From 15d6fc5ac0252009c206ea583e3a2300c6f410b1 Mon Sep 17 00:00:00 2001 From: Markus Koschany Date: Sat, 3 Apr 2021 19:32:42 +0200 Subject: CVE-2021-21295,CVE-2021-21409,netty: Mark as ignored for Stretch The fix for both CVE requires a backport of the new HTTP2 API. There have been major changes between the current version in Stretch 4.1.7 and the most recent release 4.1.60. Since the logic changed and the API is marked as "unstable" in certain places, a backport poses a significant risk to break any project that still relies on the old logic. In contrast the security risk is low. Hence these issues are ignored in Stretch. --- data/CVE/list.2021 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/data/CVE/list.2021 b/data/CVE/list.2021 index a15f0bf258..79652b1d94 100644 --- a/data/CVE/list.2021 +++ b/data/CVE/list.2021 @@ -19155,6 +19155,7 @@ CVE-2021-21410 RESERVED CVE-2021-21409 (Netty is an open-source, asynchronous event-driven network application ...) - netty 1:4.1.48-4 (bug #986217) + [stretch] - netty (Minor issue, fix requires major changes of HTTP2 module) NOTE: Fixed by: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432 NOTE: https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32 NOTE: Is a followup to: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj @@ -19431,6 +19432,7 @@ CVE-2021-21296 (Fleet is an open source osquery manager. In Fleet before version NOT-FOR-US: Fleet CVE-2021-21295 (Netty is an open-source, asynchronous event-driven network application ...) - netty 1:4.1.48-3 (bug #984948) + [stretch] - netty (Minor issue, fix requires major changes of HTTP2 module) NOTE: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj NOTE: https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4 CVE-2021-21294 (Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface f ...) -- cgit v1.2.3
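Review bot: In both hunks (the CVE-2021-21409 block at @@ -19155 and the CVE-2021-21295 block at @@ -19431) the added line reads `[stretch] - netty (Minor issue, fix requires major changes of HTTP2 module)` with no state tag between the package name and the parenthesised reason, yet the subject says "Mark as ignored for Stretch"; in the security-tracker list format an ignore decision is expressed with an explicit `<ignored>` marker, e.g. `[stretch] - netty <ignored> (Minor issue, fix requires major changes of HTTP2 module)`, so either the angle-bracket tag was stripped when this commit was rendered or it needs to be added to both lines before merging. The two reason strings are identical, which is appropriate given the first hunk's NOTE recording CVE-2021-21409 as a follow-up to GHSA-wm47-8v5p-wjpj (the CVE-2021-21295 advisory), so the only change requested is confirming the `<ignored>` marker is present in the committed text.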