author Moritz Mühlenhoff <jmm@debian.org> 2021-01-10 00:07:00 +0100
committer Moritz Mühlenhoff <jmm@debian.org> 2021-01-10 00:07:00 +0100
commit 92a8339ee6e9b4858c053d83885536c8b079365c (patch)
tree fe36eba2726f3b29cdeb851cea660815c310b69a
parent f63d9fb4c4703ebe7439fd8b04a75f6657902baa (diff)
bullseye triage
-rw-r--r-- data/CVE/2018.list 5
-rw-r--r-- data/CVE/2020.list 15
2 files changed, 14 insertions, 6 deletions
diff --git a/data/CVE/2018.list b/data/CVE/2018.list
index 3a8be60142..071f1be863 100644
--- a/data/CVE/2018.list
+++ b/data/CVE/2018.list
@@ -497,12 +497,13 @@ CVE-2018-21037 (Subrion CMS 4.1.5 (and possibly earlier versions) allow CSRF to
CVE-2018-21036 (Sails.js before v1.0.0-46 allows attackers to cause a denial of servic ...)
NOT-FOR-US: Sails.js
CVE-2018-21035 (In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB f ...)
- - qtwebsockets-opensource-src <unfixed> (low; bug #953049)
- [buster] - qtwebsockets-opensource-src <ignored> (Minor issue)
+ - qtwebsockets-opensource-src 5.15.1-2 (low; bug #953049)
+ [buster] - qtwebsockets-opensource-src <ignored> (Minor issue, fix adds new API only)
[stretch] - qtwebsockets-opensource-src <ignored> (Minor issue)
[jessie] - qtwebsockets-opensource-src <no-dsa> (Minor issue)
NOTE: https://bugreports.qt.io/browse/QTBUG-70693
NOTE: https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735
+ NOTE: https://github.com/qt/qtwebsockets/commit/ed93680f34e92ad0383aa4e610bb65689118ca93
CVE-2018-21034 (In Argo versions prior to v1.5.0-rc1, it was possible for authenticate ...)
NOT-FOR-US: Argo
CVE-2018-21033 (A vulnerability in Hitachi Command Suite prior to 8.6.2-00, Hitachi Au ...)
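Review bot: on CVE-2018-21035 the [buster] line now records why the issue is ignored ("Minor issue, fix adds new API only"), but the [stretch] line directly below it still says only "Minor issue". If the same reasoning applies to stretch, carry the rationale over so the two <ignored> entries read consistently; if it does not, give the stretch line its own short reason. The added GitHub commit NOTE would also be easier to relate to the fixed version 5.15.1-2 if it named the upstream release containing it, in the way the VLC entry in this commit appends "(3.0.12)" to its commit NOTE.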
diff --git a/data/CVE/2020.list b/data/CVE/2020.list
index 47a4da1d55..a16e5d4489 100644
--- a/data/CVE/2020.list
+++ b/data/CVE/2020.list
@@ -1497,24 +1497,28 @@ CVE-2020-35507 (There's a flaw in bfd_pef_parse_function_stubs of bfd/pef.c in b
CVE-2020-35506 [use after free vulnerability in esp_do_dma() in hw/scsi/esp.c]
RESERVED
- qemu <unfixed>
+ [bullseye] - qemu <postponed> (Minor issue)
[buster] - qemu <postponed> (Fix along in future DSA)
[stretch] - qemu <postponed> (Fix along in future DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909996
CVE-2020-35505 [NULL pointer dereference in do_busid_cmd() in hw/scsi/esp.c]
RESERVED
- qemu <unfixed>
+ [bullseye] - qemu <postponed> (Minor issue)
[buster] - qemu <postponed> (Fix along in future DSA)
[stretch] - qemu <postponed> (Fix along in future DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909769
CVE-2020-35504 [NULL pointer dereference in scsi_req_continue() in hw/scsi/scsi-bus.c]
RESERVED
- - qemu <unfixed>
+ - qemu <unfixed> (bug #979679)
+ [bullseye] - qemu <postponed> (Minor issue)
[buster] - qemu <postponed> (Fix along in future DSA)
[stretch] - qemu <postponed> (Fix along in future DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1909766
CVE-2020-35503 [QEMU: NULL pointer dereference issue in megasas-gen2 host bus adapter]
RESERVED
- - qemu <unfixed>
+ - qemu <unfixed> (bug #979678)
+ [bullseye] - qemu <postponed> (Minor issue)
[buster] - qemu <postponed> (Fix along in future DSA)
[stretch] - qemu <postponed> (Fix along in future DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910346
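Review bot: CVE-2020-35506 and CVE-2020-35505 keep a bare "- qemu <unfixed>" line, while CVE-2020-35504 and CVE-2020-35503 in the same hunk gain "(bug #979679)" and "(bug #979678)". All four qemu entries receive the same [bullseye] <postponed> annotation, so either add bug references for the first two as well or note why none was filed. The new [bullseye] lines also give "Minor issue" as the reason, where the [buster] and [stretch] lines beneath them say "Fix along in future DSA" and "Fix along in future DLA"; it is worth confirming that the different wording for bullseye is intended.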
@@ -9344,7 +9348,8 @@ CVE-2020-26666
CVE-2020-26665
RESERVED
CVE-2020-26664 (A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media play ...)
- - vlc <unfixed>
+ - vlc <unfixed> (low; bug #979676)
+ [buster] - vlc <postponed> (Minor issue, wait for 3.0.12 release)
NOTE: https://code.videolan.org/videolan/vlc-3.0/-/commit/ec1f55ee9ace5cc675395a1bc9700d99679e7e8c (3.0.12)
NOTE: https://gist.githubusercontent.com/henices/db11664dd45b9f322f8514d182aef5ea/raw/d56940c8bf211992bf4f3309a85bb2b69383e511/CVE-2020-26664.txt
CVE-2020-26663
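Review bot: the new [buster] line for CVE-2020-26664 ties the postponement to an upstream event ("wait for 3.0.12 release"), and nothing in the entry will flag when that release lands, so the <postponed> state can go stale. Consider revisiting it when bug #979676 is closed, since the NOTE below already maps the fix commit to 3.0.12. The unstable line also gains a "low" urgency without a NOTE recording the basis for that rating.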
@@ -35778,7 +35783,9 @@ CVE-2020-14395
RESERVED
CVE-2020-14394 [infinite loop in xhci_ring_chain_length() in hw/usb/hcd-xhci.c]
RESERVED
- - qemu <unfixed>
+ - qemu <unfixed> (bug #979677)
+ [bullseye] - qemu <postponed> (Minor issue)
+ [buster] - qemu <postponed> (Minor issue)
[stretch] - qemu <postponed> (Fix along in future DLA)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1908004
CVE-2020-14393 (A buffer overflow was found in perl-DBI &lt; 1.643 in DBI.xs. A local ...)
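Review bot: the added [buster] line for CVE-2020-14394 uses "(Minor issue)", whereas the other qemu entries touched in this commit keep "[buster] - qemu <postponed> (Fix along in future DSA)", and the [stretch] line here still reads "Fix along in future DLA". If the intent for buster is the same as in those entries, use the "Fix along in future DSA" wording so the qemu entries follow one convention; if buster is deliberately handled differently for this issue, say why in the annotation.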
