| author | Moritz Muehlenhoff <jmm@debian.org> | 2021-07-14 19:23:25 +0200 |
|---|---|---|
| committer | Moritz Muehlenhoff <jmm@debian.org> | 2021-07-14 19:23:25 +0200 |
| commit | 4b47fd43da0e093b171ac0d801c1f8cb3e1e2450 (patch) | |
| tree | 3021141dbfba7844c0ec0475f5c93c76942e1bea /data | |
| parent | 2df42859bbe43067e7ab6109472bcc92901c5f3c (diff) | |
buster triage
Diffstat (limited to 'data')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | data/CVE/list | 54 |
| -rw-r--r-- | data/dsa-needed.txt | 2 |

2 files changed, 34 insertions, 22 deletions
diff --git a/data/CVE/list b/data/CVE/list index 3de962a13f..60efbc94f3 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -745,17 +745,20 @@ CVE-2021-36378 RESERVED CVE-2021-36377 (Fossil before 2.14.2 and 2.15.x before 2.15.2 often skips the hostname ...) - fossil 1:2.15.2-1 + [buster] - fossil <no-dsa> (Minor issue) NOTE: https://fossil-scm.org/forum/forumpost/8d367e16f53d93c789d70bd3bf2c9587227bbd5c6a7b8e512cccd79007536036 CVE-2021-36376 (dandavison delta before 0.8.3 on Windows resolves an executable's path ...) NOT-FOR-US: dandavison delta CVE-2021-36375 RESERVED CVE-2021-36374 (When reading a specially crafted ZIP archive, or a derived formats, an ...) - - ant <unfixed> + - ant <unfixed> (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/6 + NOTE: Crash in CLI tool, no security impact CVE-2021-36373 (When reading a specially crafted TAR archive an Apache Ant build can b ...) - - ant <unfixed> + - ant <unfixed> (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/5 + NOTE: Crash in CLI tool, no security impact CVE-2021-36372 RESERVED CVE-2021-36371 (Emissary-Ingress (formerly Ambassador API Gateway) through 1.13.9 allo ...) @@ -1367,6 +1370,7 @@ CVE-2021-3632 NOT-FOR-US: Keycloak CVE-2021-36090 (When reading a specially crafted ZIP archive, Compress can be made to ...) - libcommons-compress-java <unfixed> (bug #991041) + [buster] - libcommons-compress-java <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/4 CVE-2020-36416 (A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 ...) NOT-FOR-US: CMS Made Simple 
@@ -2698,12 +2702,15 @@ CVE-2021-35518 RESERVED CVE-2021-35517 (When reading a specially crafted TAR archive, Compress can be made to ...) - libcommons-compress-java <unfixed> (bug #991041) + [buster] - libcommons-compress-java <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/3 CVE-2021-35516 (When reading a specially crafted 7Z archive, Compress can be made to a ...) - libcommons-compress-java <unfixed> (bug #991041) + [buster] - libcommons-compress-java <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/2 CVE-2021-35515 (When reading a specially crafted 7Z archive, the construction of the l ...) - libcommons-compress-java <unfixed> (bug #991041) + [buster] - libcommons-compress-java <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2021/07/13/1 CVE-2021-35514 (Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the t ...) NOT-FOR-US: Narou @@ -3665,6 +3672,7 @@ CVE-2021-35063 RESERVED [experimental] - suricata 1:6.0.3-1~exp1 - suricata <unfixed> (bug #990835) + [buster] - suricata <no-dsa> (Minor issue) NOTE: https://forum.suricata.io/t/suricata-6-0-3-and-5-0-7-released/1489 CVE-2021-35062 RESERVED @@ -6463,8 +6471,11 @@ CVE-2021-33814 CVE-2021-33813 (An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to c ...) {DLA-2696-1} - libjdom2-intellij-java <unfixed> (bug #990673) + [buster] - libjdom2-intellij-java <no-dsa> (Minor issue) - libjdom2-java <unfixed> (bug #990671) + [buster] - libjdom2-java <no-dsa> (Minor issue) - libjdom1-java <unfixed> (bug #990672) + [buster] - libjdom1-java <no-dsa> (Minor issue) NOTE: https://github.com/hunterhacker/jdom/pull/188 NOTE: https://alephsecurity.com/vulns/aleph-2021003 NOTE: Fixed by: https://github.com/hunterhacker/jdom/commit/bd3ab78370098491911d7fe9d7a43b97144a234e 
@@ -8969,9 +8980,11 @@ CVE-2021-32748 RESERVED CVE-2021-32747 (Icinga Web 2 is an open source monitoring web interface, framework, an ...) - icingaweb2 <unfixed> + [buster] - icingaweb2 <no-dsa> (Minor issue) NOTE: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-2xv9-886q-p7xx CVE-2021-32746 (Icinga Web 2 is an open source monitoring web interface, framework and ...) - icingaweb2 <unfixed> + [buster] - icingaweb2 <no-dsa> (Minor issue) NOTE: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-cmgc-h4cx-3v43 CVE-2021-32745 RESERVED @@ -15775,6 +15788,7 @@ CVE-2021-30015 (There is a Null Pointer Dereference in function filter_core/filt NOTE: https://github.com/gpac/gpac/issues/1719 CVE-2021-30014 (There is a integer overflow in media_tools/av_parsers.c in the hevc_pa ...) - gpac 1.0.1+dfsg1-4 (bug #987323) + [buster] - gpac <no-dsa> (Minor issue) NOTE: https://github.com/gpac/gpac/commit/51cdb67ff7c5f1242ac58c5aa603ceaf1793b788 NOTE: https://github.com/gpac/gpac/issues/1721 CVE-2021-30013 @@ -35255,6 +35269,7 @@ CVE-2021-21780 RESERVED CVE-2021-21779 (A use-after-free vulnerability exists in the way Webkit’s Graphi ...) - webkit2gtk <unfixed> + [buster] - webkit2gtk <postponed> (Fix along with next update round) [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) - wpewebkit <unfixed> NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1238 @@ -35266,6 +35281,7 @@ CVE-2021-21776 (An out-of-bounds write vulnerability exists in the SGI Format Bu NOT-FOR-US: ImageGear CVE-2021-21775 (A use-after-free vulnerability exists in the way certain events are pr ...) - webkit2gtk <unfixed> + [buster] - webkit2gtk <postponed> (Fix along with next update round) [stretch] - webkit2gtk <ignored> (Not covered by security support in stretch) - wpewebkit <unfixed> NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2021-1229 
@@ -103709,41 +103725,35 @@ CVE-2020-6624 (jhead through 3.04 has a heap-based buffer over-read in process_D NOTE: https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1858744 NOTE: Crash in CLI tool, no security impact CVE-2020-6623 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff ...) - - libstb <unfixed> (low; bug #949560) - [bullseye] - libstb <no-dsa> (Minor issue) - [buster] - libstb <no-dsa> (Minor issue) + - libstb <unfixed> (unimportant; bug #949560) NOTE: https://github.com/nothings/stb/issues/865 - NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa, godot, dart + NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files CVE-2020-6622 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...) - - libstb <unfixed> (low; bug #949559) - [bullseye] - libstb <no-dsa> (Minor issue) - [buster] - libstb <no-dsa> (Minor issue) + - libstb <unfixed> (unimportant; bug #949559) NOTE: https://github.com/nothings/stb/issues/869 + NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files CVE-2020-6621 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in t ...) - - libstb <unfixed> (low; bug #949558) - [bullseye] - libstb <no-dsa> (Minor issue) - [buster] - libstb <no-dsa> (Minor issue) + - libstb <unfixed> (unimportant; bug #949558) NOTE: https://github.com/nothings/stb/issues/867 + NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files CVE-2020-6620 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...) - - libstb <unfixed> (low; bug #949557) - [bullseye] - libstb <no-dsa> (Minor issue) - [buster] - libstb <no-dsa> (Minor issue) + - libstb <unfixed> (unimportant; bug #949557) NOTE: https://github.com/nothings/stb/issues/868 + NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files CVE-2020-6619 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__buf ...) 
- - libstb <unfixed> (low; bug #949556) - [bullseye] - libstb <no-dsa> (Minor issue) - [buster] - libstb <no-dsa> (Minor issue) + - libstb <unfixed> (unimportant; bug #949556) NOTE: https://github.com/nothings/stb/issues/863 + NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files CVE-2020-6618 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...) - - libstb <unfixed> (low; bug #949555) + - libstb <unfixed> (unimportant; bug #949555) [bullseye] - libstb <no-dsa> (Minor issue) [buster] - libstb <no-dsa> (Minor issue) NOTE: https://github.com/nothings/stb/issues/866 + NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files CVE-2020-6617 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff ...) - - libstb <unfixed> (low; bug #949554) - [bullseye] - libstb <no-dsa> (Minor issue) - [buster] - libstb <no-dsa> (Minor issue) + - libstb <unfixed> (unimportant; bug #949554) NOTE: https://github.com/nothings/stb/issues/867 + NOTE: stb_truetype.h explicitly marked as unsuitable for untrusted files CVE-2020-6616 (Some Broadcom chips mishandle Bluetooth random-number generation becau ...) NOT-FOR-US: Broadcom CVE-2020-6615 (GNU LibreDWG 0.9.3.2564 has an invalid pointer dereference in dwg_dyna ...) diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index b57b8c2620..119b8b446c 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -44,3 +44,5 @@ thunderbird (jmm) -- trafficserver (jmm) -- +varnish +-- |
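Review bot: In the first data/CVE/list hunk (@@ -745), the two ant entries (CVE-2021-36374, CVE-2021-36373) are downgraded to `(unimportant)` with the NOTE "Crash in CLI tool, no security impact", while the libcommons-compress-java entries for the same crafted-archive class (CVE-2021-36090, CVE-2021-35517, CVE-2021-35516, CVE-2021-35515 in the later hunks) keep `<unfixed> (bug #991041)` and only gain `[buster] - libcommons-compress-java <no-dsa> (Minor issue)`. The distinction (a build tool that parses archives it is given by the build author, versus a library that other packages feed untrusted input to) is defensible, but it is not written down anywhere; a one-line NOTE on the ant entries saying why the two cases differ would stop a later triage pass from "harmonising" them in either direction.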
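Review bot: In the @@ -103709 hunk, CVE-2020-6618 is the odd one out: its severity line becomes `- libstb <unfixed> (unimportant; bug #949555)` like the other six stb_truetype entries, but its `[bullseye] - libstb <no-dsa> (Minor issue)` and `[buster] - libstb <no-dsa> (Minor issue)` lines are left in place as unchanged context, whereas every other entry in the hunk has them removed. With the package marked `unimportant` the per-release `no-dsa` tags are redundant, so those two lines should be dropped for CVE-2020-6618 as well. Two smaller points from the same hunk: the removed NOTE "Potentially affects mame, embree, libtcod, sumo, goxel, mesa, godot, dart" is the only record of which packages embed stb, which is useful for tracking embedded copies even when the issue is unimportant, so consider keeping it next to the new "explicitly marked as unsuitable for untrusted files" NOTE; and the pre-existing reference `https://github.com/nothings/stb/issues/867` appears under both CVE-2020-6621 and CVE-2020-6617, which looks like a copy-paste slip in one of the two.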