author | Markus Koschany <apo@debian.org> | 2021-04-03 19:32:42 +0200 |
---|---|---|
committer | Markus Koschany <apo@debian.org> | 2021-04-03 19:32:42 +0200 |
commit | 15d6fc5ac0252009c206ea583e3a2300c6f410b1 (patch) | |
tree | 8e0ab297bd69209d0c449b83f8041d801ef7b89b | |
parent | 5b81dfacdf4fd0b22e6756cd9b3a0771e314cad1 (diff) |
CVE-2021-21295,CVE-2021-21409,netty: Mark as ignored for Stretch
The fix for both CVEs requires a backport of the new HTTP2 API. There have been
major changes between the current version in Stretch 4.1.7 and the most recent
release 4.1.60. Since the logic changed and the API is marked as "unstable" in
certain places, a backport poses a significant risk to break any project that
still relies on the old logic. In contrast the security risk is low. Hence
these issues are ignored in Stretch.
-rw-r--r-- | data/CVE/list.2021 | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/data/CVE/list.2021 b/data/CVE/list.2021 index a15f0bf258..79652b1d94 100644 --- a/data/CVE/list.2021 +++ b/data/CVE/list.2021 @@ -19155,6 +19155,7 @@ CVE-2021-21410 RESERVED CVE-2021-21409 (Netty is an open-source, asynchronous event-driven network application ...) - netty 1:4.1.48-4 (bug #986217) + [stretch] - netty <ignored> (Minor issue, fix requires major changes of HTTP2 module) NOTE: Fixed by: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432 NOTE: https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32 NOTE: Is a followup to: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj @@ -19431,6 +19432,7 @@ CVE-2021-21296 (Fleet is an open source osquery manager. In Fleet before version NOT-FOR-US: Fleet CVE-2021-21295 (Netty is an open-source, asynchronous event-driven network application ...) - netty 1:4.1.48-3 (bug #984948) + [stretch] - netty <ignored> (Minor issue, fix requires major changes of HTTP2 module) NOTE: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj NOTE: https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4 CVE-2021-21294 (Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface f ...) |
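Review bot: in the CVE-2021-21409 hunk, the added `[stretch] - netty <ignored>` line repeats the reason used for CVE-2021-21295, although the context NOTE marks this issue as "Is a followup to" GHSA-wm47-8v5p-wjpj, the advisory listed under CVE-2021-21295. The status here therefore depends on the other entry. Consider saying so in the parenthetical, for example "(Minor issue, follow-up to CVE-2021-21295, fix requires major changes of HTTP2 module)", so that both entries are revisited together if either decision changes.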
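Review bot: in the CVE-2021-21295 hunk, "Minor issue" on the added `[stretch]` line states a severity without giving the basis for it, and the commit message likewise says only that the security risk is low. The backport argument (4.1.7 in Stretch versus 4.1.60 upstream, API marked "unstable") is recorded only in the commit message. A NOTE line under the entry that states why the issue is considered minor and why the backport was rejected would keep the decision auditable from data/CVE/list.2021 itself.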