Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 38011ab3 by Moritz Mühlenhoff at 2022-01-04T17:16:49+01:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -834,6 +834,8 @@ CVE-2021-45961 RESERVED CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...) - mruby <unfixed> + [bullseye] - mruby <no-dsa> (Minor issue) + [buster] - mruby <no-dsa> (Minor issue) NOTE: https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/ NOTE: https://github.com/mruby/mruby/commit/28ccc664e5dcd3f9d55173e9afde77c4705a9ab6 CVE-2021-45960 (In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) pla ...) @@ -1087,9 +1089,13 @@ CVE-2021-4189 [ftplib should not use the host from the PASV response] RESERVED - python3.10 <not-affected> (Fixed before initial upload to Debian unstable) - python3.9 3.9.7-1 + [bullseye] - python3.9 <no-dsa> (Minor issue) - python3.7 <removed> + [buster] - python3.7 <no-dsa> (Minor issue) - python3.5 <removed> - python2.7 <unfixed> + [bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support) + [buster] - python2.7 <no-dsa> (Minor issue) NOTE: https://bugs.python.org/issue43285 NOTE: https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e (master) NOTE: https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335 (v3.9.3) @@ -4298,6 +4304,8 @@ CVE-2021-45041 (SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated NOT-FOR-US: SuiteCRM CVE-2021-4110 (mruby is vulnerable to NULL Pointer Dereference ...) - mruby <unfixed> (bug #1001768) + [bullseye] - mruby <no-dsa> (Minor issue) + [buster] - mruby <no-dsa> (Minor issue) [stretch] - mruby <postponed> (revisit when/if fix is complete) NOTE: https://huntr.dev/bounties/4ce5dc47-2512-4c87-8609-453adc8cad20 NOTE: https://github.com/mruby/mruby/commit/f5e10c5a79a17939af763b1dcf5232ce47e24a34 @@ -4756,6 +4764,8 @@ CVE-2021-44848 (In Cibele Thinfinity VirtualUI before 3.0, /changePassword retur NOT-FOR-US: Cibele Thinfinity VirtualUI CVE-2021-44847 (A stack-based buffer overflow in handle_request function in DHT.c in t ...) - libtoxcore 0.2.13-1 (bug #1001711) + [bullseye] - libtoxcore <no-dsa> (Minor issue) + [buster] - libtoxcore <no-dsa> (Minor issue) NOTE: https://github.com/TokTok/c-toxcore/pull/1718 NOTE: https://blog.tox.chat/2021/12/stack-based-buffer-overflow-vulnerability-in-udp-packet-handling-in-toxcore-cve-2021-44847/ NOTE: Introduced by: https://github.com/TokTok/c-toxcore/commit/71260e38e8d12547b0e55916daf6cadd72f52e19 (v0.1.9) @@ -16602,11 +16612,13 @@ CVE-2021-41497 (Null pointer reference in CMS_Conservative_increment_obj in RaRe NOT-FOR-US: RaRe-Technologies bounter CVE-2021-41496 (Buffer overflow in the array_from_pyobj function of fortranobject.c in ...) - numpy <unfixed> + [bullseye] - numpy <no-dsa> (Minor issue) NOTE: https://github.com/numpy/numpy/issues/19000 NOTE: https://github.com/numpy/numpy/pull/20630 NOTE: https://github.com/numpy/numpy/commit/271010f1037150e95017f803f4214b8861e528f2 CVE-2021-41495 (Null Pointer Dereference vulnerability exists in numpy.sort in NumPy & ...) - numpy <unfixed> + [bullseye] - numpy <no-dsa> (Minor issue) NOTE: https://github.com/numpy/numpy/issues/19038 TODO: check for classification/severity CVE-2021-41494 @@ -26994,6 +27006,8 @@ CVE-2021-37233 RESERVED CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124.204813 ...) - atomicparsley 20210715.151551.e7ad03a-1 (bug #993366) + [bullseye] - atomicparsley <no-dsa> (Minor issue) + [buster] - atomicparsley <no-dsa> (Minor issue) [stretch] - atomicparsley <no-dsa> (Minor issue) - gtkpod <unfixed> (bug #993376) [bullseye] - gtkpod <ignored> (Minor issue) @@ -27003,6 +27017,8 @@ CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124. NOTE: https://github.com/wez/atomicparsley/issues/32 CVE-2021-37231 (A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499 ...) - atomicparsley 20210715.151551.e7ad03a-1 (bug #993372) + [bullseye] - atomicparsley <no-dsa> (Minor issue) + [buster] - atomicparsley <no-dsa> (Minor issue) [stretch] - atomicparsley <no-dsa> (Minor issue) - gtkpod <unfixed> (bug #993375) [bullseye] - gtkpod <ignored> (Minor issue) @@ -34279,9 +34295,9 @@ CVE-2021-34142 RESERVED CVE-2021-34141 (Incomplete string comparison in the numpy.core component in NumPy1.9.x ...) - numpy <unfixed> + [bullseye] - numpy <no-dsa> (Minor issue) NOTE: https://github.com/numpy/numpy/issues/18993 NOTE: https://github.com/numpy/numpy/commit/eeef9d4646103c3b1afd3085f1393f2b3f9575b2 (v1.23.0.dev0) - TODO: check CVE-2021-34140 RESERVED CVE-2021-34139 ===================================== data/dsa-needed.txt ===================================== @@ -33,6 +33,8 @@ linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. -- +lxml +-- ndpi/oldstable -- nodejs (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38011ab3d22176ecbdf1f0b555ada37a5d0dec01 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38011ab3d22176ecbdf1f0b555ada37a5d0dec01 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits