Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
aa7970c6 by Moritz Muehlenhoff at 2021-01-22T19:36:44+01:00
buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1411,8 +1411,11 @@ CVE-2021-3177 (Python 3.x through 3.9.1 has a buffer 
overflow in PyCArg_repr in
        - python3.9 3.9.1-3
        - python3.8 <unfixed>
        - python3.7 <removed>
+       [buster] - python3.7 <no-dsa> (Minor issue)
        - python3.5 <removed>
        - python2.7 <unfixed>
+       [bullseye] - python2.7 <ignored> (Python 2 not covered by security 
support)
+       [buster] - python2.7 <no-dsa> (Minor issue)
        NOTE: https://bugs.python.org/issue42938
        NOTE: https://github.com/python/cpython/pull/24239
        NOTE: 
https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html
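Review bot: the two new "(Minor issue)" tags for buster (python3.7 and python2.7) carry no rationale NOTE, while the bullseye python2.7 line gets an explicit one ("Python 2 not covered by security support"). Since python3.8 is still <unfixed> and will need the same triage call for bullseye, record why this PyCArg_repr overflow is considered minor (for example, that it needs an attacker-controlled value to reach the ctypes repr) as a NOTE: line under the entry so the next triager does not have to re-derive it from the three references.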
@@ -10601,15 +10604,18 @@ CVE-2020-35682
 CVE-2020-35681 [Potential leakage of session identifiers using legacy 
AsgiHandler]
        RESERVED
        - python-django-channels 3.0.3-1 (bug #979376)
+       [buster] - python-django-channels <no-dsa> (Minor issue)
        NOTE: https://channels.readthedocs.io/en/latest/releases/3.0.3.html
        NOTE: 
https://github.com/django/channels/commit/e85874d9630474986a6937430eac52db79a2a022
 (3.0.3)
 CVE-2020-35680 (smtpd/lka_filter.c in OpenSMTPD before 6.8.0p1, in certain 
configurati ...)
        - opensmtpd 6.8.0p2-1 (bug #978039)
+       [buster] - opensmtpd <no-dsa> (Minor issue)
        [stretch] - opensmtpd <not-affected> (new filter grammar support added 
in ec69ed85b6c)
        NOTE: 
https://github.com/openbsd/src/commit/6c3220444ed06b5796dedfd53a0f4becd903c0d1
        NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html
 CVE-2020-35679 (smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain 
regfree, whi ...)
        - opensmtpd 6.8.0p2-1 (bug #978038)
+       [buster] - opensmtpd <no-dsa> (Minor issue)
        [stretch] - opensmtpd <not-affected> (regex table supported added > 
6.4.0 according to CHANGES.md)
        NOTE: 
https://github.com/openbsd/src/commit/79a034b4aed29e965f45a13409268290c9910043
        NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html
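Review bot: the CVE-2020-35680 entry marks stretch <not-affected> because the filter grammar only exists from ec69ed85b6c, which implies buster does ship the affected filter code; the new "[buster] - opensmtpd <no-dsa> (Minor issue)" therefore rests on the "in certain configurations" qualifier in the description, and a NOTE naming which (non-default) configuration triggers it would make the no-dsa decision checkable. Drive-by on the unchanged CVE-2020-35679 context line: "regex table supported added" should read "regex table support added".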
@@ -20358,10 +20364,12 @@ CVE-2021-1054 (NVIDIA GPU Display Driver for Windows, 
all versions, contains a v
        NOT-FOR-US: NVIDIA Windows drivers
 CVE-2021-1053 (NVIDIA GPU Display Driver for Windows and Linux, all versions, 
contain ...)
        - nvidia-graphics-drivers 460.32.03-1 (bug #979670)
+       [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
        [stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
        - nvidia-graphics-drivers-tesla-450 <unfixed> (bug #979675)
 CVE-2021-1052 (NVIDIA GPU Display Driver for Windows and Linux, all versions, 
contain ...)
        - nvidia-graphics-drivers 460.32.03-1 (bug #979670)
+       [buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
        [stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
        - nvidia-graphics-drivers-tesla-450 <unfixed> (bug #979675)
 CVE-2021-1051 (NVIDIA GPU Display Driver for Windows, all versions, contains a 
vulner ...)
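Review bot: in both CVE-2021-1053 and CVE-2021-1052 the "nvidia-graphics-drivers-tesla-450 <unfixed> (bug #979675)" line gets no [buster] annotation, while nvidia-graphics-drivers now has "[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)" next to the existing stretch tag. If tesla-450 is not present in buster the tracker will not show it there anyway; if it is, it should carry the same "Non-free not supported" tag, since the rationale is about the non-free section rather than the specific source package.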
@@ -48082,15 +48090,18 @@ CVE-2020-16590 (A double free vulnerability exists in 
the Binary File Descriptor
 CVE-2020-16589 (A head-based buffer overflow exists in Academy Software 
Foundation Ope ...)
        {DLA-2491-1}
        - openexr 2.5.3-2
+       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/6bb36714528a9563dd3b92720c5063a1284b86f8
 (v2.4.0-beta.1)
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/494
 CVE-2020-16588 (A Null Pointer Deference issue exists in Academy Software 
Foundation O ...)
        {DLA-2491-1}
        - openexr 2.5.3-2
+       [buster] - openexr <no-dsa> (Minor issue)
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/74504503cff86e986bac441213c403b0ba28d58f
 (v2.4.0-beta.1)
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/493
 CVE-2020-16587 (A heap-based buffer overflow vulnerability exists in Academy 
Software  ...)
        - openexr 2.5.3-2
+       [buster] - openexr <no-dsa> (Minor issue)
        [stretch] - openexr <not-affected> (Vulnerable code not present, part 
number range checking added later)
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/8b5370c688a7362673c3a5256d93695617a4cd9a
 (v2.4.0-beta.1)
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/issues/491
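Review bot: CVE-2020-16589 and CVE-2020-16588 already have {DLA-2491-1}, meaning stretch LTS shipped a fix for these OpenEXR memory-safety bugs, yet buster now gets "<no-dsa> (Minor issue)" for the same issues, so the release that is newer and fully supported ends up less patched than stretch. That asymmetry deserves either a NOTE stating the plan (e.g. fix in a buster point release) or a different tag than a bare "Minor issue". The CVE-2020-16587 case is cleaner, since stretch is <not-affected> there.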
@@ -51651,6 +51662,7 @@ CVE-2020-15217 (In GLPI before version 9.5.2, there is 
a leakage of user informa
        - glpi <removed>
 CVE-2020-15216 (In goxmldsig (XML Digital Signatures implemented in pure Go) 
before ve ...)
        - golang-github-russellhaering-goxmldsig 1.1.0-1 (bug #971615)
+       [buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue)
        NOTE: 
https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-q547-gmf8-8jr7
        NOTE: 
https://github.com/russellhaering/goxmldsig/commit/f6188febf0c29d7ffe26a0436212b19cb9615e64
 CVE-2020-15215 (Electron before versions 11.0.0-beta.6, 10.1.2, 9.3.1 or 8.5.2 
is vuln ...)
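Review bot: CVE-2020-15216 is tracked via a GitHub security advisory for goxmldsig, a Go XML Digital Signatures library, and the added "[buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue)" gives no reason. For a Go library the relevant question is which buster binaries were built against it, because a library-only update does not change already-built reverse dependencies; if the decision is that no buster binary links this code (or that the affected code path is unused), say so in the tag or a NOTE rather than "Minor issue".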
@@ -55267,7 +55279,6 @@ CVE-2020-13944 (In Apache Airflow &lt; 1.10.12, the 
"origin" parameter passed to
 CVE-2020-13943 (If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 
10.0.0-M7 ...)
        {DLA-2407-1}
        - tomcat9 9.0.38-1
-       [buster] - tomcat9 <no-dsa> (Minor issue)
        - tomcat8 <removed>
        NOTE: 
https://github.com/apache/tomcat/commit/55911430df13f8c9998fbdee1f9716994d2db59b
 (9.0.38)
        NOTE: 
https://github.com/apache/tomcat/commit/9d7def063b47407a09a2f9202beed99f4dcb292a
 (8.5.58)
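Review bot: removing "[buster] - tomcat9 <no-dsa> (Minor issue)" for CVE-2020-13943 without adding a fixed buster version or another tag flips buster from "deliberately deferred" to "open and unresolved" in the tracker. If this means a DSA is now planned, the same commit should add tomcat9 to data/dsa-needed.txt, but the dsa-needed.txt hunk below only adds python-pysaml2; if the tag was removed because a buster update already shipped, the fixed version should be recorded instead.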
@@ -71721,6 +71732,7 @@ CVE-2020-8112 (opj_t1_clbl_decode_processor in 
openjp2/t1.c in OpenJPEG 2.3.1 th
        - openjpeg2 <unfixed> (bug #950184)
        [buster] - openjpeg2 <no-dsa> (Minor issue)
        NOTE: https://github.com/uclouvain/openjpeg/issues/1231
+       NOTE: 
https://github.com/rouault/openjpeg/commit/05f9b91e60debda0e83977e5e63b2e66486f7074
 CVE-2020-8111
        RESERVED
 CVE-2020-8110 (A vulnerability has been discovered in the ceva_emu.cvd module 
that re ...)
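Review bot: the new NOTE points at a commit in the rouault/openjpeg fork rather than in uclouvain/openjpeg, while the entry stays "openjpeg2 <unfixed>". Add whether that commit was merged upstream (the upstream commit or PR reference) so the tracker can pin a fixed upstream version; a fork commit alone does not tell the reader which openjpeg2 upload will close bug #950184.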
@@ -72607,6 +72619,7 @@ CVE-2020-7794 (This affects all versions of package 
buns. The injection point is
        TODO: check
 CVE-2020-7793 (The package ua-parser-js before 0.7.23 are vulnerable to 
Regular Expre ...)
        - node-ua-parser-js 0.7.23+ds-1
+       [buster] - node-ua-parser-js <no-dsa> (Minor issue)
        NOTE: https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599
        NOTE: 
https://github.com/faisalman/ua-parser-js/commit/6d1f26df051ba681463ef109d36c9cf0f7e32b18
 (0.7.23)
 CVE-2020-7792 (This affects all versions of package mout. The deepFillIn 
function can ...)
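Review bot: "[buster] - node-ua-parser-js <no-dsa> (Minor issue)" for a ReDoS is consistent with how other regex-DoS issues are handled, but the entry would be easier to audit if the tag said so ("ReDoS" or similar) instead of the generic "Minor issue", given the Snyk reference and the fixing commit annotated "(0.7.23)" are the only context.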
@@ -166727,6 +166740,7 @@ CVE-2018-12984 (Hycus CMS 1.0.4 allows Authentication 
Bypass via "'=' 'OR'" cred
        NOT-FOR-US: Hycus CMS
 CVE-2018-12983 (A stack-based buffer over-read in the 
PdfEncryptMD5Base::ComputeEncryp ...)
        - libpodofo <unfixed> (low; bug #916580)
+       [bullseye] - libpodofo <no-dsa> (Minor issue)
        [buster] - libpodofo <no-dsa> (Minor issue)
        [stretch] - libpodofo <no-dsa> (Minor issue)
        [jessie] - libpodofo <no-dsa> (Minor issue)
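Review bot: CVE-2018-12983 now carries "<no-dsa> (Minor issue)" for bullseye, buster, stretch and jessie while the package itself stays "<unfixed> (low; bug #916580)". With no fix in unstable since 2018, a no-dsa on bullseye (the release about to freeze) effectively means it ships unfixed; if there is no intention to fix it, <ignored> describes that more accurately than no-dsa, which signals a possible later point-release fix.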
@@ -181983,6 +181997,7 @@ CVE-2018-1000098 (Teluu PJSIP version 2.7.1 and 
earlier contains a Integer Overf
        NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, 
STUN and TURN)
 CVE-2018-1000101 (Mingw-w64 version 5.0.3 and earlier contains an Improper 
Null Terminat ...)
        - mingw-w64 <unfixed> (low; bug #897196)
+       [bullseye] - mingw-w64 <ignored> (Minor issue)
        [buster] - mingw-w64 <ignored> (Minor issue)
        [stretch] - mingw-w64 <ignored> (Minor issue)
        [jessie] - mingw-w64 <ignored> (Minor issue)
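Review bot: adding "[bullseye] - mingw-w64 <ignored> (Minor issue)" while mingw-w64 is still "<unfixed>" in unstable means the issue is being written off for the next stable before release. Since a fix uploaded to unstable would still migrate to bullseye at this point, it is worth recording in the tag or a NOTE why an upstream fix is not being pursued (bug #897196 is marked low but is open).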


=====================================
data/dsa-needed.txt
=====================================
@@ -35,6 +35,8 @@ netty
 --
 openvswitch (jmm)
 --
+python-pysaml2
+--
 salt (carnil)
 --
 slurm-llnl (jmm)
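Review bot: python-pysaml2 is added to dsa-needed.txt without an assignee (the neighbours carry "(jmm)" / "(carnil)") and without a comment naming the CVE it is for, and nothing in the data/CVE/list part of this commit touches python-pysaml2, so the entry cannot be cross-checked from this change alone. A one-line comment under it with the CVE id would let the next reader match it to the tracker entry.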



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa7970c64a0024432d58f725d9d63f2792a79193



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits