author Markus Koschany <apo@debian.org> 2021-04-03 19:32:42 +0200
committer Markus Koschany <apo@debian.org> 2021-04-03 19:32:42 +0200
commit 1e02b40ab6142b73f7610a3fb7039bb0bf752394 (patch)
tree 29fd4e9e2c596865d28a7cc46f13a4d63decbeaf
parent 55e96c85cbd0731592c15ff067d2356434788055 (diff)
CVE-2021-21295,CVE-2021-21409,netty: Mark as ignored for Stretch
The fix for both CVEs requires a backport of the new HTTP2 API. There have been major changes between the current version in Stretch 4.1.7 and the most recent release 4.1.60. Since the logic changed and the API is marked as "unstable" in certain places, a backport poses a significant risk to break any project that still relies on the old logic. In contrast, the security risk is low. Hence these issues are ignored in Stretch.
-rw-r--r-- data/CVE/2021.list 2
1 files changed, 2 insertions, 0 deletions
diff --git a/data/CVE/2021.list b/data/CVE/2021.list
index a15f0bf258..79652b1d94 100644
--- a/data/CVE/2021.list
+++ b/data/CVE/2021.list
@@ -19155,6 +19155,7 @@ CVE-2021-21410
RESERVED
CVE-2021-21409 (Netty is an open-source, asynchronous event-driven network application ...)
- netty 1:4.1.48-4 (bug #986217)
+ [stretch] - netty <ignored> (Minor issue, fix requires major changes of HTTP2 module)
NOTE: Fixed by: https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432
NOTE: https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32
NOTE: Is a followup to: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
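Review bot: the reason string `(Minor issue, fix requires major changes of HTTP2 module)` on the new `[stretch]` line drops the detail the commit message gives (Stretch ships 4.1.7, the fix needs the new HTTP2 API from 4.1.60, and that API is marked unstable in places); consider carrying the version gap into the reason text or an extra NOTE so the ignore decision can be re-evaluated later without digging through git history. The entry otherwise matches the `<ignored>` marking this commit applies to CVE-2021-21295 below, which is the consistent choice given the NOTE line recording this CVE as a followup to GHSA-wm47-8v5p-wjpj.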
@@ -19431,6 +19432,7 @@ CVE-2021-21296 (Fleet is an open source osquery manager. In Fleet before version
NOT-FOR-US: Fleet
CVE-2021-21295 (Netty is an open-source, asynchronous event-driven network application ...)
- netty 1:4.1.48-3 (bug #984948)
+ [stretch] - netty <ignored> (Minor issue, fix requires major changes of HTTP2 module)
NOTE: https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj
NOTE: https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4
CVE-2021-21294 (Http4s (http4s-blaze-server) is a minimal, idiomatic Scala interface f ...)
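Review bot: the new `[stretch] - netty <ignored>` line is placed between the unstable entry `- netty 1:4.1.48-3 (bug #984948)` and the NOTE lines, matching the layout used for CVE-2021-21409 above; what this entry lacks compared to that one is a cross-reference NOTE stating that CVE-2021-21409 is the followup to this advisory (GHSA-wm47-8v5p-wjpj), so that anyone revisiting the stretch decision for one of the two CVEs knows both must be revisited together.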
