Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3b7d03f by Moritz Muehlenhoff at 2021-04-20T09:11:57+02:00
buster triage

- - - - -
befcdf44 by Moritz Muehlenhoff at 2021-04-20T09:22:11+02:00
cvelist.el: new defun to add <not-affected>

- - - - -


3 changed files:

- conf/cvelist.el
- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
conf/cvelist.el
=====================================
@@ -41,6 +41,16 @@
   (beginning-of-line)
   (insert (concat "\t[buster] - " srcpkg " <no-dsa> (" reason ")\n" )))
 
+; TODO: Read supported distros from central config and prompt for applicable 
suites
+(defun debian-cvelist-insert-not-affected ()
+  "Insert not-affected comment based on the current source entry."
+  (interactive)
+  (setq reason (read-string "Reason for not-affected: " "Vulnerable code not 
present"))
+  (setq srcpkg (thing-at-point 'filename))
+  (next-line)
+  (beginning-of-line)
+  (insert (concat "\t[buster] - " srcpkg " <not-affected> (" reason ")\n" )))
+
 ; TODO: Parse existing source entries for buffer tab completion
 (defun debian-cvelist-insert-srcentry ()
   "Insert new source package entry."
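Review bot: `setq reason` and `setq srcpkg` in `debian-cvelist-insert-not-affected` assign free (global) variables from an interactive command; bind them locally instead, e.g. `(let ((reason (read-string "Reason for not-affected: " "Vulnerable code not present")) (srcpkg (thing-at-point 'filename))) ...)`. In the same defun, `next-line` is intended for interactive use and the byte-compiler warns about it in Lisp code; `(forward-line 1)` is the programmatic equivalent. Both points apply equally to the existing `debian-cvelist-insert-nodsa` directly above, and since the two bodies differ only in the tag string (`<no-dsa>` vs `<not-affected>`), a shared helper taking the tag as an argument would remove the duplication and give the TODO about prompting for suites a single place to land. Also note that `thing-at-point 'filename` returns nil when point is not on a source package name, and `concat` treats nil as an empty sequence, so the command would silently insert `[buster] -  <not-affected> (...)` with an empty package name; checking for nil and signalling a clear error avoids a malformed entry.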
@@ -63,6 +73,7 @@
      (define-key map (kbd "C-c C-c") 'debian-cvelist-cvesearch)
      (define-key map (kbd "C-c C-l") 'debian-cvelist-insert-nodsa)
      (define-key map (kbd "C-c C-a") 'debian-cvelist-insert-srcentry)
+     (define-key map (kbd "C-c C-x") 'debian-cvelist-insert-not-affected)
      map)
    "Keymap for `debian-cvelist-mode'.")
 
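Review bot: the new `C-c C-x` binding is not documented anywhere in the patch: the keymap docstring still says only "Keymap for `debian-cvelist-mode'." and the commit message mentions the defun but not the key. A short list of the bindings in the mode or keymap docstring, or a comment beside the `define-key` lines, would let users discover `C-c C-x` without reading the source.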


=====================================
data/CVE/list
=====================================
@@ -4828,6 +4828,7 @@ CVE-2021-29339
        RESERVED
 CVE-2021-29338 (Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to 
crash t ...)
        - openjpeg2 <unfixed>
+       [buster] - openjpeg2 <no-dsa> (Minor issue)
        NOTE: https://github.com/uclouvain/openjpeg/issues/1338
 CVE-2021-29337
        RESERVED
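Review bot: the openjpeg2 entry is `<unfixed>` in unstable with no `(bug #...)` reference, so marking buster `<no-dsa> (Minor issue)` leaves the issue without any tracked follow-up, unlike the node-url-parse and gsoap entries in this same commit, which carry a bug number. Filing a bug against openjpeg2 (or linking the existing one) would keep the fix visible for the next point release rather than relying on the upstream issue link alone.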
@@ -9021,6 +9022,7 @@ CVE-2021-27516 (URI.js (aka urijs) before 1.19.6 
mishandles certain uses of back
        NOT-FOR-US: urijs
 CVE-2021-27515 (url-parse before 1.5.0 mishandles certain uses of backslash 
such as ht ...)
        - node-url-parse 1.5.1-1 (bug #985110)
+       [buster] - node-url-parse <no-dsa> (Minor issue)
        [stretch] - node-url-parse <no-dsa> (Minor issue)
        NOTE: 
https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0
 (1.5.0)
        NOTE: https://github.com/unshiftio/url-parse/pull/197
@@ -27289,6 +27291,7 @@ CVE-2021-20237 [Memory leaks via metadata messages 
processed by PUB sockets]
 CVE-2021-20236 [Stack overflow on server running PUB/XPUB socket]
        RESERVED
        - zeromq3 4.3.3-1
+       [buster] - zeromq3 <no-dsa> (Minor issue)
        [stretch] - zeromq3 <ignored> (Minor issue, too intrusive to backport)
        NOTE: https://github.com/zeromq/libzmq/pull/3959
        NOTE: 
https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
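Review bot: `(Minor issue)` for CVE-2021-20236, a stack overflow on a server running a PUB/XPUB socket, needs a more specific justification than the stretch line directly below it, which records the fix as `<ignored>` because it is too intrusive to backport. If the same backport difficulty applies to buster, stating that in the reason makes the no-dsa decision reviewable later; if it does not, a fix through the next buster point release is the more appropriate route for a memory-safety bug in socket handling.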
@@ -27296,12 +27299,14 @@ CVE-2021-20236 [Stack overflow on server running 
PUB/XPUB socket]
 CVE-2021-20235 (There's a flaw in the zeromq server in versions before 4.3.3 
in src/de ...)
        {DLA-2588-1}
        - zeromq3 4.3.3-1
+       [buster] - zeromq3 <no-dsa> (Minor issue)
        NOTE: https://github.com/zeromq/libzmq/pull/3902
        NOTE: 
https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21984
 CVE-2021-20234 (An uncontrolled resource consumption (memory leak) flaw was 
found in t ...)
        {DLA-2588-1}
        - zeromq3 4.3.3-1
+       [buster] - zeromq3 <no-dsa> (Minor issue)
        NOTE: https://github.com/zeromq/libzmq/pull/3918
        NOTE: 
https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22037
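Review bot: CVE-2021-20235 and CVE-2021-20234 both carry `{DLA-2588-1}`, i.e. stretch already received a fix, while the new lines mark buster `<no-dsa> (Minor issue)`. That leaves stable behind oldstable for the same issues; either the reason should state that a buster point-release update is planned, or the DLA backport should be checked for applicability to buster's zeromq3 so the two suites do not diverge on identical CVEs.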
@@ -46819,6 +46824,7 @@ CVE-2020-24362
 CVE-2020-24361 (SNMPTT before 1.4.2 allows attackers to execute shell code via 
EXEC, P ...)
        {DLA-2393-1}
        - snmptt 1.4.2-1
+       [buster] - snmptt <no-dsa> (Minor issue)
        NOTE: 
https://sourceforge.net/p/snmptt/git/ci/f6aef5223bc9ed8126268a273ac9f5c341af835a
 CVE-2020-24360 (An issue with ARP packets in Arista&#8217;s EOS affecting the 
7800R3,  ...)
        NOT-FOR-US: Arista
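Review bot: same pattern for snmptt CVE-2020-24361: stretch was fixed via `{DLA-2393-1}`, the description is command execution ("execute shell code via EXEC"), and buster now gets `<no-dsa> (Minor issue)`. A command-execution issue tagged `Minor issue` with no qualification is hard to review later; record what limits the exposure in the reason, and note whether the buster point release is the intended route, since the DLA shows a backport already exists.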
@@ -70853,18 +70859,23 @@ CVE-2020-13579 (An exploitable integer overflow 
vulnerability exists in the Plan
        NOT-FOR-US: SoftMaker
 CVE-2020-13578 (A denial-of-service vulnerability exists in the WS-Security 
plugin fun ...)
        - gsoap 2.8.104-3 (bug #983596)
+       [buster] - gsoap <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1189
 CVE-2020-13577 (A denial-of-service vulnerability exists in the WS-Security 
plugin fun ...)
        - gsoap 2.8.104-3 (bug #983596)
+       [buster] - gsoap <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1188
 CVE-2020-13576 (A code execution vulnerability exists in the WS-Addressing 
plugin func ...)
        - gsoap 2.8.104-3 (bug #983596)
+       [buster] - gsoap <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1187
 CVE-2020-13575 (A denial-of-service vulnerability exists in the WS-Addressing 
plugin f ...)
        - gsoap 2.8.104-3 (bug #983596)
+       [buster] - gsoap <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1186
 CVE-2020-13574 (A denial-of-service vulnerability exists in the WS-Security 
plugin fun ...)
        - gsoap 2.8.104-3 (bug #983596)
+       [buster] - gsoap <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1185
 CVE-2020-13573 (A denial-of-service vulnerability exists in the Ethernet/IP 
server fun ...)
        NOT-FOR-US: Rockwell Automation RSLinx Classic
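Review bot: the five gsoap entries receive an identical `<no-dsa> (Minor issue)` even though CVE-2020-13576 is described as code execution in the WS-Addressing plugin while the other four are denial of service. Either the code-execution entry deserves its own reasoning, or the shared reason should say why it is rated with the DoS issues (for example, that all five are fixed together in 2.8.104-3 via bug #983596 and will go through the point release). A reason copied unchanged across differing severities is exactly what later readers of this file will question.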
@@ -86822,6 +86833,7 @@ CVE-2020-7925 (Incorrect validation of user input in 
the role name parser may le
        NOTE: Introduced by: 
https://github.com/mongodb/mongo/commit/3ca76fd569c94de72c4daf6eef27fbf9bf51233b
 (v3.6.18)
 CVE-2020-7924 (Usage of specific command line parameter in MongoDB Tools which 
was or ...)
        - mongo-tools <unfixed>
+       [buster] - mongo-tools <no-dsa> (Minor issue)
        NOTE: https://jira.mongodb.org/browse/TOOLS-2587
 CVE-2020-7923 (A user authorized to perform database queries may cause denial 
of serv ...)
        {DLA-2344-1}
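Review bot: mongo-tools is `<unfixed>` in unstable with no bug reference, as with openjpeg2 earlier in this commit, so the new buster `<no-dsa>` marking has no tracked Debian bug behind it, only the upstream Jira link. Recording a bug number here keeps the unstable fix on someone's radar.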


=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,8 @@ condor
 --
 firefox-esr (jmm)
 --
+gst-plugins-good1.0 (jmm)
+--
 libhibernate3-java
 --
 linux (carnil)
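Review bot: the new `gst-plugins-good1.0 (jmm)` entry in dsa-needed.txt gives no indication of which CVE(s) the DSA is for; a note line under the entry naming the issue would save the next reader a search through data/CVE/list and make it easy to confirm that the corresponding CVE entries have not also been given a buster `<no-dsa>` marking.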



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b3d8311a98788626454edb87a5e5af67ad735ae9...befcdf4422b6adce9a5c4aeaab83782ee37193f0

-- 
You're receiving this email because of your account on salsa.debian.org.


_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
