ -166727,6 +166740,7 @@ CVE-2018-12984 (Hycus CMS 1.0.4 allows Authentication Bypass via "'=' 'OR'" cred NOT-FOR-US: Hycus CMS CVE-2018-12983 (A stack-based buffer over-read in the PdfEncryptMD5Base::ComputeEncryp ...) - libpodofo <unfixed> (low; bug #916580) + [bullseye] - libpodofo <no-dsa> (Minor issue) [buster] - libpodofo <no-dsa> (Minor issue) [stretch] - libpodofo <no-dsa> (Minor issue) [jessie] - libpodofo <no-dsa> (Minor issue) 
@@ -181983,6 +181997,7 @@ CVE-2018-1000098 (Teluu PJSIP version 2.7.1 and earlier contains a Integer Overf NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, STUN and TURN) CVE-2018-1000101 (Mingw-w64 version 5.0.3 and earlier contains an Improper Null Terminat ...) - mingw-w64 <unfixed> (low; bug #897196) + [bullseye] - mingw-w64 <ignored> (Minor issue) [buster] - mingw-w64 <ignored> (Minor issue) [stretch] - mingw-w64 <ignored> (Minor issue) [jessie] - mingw-w64 <ignored> (Minor issue) ===================================== data/dsa-needed.txt ===================================== @@ -35,6 +35,8 @@ netty -- openvswitch (jmm) -- +python-pysaml2 +-- salt (carnil) -- slurm-llnl (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa7970c64a0024432d58f725d9d63f2792a79193 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa7970c64a0024432d58f725d9d63f2792a79193 You're receiving this email because of your account on salsa.debian.org.
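Review bot: in the @@ -1411 hunk the two new python2.7 annotations give different reasons, `<ignored> (Python 2 not covered by security support)` for bullseye and `<no-dsa> (Minor issue)` for buster. If python2.7 in buster is likewise outside security support, the same reason belongs on the buster line; if it is supported and the issue is judged minor, the rationale should say why a buffer overflow in PyCArg_repr is minor (the conditions under which it is reachable, as described in the linked python-security page), so a later triager does not reopen the assessment. The NOTE for the cpython pull request could also carry the fixed version in parentheses once it is released, matching the `(3.0.3)` and `(9.0.38)` style used elsewhere in this file.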
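Review bot: the `[buster] - opensmtpd <no-dsa> (Minor issue)` lines added in @@ -10601 for CVE-2020-35680 and CVE-2020-35679 should be checked against the stretch rationale directly below them, which marks stretch `<not-affected>` because the filter grammar (ec69ed85b6c) and regex table support arrived after 6.4.0. If buster's opensmtpd also predates those commits, `<not-affected>` with the same reasoning is the precise tag and a no-dsa entry would advertise an issue buster does not have; if buster does ship that code, a short NOTE saying so would explain why the two suites are assessed differently. Drive-by on the unchanged context line: "regex table supported added" should read "regex table support added".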
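Review bot: in @@ -20358, nvidia-graphics-drivers gets `<no-dsa> (Non-free not supported)` for buster and stretch on CVE-2021-1053 and CVE-2021-1052, while nvidia-graphics-drivers-tesla-450, listed immediately below as `<unfixed> (bug #979675)`, receives no suite annotation at all. If tesla-450 is present in buster the same no-dsa line applies for the same reason; if it only exists in unstable nothing is needed, but treating both non-free driver packages the same way within one hunk avoids the tracker showing tesla-450 as if a DSA were pending.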
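Review bot: the `[buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue)` line in @@ -51651 would be more useful if the rationale named the reverse dependencies the assessment rests on. Go libraries are statically linked into the binaries that consume them, so fixing the library source package alone changes nothing for already-built consumers; for a signature-validation library the entry should record which packages in buster (if any) embed goxmldsig and whether they exercise the affected code, so that "Minor issue" can be verified rather than taken on trust.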
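Review bot: the @@ -55267 hunk removes `[buster] - tomcat9 <no-dsa> (Minor issue)` for CVE-2020-13943 without recording what replaces it. Dropping the no-dsa marker means buster tomcat9 is now shown as needing an update, so the intended route (a DSA, or a fix via point release) should be noted, since the `{DLA-2407-1}` reference only covers stretch's tomcat8; alternatively a NOTE line stating why the earlier "Minor issue" assessment was withdrawn would let a reader follow the change of mind.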
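Review bot: the new `NOTE: https://github.com/rouault/openjpeg/commit/05f9b91e...` in @@ -71721 points at a commit in a personal fork rather than in uclouvain/openjpeg, unlike the other NOTE links in this file, which cite upstream commits and, where known, the release that carries them (e.g. `(v2.4.0-beta.1)`). Mark it as a proposed or out-of-tree fix, or swap in the upstream commit URL once it is merged, so that nobody mistakes an unmerged patch for the upstream fix for CVE-2020-8112 when backporting to buster.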