author Moritz Muehlenhoff <jmm@debian.org> 2021-01-07 08:11:52 +0100
committer Moritz Muehlenhoff <jmm@debian.org> 2021-01-07 08:11:52 +0100
commit ba413ae41f957970d81a01bea099e4f3953acd91
tree b67a23beb745cf09197f966cfc6e2e285ae539f4
parent e7b6795ec15f0a5c1a0d1d5bf1559547ef24001d
stable triage
-rw-r--r-- data/CVE/2017.list 2
-rw-r--r-- data/CVE/2018.list 3
-rw-r--r-- data/CVE/2019.list 1
-rw-r--r-- data/CVE/2020.list 10
-rw-r--r-- data/dsa-needed.txt 4
5 files changed, 17 insertions, 3 deletions
diff --git a/data/CVE/2017.list b/data/CVE/2017.list
index da380f7e8b..74e59494e8 100644
--- a/data/CVE/2017.list
+++ b/data/CVE/2017.list
@@ -1728,6 +1728,7 @@ CVE-2017-18214 (The moment module before 2.19.3 for Node.js is prone to a regula
NOTE: nodejs not covered by security support
CVE-2017-18212 (An issue was discovered in JerryScript 1.0. There is a heap-based buff ...)
- iotjs 1.0+715-1
+ [buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/2140
CVE-2017-18211 (In ImageMagick 7.0.7, a NULL pointer dereference vulnerability was fou ...)
{DLA-2366-1}
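Review bot: the added `[buster] - iotjs <no-dsa> (Minor issue)` line under CVE-2017-18212 records no rationale beyond "Minor issue", although the description starts "There is a heap-based buff ...". The same line is added to every iotjs entry in this commit, so a short NOTE saying why the JerryScript issues are low impact for the buster iotjs package would let a later reader check the triage decision without reopening each upstream issue.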
@@ -12016,6 +12017,7 @@ CVE-2017-14750
RESERVED
CVE-2017-14749 (JerryScript 1.0 allows remote attackers to cause a denial of service ( ...)
- iotjs 1.0+715-1
+ [buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/2008
CVE-2017-14748 (Race condition in Blizzard Overwatch 1.15.0.2 allows remote authentica ...)
NOT-FOR-US: Blizzard Overwatch
diff --git a/data/CVE/2018.list b/data/CVE/2018.list
index 5588f4caf5..583d0a8b76 100644
--- a/data/CVE/2018.list
+++ b/data/CVE/2018.list
@@ -15303,6 +15303,7 @@ CVE-2018-1000638 (MiniCMS version 1.1 contains a Cross Site Scripting (XSS) vuln
NOT-FOR-US: MiniCMS
CVE-2018-1000636 (JerryScript version Tested on commit f86d7459d195c8ba58479d1861b0cc726 ...)
- iotjs 1.0+715-1
+ [buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/2435
NOTE: https://github.com/jerryscript-project/jerryscript/commit/87897849f6879df10e8ad68a41bf8cf507edf710
CVE-2018-1000635 (The Open Microscopy Environment OMERO.server version 5.4.0 to 5.4.6 co ...)
@@ -26166,10 +26167,12 @@ CVE-2018-11420 (There is Memory corruption in the web interface of Moxa OnCell G
NOT-FOR-US: Moxa
CVE-2018-11419 (An issue was discovered in JerryScript 1.0. There is a heap-based buff ...)
- iotjs 1.0+715-1
+ [buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/2230
NOTE: https://github.com/jerryscript-project/jerryscript/pull/2352
CVE-2018-11418 (An issue was discovered in JerryScript 1.0. There is a heap-based buff ...)
- iotjs 1.0+715-1
+ [buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/2237
NOTE: https://github.com/jerryscript-project/jerryscript/pull/2352
CVE-2018-11417
diff --git a/data/CVE/2019.list b/data/CVE/2019.list
index d34b440a4a..90da85788a 100644
--- a/data/CVE/2019.list
+++ b/data/CVE/2019.list
@@ -29644,6 +29644,7 @@ CVE-2019-1010177 (Jsish 2.4.70 2.047 is affected by: Use After Free. The impact
NOT-FOR-US: Jsish
CVE-2019-1010176 (JerryScript commit 4e58ccf68070671e1fff5cd6673f0c1d5b80b166 is affecte ...)
- iotjs 1.0+715-1
+ [buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/2476
NOTE: https://github.com/jerryscript-project/jerryscript/commit/505dace719aebb3308a3af223cfaa985159efae0
CVE-2019-1010175
diff --git a/data/CVE/2020.list b/data/CVE/2020.list
index 89055579b9..68aed828e6 100644
--- a/data/CVE/2020.list
+++ b/data/CVE/2020.list
@@ -225,10 +225,12 @@ CVE-2020-36068
RESERVED
CVE-2020-36067 (GJSON &lt;=v1.6.5 allows attackers to cause a denial of service (panic ...)
- golang-github-tidwall-gjson <unfixed>
+ [buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
NOTE: https://github.com/tidwall/gjson/issues/196
NOTE: https://github.com/tidwall/gjson/commit/bf4efcb3c18d1825b2988603dea5909140a5302b
CVE-2020-36066 (GJSON &lt;1.6.5 allows attackers to cause a denial of service (remote) ...)
- golang-github-tidwall-gjson <unfixed>
+ [buster] - golang-github-tidwall-gjson <no-dsa> (Minor issue)
NOTE: https://github.com/tidwall/gjson/issues/195
NOTE: https://github.com/tidwall/match/commit/c2f534168b739a7ec1821a33839fb2f029f26bbc
CVE-2020-36065
@@ -1318,6 +1320,7 @@ CVE-2020-35546
RESERVED
CVE-2020-35545 (Time-based SQL injection exists in Spotweb 1.4.9 via the query string. ...)
- spotweb <unfixed> (bug #977719)
+ [buster] - spotweb <no-dsa> (Minor issue)
NOTE: https://github.com/spotweb/spotweb/issues/629
NOTE: https://github.com/spotweb/spotweb/commit/fefb39ad143caad021ad496427617db79c42aff2
CVE-2020-35544
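Review bot: "Minor issue" on the added `[buster] - spotweb <no-dsa>` line is a thin justification for an entry described as a time-based SQL injection via the query string. Unstable is still `<unfixed>` (bug #977719) while an upstream fix commit is already listed in the NOTE lines, so consider stating why the impact is limited, or recording whether the fix is a candidate for a stable point release.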
@@ -1475,6 +1478,7 @@ CVE-2020-35492 [cairo: libreoffice slideshow aborts with stack smashing in cairo
RESERVED
{DLA-2518-1}
- cairo 1.16.0-5 (bug #978658)
+ [buster] - cairo <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/cairo/cairo/-/issues/437
NOTE: Introduced by: https://gitlab.freedesktop.org/cairo/cairo/-/commit/c986a7310bb06582b7d8a566d5f007ba4e5e75bf (1.12.12)
NOTE: Fixed by: https://gitlab.freedesktop.org/cairo/cairo/-/commit/03a820b173ed1fdef6ff14b4468f5dbc02ff59be
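Review bot: the added `[buster] - cairo <no-dsa> (Minor issue)` line sits in an entry that already carries `{DLA-2518-1}` and a fixed unstable version (1.16.0-5), with the introducing and fixing commits both identified. Since the fix is known and was shipped elsewhere, it would help to say in the parenthetical or a NOTE whether buster is expected to pick it up in a point release, so the `<no-dsa>` status does not read as "no action planned".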
@@ -2386,6 +2390,7 @@ CVE-2020-29658
RESERVED
CVE-2020-29657 (In JerryScript 2.3.0, there is an out-of-bounds read in main_print_unh ...)
- iotjs <unfixed> (bug #977736)
+ [buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/4244
CVE-2020-29656 (An information disclosure vulnerability exists in RT-AC88U Download Ma ...)
NOT-FOR-US: RT-AC88U Download Master
@@ -10132,7 +10137,8 @@ CVE-2020-26265 (Go Ethereum, or "Geth", is the official Golang implementation of
CVE-2020-26264 (Go Ethereum, or "Geth", is the official Golang implementation of the E ...)
- golang-github-go-ethereum <itp> (bug #890541)
CVE-2020-26263 (tlslite-ng is an open source python library that implements SSL and TL ...)
- - tlslite-ng <unfixed>
+ - tlslite-ng <removed>
+ [buster] - tlslite-ng <ignored> (Minor issue)
NOTE: https://github.com/tlsfuzzer/tlslite-ng/security/advisories/GHSA-wvcv-832q-fjg7
NOTE: https://github.com/tlsfuzzer/tlslite-ng/commit/c28d6d387bba59d8bd5cb3ba15edc42edf54b368
NOTE: https://github.com/tlsfuzzer/tlslite-ng/pull/438
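Review bot: the new `[buster] - tlslite-ng <ignored> (Minor issue)` line uses `<ignored>` where every other entry touched by this commit uses `<no-dsa>`, and the reason text is the same generic "Minor issue". If the stronger status follows from the package line changing to `<removed>` just above it, put that in the parenthetical so the difference from the other entries is explained. The commit message "stable triage" also does not mention the `<unfixed>` to `<removed>` change, which affects the unstable status rather than stable.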
@@ -14593,6 +14599,7 @@ CVE-2020-24345 (** DISPUTED ** JerryScript through 2.3.0 allows stack consumptio
NOTE: Disputed JerryScript issue
CVE-2020-24344 (JerryScript through 2.3.0 has a (function({a=arguments}){const argumen ...)
- iotjs <unfixed>
+ [buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3976
NOTE: https://github.com/jerryscript-project/jerryscript/commit/841d536fce1ce29267cdf0ea12be4026e1c35d3a
CVE-2020-24343 (Artifex MuJS through 1.0.7 has a use-after-free in jsrun.c because of ...)
@@ -37825,6 +37832,7 @@ CVE-2020-13650 (An issue was discovered in DigDash 2018R2 before p20200210 and 2
NOT-FOR-US: DigDash
CVE-2020-13649 (parser/js/js-scanner.c in JerryScript 2.2.0 mishandles errors during c ...)
- iotjs 1.0+715-1
+ [buster] - iotjs <no-dsa> (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/commit/69f8e78c2f8d562bd6d8002b5488f1662ac30d24
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3786
NOTE: https://github.com/jerryscript-project/jerryscript/issues/3788
diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt
index 611f33d7c4..6c630b71be 100644
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -14,12 +14,12 @@ If needed, specify the release by adding a slash after the name of the source pa
--
ansible
--
-firefox-esr
+firefox-esr (jmm)
--
knot-resolver
Santiago Ruano Rincón proposed a debdiff for review
--
-libxstream-java
+libxstream-java (jmm)
Markus Koschany proposed an update for review
--
linux (carnil)
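Review bot: the `(jmm)` claims added to firefox-esr and libxstream-java are not reflected in the commit message "stable triage", which reads as covering only the `<no-dsa>` annotations in the CVE lists. Mentioning the claims in the message, or committing the data/dsa-needed.txt change separately, would make them easier to find in the log later.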