author: Moritz Muehlenhoff <jmm@debian.org> 2021-03-26 18:48:24 +0100
committer: Moritz Muehlenhoff <jmm@debian.org> 2021-03-26 18:49:30 +0100
commit: 9906ddce7f8caec7ef33d10f95fb624857c8a267 (patch)
tree: 432f4fb87d57bc86f03f4d8a049353efda825650 /data/CVE/2020.list
parent: aa3b395f276eff1becace495787c7d2555052744 (diff)
buster triage
Diffstat (limited to 'data/CVE/2020.list')
-rw-r--r-- data/CVE/2020.list 16
1 file changed, 8 insertions, 8 deletions
diff --git a/data/CVE/2020.list b/data/CVE/2020.list
index eb975c0836..511527d4b3 100644
--- a/data/CVE/2020.list
+++ b/data/CVE/2020.list
@@ -93,6 +93,7 @@ CVE-2020-36245 (GramAddict through 1.2.3 allows remote attackers to execute arbi
NOT-FOR-US: GramAddict
CVE-2020-36244 (The daemon in GENIVI Diagnostic Log and Trace (DLT) before 2.18.6 has ...)
- dlt-daemon 2.18.6-1
+ [buster] - dlt-daemon <no-dsa> (Minor issue)
NOTE: https://github.com/GENIVI/dlt-daemon/issues/265
NOTE: https://github.com/GENIVI/dlt-daemon/pull/269
NOTE: https://github.com/GENIVI/dlt-daemon/commit/af734fe097ed379b0aa5fcf551886b1ce5098052 (v2.18.6)
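Review bot: the new buster marker gives only "(Minor issue)" as the no-dsa reason, while the three NOTE lines already pin down the upstream issue, pull request and the fix commit tagged v2.18.6; a few words on why buster can wait (crash only, unusual configuration, or similar) in the parenthesis would spare the next triager re-reading the upstream issue.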
@@ -1442,6 +1443,7 @@ CVE-2020-35679 (smtpd/table.c in OpenSMTPD before 6.8.0p1 lacks a certain regfre
NOTE: https://www.mail-archive.com/misc@opensmtpd.org/msg05188.html
CVE-2020-35678 (Autobahn|Python before 20.12.3 allows redirect header injection. ...)
- python-autobahn <unfixed> (bug #978416)
+ [buster] - python-autobahn <no-dsa> (Minor issue)
[stretch] - python-autobahn <ignored> (Need a package which is not in this suite)
NOTE: https://github.com/crossbario/autobahn-python/pull/1439
NOTE: https://github.com/crossbario/autobahn-python/commit/f7b7ad5c1066bdcc551775b73da15dca5c111623 (v20.12.3)
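Review bot: the buster no-dsa line is added while the package is still `<unfixed>` in unstable (bug #978416), so nothing in this entry yet records a fixed Debian version; since the NOTE already identifies the upstream fix commit (v20.12.3), make sure bug #978416 stays open until that lands in unstable, otherwise the buster marker will outlive the sid status it was triaged against.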
@@ -5558,6 +5560,7 @@ CVE-2020-28499 (All versions of package merge are vulnerable to Prototype Pollut
NOTE: Only bogus references listed, unclear what this is about
CVE-2020-28498 (The package elliptic before 6.5.4 are vulnerable to Cryptographic Issu ...)
- node-elliptic 6.5.4~dfsg-1
+ [buster] - node-elliptic <no-dsa> (Minor issue)
NOTE: https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f
NOTE: https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
CVE-2020-28497
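Review bot: "Minor issue" is a thin justification for a cryptographic weakness in an ECC library; the second NOTE links a twist-attack writeup, so the parenthesis should say in a few words why it is minor here (for example which API or curve usage it depends on), because that reasoning is exactly what a later DSA/point-release decision will need.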
@@ -5573,6 +5576,7 @@ CVE-2020-28494 (This affects the package total.js before 3.4.7. The issue occurs
NOT-FOR-US: Node total.js
CVE-2020-28493 (This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDo ...)
- jinja2 2.11.3-1 (bug #982736)
+ [buster] - jinja2 <no-dsa> (Minor issue)
[stretch] - jinja2 <no-dsa> (Minor issue)
NOTE: https://github.com/pallets/jinja/pull/1343
NOTE: https://snyk.io/vuln/SNYK-PYTHON-JINJA2-1012994
@@ -7025,7 +7029,6 @@ CVE-2020-27846 (A signature verification vulnerability exists in crewjam/saml. T
CVE-2020-27845 (There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior t ...)
{DLA-2550-1}
- openjpeg2 2.4.0-1
- [buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1302
NOTE: https://github.com/uclouvain/openjpeg/commit/8f5aff1dff510a964d3901d0fba281abec98ab63 (v2.4.0)
CVE-2020-27844 (A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions prior ...)
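Review bot: removing the `[buster] - openjpeg2 <no-dsa> (Minor issue)` line without adding a replacement status leaves buster's state for CVE-2020-27845 implied solely by the unstable fix `openjpeg2 2.4.0-1`, i.e. open; that is the intended effect if a buster update is being prepared, but the commit message ("buster triage") does not say so, and the same reversal is repeated for several other openjpeg2 entries in this patch. A one-line NOTE (or a commit message sentence) recording that openjpeg2 is now scheduled for a buster update would keep the reversal from looking accidental.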
@@ -7035,19 +7038,16 @@ CVE-2020-27844 (A flaw was found in openjpeg's src/lib/openjp2/t2.c in versions
NOTE: Introduced by: https://github.com/uclouvain/openjpeg/commit/4edb8c83374f52cd6a8f2c7c875e8ffacccb5fa5
CVE-2020-27843 (A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw all ...)
- openjpeg2 2.4.0-1 (bug #983663)
- [buster] - openjpeg2 <no-dsa> (Minor issue)
[stretch] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1297
NOTE: Partial fix (preventing the out of bounds access): https://github.com/uclouvain/openjpeg/commit/38d661a3897052c7ff0b39b30c29cb067e130121 (2.4.0)
CVE-2020-27842 (There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An ...)
- openjpeg2 2.4.0-1
- [buster] - openjpeg2 <no-dsa> (Minor issue)
[stretch] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1294
CVE-2020-27841 (There's a flaw in openjpeg in versions prior to 2.4.0 in src/lib/openj ...)
{DLA-2550-1}
- openjpeg2 2.4.0-1
- [buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1293
NOTE: https://github.com/rouault/openjpeg/commit/00383e162ae2f8fc951f5745bf1011771acb8dce (v2.4.0)
CVE-2020-27840 [Heap corruption via crafted DN strings]
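Review bot: for CVE-2020-27843 the only recorded upstream change is marked "Partial fix (preventing the out of bounds access)", yet the buster no-dsa marker is dropped here in the same way as for the fully fixed CVE-2020-27842 and CVE-2020-27841; before the buster update is built, the NOTE should state whether that partial commit is considered sufficient (it is what went into 2.4.0, which the sid entry treats as fixed) or which additional commit is needed. Also note the `[stretch] - openjpeg2 <no-dsa>` lines for 27843 and 27842 are kept, so stretch and buster now deliberately diverge.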
@@ -7136,7 +7136,6 @@ CVE-2020-27824 [global-buffer-overflow read in lib-openjp2]
RESERVED
{DLA-2550-1}
- openjpeg2 2.4.0-1
- [buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1286
NOTE: https://github.com/uclouvain/openjpeg/commit/6daf5f3e1ec6eff03b7982889874a3de6617db8d (v2.4.0)
CVE-2020-27823 [Heap-buffer-overflow write in lib-openjp2]
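Review bot: CVE-2020-27824 still carries `RESERVED` with a bracketed placeholder description, although the entry already has DLA-2550-1, a fixed version 2.4.0-1 and a fix commit tagged v2.4.0; if the official CVE text has since been published, the description should be filled in with the next CVE list sync so the buster status change here is not attached to a placeholder.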
@@ -7182,6 +7181,8 @@ CVE-2020-27814 (A heap-buffer overflow was found in the way openjpeg2 handled ce
NOTE: https://github.com/uclouvain/openjpeg/issues/1283
NOTE: https://github.com/uclouvain/openjpeg/commit/eaa098b59b346cb88e4d10d505061f669d7134fc (v2.4.0)
NOTE: https://github.com/uclouvain/openjpeg/commit/15cf3d95814dc931ca0ecb132f81cb152e051bae (v2.4.0)
+ NOTE: https://github.com/uclouvain/openjpeg/commit/649298dcf84b2f20cfe458d887c1591db47372a6
+ NOTE: https://github.com/uclouvain/openjpeg/commit/4ce7d285a55d29b79880d0566d4b010fe1907aa9
CVE-2020-27813 (An integer overflow vulnerability exists with the length of websocket ...)
{DLA-2520-1}
- golang-github-gorilla-websocket <not-affected> (Fixed with first upload to Debian with renamed source package)
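Review bot: the two added commit NOTEs for CVE-2020-27814 lack the release-tag annotation that the two preceding NOTEs carry ("(v2.4.0)"); since the sid entry treats 2.4.0-1 as fixed, each new link should state whether the commit is part of v2.4.0 or is a later follow-up, otherwise it is unclear if the buster update needs to cherry-pick them.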
@@ -12541,6 +12542,7 @@ CVE-2020-25613 (An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6
[buster] - ruby2.5 2.5.5-3+deb10u3
- ruby2.3 <removed>
- jruby <unfixed> (bug #972230)
+ [buster] - jruby <no-dsa> (Minor issue)
NOTE: https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
NOTE: Fix in webrick: https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7
CVE-2020-25612 (The NuPoint Messenger of Mitel MiCollab before 9.2 could allow an atta ...)
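Review bot: the same CVE was fixed in buster for ruby2.5 (`2.5.5-3+deb10u3`, visible in the context above) while jruby is now marked `<no-dsa> (Minor issue)` for buster and remains `<unfixed>` in unstable (bug #972230); a short reason for treating jruby differently (for example that its bundled webrick is not used by default) in the parenthesis would explain the asymmetry to anyone reading the entry later.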
@@ -13903,6 +13905,7 @@ CVE-2020-24995
RESERVED
CVE-2020-24994 (Stack overflow in the parse_tag function in libass/ass_parse.c in liba ...)
- libass 1:0.15.0-1
+ [buster] - libass <no-dsa> (Minor issue)
NOTE: https://github.com/libass/libass/issues/422
NOTE: https://github.com/libass/libass/issues/423
NOTE: https://github.com/libass/libass/commit/6835731c2fe4164a0c50bc91d12c43b2a2b4e799 (0.15.0)
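Review bot: the hunk header describes CVE-2020-24994 as a stack overflow in `parse_tag`, and the NOTEs show the fix landed in 0.15.0 (matching the sid fixed version `1:0.15.0-1`); "Minor issue" is acceptable if this is a crash on malformed subtitle input only, but the parenthesis should say so, since "stack overflow" alone reads as potentially more serious than a no-dsa marking suggests.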
@@ -34151,7 +34154,6 @@ CVE-2020-15390
CVE-2020-15389 (jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free th ...)
{DLA-2277-1}
- openjpeg2 2.4.0-1 (bug #965220)
- [buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1261
NOTE: https://github.com/uclouvain/openjpeg/commit/e8e258ab049240c2dd1f1051b4e773b21e2d3dc0 (v2.4.0)
CVE-2020-15388
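Review bot: dropping the buster `<no-dsa>` line for CVE-2020-15389 (and likewise for CVE-2020-8112 and CVE-2020-6851 in the two hunks that follow) reopens buster for issues that stretch already received through DLA-2277-1; that is consistent with an upcoming buster update covering the whole openjpeg2 set, but the bug reference `#965220` in the sid line is the only place the history is recorded, so consider a NOTE naming the planned buster version once it is known.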
@@ -52417,7 +52419,6 @@ CVE-2020-8113 (GitLab 10.7 and later through 12.7.2 has Incorrect Access Control
CVE-2020-8112 (opj_t1_clbl_decode_processor in openjp2/t1.c in OpenJPEG 2.3.1 through ...)
{DLA-2277-1 DLA-2089-1}
- openjpeg2 2.4.0-1 (bug #950184)
- [buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1231
NOTE: https://github.com/rouault/openjpeg/commit/05f9b91e60debda0e83977e5e63b2e66486f7074 (v2.4.0)
CVE-2020-8111
@@ -55302,7 +55303,6 @@ CVE-2020-6852 (CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmwa
CVE-2020-6851 (OpenJPEG through 2.3.1 has a heap-based buffer overflow in opj_t1_clbl ...)
{DLA-2277-1 DLA-2081-1}
- openjpeg2 2.4.0-1 (bug #950000)
- [buster] - openjpeg2 <no-dsa> (Minor issue)
NOTE: https://github.com/uclouvain/openjpeg/issues/1228
NOTE: https://github.com/uclouvain/openjpeg/commit/024b8407392cb0b82b04b58ed256094ed5799e04 (v2.4.0)
CVE-2020-6850 (Utilities.php in the miniorange-saml-20-single-sign-on plugin before 4 ...)