Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 1e1271cf by Moritz Muehlenhoff at 2021-03-04T11:29:46+01:00 final polishing - - - - - 2 changed files: - data/CVE/list - doc/security-team.d.o/triage Changes: ===================================== data/CVE/list ===================================== @@ -11,7 +11,7 @@ CVE-2021-27942 CVE-2021-27941 RESERVED CVE-2021-27940 (resources/public/js/orchestrator.js in openark orchestrator before 3.2 ...) - TODO: check + NOT-FOR-US: openark CVE-2021-27939 RESERVED CVE-2021-27938 @@ -4659,7 +4659,7 @@ CVE-2021-25916 CVE-2021-25915 RESERVED CVE-2021-25914 (Prototype pollution vulnerability in 'object-collider' versions 1.0.0 ...) - TODO: check + NOT-FOR-US: object-collider CVE-2021-25913 (Prototype pollution vulnerability in 'set-or-get' version 1.0.0 throug ...) NOT-FOR-US: Node set-or-get CVE-2021-25912 (Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0. ...) @@ -6327,6 +6327,7 @@ CVE-2021-25290 CVE-2021-25289 RESERVED - pillow 8.1.1-1 + [buster] - pillow <not-affected> (Vulnerable code not present) NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html CVE-2021-25288 RESERVED @@ -10475,7 +10476,7 @@ CVE-2021-23349 CVE-2021-23348 RESERVED CVE-2021-23347 (The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 ...) - TODO: check + NOT-FOR-US: argo-cd CVE-2021-23346 RESERVED CVE-2021-23345 (All versions of package github.com/thecodingmachine/gotenberg are vuln ...) ===================================== doc/security-team.d.o/triage ===================================== 
@@ -4,10 +4,10 @@ Security updates affecting a released Debian suite can fall under three types: These are getting announced via [debian-security-announce](https://www.debian.org/security/) and also redistributed via other sources (news feeds etc). - Low severity updates can be included in [point releases](https://wiki.debian.org/DebianReleases/PointReleases), which are getting released every 2-3 months (any user using the [proposed-updates mechanism](https://www.debian.org/releases/proposed-updates) can also use them before they get released). This provides a good balance between fixing low impact issues before the next stable - release, which can simply all be installed in one go when a point release happens. + release, which can simply be installed in one go when a point release happens. - Some issues are simply not worth fixing in a stable release (for multiple reasons, e.g. because they are mostly a PR hype, or because they - are mitigated in Debian via a different config or toolchain hardening). + are mitigated in Debian via a different config or toolchain hardening or because the impact is so marginal that it doesn't warrant an update). Every incoming security issue gets triaged. Security issues which are being flagged for the second category are being displayed in the [Debian Package Tracker](https://tracker.debian.org), in fact you might have been redirected from the PTS to this page. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e1271cf01829e9b3571ba2cfcdbfb7ee3eec341 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e1271cf01829e9b3571ba2cfcdbfb7ee3eec341 You're receiving this email because of your account on salsa.debian.org.
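Review bot: the tag `NOT-FOR-US: openark` in the first data/CVE/list hunk names the vendor rather than the affected package; the CVE text says "openark orchestrator" and the resources/public/js/orchestrator.js path shows the vulnerable code lives in orchestrator itself, so `NOT-FOR-US: openark orchestrator` would be easier to grep if orchestrator is later packaged and the NOT-FOR-US entries need re-checking. Resolving the TODO this way otherwise matches the neighbouring entries.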
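Review bot: the second hunk drops the ecosystem prefix that its neighbours carry: the entry directly below it reads `NOT-FOR-US: Node set-or-get`, so `NOT-FOR-US: Node object-collider` would keep the block of prototype-pollution entries consistent and make explicit that this is an npm package rather than a Debian source package that happens to share the name.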
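Review bot: the new line `[buster] - pillow <not-affected> (Vulnerable code not present)` in the third hunk asserts a code-level fact for a CVE that is still RESERVED, but the only supporting NOTE is the generic 8.1.1 release-notes URL, which does not identify the code path that the buster version lacks. Please extend the NOTE with the upstream commit or the specific 8.1.1 release-notes item that introduced the affected code, so the not-affected judgement can be audited once the CVE description is published instead of having to be re-derived from scratch.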
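Review bot: in the doc/security-team.d.o/triage hunk the reworded line `release, which can simply be installed in one go when a point release happens.` still leaves its sentence grammatically incomplete, since "a good balance between fixing low impact issues before the next stable release, which ..." names only one side of the balance. Suggest restructuring it along the lines of "This strikes a good balance: low impact issues still get fixed before the next stable release, and users can install all of them in one go when a point release happens." While this paragraph is being polished, the adjacent unchanged phrases "which are getting released every 2-3 months" and "are mostly a PR hype" read better as "which are released every 2-3 months" and "are mostly PR hype", and the extended reason list in `+ are mitigated in Debian via a different config or toolchain hardening or because the impact is so marginal that it doesn't warrant an update).` wants a comma before its final "or because" to match the separator already used after "PR hype".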
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits