Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 0650b366 by Moritz Muehlenhoff at 2022-01-29T11:56:16+01:00 buster/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -736,6 +736,7 @@ CVE-2022-0358 RESERVED - qemu <unfixed> NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2044863 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca CVE-2022-0357 RESERVED CVE-2022-0356 @@ -15904,6 +15905,7 @@ CVE-2021-3929 [nvme: DMA reentrancy issue leads to use-after-free] NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2020298 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/556 NOTE: Proposed patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html + NOTE: No upstream patch as of 2022-01-28 CVE-2021-43400 (An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after- ...) - bluez 5.62-1 (bug #998626) [bullseye] - bluez <no-dsa> (Minor issue; can be fixed in point release) @@ -25675,6 +25677,7 @@ CVE-2021-3750 [hcd-ehci: DMA reentrancy issue leads to use-after-free] NOTE: https://gitlab.com/qemu-project/qemu/-/issues/541 NOTE: Fix for whole class of DMA MMIO reentrancy issues: https://gitlab.com/qemu-project/qemu/-/issues/556 NOTE: Patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-08/msg03692.html + NOTE: No upstream patch as of 2022-01-28 CVE-2021-3749 (axios is vulnerable to Inefficient Regular Expression Complexity ...) - node-axios 0.21.3+dfsg-1 [bullseye] - node-axios 0.21.1+dfsg-1+deb11u1 @@ -26258,6 +26261,7 @@ CVE-2021-3735 [ahci: deadlock issue leads to denial of service] [buster] - qemu <no-dsa> (Minor issue) [stretch] - qemu <postponed> (Fix along with a future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997184 + NOTE: No upstream patch as of 2022-01-28 CVE-2021-40083 (Knot Resolver before 5.3.2 is prone to an assertion failure, triggerab ...) [experimental] - knot-resolver 5.4.1-1 - knot-resolver 5.4.1-2 (bug #991463) @@ -28343,6 +28347,7 @@ CVE-2021-3713 (An out-of-bounds write flaw was found in the UAS (USB Attached SC - qemu 1:6.1+dfsg-2 (bug #992727) [buster] - qemu <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1994640 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/13b250b12ad3c59114a6a17d59caf073ce45b33a CVE-2021-39230 (Butter is a system usability utility. Due to a kernel error the JPNS k ...) NOT-FOR-US: Butter CVE-2021-39229 (Apprise is an open source library which allows you to send a notificat ...) @@ -39035,6 +39040,7 @@ CVE-2021-3608 [pvrdma: uninitialized memory unmap in pvrdma_ring_init()] [buster] - qemu <no-dsa> (Minor issue) [stretch] - qemu <not-affected> (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973383 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=66ae37d8cc313f89272e711174a846a229bcdbd3CVE-2021-3594 CVE-2021-3607 [pvrdma: unchecked malloc size due to integer overflow in init_dev_ring()] RESERVED - qemu 1:5.2+dfsg-11 (bug #990564) @@ -44578,7 +44584,7 @@ CVE-2021-32606 (In the Linux kernel 5.11 through 5.12.2, isotp_setsockopt in net CVE-2021-3545 (An information disclosure vulnerability was found in the virtio vhost- ...) {DSA-4980-1} - qemu 1:6.1+dfsg-1 (bug #989042) - [buster] - qemu <no-dsa> (Minor issue) + [buster] - qemu <not-affected> (Only minimal support present and not installed in binary packages) [stretch] - qemu <not-affected> (The vulnerable code was introduced later) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01155.html NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01153.html @@ -44586,7 +44592,7 @@ CVE-2021-3545 (An information disclosure vulnerability was found in the virtio v CVE-2021-3544 (Several memory leaks were found in the virtio vhost-user GPU device (v ...) {DSA-4980-1} - qemu 1:6.1+dfsg-1 (bug #989042) - [buster] - qemu <no-dsa> (Minor issue) + [buster] - qemu <not-affected> (Only minimal support present and not installed in binary packages) [stretch] - qemu <not-affected> (The vulnerable code was introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1958935 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01155.html @@ -44825,7 +44831,7 @@ CVE-2021-32563 (An issue was discovered in Thunar before 4.16.7 and 4.17.x befor CVE-2021-3546 (An out-of-bounds write vulnerability was found in the virtio vhost-use ...) {DSA-4980-1} - qemu 1:6.1+dfsg-1 (bug #989042) - [buster] - qemu <no-dsa> (Minor issue) + [buster] - qemu <not-affected> (Only minimal support present and not installed in binary packages) [stretch] - qemu <not-affected> (The vulnerable code was introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1958978 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01155.html @@ -46275,6 +46281,8 @@ CVE-2021-3527 (A flaw was found in the USB redirector device (usb-redir) of QEMU NOTE: Initial patchset: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg00564.html NOTE: Revisited: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01372.html NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-05/msg01373.html + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986 + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c CVE-2021-3526 REJECTED CVE-2021-3525 @@ -47474,6 +47482,7 @@ CVE-2021-3507 (A heap buffer overflow