author Moritz Muehlenhoff <jmm@debian.org> 2021-03-04 11:29:46 +0100
committer Moritz Muehlenhoff <jmm@debian.org> 2021-03-04 11:29:46 +0100
commit c2ab014a002af7c1b23b585c55d68539d89b5b20 (patch)
tree 7aa4b10a6f6287b7ed9e3c4c7321b6850f9516d3
parent d3fde9d1438f898a9a75dc108bfa752e39c8407f (diff)
final polishing
-rw-r--r-- data/CVE/2021.list 7
-rw-r--r-- doc/security-team.d.o/triage 4
2 files changed, 6 insertions, 5 deletions
diff --git a/data/CVE/2021.list b/data/CVE/2021.list
index b0c0538050..0ac94fcd2a 100644
--- a/data/CVE/2021.list
+++ b/data/CVE/2021.list
@@ -11,7 +11,7 @@ CVE-2021-27942
CVE-2021-27941
RESERVED
CVE-2021-27940 (resources/public/js/orchestrator.js in openark orchestrator before 3.2 ...)
- TODO: check
+ NOT-FOR-US: openark
CVE-2021-27939
RESERVED
CVE-2021-27938
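Review bot: the new `NOT-FOR-US: openark` line names only the vendor, while the CVE text on the line above identifies the affected project as "openark orchestrator"; a later search of this file for the project name would miss this entry. Suggest `NOT-FOR-US: openark orchestrator` so the tag carries the same identifier the description uses.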
@@ -4563,7 +4563,7 @@ CVE-2021-25916
CVE-2021-25915
RESERVED
CVE-2021-25914 (Prototype pollution vulnerability in 'object-collider' versions 1.0.0 ...)
- TODO: check
+ NOT-FOR-US: object-collider
CVE-2021-25913 (Prototype pollution vulnerability in 'set-or-get' version 1.0.0 throug ...)
NOT-FOR-US: Node set-or-get
CVE-2021-25912 (Prototype pollution vulnerability in 'dotty' versions 0.0.1 through 0. ...)
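Review bot: the tag added for CVE-2021-25914 (`NOT-FOR-US: object-collider`) is inconsistent with the sibling entry two lines below, which records the same class of npm prototype-pollution issue as `NOT-FOR-US: Node set-or-get`. Suggest `NOT-FOR-US: Node object-collider` so the ecosystem prefix stays uniform across adjacent entries and the NOT-FOR-US reason remains greppable by ecosystem.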
@@ -6101,6 +6101,7 @@ CVE-2021-25290
CVE-2021-25289
RESERVED
- pillow 8.1.1-1
+ [buster] - pillow <not-affected> (Vulnerable code not present)
NOTE: https://pillow.readthedocs.io/en/stable/releasenotes/8.1.1.html
CVE-2021-25288
RESERVED
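Review bot: the new `[buster] - pillow <not-affected> (Vulnerable code not present)` line gives no reference that lets a later reader re-check the claim; the existing NOTE only points at the 8.1.1 release notes, which document the fix rather than when the affected code was introduced. Suggest adding a second NOTE with the upstream commit (or version) that introduced the vulnerable code, since "not present in buster" rests on that, and since the CVE itself is still RESERVED with no description to cross-check against.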
@@ -10245,7 +10246,7 @@ CVE-2021-23349
CVE-2021-23348
RESERVED
CVE-2021-23347 (The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 ...)
- TODO: check
+ NOT-FOR-US: argo-cd
CVE-2021-23346
RESERVED
CVE-2021-23345 (All versions of package github.com/thecodingmachine/gotenberg are vuln ...)
diff --git a/doc/security-team.d.o/triage b/doc/security-team.d.o/triage
index a45407efc4..828c919eca 100644
--- a/doc/security-team.d.o/triage
+++ b/doc/security-team.d.o/triage
@@ -4,10 +4,10 @@ Security updates affecting a released Debian suite can fall under three types:
These are getting announced via [debian-security-announce](https://www.debian.org/security/) and also redistributed via other sources (news feeds etc).
- Low severity updates can be included in [point releases](https://wiki.debian.org/DebianReleases/PointReleases), which are getting released every 2-3 months (any user using the [proposed-updates mechanism](https://www.debian.org/releases/proposed-updates) can also use them before they get released). This provides a good balance between fixing low impact issues before the next stable
- release, which can simply all be installed in one go when a point release happens.
+ release, which can simply be installed in one go when a point release happens.
- Some issues are simply not worth fixing in a stable release (for multiple reasons, e.g. because they are mostly a PR hype, or because they
- are mitigated in Debian via a different config or toolchain hardening).
+ are mitigated in Debian via a different config or toolchain hardening or because the impact is so marginal that it doesn't warrant an update).
Every incoming security issue gets triaged. Security issues which are being flagged for the second category are being displayed in the [Debian Package Tracker](https://tracker.debian.org), in fact you might have been redirected from the PTS to this page.
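Review bot: the clause appended to the third bullet ("or because the impact is so marginal that it doesn't warrant an update") stacks a third "or because" onto an already long parenthetical, and the existing wording "mostly a PR hype" reads awkwardly ("mostly PR hype"). Suggest breaking the reasons out of the parenthesis into their own short list, e.g. "Some issues are simply not worth fixing in a stable release, for example because they are mostly PR hype, because they are mitigated in Debian via a different config or toolchain hardening, or because the impact is so marginal that it doesn't warrant an update." The one-word fix in the second bullet ("simply all be installed" to "simply be installed") is fine as is.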
