diff options
| author | Moritz Muehlenhoff <jmm@debian.org> | 2021-07-05 18:31:32 +0200 |
|---|---|---|
| committer | Moritz Muehlenhoff <jmm@debian.org> | 2021-07-05 18:31:54 +0200 |
| commit | 0539152487f369f60aa45ddc9601aa7ce88b5d86 (patch) | |
| tree | f8a3b089a0c95f9361526b7d392f61497cb9fe26 | |
| parent | f0b084884c0b7fe6d93a327777a08b06104e81f0 (diff) | |
buster triage
| -rw-r--r-- | data/CVE/list | 35 | ||||
| -rw-r--r-- | data/DSA/list | 2 | ||||
| -rw-r--r-- | data/dsa-needed.txt | 6 |
3 files changed, 35 insertions, 8 deletions
diff --git a/data/CVE/list b/data/CVE/list index 5985cade03..7aedf01d89 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -157,21 +157,25 @@ CVE-2021-36088 (Fluent Bit (aka fluent-bit) 1.7.0 through 1.7,4 has a double fre NOT-FOR-US: Fluent Bit CVE-2021-36087 (The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in e ...) - libsepol <unfixed> (bug #990526) + [buster] - libsepol <no-dsa> (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32675 NOTE: https://github.com/SELinuxProject/selinux/commit/bad0a746e9f4cf260dedba5828d9645d50176aac NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-585.yaml CVE-2021-36086 (The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_clas ...) - libsepol <unfixed> (bug #990526) + [buster] - libsepol <no-dsa> (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32177 NOTE: https://github.com/SELinuxProject/selinux/commit/c49a8ea09501ad66e799ea41b8154b6770fec2c8 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-536.yaml CVE-2021-36085 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...) - libsepol <unfixed> (bug #990526) + [buster] - libsepol <no-dsa> (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31124 NOTE: https://github.com/SELinuxProject/selinux/commit/2d35fcc7e9e976a2346b1de20e54f8663e8a6cba NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-421.yaml CVE-2021-36084 (The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_c ...) - libsepol <unfixed> (bug #990526) + [buster] - libsepol <no-dsa> (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31065 NOTE: https://github.com/SELinuxProject/selinux/commit/f34d3d30c8325e4847a6b696fe7a3936a8a361f3 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/selinux/OSV-2021-417.yaml @@ -211,6 +215,7 @@ CVE-2020-36404 (Keystone Engine 0.9.2 has an invalid free in llvm_ks::SmallVecto NOT-FOR-US: keystone engine CVE-2020-36403 (HTSlib 1.10 through 1.10.2 allows out-of-bounds write access in vcf_pa ...) - htslib 1.11-1 + [buster] - htslib <no-dsa> (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24097 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/htslib/OSV-2020-955.yaml NOTE: https://github.com/samtools/htslib/commit/dcd4b7304941a8832fba2d0fc4c1e716e7a4e72c @@ -243,6 +248,7 @@ CVE-2019-25048 (LibreSSL 2.9.1 through 3.2.1 has a heap-based buffer over-read i - libressl <itp> (bug #754513) CVE-2018-25018 (UnRAR 5.6.1.7 through 5.7.4 and 6.0.3 has an out-of-bounds write durin ...) - unrar-nonfree <unfixed> (bug #990541) + [buster] - unrar-nonfree <no-dsa> (Non-free not supported) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9845 NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/unrar/OSV-2018-204.yaml CVE-2018-25017 (RawSpeed (aka librawspeed) 3.1 has a heap-based buffer overflow in Tab ...) @@ -1413,6 +1419,8 @@ CVE-2021-35526 CVE-2021-3624 [buffer-overflow caused by integer-overflow in foveon_load_camf()] RESERVED - dcraw <unfixed> (bug #984761) + [bullseye] - dcraw <no-dsa> (Minor issue) + [buster] - dcraw <no-dsa> (Minor issue) CVE-2021-3623 [out-of-bounds access when trying to resume the state of the vTPM] RESERVED - libtpms <unfixed> (bug #990522) @@ -2905,11 +2913,13 @@ CVE-2021-34827 CVE-2021-3608 [pvrdma: uninitialized memory unmap in pvrdma_ring_init()] RESERVED - qemu <unfixed> (bug #990563) + [buster] - qemu <no-dsa> (Minor issue) [stretch] - qemu <not-affected> (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973383 CVE-2021-3607 [pvrdma: unchecked malloc size due to integer overflow in init_dev_ring()] RESERVED - qemu <unfixed> (bug #990564) + [buster] - qemu <no-dsa> (Minor issue) [stretch] - qemu <not-affected> (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1973349 CVE-2021-3606 (OpenVPN before version 2.5.3 on Windows allows local users to load arb ...) @@ -2918,6 +2928,7 @@ CVE-2021-34826 RESERVED CVE-2021-34825 (Quassel through 0.13.1, when --require-ssl is enabled, launches withou ...) - quassel <unfixed> (bug #990567) + [buster] - quassel <no-dsa> (Minor issue) NOTE: https://github.com/quassel/quassel/pull/581 NOTE: https://bugs.quassel-irc.org/issues/1728 NOTE: '--require-ssl' flag added in https://github.com/quassel/quassel/pull/43 @@ -4944,6 +4955,7 @@ CVE-2021-3587 [nfc: fix NULL ptr dereference in llcp_sock_getname() after failed CVE-2021-3582 [hw/rdma: Fix possible mremap overflow in the pvrdma device] RESERVED - qemu <unfixed> (bug #990565) + [buster] - qemu <no-dsa> (Minor issue) [stretch] - qemu <not-affected> (Vulnerable code introduced later) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2021-06/msg04148.html CVE-2021-33907 @@ -5249,6 +5261,7 @@ CVE-2021-33792 CVE-2021-3572 [Don't split git references on unicode separators #9827] RESERVED - python-pip 20.3.4-2 + [buster] - python-pip <no-dsa> (Minor issue) [stretch] - python-pip <postponed> (Minor issue. Fix along with next DLA) NOTE: https://bugs.launchpad.net/ubuntu/+source/python-pip/+bug/1926957 NOTE: https://github.com/pypa/pip/pull/9827 @@ -6583,6 +6596,7 @@ CVE-2021-3556 REJECTED CVE-2021-33204 (In the pg_partman (aka PG Partition Manager) extension before 4.5.1 fo ...) - pg-partman 4.5.1-1 (bug #988917) + [buster] - pg-partman <no-dsa> (Minor issue) [stretch] - pg-partman <no-dsa> (Minor issue) NOTE: https://github.com/pgpartman/pg_partman/commit/0b6565ad378c358f8a6cd1d48ddc482eb7f854d3 CVE-2021-33203 (Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a ...) @@ -6605,45 +6619,52 @@ CVE-2021-33199 RESERVED CVE-2021-33198 RESERVED - - golang-1.16 1.16.5-1 - - golang-1.15 1.15.9-5 - - golang-1.11 <removed> - - golang-1.8 <removed> + - golang-1.16 1.16.5-1 (unimportant) + - golang-1.15 1.15.9-5 (unimportant) + - golang-1.11 <removed> (unimportant) + - golang-1.8 <removed> (unimportant) [stretch] - golang-1.8 <no-dsa> (Limited support in stretch) - - golang-1.7 <removed> + - golang-1.7 <removed> (unimportant) NOTE: https://github.com/golang/go/issues/44910 NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI + NOTE: This appears to only update the documentation/example CVE-2021-33197 RESERVED - golang-1.16 1.16.5-1 - golang-1.15 1.15.9-5 - golang-1.11 <removed> + [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <removed> [stretch] - golang-1.8 <no-dsa> (Limited support in stretch) - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/46313 NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI + NOTE: https://github.com/golang/go/commit/cbd1ca84453fecf3825a6bb9f985823e8bc32b76 (1.15) CVE-2021-33196 [archive/zip: malformed archive may cause panic or memory exhaustion] RESERVED - golang-1.16 1.16.5-1 (bug #989492) - golang-1.15 1.15.9-4 - golang-1.11 <removed> + [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <removed> [stretch] - golang-1.8 <no-dsa> (Limited support in