Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: b3b7d03f by Moritz Muehlenhoff at 2021-04-20T09:11:57+02:00 buster triage - - - - - befcdf44 by Moritz Muehlenhoff at 2021-04-20T09:22:11+02:00 cvelist.el: new defun to add <not-affected> - - - - - 3 changed files: - conf/cvelist.el - data/CVE/list - data/dsa-needed.txt Changes: ===================================== conf/cvelist.el ===================================== @@ -41,6 +41,16 @@ (beginning-of-line) (insert (concat "\t[buster] - " srcpkg " <no-dsa> (" reason ")\n" ))) +; TODO: Read supported distros from central config and prompt for applicable suites +(defun debian-cvelist-insert-not-affected () + "Insert not-affected comment based on the current source entry." + (interactive) + (setq reason (read-string "Reason for not-affected: " "Vulnerable code not present")) + (setq srcpkg (thing-at-point 'filename)) + (next-line) + (beginning-of-line) + (insert (concat "\t[buster] - " srcpkg " <not-affected> (" reason ")\n" ))) + ; TODO: Parse existing source entries for buffer tab completion (defun debian-cvelist-insert-srcentry () "Insert new source package entry." @@ -63,6 +73,7 @@ (define-key map (kbd "C-c C-c") 'debian-cvelist-cvesearch) (define-key map (kbd "C-c C-l") 'debian-cvelist-insert-nodsa) (define-key map (kbd "C-c C-a") 'debian-cvelist-insert-srcentry) + (define-key map (kbd "C-c C-x") 'debian-cvelist-insert-not-affected) map) "Keymap for `debian-cvelist-mode'.") ===================================== data/CVE/list ===================================== @@ -4828,6 +4828,7 @@ CVE-2021-29339 RESERVED CVE-2021-29338 (Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash t ...) - openjpeg2 <unfixed> + [buster] - openjpeg2 <no-dsa> (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/issues/1338 CVE-2021-29337 RESERVED 
@@ -9021,6 +9022,7 @@ CVE-2021-27516 (URI.js (aka urijs) before 1.19.6 mishandles certain uses of back NOT-FOR-US: urijs CVE-2021-27515 (url-parse before 1.5.0 mishandles certain uses of backslash such as ht ...) - node-url-parse 1.5.1-1 (bug #985110) + [buster] - node-url-parse <no-dsa> (Minor issue) [stretch] - node-url-parse <no-dsa> (Minor issue) NOTE: https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0 (1.5.0) NOTE: https://github.com/unshiftio/url-parse/pull/197 @@ -27289,6 +27291,7 @@ CVE-2021-20237 [Memory leaks via metadata messages processed by PUB sockets] CVE-2021-20236 [Stack overflow on server running PUB/XPUB socket] RESERVED - zeromq3 4.3.3-1 + [buster] - zeromq3 <no-dsa> (Minor issue) [stretch] - zeromq3 <ignored> (Minor issue, too intrusive to backport) NOTE: https://github.com/zeromq/libzmq/pull/3959 NOTE: https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8 @@ -27296,12 +27299,14 @@ CVE-2021-20236 [Stack overflow on server running PUB/XPUB socket] CVE-2021-20235 (There's a flaw in the zeromq server in versions before 4.3.3 in src/de ...) {DLA-2588-1} - zeromq3 4.3.3-1 + [buster] - zeromq3 <no-dsa> (Minor issue) NOTE: https://github.com/zeromq/libzmq/pull/3902 NOTE: https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21984 CVE-2021-20234 (An uncontrolled resource consumption (memory leak) flaw was found in t ...) {DLA-2588-1} - zeromq3 4.3.3-1 + [buster] - zeromq3 <no-dsa> (Minor issue) NOTE: https://github.com/zeromq/libzmq/pull/3918 NOTE: https://github.com/zeromq/libzmq/security/advisories/GHSA-wfr2-29gj-5w87 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22037 
@@ -46819,6 +46824,7 @@ CVE-2020-24362 CVE-2020-24361 (SNMPTT before 1.4.2 allows attackers to execute shell code via EXEC, P ...) {DLA-2393-1} - snmptt 1.4.2-1 + [buster] - snmptt <no-dsa> (Minor issue) NOTE: https://sourceforge.net/p/snmptt/git/ci/f6aef5223bc9ed8126268a273ac9f5c341af835a CVE-2020-24360 (An issue with ARP packets in Arista’s EOS affecting the 7800R3, ...) NOT-FOR-US: Arista @@ -70853,18 +70859,23 @@ CVE-2020-13579 (An exploitable integer overflow vulnerability exists in the Plan NOT-FOR-US: SoftMaker CVE-2020-13578 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...) - gsoap 2.8.104-3 (bug #983596) + [buster] - gsoap <no-dsa> (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1189 CVE-2020-13577 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...) - gsoap 2.8.104-3 (bug #983596) + [buster] - gsoap <no-dsa> (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1188 CVE-2020-13576 (A code execution vulnerability exists in the WS-Addressing plugin func ...) - gsoap 2.8.104-3 (bug #983596) + [buster] - gsoap <no-dsa> (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1187 CVE-2020-13575 (A denial-of-service vulnerability exists in the WS-Addressing plugin f ...) - gsoap 2.8.104-3 (bug #983596) + [buster] - gsoap <no-dsa> (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1186 CVE-2020-13574 (A denial-of-service vulnerability exists in the WS-Security plugin fun ...) - gsoap 2.8.104-3 (bug #983596) + [buster] - gsoap <no-dsa> (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2020-1185 CVE-2020-13573 (A denial-of-service vulnerability exists in the Ethernet/IP server fun ...) NOT-FOR-US: Rockwell Automation RSLinx Classic 
@@ -86822,6 +86833,7 @@ CVE-2020-7925 (Incorrect validation of user input in the role name parser may le NOTE: Introduced by: https://github.com/mongodb/mongo/commit/3ca76fd569c94de72c4daf6eef27fbf9bf51233b (v3.6.18) CVE-2020-7924 (Usage of specific command line parameter in MongoDB Tools which was or ...) - mongo-tools <unfixed> + [buster] - mongo-tools <no-dsa> (Minor issue) NOTE: https://jira.mongodb.org/browse/TOOLS-2587 CVE-2020-7923 (A user authorized to perform database queries may cause denial of serv ...) {DLA-2344-1} ===================================== data/dsa-needed.txt ===================================== @@ -18,6 +18,8 @@ condor -- firefox-esr (jmm) -- +gst-plugins-good1.0 (jmm) +-- libhibernate3-java -- linux (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b3d8311a98788626454edb87a5e5af67ad735ae9...befcdf4422b6adce9a5c4aeaab83782ee37193f0
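Review bot: In the conf/cvelist.el hunk adding `debian-cvelist-insert-not-affected`, `reason` and `srcpkg` are assigned with `setq` instead of being bound locally, so every call leaves two global variables behind (and with lexical binding the byte-compiler will warn about free variables); the existing `insert-nodsa` defun above it has the same pattern, but the new function is the place to write `(let ((reason (read-string "Reason for not-affected: " "Vulnerable code not present")) (srcpkg (thing-at-point 'filename))) ...)`. In the same body, `(next-line)` is an interactive-only command and the byte-compiler flags it in Lisp code; `(forward-line 1)` is the non-interactive equivalent and already leaves point at the start of the next line, which makes the following `(beginning-of-line)` redundant. Since the body is otherwise identical to `insert-nodsa` apart from the `<no-dsa>` / `<not-affected>` tag, a shared helper taking the tag string would also keep the hardcoded `[buster]` suite in one place, which matters once the TODO about reading supported distros from the central config is acted on.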
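Review bot: The keymap hunk binds `C-c C-x` to the new command but nothing in the diff documents it; the keymap's docstring is just "Keymap for `debian-cvelist-mode'", so a user has no way to discover the new binding except by reading the source. Either extend that docstring with the list of bindings (`C-c C-c`, `C-c C-l`, `C-c C-a`, `C-c C-x`) or mention the binding in the defun's own docstring, which currently only says "Insert not-affected comment based on the current source entry."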
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits