Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
38011ab3 by Moritz Mühlenhoff at 2022-01-04T17:16:49+01:00
buster/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -834,6 +834,8 @@ CVE-2021-45961
        RESERVED
 CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...)
        - mruby <unfixed>
+       [bullseye] - mruby <no-dsa> (Minor issue)
+       [buster] - mruby <no-dsa> (Minor issue)
        NOTE: https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/
        NOTE: 
https://github.com/mruby/mruby/commit/28ccc664e5dcd3f9d55173e9afde77c4705a9ab6
 CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or 
more) pla ...)
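Review bot: the bullseye and buster <no-dsa> lines for CVE-2022-0080 are consistent with each other, but the unstable line above them, `- mruby <unfixed>`, carries no Debian bug reference, unlike the CVE-2021-4110 mruby entry later in this change which records `(bug #1001768)`. Without a bug number nothing tracks the fix for unstable; consider filing one and adding it to the <unfixed> line so the no-dsa annotations can be revisited once the package is fixed.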
@@ -1087,9 +1089,13 @@ CVE-2021-4189 [ftplib should not use the host from the 
PASV response]
        RESERVED
        - python3.10 <not-affected> (Fixed before initial upload to Debian 
unstable)
        - python3.9 3.9.7-1
+       [bullseye] - python3.9 <no-dsa> (Minor issue)
        - python3.7 <removed>
+       [buster] - python3.7 <no-dsa> (Minor issue)
        - python3.5 <removed>
        - python2.7 <unfixed>
+       [bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by 
security support)
+       [buster] - python2.7 <no-dsa> (Minor issue)
        NOTE: https://bugs.python.org/issue43285
        NOTE: 
https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e
 (master)
        NOTE: 
https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335
 (v3.9.3)
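Review bot: the python2.7 handling is asymmetric and the reason is only stated for one side: bullseye gets `<ignored>` with the justification that Python 2.7 is outside security support, while buster gets `<no-dsa> (Minor issue)`, which is fine only if buster's python2.7 is still supported. Separately, the python3.9 bullseye line sits directly under `- python3.9 3.9.7-1` and the NOTE already points at the v3.9.3 backport commit, so the tag could record that the fix is a small, self-contained candidate for a bullseye point release rather than leaving a bare `<no-dsa>`.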
@@ -4298,6 +4304,8 @@ CVE-2021-45041 (SuiteCRM before 7.12.2 and 8.x before 
8.0.1 allows authenticated
        NOT-FOR-US: SuiteCRM
 CVE-2021-4110 (mruby is vulnerable to NULL Pointer Dereference ...)
        - mruby <unfixed> (bug #1001768)
+       [bullseye] - mruby <no-dsa> (Minor issue)
+       [buster] - mruby <no-dsa> (Minor issue)
        [stretch] - mruby <postponed> (revisit when/if fix is complete)
        NOTE: https://huntr.dev/bounties/4ce5dc47-2512-4c87-8609-453adc8cad20
        NOTE: 
https://github.com/mruby/mruby/commit/f5e10c5a79a17939af763b1dcf5232ce47e24a34
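Review bot: the new bullseye and buster lines say `(Minor issue)` while the existing stretch line directly below them says `<postponed> (revisit when/if fix is complete)`, which records that the upstream fix referenced in the NOTE may be incomplete. If that still holds, the two new lines should carry the same caveat, or a NOTE should state that the fix is now complete, so that a later point-release update does not ship a partial fix on the strength of a `Minor issue` tag.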
@@ -4756,6 +4764,8 @@ CVE-2021-44848 (In Cibele Thinfinity VirtualUI before 
3.0, /changePassword retur
        NOT-FOR-US: Cibele Thinfinity VirtualUI
 CVE-2021-44847 (A stack-based buffer overflow in handle_request function in 
DHT.c in t ...)
        - libtoxcore 0.2.13-1 (bug #1001711)
+       [bullseye] - libtoxcore <no-dsa> (Minor issue)
+       [buster] - libtoxcore <no-dsa> (Minor issue)
        NOTE: https://github.com/TokTok/c-toxcore/pull/1718
        NOTE: 
https://blog.tox.chat/2021/12/stack-based-buffer-overflow-vulnerability-in-udp-packet-handling-in-toxcore-cve-2021-44847/
        NOTE: Introduced by: 
https://github.com/TokTok/c-toxcore/commit/71260e38e8d12547b0e55916daf6cadd72f52e19
 (v0.1.9)
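Review bot: the `Introduced by:` NOTE pins the bug to the commit first shipped in v0.1.9, but the hunk does not record which libtoxcore versions bullseye and buster ship, so the two `<no-dsa>` tags assert that both suites are affected without that being visible here. Confirm both suites carry a version at or after v0.1.9 (otherwise `<not-affected>` is the right tag), and since the entry title describes a stack-based overflow in the DHT request handler, a one-line reason for `Minor issue` beyond the bare tag would help the next triager.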
@@ -16602,11 +16612,13 @@ CVE-2021-41497 (Null pointer reference in 
CMS_Conservative_increment_obj in RaRe
        NOT-FOR-US: RaRe-Technologies bounter
 CVE-2021-41496 (Buffer overflow in the array_from_pyobj function of 
fortranobject.c in ...)
        - numpy <unfixed>
+       [bullseye] - numpy <no-dsa> (Minor issue)
        NOTE: https://github.com/numpy/numpy/issues/19000
        NOTE: https://github.com/numpy/numpy/pull/20630
        NOTE: 
https://github.com/numpy/numpy/commit/271010f1037150e95017f803f4214b8861e528f2
 CVE-2021-41495 (Null Pointer Dereference vulnerability exists in numpy.sort in 
NumPy & ...)
        - numpy <unfixed>
+       [bullseye] - numpy <no-dsa> (Minor issue)
        NOTE: https://github.com/numpy/numpy/issues/19038
        TODO: check for classification/severity
 CVE-2021-41494
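Review bot: both numpy entries get only a `[bullseye]` line, whereas every other package in this change receives a `[buster]` line as well; if numpy in buster is affected it is left untagged and therefore implicitly open, and if it is not, a `[buster] - numpy <not-affected>` line would record that. Also, CVE-2021-41495 keeps `TODO: check for classification/severity` while gaining a `(Minor issue)` tag; either drop the TODO now that a severity has been assigned or hold the tag until the check is done, since the two lines contradict each other.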
@@ -26994,6 +27006,8 @@ CVE-2021-37233
        RESERVED
 CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 
20210124.204813 ...)
        - atomicparsley 20210715.151551.e7ad03a-1 (bug #993366)
+       [bullseye] - atomicparsley <no-dsa> (Minor issue)
+       [buster] - atomicparsley <no-dsa> (Minor issue)
        [stretch] - atomicparsley <no-dsa> (Minor issue)
        - gtkpod <unfixed> (bug #993376)
        [bullseye] - gtkpod <ignored> (Minor issue)
@@ -27003,6 +27017,8 @@ CVE-2021-37232 (A stack overflow vulnerability occurs 
in Atomicparsley 20210124.
        NOTE: https://github.com/wez/atomicparsley/issues/32
 CVE-2021-37231 (A stack-buffer-overflow occurs in Atomicparsley 
20210124.204813.840499 ...)
        - atomicparsley 20210715.151551.e7ad03a-1 (bug #993372)
+       [bullseye] - atomicparsley <no-dsa> (Minor issue)
+       [buster] - atomicparsley <no-dsa> (Minor issue)
        [stretch] - atomicparsley <no-dsa> (Minor issue)
        - gtkpod <unfixed> (bug #993375)
        [bullseye] - gtkpod <ignored> (Minor issue)
@@ -34279,9 +34295,9 @@ CVE-2021-34142
        RESERVED
 CVE-2021-34141 (Incomplete string comparison in the numpy.core component in 
NumPy1.9.x ...)
        - numpy <unfixed>
+       [bullseye] - numpy <no-dsa> (Minor issue)
        NOTE: https://github.com/numpy/numpy/issues/18993
        NOTE: 
https://github.com/numpy/numpy/commit/eeef9d4646103c3b1afd3085f1393f2b3f9575b2 
(v1.23.0.dev0)
-       TODO: check
 CVE-2021-34140
        RESERVED
 CVE-2021-34139
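Review bot: `TODO: check` is dropped here, but as with the other numpy entries no `[buster]` line is added, so buster's status for CVE-2021-34141 remains unrecorded. Note also that the referenced fix commit is tagged only as `v1.23.0.dev0`, i.e. it is not in any released numpy version yet, which is worth stating in a NOTE so the `<unfixed>` line is not mistaken for a missed version bump.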


=====================================
data/dsa-needed.txt
=====================================
@@ -33,6 +33,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
 --
+lxml
+--
 ndpi/oldstable
 --
 nodejs (jmm)
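Review bot: the new `lxml` line carries neither an assignee nor a suite, and no hint of which CVE it is for. The neighbouring entries show the conventions: `ndpi/oldstable` makes the oldstable target explicit and `nodejs (jmm)` records who is working on it; if lxml needs an update in buster as well, add a separate `lxml/oldstable` line, and a short note naming the tracked CVE would help whoever picks it up.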



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38011ab3d22176ecbdf1f0b555ada37a5d0dec01



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