stretch) - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/46242 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33912 NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI + NOTE: https://github.com/golang/go/commit/c92adf420a3d9a5510f9aea382d826f0c9216a10 (1.15) CVE-2021-33195 RESERVED - golang-1.16 1.16.5-1 - golang-1.15 1.15.9-5 - golang-1.11 <removed> + [buster] - golang-1.11 <no-dsa> (Minor issue) - golang-1.8 <removed> [stretch] - golang-1.8 <no-dsa> (Limited support in stretch) - golang-1.7 <removed> NOTE: https://github.com/golang/go/issues/46241 NOTE: https://groups.google.com/g/golang-announce/c/RgCMkAEQjSI + NOTE: https://github.com/golang/go/commit/31d60cda1f58b7558fc5725d2b9e4531655d980e (1.15) CVE-2021-33194 (golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows atta ...) - golang-golang-x-net 1:0.0+git20210119.5f4716e+dfsg-4 - golang-golang-x-net-dev <removed> @@ -58162,6 +58183,7 @@ CVE-2020-24588 (The 802.11 standard that underpins Wi-Fi Protected Access (WPA, - linux 5.10.46-1 [buster] - linux 4.19.194-1 - firmware-nonfree <unfixed> + [buster] - firmware-nonfree <no-dsa> (Non-free not supported) NOTE: https://papers.mathyvanhoef.com/usenix2021.pdf NOTE: https://www.fragattacks.com/ NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html @@ -58178,6 +58200,7 @@ CVE-2020-24587 (The 802.11 standard that underpins Wi-Fi Protected Access (WPA, - linux 5.10.46-1 [buster] - linux 4.19.194-1 - firmware-nonfree <unfixed> + [buster] - firmware-nonfree <no-dsa> (Non-free not supported) NOTE: https://papers.mathyvanhoef.com/usenix2021.pdf NOTE: https://www.fragattacks.com/ NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html @@ -58191,6 +58214,7 @@ CVE-2020-24586 (The 802.11 standard that underpins Wi-Fi Protected Access (WPA, - linux 5.10.46-1 [buster] - linux 4.19.194-1 - firmware-nonfree <unfixed> + [buster] - firmware-nonfree <no-dsa> (Non-free not supported) NOTE: https://papers.mathyvanhoef.com/usenix2021.pdf NOTE: https://www.fragattacks.com/ NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html @@ -77512,6 +77536,7 @@ CVE-2020-15523 (In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8 - python2.7 <not-affected> (Python on Windows) CVE-2020-15522 (Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA bef ...) - bouncycastle 1.68-1 + [buster] - bouncycastle <no-dsa> (Minor issue) [stretch] - bouncycastle <no-dsa> (Minor issue) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2020-15522 CVE-2020-15521 (Zoho ManageEngine Applications Manager before 14 build 14730 has no pr ...) diff --git a/data/DSA/list b/data/DSA/list index fcac65c48b..dcf4c239a6 100644 --- a/data/DSA/list +++ b/data/DSA/list @@ -11,7 +11,7 @@ {CVE-2021-0089 CVE-2021-26313 CVE-2021-28690 CVE-2021-28692} [buster] - xen 4.11.4+107-gef32c7afa2-1 [10 Jun 2021] DSA-4930-1 libwebp - security update - {CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332} + {CVE-2018-25009 CVE-2018-25010 CVE-2018-25011 CVE-2018-25012 CVE-2018-25013 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329 CVE-2020-36330 CVE-2020-36331 CVE-2020-36332 } [buster] - libwebp 0.6.1-2+deb10u1 [09 Jun 2021] DSA-4929-1 rails - security update {CVE-2021-22880 CVE-2021-22885 CVE-2021-22904} diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index b98b516f15..d2dea1b0c5 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -12,7 +12,7 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. -- -apache2 +apache2 (jmm) Maintainer (yadd) is working on updates -- condor @@ -21,7 +21,9 @@ chromium -- djvulibre -- -libuv1 +icu +-- +libuv1 (jmm) jmm asked maintainers to prepare update, pending -- linux (carnil) |