diff options
| author | Moritz Muehlenhoff <jmm@debian.org> | 2020-09-22 20:02:29 +0200 |
|---|---|---|
| committer | Moritz Muehlenhoff <jmm@debian.org> | 2020-09-22 20:02:29 +0200 |
| commit | 4c7ffafe1f6ac0a64bb2d498068a05fd78f3cf71 (patch) | |
| tree | 721ec8a5fddcbe1f2cb9e12e116edb1625e4fe9c | |
| parent | 99cf1e994382aaef385c4a759cc20c558cb99bd1 (diff) | |
buster triage
older ntp issue also fixed in sid
| -rw-r--r-- | data/CVE/list | 20 | ||||
| -rw-r--r-- | data/dsa-needed.txt | 12 |
2 files changed, 24 insertions, 8 deletions
diff --git a/data/CVE/list b/data/CVE/list index d3c0f0dedf..4b3420afe4 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -2640,6 +2640,7 @@ CVE-2020-24585 (An issue was discovered in the DTLS handshake implementation in NOTE: https://github.com/wolfSSL/wolfssl/commit/3be7f3ea3a56d178acf0f7f84ee4ae8cbfee8915 (v4.5.0-stable) CVE-2020-24584 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10 ...) - python-django 2:2.2.16-1 (bug #969367) + [buster] - python-django <postponed> (Fix along in future DSA) [stretch] - python-django <not-affected> (Requires Python 3.7+) NOTE: https://github.com/django/django/commit/1853724acaf17ed7414d54c7d2b5563a25025a71 (master) NOTE: https://github.com/django/django/commit/2b099caa5923afa8cfb5f1e8c0d56b6e0e81915b (3.1.1) @@ -2647,6 +2648,7 @@ CVE-2020-24584 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 before NOTE: https://github.com/django/django/commit/a3aebfdc8153dc230686b6d2454ccd32ed4c9e6f (2.2.16) CVE-2020-24583 (An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10 ...) - python-django 2:2.2.16-1 (bug #969367) + [buster] - python-django <postponed> (Fix along in future DSA) [stretch] - python-django <not-affected> (Requires Python 3.7+) NOTE: https://github.com/django/django/commit/8d7271578d7b153435b40fe40236ebec43cbf1b9 (master) NOTE: https://github.com/django/django/commit/934430d22aa5d90c2ba33495ff69a6a1d997d584 (3.1.1) @@ -3201,23 +3203,23 @@ CVE-2020-24334 CVE-2020-24333 RESERVED CVE-2020-24332 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...) - - trousers <unfixed> - [stretch] - trousers <ignored> (tss service gets started as non-root user via init script) + - trousers <unfixed> (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472 NOTE: https://sourceforge.net/p/trousers/mailman/message/37015817/ NOTE: https://www.openwall.com/lists/oss-security/2020/08/14/1 + NOTE: In Debian, tcsd gets started under the tss user CVE-2020-24331 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...) - - trousers <unfixed> - [stretch] - trousers <ignored> (tss service gets started as non-root user via init script) + - trousers <unfixed> (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472 NOTE: https://sourceforge.net/p/trousers/mailman/message/37015817/ NOTE: https://www.openwall.com/lists/oss-security/2020/08/14/1 + NOTE: In Debian, tcsd gets started under the tss user CVE-2020-24330 (An issue was discovered in TrouSerS through 0.3.14. If the tcsd daemon ...) - - trousers <unfixed> - [stretch] - trousers <ignored> (tss service gets started as non-root user via init script) + - trousers <unfixed> (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1164472 NOTE: https://sourceforge.net/p/trousers/mailman/message/37015817/ NOTE: https://www.openwall.com/lists/oss-security/2020/08/14/1 + NOTE: In Debian, tcsd gets started under the tss user CVE-2020-24329 RESERVED CVE-2020-24328 @@ -19731,6 +19733,7 @@ CVE-2020-16151 RESERVED CVE-2020-16150 (A Lucky 13 timing side channel in mbedtls_ssl_decrypt_buf in library/s ...) - mbedtls <unfixed> + [buster] - mbedtls <no-dsa> (Minor issue) NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-09-1 CVE-2020-16149 REJECTED @@ -42775,6 +42778,7 @@ CVE-2020-7712 (This affects the package json before 10.0.0. It is possible to in NOT-FOR-US: Node json CVE-2020-7711 (This affects all versions of package github.com/russellhaering/goxmlds ...) - golang-github-russellhaering-goxmldsig <unfixed> (bug #968928) + [buster] - golang-github-russellhaering-goxmldsig <no-dsa> (Minor issue) NOTE: https://github.com/russellhaering/goxmldsig/issues/48 CVE-2020-7710 (This affects all versions of package safe-eval. It is possible for an ...) NOT-FOR-US: Node safe-eval @@ -147592,8 +147596,8 @@ CVE-2018-8958 CVE-2018-8957 (CoverCMS v1.1.6 has XSS via the fourth input box to index.php, related ...) NOT-FOR-US: CoverCMS CVE-2018-8956 (ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allow remote att ...) - - ntp <unfixed> (low) - [buster] - ntp <no-dsa> (Minor issue) + - ntp 1:4.2.8p14+dfsg-1 (low) + [buster] - ntp <ignored> (Minor issue) [stretch] - ntp <no-dsa> (Minor issue) [jessie] - ntp <postponed> (Minor issue, requires being part of same broadcast network, no patch) - ntpsec <not-affected> (Broadcast mode not present, see #961748) diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index 80d8748e6b..3de3b1a9f8 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -12,21 +12,33 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. -- +ansible +-- chromium -- curl (ghedo) -- +firefox-esr (jmm) +-- knot-resolver Santiago Ruano Rincón proposed a debdiff for review -- linux (carnil) Wait until more issues have piled up -- +netty +-- python-flask-cors -- rails (jmm) Sylvain Beucler proposed to help for the update, remaining CVEs to be done -- +samba +-- +thunderbird (jmm) +-- xcftools Hugo proposed to work on this update -- +xen (jmm) +-- |