author Moritz Muehlenhoff <jmm@debian.org> 2021-03-22 17:56:28 +0100
committer Moritz Muehlenhoff <jmm@debian.org> 2021-03-22 17:56:51 +0100
commit 544738db15ccc2baa1bc48a20af7ed290329a8a5
tree e4cf8d154371b3ecaf0ad5a477129f17cacf6572
parent a85fcf5f0bc4b6b5d9e47ac28347d25251185073
bullseye triage
-rw-r--r-- data/CVE/list.2016 | 1
-rw-r--r-- data/CVE/list.2018 | 3
-rw-r--r-- data/CVE/list.2019 | 6
-rw-r--r-- data/CVE/list.2020 | 2
-rw-r--r-- data/CVE/list.2021 | 5
5 files changed, 17 insertions, 0 deletions
diff --git a/data/CVE/list.2016 b/data/CVE/list.2016
index fa9ce1f522..0891c59421 100644
--- a/data/CVE/list.2016
+++ b/data/CVE/list.2016
@@ -26804,6 +26804,7 @@ CVE-2016-2142 (Red Hat OpenShift Enterprise 3.1 uses world-readable permissions
NOT-FOR-US: OpenShift
CVE-2016-2141 (JGroups before 4.0 does not require the proper headers for the ENCRYPT ...)
- libjgroups-java <unfixed> (low; bug #867493)
+ [bullseye] - libjgroups-java <ignored> (Minor issue, only used as build dep)
[buster] - libjgroups-java <ignored> (Minor issue, only used as build dep)
[stretch] - libjgroups-java <ignored> (Minor issue, only used as build dep)
[jessie] - libjgroups-java <no-dsa> (Minor issue)
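Review bot: the added [bullseye] line for CVE-2016-2141 reuses the "only used as build dep" reason from the buster and stretch lines, and that reason is specific to each release's dependency graph. Confirm that nothing in bullseye depends on libjgroups-java at runtime before carrying the wording forward, or shorten the reason to "Minor issue" as the jessie line does.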
diff --git a/data/CVE/list.2018 b/data/CVE/list.2018
index e48479e750..e2fde151cc 100644
--- a/data/CVE/list.2018
+++ b/data/CVE/list.2018
@@ -21914,6 +21914,7 @@ CVE-2018-12929 (ntfs_read_locked_inode in the ntfs.ko filesystem driver in the L
[jessie] - linux <ignored> (ntfs is not supportable)
CVE-2018-12928 (In the Linux kernel 4.15.0, a NULL pointer dereference was discovered ...)
- linux <unfixed> (low)
+ [bullseye] - linux <ignored> (Minor issue)
[buster] - linux <ignored> (Minor issue)
[stretch] - linux <ignored> (Minor issue)
- linux-4.9 <removed>
@@ -52143,6 +52144,7 @@ CVE-2018-1298 (A Denial of Service vulnerability was found in Apache Qpid Broker
NOTE: https://git-wip-us.apache.org/repos/asf?p=qpid-broker-j.git;h=4b9fb37
CVE-2018-1297 (When using Distributed Test only (RMI based), Apache JMeter 2.x and 3. ...)
- jakarta-jmeter <unfixed> (low; bug #897259)
+ [bullseye] - jakarta-jmeter <ignored> (Minor issue, too intrusive to backport)
[buster] - jakarta-jmeter <ignored> (Minor issue, too intrusive to backport)
[stretch] - jakarta-jmeter <ignored> (Minor issue, too intrusive to backport)
[jessie] - jakarta-jmeter <ignored> (Minor issue, too intrusive to backport)
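Review bot: the added [bullseye] line for CVE-2018-1297 copies "too intrusive to backport" from the released suites, while the unstable line above it is still `<unfixed>`. The description limits the issue to JMeter 2.x and 3.x, so for bullseye the reason should say whether moving to a newer upstream release is what blocks the fix, rather than reusing the backport wording.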
@@ -52171,6 +52173,7 @@ CVE-2018-1288 (In Apache Kafka 0.9.0.0 to 0.9.0.1, 0.10.0.0 to 0.10.2.1, 0.11.0.
- kafka <itp> (bug #786460)
CVE-2018-1287 (In Apache JMeter 2.X and 3.X, when using Distributed Test only (RMI ba ...)
- jakarta-jmeter <unfixed> (low)
+ [bullseye] - jakarta-jmeter <no-dsa> (Minor issue)
[buster] - jakarta-jmeter <no-dsa> (Minor issue)
[stretch] - jakarta-jmeter <no-dsa> (Minor issue)
[jessie] - jakarta-jmeter <no-dsa> (Minor issue)
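Review bot: the added [bullseye] line for CVE-2018-1287 uses `<no-dsa>`, while the same package is marked `<ignored>` for CVE-2018-1297 a few entries earlier in this commit, and both descriptions refer to the RMI-based Distributed Test mode. If the two are expected to be handled together, use the same state for both; if not, the reason text should say what distinguishes them.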
diff --git a/data/CVE/list.2019 b/data/CVE/list.2019
index 62a05951bb..85a6506d45 100644
--- a/data/CVE/list.2019
+++ b/data/CVE/list.2019
@@ -2994,6 +2994,8 @@ CVE-2019-19815 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem i
[stretch] - linux 4.9.184-1
CVE-2019-19814 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image c ...)
- linux <unfixed>
+ [bullseye] - linux <no-dsa> (Minor issue)
+ [buster] - linux <no-dsa> (Minor issue)
CVE-2019-19813 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, ...)
{DLA-2586-1 DLA-2385-1}
- linux 5.2.6-1
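Review bot: the two added lines for CVE-2019-19814 cover bullseye and buster only, so stretch is left on the bare `- linux <unfixed>` line with no suite-specific state. If that is deliberate, fine; otherwise add the stretch line in the same change. The reason "Minor issue" could also record what the description already says, that the issue requires mounting a crafted f2fs image, so the triage rationale is visible in the entry.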
@@ -4175,6 +4177,8 @@ CVE-2019-19379 (In app/Controller/TagsController.php in MISP 2.4.118, users can
NOT-FOR-US: MISP
CVE-2019-19378 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image ...)
- linux <unfixed>
+ [bullseye] - linux <no-dsa> (Minor issue)
+ [buster] - linux <no-dsa> (Minor issue)
CVE-2019-19377 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, ...)
{DLA-2483-1}
- linux 5.6.7-1
@@ -37855,6 +37859,7 @@ CVE-2019-6989 (TP-Link TL-WR940N is vulnerable to a stack-based buffer overflow,
NOT-FOR-US: TP-Link
CVE-2019-6988 (An issue was discovered in OpenJPEG 2.3.0. It allows remote attackers ...)
- openjpeg2 <unfixed> (low; bug #922648)
+ [bullseye] - openjpeg2 <ignored> (Minor issue)
[buster] - openjpeg2 <ignored> (Minor issue)
[stretch] - openjpeg2 <ignored> (Minor issue)
[jessie] - openjpeg2 <ignored> (Minor issue)
@@ -41639,6 +41644,7 @@ CVE-2019-5428
REJECTED
CVE-2019-5427 (c3p0 version &lt; 0.9.5.4 may be exploited by a billion laughs attack ...)
- c3p0 <unfixed> (low; bug #927936)
+ [bullseye] - c3p0 <no-dsa> (Minor issue)
[buster] - c3p0 <no-dsa> (Minor issue)
[stretch] - c3p0 <no-dsa> (Minor issue)
[jessie] - c3p0 <no-dsa> (Minor issue)
diff --git a/data/CVE/list.2020 b/data/CVE/list.2020
index ebb93d81e2..79f17e0b2a 100644
--- a/data/CVE/list.2020
+++ b/data/CVE/list.2020
@@ -5573,6 +5573,7 @@ CVE-2020-28492
REJECTED
CVE-2020-28491 (This affects the package com.fasterxml.jackson.dataformat:jackson-data ...)
- jackson-dataformat-cbor <unfixed> (bug #983664)
+ [bullseye] - jackson-dataformat-cbor <no-dsa> (Minor issue)
[buster] - jackson-dataformat-cbor <no-dsa> (Minor issue)
[stretch] - jackson-dataformat-cbor <no-dsa> (Minor issue)
NOTE: https://people.debian.org/~abhijith/CVE-2020-28491.txt (stretch fix)
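Review bot: the added [bullseye] `<no-dsa>` line for CVE-2020-28491 sits above a NOTE that points to an existing fix prepared for stretch, while unstable is still `<unfixed>` with bug #983664 open. Since a patch is already referenced in the entry, consider noting whether it applies to the bullseye version, so the no-dsa state does not read as "no fix available".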
@@ -59348,6 +59349,7 @@ CVE-2020-5239 (In Mailu before version 1.7, an authenticated user can exploit a
NOT-FOR-US: Mailu
CVE-2020-5238 (The table extension in GitHub Flavored Markdown before version 0.29.0. ...)
- cmark-gfm <unfixed> (bug #965984)
+ [bullseye] - cmark-gfm <no-dsa> (Minor issue)
[buster] - cmark-gfm <no-dsa> (Minor issue)
- python-cmarkgfm <unfixed> (bug #965983)
[bullseye] - python-cmarkgfm <no-dsa> (Minor issue)
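Review bot: after the added line, cmark-gfm has both [bullseye] and [buster] states for CVE-2020-5238, but python-cmarkgfm in the trailing context has only [bullseye]. Confirm that python-cmarkgfm is not shipped in buster; if it is, it needs a matching [buster] line.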
diff --git a/data/CVE/list.2021 b/data/CVE/list.2021
index 018b16ec8b..9a37c64cf5 100644
--- a/data/CVE/list.2021
+++ b/data/CVE/list.2021
@@ -2330,6 +2330,7 @@ CVE-2021-27918 (encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an
NOTE: https://github.com/golang/go/issues/44913
CVE-2021-3420 (A flaw was found in newlib in versions prior to 4.0.0. Improper overfl ...)
- newlib <unfixed> (bug #984446)
+ [bullseye] - newlib <no-dsa> (Minor issue)
[buster] - newlib <no-dsa> (Minor issue)
[stretch] - newlib <no-dsa> (Minor issue)
- picolibc 1.5-1
@@ -19519,6 +19520,7 @@ CVE-2021-20197
CVE-2021-20196 [block: fdc: null pointer dereference may lead to guest crash]
RESERVED
- qemu <unfixed> (bug #984453)
+ [bullseye] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[buster] - qemu <postponed> (Fix along in future DSA)
[stretch] - qemu <postponed> (Fix along in future DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1919210
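Review bot: the added [bullseye] `<postponed>` line for CVE-2021-20196 says "revisit when fixed upstream", but the only reference in the entry is the Red Hat Bugzilla NOTE and the CVE is still RESERVED. Add a NOTE pointing at the upstream patch or mailing-list thread once one exists, so whoever revisits the entry knows what to look for. The wording also differs from the buster and stretch lines ("Fix along in future DSA/DLA"); that is fine if intended, but state it consistently if the plan is the same.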
@@ -19547,6 +19549,7 @@ CVE-2021-20191
[buster] - ansible <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1916813
NOTE: https://github.com/ansible-collections/cisco.nxos/pull/227
+ NOTE: https://github.com/ansible-collections/cisco.nxos/commit/120956963f47502151a358e4a7bc2a87f71813aa
CVE-2021-20190 (A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishan ...)
- jackson-databind 2.12.1-1
[buster] - jackson-databind <no-dsa> (Minor issue)
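Review bot: the added NOTE for CVE-2021-20191 gives a bare commit URL in the ansible-collections/cisco.nxos repository, while the tracked package in this entry is ansible. Annotate the NOTE with how the commit relates to the pull request above it (merge result or separate follow-up) and, where known, which release carries it, so the fix can be mapped to the Debian package. The same applies to the commit NOTEs added for CVE-2021-20180 and CVE-2021-20178 below.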
@@ -19587,6 +19590,7 @@ CVE-2021-20180
[buster] - ansible <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1915808
NOTE: https://github.com/ansible-collections/community.general/pull/1635
+ NOTE: https://github.com/ansible-collections/community.general/commit/1d0c5e2ba47724c31a18d7b08b9daf13df8829dc
CVE-2021-20179 (A flaw was found in pki-core. An attacker who has successfully comprom ...)
- dogtag-pki 10.10.2-2
NOTE: https://github.com/dogtagpki/pki/pull/3475
@@ -19596,6 +19600,7 @@ CVE-2021-20178 [user data leak in snmp_facts module]
[buster] - ansible <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1914774
NOTE: https://github.com/ansible-collections/community.general/pull/1621
+ NOTE: https://github.com/ansible-collections/community.general/commit/3560aeb12f7061bf21d63ca0e1e19feb99c57de3
CVE-2021-20177
RESERVED
{DSA-4843-1 DLA-2557-1}