| | | |
|---|---|---|
| author | Moritz Muehlenhoff <jmm@debian.org> | 2021-10-11 19:05:22 +0200 |
| committer | Moritz Muehlenhoff <jmm@debian.org> | 2021-10-11 23:21:08 +0200 |
| commit | e5cbee38497235432974a7edfabe14d801d4a62b | |
| tree | 2b9a5a344fcb43740f90ece4d5ffc47124c754a2 | |
| parent | e87d3a1ef4c8c70d928384330f14276ab0790328 | |
buster/bullseye triage
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | data/CVE/list | 16 |
| -rw-r--r-- | data/DSA/list | 2 |

2 files changed, 16 insertions, 2 deletions
diff --git a/data/CVE/list b/data/CVE/list index 695e039323..af1b7601a8 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -3889,6 +3889,8 @@ CVE-2021-40531 (Sketch before 75 mishandles external library feeds. ...) NOTE: sketch.com, not the sketch package in Debian. CVE-2021-40530 (The ElGamal implementation in Crypto++ through 8.5 allows plaintext re ...) - libcrypto++ 8.6.0-1 (bug #993841) + [bullseye] - libcrypto++ <no-dsa> (Minor issue) + [buster] - libcrypto++ <no-dsa> (Minor issue) NOTE: https://eprint.iacr.org/2021/923 NOTE: https://github.com/weidai11/cryptopp/issues/1059 NOTE: https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1 @@ -4851,6 +4853,7 @@ CVE-2021-3737 [client can enter an infinite loop on a 100 Continue response from - python3.9 3.9.7-1 [bullseye] - python3.9 <no-dsa> (Minor issue) - python3.7 <removed> + [buster] - python3.7 <no-dsa> (Minor issue) - python3.5 <removed> - python3.4 <removed> NOTE: https://bugs.python.org/issue44022 @@ -7073,6 +7076,8 @@ CVE-2021-39213 (GLPI is a free Asset and IT management software package. Startin NOTE: Only supported behind an authenticated HTTP zone CVE-2021-39212 (ImageMagick is free software delivered as a ready-to-run binary distri ...) - imagemagick <unfixed> + [bullseye] - imagemagick <no-dsa> (Minor issue) + [buster] - imagemagick <no-dsa> (Minor issue) [stretch] - imagemagick <no-dsa> (Minor issue) NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-qvhr-jj4p-j2qr NOTE: https://github.com/ImageMagick/ImageMagick/commit/01faddbe2711a4156180c4a92837e2f23683cc68 @@ -24014,6 +24019,7 @@ CVE-2021-32066 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7 - ruby2.7 2.7.4-1 (bug #990815) - ruby2.5 <removed> - ruby2.3 <removed> + [buster] - ruby2.3 <no-dsa> (Minor issue) - jruby <unfixed> [buster] - jruby <no-dsa> (Minor issue) [stretch] - jruby <no-dsa> (Minor issue) 
@@ -24927,6 +24933,7 @@ CVE-2021-31810 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7 {DLA-2780-1} - ruby2.7 2.7.4-1 (bug #990815) - ruby2.5 <removed> + [buster] - ruby2.5 <no-dsa> (Minor issue) - ruby2.3 <removed> - jruby <unfixed> [buster] - jruby <no-dsa> (Minor issue) @@ -24988,6 +24995,7 @@ CVE-2021-31799 (In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby {DLA-2780-1} - ruby2.7 2.7.4-1 (bug #990815) - ruby2.5 <removed> + [buster] - ruby2.5 <no-dsa> (Minor issue) - ruby2.3 <removed> NOTE: Introduced in (rdoc): https://github.com/ruby/rdoc/commit/4a8b7bed7cd5647db92c620bc6f33e4c309d2212 (v3.11) NOTE: Fixed in (rdoc): https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7 (v6.3.1) @@ -46567,15 +46575,20 @@ CVE-2021-22948 (Vulnerability in the generation of session IDs in revive-adserve CVE-2021-22947 (When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 se ...) {DLA-2773-1} - curl <unfixed> + [bullseye] - curl <no-dsa> (Minor issue) + [buster] - curl <no-dsa> (Minor issue) NOTE: https://curl.se/docs/CVE-2021-22947.html NOTE: Fixed by: https://github.com/curl/curl/commit/8ef147c43646e91fdaad5d0e7b60351f842e5c68 (curl-7_79_0) CVE-2021-22946 (A user can tell curl >= 7.20.0 and <= 7.78.0 to require a succes ...) {DLA-2773-1} - curl <unfixed> + [bullseye] - curl <no-dsa> (Minor issue) + [buster] - curl <no-dsa> (Minor issue) NOTE: https://curl.se/docs/CVE-2021-22946.html NOTE: Fixed by: https://github.com/curl/curl/commit/364f174724ef115c63d5e5dc1d3342c8a43b1cca (curl-7_79_0) CVE-2021-22945 (When sending data to an MQTT server, libcurl <= 7.73.0 and 7.78.0 c ...) - curl <unfixed> + [bullseye] - curl <no-dsa> (Minor issue) [buster] - curl <not-affected> (Vulnerable code introduced later) [stretch] - curl <not-affected> (Vulnerable code introduced later) NOTE: https://curl.se/docs/CVE-2021-22945.html 
@@ -46648,6 +46661,8 @@ CVE-2021-22925 (curl supports the `-t` command line option, known as `CURLOPT_TE CVE-2021-22924 (libcurl keeps previously used connections in a connection pool for sub ...) {DLA-2734-1} - curl <unfixed> (bug #991492) + [bullseye] - curl <no-dsa> (Minor issue) + [buster] - curl <no-dsa> (Minor issue) NOTE: https://curl.se/docs/CVE-2021-22924.html NOTE: Introduced by: https://github.com/curl/curl/commit/89721ff04af70f527baae1368f3b992777bf6526 (curl-7_10_4) NOTE: Fixed by: https://github.com/curl/curl/commit/5ea3145850ebff1dc2b13d17440300a01ca38161 (curl-7_78_0) @@ -73787,7 +73802,6 @@ CVE-2020-24743 RESERVED CVE-2020-24742 (An issue has been fixed in Qt versions 5.14.0 where QPluginLoader atte ...) - qtbase-opensource-src 5.12.5+dfsg-8 - [stretch] - qtbase-opensource-src 5.7.1+dfsg-3+deb9u2 - qtbase-opensource-src-gles 5.14.2+dfsg-3 - qt4-x11 <not-affected> (Vulnerable code introduced later) NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/280730 diff --git a/data/DSA/list b/data/DSA/list index 7c1cbb1bd3..e3c2902ac7 100644 --- a/data/DSA/list +++ b/data/DSA/list @@ -1187,7 +1187,7 @@ [stretch] - libexif 0.6.21-2+deb9u1 [buster] - libexif 0.6.21-5.1+deb10u1 [03 Feb 2020] DSA-4617-1 qtbase-opensource-src - security update - {CVE-2020-0569} + {CVE-2020-0569 CVE-2020-24742} [stretch] - qtbase-opensource-src 5.7.1+dfsg-3+deb9u2 [buster] - qtbase-opensource-src 5.11.3+dfsg1-1+deb10u3 [02 Feb 2020] DSA-4616-1 qemu - security update |
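Review bot: In the CVE-2021-32066 hunk of data/CVE/list, the new line `[buster] - ruby2.3 <no-dsa> (Minor issue)` tags the wrong source package for buster: buster ships ruby2.5, not ruby2.3, and the CVE-2021-31810 and CVE-2021-31799 hunks in this same patch triage buster as `[buster] - ruby2.5 <no-dsa> (Minor issue)`. As written the tag has no effect on buster and ruby2.5 stays untriaged there for this CVE; suggest placing it under the `- ruby2.5 <removed>` line as `[buster] - ruby2.5 <no-dsa> (Minor issue)`, matching the other two Ruby entries.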
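Review bot: Adding CVE-2020-24742 to DSA-4617-1 in data/DSA/list has a wider effect than the stretch line removed from data/CVE/list: the DSA entry also carries `[buster] - qtbase-opensource-src 5.11.3+dfsg1-1+deb10u3`, so buster is now recorded as fixed for this CVE, whereas before it had no explicit line and was assessed against the unstable fix version 5.12.5+dfsg-8. That is only correct if the deb10u3 upload actually contains the change referenced in the NOTE (codereview 280730); please confirm, and if it does not, keep an explicit buster line in data/CVE/list instead of relying on the DSA cross-reference.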
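Review bot: In the CVE-2021-22947 / CVE-2021-22946 hunk the buster and bullseye rationale is only `(Minor issue)`, while the `{DLA-2773-1}` reference on the same entries shows that stretch LTS already shipped a fix and the Fixed-by commits (curl-7_79_0) are already linked. Either state why these fall below the DSA threshold for the newer releases, or tag them `<postponed>` so they are picked up with the next curl DSA or point release; as it stands the record reads as stretch being handled more strictly than buster and bullseye.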
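Review bot: In the CVE-2021-22924 hunk, `{DLA-2734-1}` and `(bug #991492)` are already on the entry and the Fixed-by commit (curl-7_78_0) is linked, so the bare `(Minor issue)` rationale for the new buster and bullseye tags does not explain why no stable update is planned when stretch LTS fixed it. Suggest expanding the rationale or using `<postponed>` so the fix is tracked for a later DSA or point release.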
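Review bot: In the CVE-2021-40530 hunk the fix is already in unstable (`libcrypto++ 8.6.0-1 (bug #993841)`) and the three NOTE links document a weakness in the ElGamal implementation, yet the new bullseye and buster tags give only `(Minor issue)` as rationale. Since the record carries no hint of why this is considered minor, suggest extending the rationale (for example, whether a point-release backport of the 8.6.0 fix is intended) so the triage decision can be revisited without re-reading the linked paper and upstream issue.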