was found in the floppy disk emulator of Q [buster] - qemu <no-dsa> (Minor issue) [stretch] - qemu <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1951118 + NOTE: No upstream patch as of 2022-01-28 CVE-2021-3506 (An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c ...) {DLA-2690-1} - linux 5.10.38-1 @@ -59979,6 +59988,7 @@ CVE-2021-3392 (A use-after-free flaw was found in the MegaRAID emulator of QEMU. [buster] - qemu <postponed> (Minor issue) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg00488.html NOTE: https://bugs.launchpad.net/qemu/+bug/1914236 + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=3791642c8d60029adf9b00bcb4e34d7d8a1aea4d CVE-2021-26597 (An issue was discovered in Nokia NetAct 18A. A remote user, authentica ...) NOT-FOR-US: Nokia NetAct 18A CVE-2021-26596 (An issue was discovered in Nokia NetAct 18A. A malicious user can chan ...) @@ -76942,6 +76952,7 @@ CVE-2021-20255 (A stack overflow via an infinite recursion vulnerability was fou [buster] - qemu <postponed> (Minor issue) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1 + NOTE: No upstream patch as of 2022-01-28 CVE-2021-20254 (A flaw was found in samba. The Samba smbd file server must map Windows ...) {DLA-2668-1} - samba 2:4.13.5+dfsg-2 (bug #987811) @@ -77709,7 +77720,7 @@ CVE-2020-35506 (A use-after-free vulnerability was found in the am53c974 SCSI ho [experimental] - qemu 1:6.0+dfsg-1~exp0 - qemu 1:6.0+dfsg-3 (bug #984454) [bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream) - [buster] - qemu <postponed> (Fix along in future DSA) + [buster] - qemu <not-affected> (Vulnerable code not present, FIFO support added later) [stretch] - qemu <postponed> (Fix along in future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909996 NOTE: https://bugs.launchpad.net/qemu/+bug/1909247 @@ -77747,6 +77758,7 @@ CVE-2020-35503 (A NULL pointer dereference flaw was found in the megasas-gen2 SC [buster] - qemu <postponed> (Fix along in future DSA) [stretch] - qemu <postponed> (Fix along in future DLA) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910346 + NOTE: No upstream patch as of 2022-01-28 CVE-2020-35502 (A flaw was found in Privoxy in versions before 3.0.29. Memory leaks wh ...) {DLA-2548-1} - privoxy 3.0.29-1 @@ -93533,6 +93545,7 @@ CVE-2020-25743 (hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer der [stretch] - qemu <postponed> (Fix along in future DLA) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01568.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fide_nullptr1 + NOTE: No upstream patch as of 2022-01-28 CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL p ...) - qemu <unfixed> (bug #971390) [bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream) @@ -93540,6 +93553,7 @@ CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a [stretch] - qemu <postponed> (Fix along in future DLA) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05294.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Flsi_nullptr1 + NOTE: No upstream patch as of 2022-01-28 CVE-2020-25741 (fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer d ...) - qemu <unfixed> (bug #970939) [bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream) @@ -93547,6 +93561,7 @@ CVE-2020-25741 (fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL poi [stretch] - qemu <postponed> (Fix along in future DLA) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg07779.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Ffdc_nullptr1 + NOTE: No upstream patch as of 2022-01-28 CVE-2020-25740 RESERVED CVE-2020-25739 (An issue was discovered in the gon gem before gon-6.4.0 for Ruby. Mult ...) @@ -119421,6 +119436,7 @@ CVE-2020-14394 [infinite loop in xhci_ring_chain_length() in hw/usb/hcd-xhci.c] [stretch] - qemu <postponed> (Minor issue, privileged local DoS, low CVSS, no patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1908004 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/646 + NOTE: No upstream patch as of 2022-01-28 CVE-2020-14393 (A buffer overflow was found in perl-DBI < 1.643 in DBI.xs. A local ...) {DLA-2386-1} - libdbi-perl 1.643-1 @@ -181118,6 +181134,7 @@ CVE-2019-12067 (The ahci_commit_buf function in ide/ahci.c in QEMU allows attack NOTE: patch not sanctioned as of 20210202 NOTE: patched function introduced in 2014/2.1.50 but affected code pre-existed NOTE: https://github.com/qemu/qemu/commit/659142ecf71a0da240ab0ff7cf929ee25c32b9bc + NOTE: No upstream patch as of 2022-01-28 CVE-2019-12066 RESERVED CVE-2019-12065 ===================================== data/dsa-needed.txt ===================================== @@ -34,9 +34,7 @@ ndpi/oldstable -- nodejs (jmm) -- -openjdk-17 (jmm) --- -prosody +prosody (jmm) Regression update needed, cf #1004173 -- python-nbxmpp (jmm) @@ -54,6 +52,8 @@ ruby2.7/stable -- runc -- +spip +-- trafficserver (jmm) wait until status for CVE-2021-38161 is clarified (upstream patch got reverted) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0650b36654b88c387d25098c81c5000fdbfe7ca5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0650b36654b88c387d25098c81c5000fdbfe7ca5 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits