buster triage

author: Moritz Muehlenhoff <jmm@debian.org> 2021-07-14 19:23:25 +0200
committer: Moritz Muehlenhoff <jmm@debian.org> 2021-07-14 19:23:25 +0200
commit: 4b47fd43da0e093b171ac0d801c1f8cb3e1e2450 (patch)
tree: 3021141dbfba7844c0ec0475f5c93c76942e1bea /data
parent: 2df42859bbe43067e7ab6109472bcc92901c5f3c (diff)
2 files changed, 34 insertions, 22 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 3de962a13f..60efbc94f3 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -745,17 +745,20 @@ CVE-2021-36378
 	RESERVED
 CVE-2021-36377 (Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname ...)
 	- fossil 1:2.15.2-1
+	[buster] - fossil <no-dsa> (Minor issue)
 	NOTE: https://fossil-scm.org/forum/forumpost/8d367e16f53d93c789d70bd3bf2c9587227bbd5c6a7b8e512cccd79007536036
 CVE-2021-36376 (dandavison delta before 0.8.3 on Windows resolves an executable's path ...)
 	NOT-FOR-US: dandavison delta
 CVE-2021-36375
 	RESERVED
 CVE-2021-36374 (When reading a specially crafted ZIP archive, or a derived formats, an ...)
-	- ant <unfixed>
+	- ant <unfixed> (unimportant)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/6
+	NOTE: Crash in CLI tool, no security impact
 CVE-2021-36373 (When reading a specially crafted TAR archive an Apache Ant build can b ...)
-	- ant <unfixed>
+	- ant <unfixed> (unimportant)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/5
+	NOTE: Crash in CLI tool, no security impact
 CVE-2021-36372
 	RESERVED
 CVE-2021-36371 (Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allo ...)
@@ -1367,6 +1370,7 @@ CVE-2021-3632
 	NOT-FOR-US: Keycloak
 CVE-2021-36090 (When reading a specially crafted ZIP archive, Compress can be made to  ...)
 	- libcommons-compress-java <unfixed> (bug #991041)
+	[buster] - libcommons-compress-java <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/4
 CVE-2020-36416 (A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 ...)
 	NOT-FOR-US: CMS Made Simple
@@ -2698,12 +2702,15 @@ CVE-2021-35518
 	RESERVED
 CVE-2021-35517 (When reading a specially crafted TAR archive, Compress can be made to  ...)
 	- libcommons-compress-java <unfixed> (bug #991041)
+	[buster] - libcommons-compress-java <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/3
 CVE-2021-35516 (When reading a specially crafted 7Z archive, Compress can be made to a ...)
 	- libcommons-compress-java <unfixed> (bug #991041)
+	[buster] - libcommons-compress-java <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/2
 CVE-2021-35515 (When reading a specially crafted 7Z archive, the construction of the l ...)
 	- libcommons-compress-java <unfixed> (bug #991041)
+	[buster] - libcommons-compress-java <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/1
 CVE-2021-35514 (Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the t ...)
 	NOT-FOR-US: Narou
@@ -3665,6 +3672,7 @@ CVE-2021-35063
 	RESERVED
 	[experimental] - suricata 1:6.0.3-1~exp1
 	- suricata <unfixed> (bug #990835)
+	[buster] - suricata <no-dsa> (Minor issue)
 	NOTE: https://forum.suricata.io/t/suricata-6-0-3-and-5-0-7-released/1489
 CVE-2021-35062
 	RESERVED
@@ -6463,8 +6471,11 @@ CVE-2021-33814
 CVE-2021-33813 (An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to c ...)
 	{DLA-2696-1}
 	- libjdom2-intellij-java <unfixed> (bug #990673)
+	[buster] - libjdom2-intellij-java <no-dsa> (Minor issue)
 	- libjdom2-java <unfixed> (bug #990671)
+	[buster] - libjdom2-java <no-dsa> (Minor issue)
 	- libjdom1-java <unfixed> (bug #990672)
+	[buster] - libjdom1-java <no-dsa> (Minor issue)
 	NOTE: https://github.com/hunterhacker/jdom/pull/188
 	NOTE: https://alephsecurity.com/vulns/aleph-2021003
 	NOTE: Fixed by: https://github.com/hunterhacker/jdom/commit/bd3ab78370098491911d7fe9d7a43b97144a234e
@@ -8969,9 +8980,11 @@ CVE-2021-32748
 	RESERVED
 CVE-2021-32747 (Icinga Web 2 is an open source monitoring web interface, framework, an ...)
 	- icingaweb2 <unfixed>
+	[buster] - icingaweb2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx
 CVE-2021-32746 (Icinga Web 2 is an open source monitoring web interface, framework and ...)
 	- icingaweb2 <unfixed>
+	[buster] - icingaweb2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43
 CVE-2021-32745
 	RESERVED
@@ -15775,6 +15788,7 @@ CVE-2021-30015 (There is a Null Pointer Dereference in function filter_core/filt
 	NOTE: https://github.com/gpac/gpac/issues/1719
 CVE-2021-30014 (There is a integer overflow in media_tools/av_parsers.c in the hevc_pa ...)
 	- gpac 1.0.1+dfsg1-4 (bug #987323)
+	[buster] - gpac <no-dsa> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/commit/51cdb67ff7c5f1242ac58c5aa603ceaf1793b788
 	NOTE: https://github.com/gpac/gpac/issues/1721
 CVE-2021-30013
@@ -35255,6 +35269,7 @@ CVE-2021-21780
 	RESERVED
 CVE-2021-21779 (A use-after-free vulnerability exists in the way Webkit&#8217;s Graphi ...)
 	- webkit2gtk <unfixed>
+	[buster] - webkit2gtk <postponed> (Fix along with next update round)
 	[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
 	- wpewebkit <unfixed>
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1238
@@ -35266,6 +35281,7 @@ CVE-2021-21776 (An out-of-bounds write vulnerability exists in the SGI Format Bu
 	NOT-FOR-US: ImageGear
 CVE-2021-21775 (A use-after-free vulnerability exists in the way certain events are pr ...)
 	- webkit2gtk <unfixed>
+	[buster] - webkit2gtk <postponed> (Fix along with next update round)
 	[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
 	- wpewebkit <unfixed>
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1229
@@ -103709,41 +103725,35 @@ CVE-2020-6624 (jhead through 3.04 has a heap-based buffer over-read in process_D
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858744
 	NOTE: Crash in CLI tool, no security impact
 CVE-2020-6623 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff ...)
-	- libstb <unfixed> (low; bug #949560)
-	[bullseye] - libstb <no-dsa> (Minor issue)
-	[buster] - libstb <no-dsa> (Minor issue)
+	- libstb <unfixed> (unimportant; bug #949560)
 	NOTE: https://github.com/nothings/stb/issues/865
-	NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa, godot, dart
+	NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files
 CVE-2020-6622 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...)
-	- libstb <unfixed> (low; bug #949559)
-	[bullseye] - libstb <no-dsa> (Minor issue)
-	[buster] - libstb <no-dsa> (Minor issue)
+	- libstb <unfixed> (unimportant; bug #949559)
 	NOTE: https://github.com/nothings/stb/issues/869
+	NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files
 CVE-2020-6621 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in t ...)
-	- libstb <unfixed> (low; bug #949558)
-	[bullseye] - libstb <no-dsa> (Minor issue)
-	[buster] - libstb <no-dsa> (Minor issue)
+	- libstb <unfixed> (unimportant; bug #949558)
 	NOTE: https://github.com/nothings/stb/issues/867
+	NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files
 CVE-2020-6620 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...)
-	- libstb <unfixed> (low; bug #949557)
-	[bullseye] - libstb <no-dsa> (Minor issue)
-	[buster] - libstb <no-dsa> (Minor issue)
+	- libstb <unfixed> (unimportant; bug #949557)
 	NOTE: https://github.com/nothings/stb/issues/868
+	NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files
 CVE-2020-6619 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__buf ...)
-	- libstb <unfixed> (low; bug #949556)
-	[bullseye] - libstb <no-dsa> (Minor issue)
-	[buster] - libstb <no-dsa> (Minor issue)
+	- libstb <unfixed> (unimportant; bug #949556)
 	NOTE: https://github.com/nothings/stb/issues/863
+	NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files
 CVE-2020-6618 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...)
-	- libstb <unfixed> (low; bug #949555)
+	- libstb <unfixed> (unimportant; bug #949555)
 	[bullseye] - libstb <no-dsa> (Minor issue)
 	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/nothings/stb/issues/866
+	NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files
 CVE-2020-6617 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff ...)
-	- libstb <unfixed> (low; bug #949554)
-	[bullseye] - libstb <no-dsa> (Minor issue)
-	[buster] - libstb <no-dsa> (Minor issue)
+	- libstb <unfixed> (unimportant; bug #949554)
 	NOTE: https://github.com/nothings/stb/issues/867
+	NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files
 CVE-2020-6616 (Some Broadcom chips mishandle Bluetooth random-number generation becau ...)
 	NOT-FOR-US: Broadcom
 CVE-2020-6615 (GNU LibreDWG 0.9.3.2564 has an invalid pointer dereference in dwg_dyna ...)
diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt
index b57b8c2620..119b8b446c 100644
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -44,3 +44,5 @@ thunderbird (jmm)
 --
 trafficserver (jmm)
 --
+varnish
+--
author	Moritz Muehlenhoff <jmm@debian.org>	2021-07-14 19:23:25 +0200
committer	Moritz Muehlenhoff <jmm@debian.org>	2021-07-14 19:23:25 +0200
commit	4b47fd43da0e093b171ac0d801c1f8cb3e1e2450 (patch)
tree	3021141dbfba7844c0ec0475f5c93c76942e1bea /data
parent	2df42859bbe43067e7ab6109472bcc92901c5f3c (diff)