From 5012e0b3fc4f1216278c1fcfc8099285dd50352d Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Tue, 27 Oct 2020 19:23:10 +0100 Subject: buster triage --- data/CVE/2017.list | 3 ++- data/CVE/2019.list | 2 ++ data/CVE/2020.list | 12 ++++++++++-- data/dsa-needed.txt | 4 ++++ 4 files changed, 18 insertions(+), 3 deletions(-) diff --git a/data/CVE/2017.list b/data/CVE/2017.list index 880744f7ef..6ea9c3d007 100644 --- a/data/CVE/2017.list +++ b/data/CVE/2017.list @@ -1853,7 +1853,8 @@ CVE-2017-18189 (In the startread function in xa.c in Sound eXchange (SoX) throug [stretch] - sox 14.4.1-5+deb9u2 NOTE: https://github.com/mansr/sox/commit/7a8ceb86212b28243bbb6d0de636f0dfbe833e53 CVE-2017-18188 (OpenRC opentmpfiles through 0.1.3, when the fs.protected_hardlinks sys ...) - NOT-FOR-US: opentmpfiles + - opentmpfiles + NOTE: https://github.com/OpenRC/opentmpfiles/issues/3 CVE-2017-18187 (In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through a ...) {DSA-4147-1 DSA-4138-1} - mbedtls 2.7.0-2 diff --git a/data/CVE/2019.list b/data/CVE/2019.list index 1d9674c877..6bd1a8edd9 100644 --- a/data/CVE/2019.list +++ b/data/CVE/2019.list @@ -29,6 +29,7 @@ CVE-2019-20921 (bootstrap-select before 1.13.6 allows Cross-Site Scripting (XSS) NOT-FOR-US: bootstrap-select CVE-2019-20920 (Handlebars before 3.0.8 and 4.x before 4.5.3 is vulnerable to Arbitrar ...) - node-handlebars 3:4.5.3-1 + [buster] - node-handlebars (Minor issue) - libjs-handlebars [stretch] - libjs-handlebars (Only reverse depends was diaspora which not in stretch) NOTE: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478 @@ -52895,6 +52896,7 @@ CVE-2019-0210 (In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go usin [experimental] - thrift 0.13.0-1 - thrift 0.13.0-2 NOTE: https://www.openwall.com/lists/oss-security/2019/10/17/2 + NOTE: https://github.com/apache/thrift/commit/264a3f318ed3e9e51573f67f963c8509786bcec2 CVE-2019-0209 REJECTED CVE-2019-0208 
diff --git a/data/CVE/2020.list b/data/CVE/2020.list index 2db63b3089..0585561863 100644 --- a/data/CVE/2020.list +++ b/data/CVE/2020.list @@ -156,6 +156,7 @@ CVE-2020-27662 CVE-2020-27661 [divide by zero in dwc2_handle_packet() in hw/usb/hcd-dwc2.c] RESERVED - qemu (bug #972864) + [buster] - qemu (Fix along in future DSA) [stretch] - qemu (Fix along in future DLA) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-10/msg04263.html NOTE: Fixed by: https://git.qemu.org/?p=qemu.git;a=commit;h=bea2a9e3e00b275dc40cfa09c760c715b8753e03 @@ -1242,6 +1243,7 @@ CVE-2020-27151 CVE-2020-27153 (In BlueZ before 5.55, a double free was found in the gatttool disconne ...) {DLA-2410-1} - bluez 5.55-1 + [buster] - bluez (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1884817 NOTE: https://github.com/bluez/bluez/commit/1cd644db8c23a2f530ddb93cebed7dacc5f5721a CVE-2020-27150 @@ -4503,6 +4505,7 @@ CVE-2020-25627 RESERVED CVE-2020-25626 (A flaw was found in Django REST Framework versions before 3.12.0 and b ...) - djangorestframework 3.12.1-1 (bug #971554) + [buster] - djangorestframework (Minor issue) [stretch] - djangorestframework (Minor issue) NOTE: https://github.com/encode/django-rest-framework/commit/4121b01b912668c049b26194a9a107c27a332429 NOTE: Fixed upstream in 3.12.0 and 3.11.2 @@ -7479,11 +7482,13 @@ CVE-2020-24268 CVE-2020-24267 RESERVED CVE-2020-24266 (An issue was discovered in tcpreplay tcpprep v4.3.3. There is a heap b ...) - - tcpreplay (bug #972889) + - tcpreplay (bug #972889; unimportant) NOTE: https://github.com/appneta/tcpreplay/issues/617 + NOTE: Crash in CLI tool, no security impact CVE-2020-24265 (An issue was discovered in tcpreplay tcpprep v4.3.3. There is a heap b ...) - - tcpreplay (bug #972890) + - tcpreplay (bug #972890; unimportant) NOTE: https://github.com/appneta/tcpreplay/issues/616 + NOTE: Crash in CLI tool, no security impact CVE-2020-24264 RESERVED CVE-2020-24263 
@@ -29460,6 +29465,7 @@ CVE-2020-13944 (In Apache Airflow < 1.10.12, the "origin" parameter passed to CVE-2020-13943 (If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7 ...) {DLA-2407-1} - tomcat9 9.0.38-1 + [buster] - tomcat9 (Minor issue) - tomcat8 NOTE: https://github.com/apache/tomcat/commit/55911430df13f8c9998fbdee1f9716994d2db59b (9.0.38) NOTE: https://github.com/apache/tomcat/commit/9d7def063b47407a09a2f9202beed99f4dcb292a (8.5.58) @@ -29662,6 +29668,7 @@ CVE-2020-13872 (Royal TS before 5 has a 0.0.0.0 listener, which makes it easier CVE-2020-13871 (SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c bec ...) {DLA-2340-1} - sqlite3 3.32.2-2 + [buster] - sqlite3 (Vulnerability introduced later) [jessie] - sqlite3 (Vulnerable code not present) NOTE: New fix: https://www.sqlite.org/src/info/44a58d6cb135a104 NOTE: Fixed by: https://www.sqlite.org/src/info/79eff1d0383179c4 @@ -50194,6 +50201,7 @@ CVE-2020-5422 (BOSH System Metrics Server releases prior to 0.1.0 exposed the UA NOT-FOR-US: BOSH System Metrics Server CVE-2020-5421 (In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5. ...) - libspring-java + [buster] - libspring-java (Minor issue) [stretch] - libspring-java (Minor issue) NOTE: https://tanzu.vmware.com/security/cve-2020-5421 CVE-2020-5420 (Cloud Foundry Routing (Gorouter) versions prior to 0.206.0 allow a mal ...) diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index 73a66babf6..5035d75d8e 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -19,6 +19,8 @@ chromium knot-resolver Santiago Ruano Rincón proposed a debdiff for review -- +libproxy +-- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v4.19.y versions. @@ -30,3 +32,5 @@ pdns-recursor xcftools Hugo proposed to work on this update -- +xen +-- -- cgit v1.2.3
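Review bot: In the CVE-2017-18188 hunk of data/CVE/2017.list, the new `- opentmpfiles` line records the package as affected but carries no fixed version, suite qualifier or bug reference, unlike the qemu and tcpreplay entries in this same commit that cite a `(bug #...)`; consider adding the Debian bug number (or a status tag) alongside the added `NOTE: https://github.com/OpenRC/opentmpfiles/issues/3` so that the switch away from `NOT-FOR-US` is actionable for whoever picks it up.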
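Review bot: For the two tcpreplay entries (CVE-2020-24266 and CVE-2020-24265) in data/CVE/2020.list, the downgrade to `unimportant` rests only on the added `NOTE: Crash in CLI tool, no security impact`; since the CVE descriptions name tcpprep specifically, stating in the NOTE which tool crashes and why a crash there has no security impact would let a later triager re-check the reasoning without re-reading the linked upstream issues #617 and #616.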
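Review bot: In the CVE-2020-13871 hunk of data/CVE/2020.list, the new `[buster] - sqlite3 (Vulnerability introduced later)` uses a different phrasing from the adjacent `[jessie] - sqlite3 (Vulnerable code not present)` although both express a not-affected status; consider aligning the wording, and since the entry already carries `New fix:` and `Fixed by:` links, a NOTE pointing at the change that introduced the use-after-free would substantiate "introduced later" for the buster version.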
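Review bot: The new `libproxy` entry in data/dsa-needed.txt is added without an owner or status line, whereas the neighbouring entries record a person or the state of the update (`knot-resolver` with "Santiago Ruano Rincón proposed a debdiff for review", `linux (carnil)`); consider noting who will prepare the DSA or which CVE(s) it covers so the entry is actionable.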
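Review bot: The `xen` entry appended at the end of data/dsa-needed.txt likewise lists no owner, note or referenced issues, unlike `xcftools` directly above it which records that Hugo proposed to work on the update; add the responsible person or a pointer to the pending issues so the entry carries the same information as the rest of the file.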