mark puppet as ignored for released distros

1 files changed, 9 insertions, 0 deletions

diff --git a/data/CVE/2021.list b/data/CVE/2021.list
index d14cae7c4c..4bc78c0b55 100644
--- a/data/CVE/2021.list
+++ b/data/CVE/2021.list
@@ -41520,14 +41520,23 @@ CVE-2021-27026 (A flaw was divered in Puppet Enterprise and other Puppet product
 	NOT-FOR-US: Puppet Enterprise
 CVE-2021-27025 (A flaw was discovered in Puppet Agent where the agent may silently ign ...)
 	- puppet <unfixed>
+	[bullseye] - puppet <ignored> (Minor issue, too intrusive to backport)
+	[buster] - puppet <ignored> (Minor issue, too intrusive to backport)
 	NOTE: https://puppet.com/security/cve/cve-2021-27025
 	NOTE: https://github.com/puppetlabs/puppet/commit/da8b73edca174309a9bef5f62cd276933fe733e8 (6.25.1)
+	NOTE: Limited impact, needs a malformed custom type provider
 CVE-2021-27024 (A flaw was discovered in Continuous Delivery for Puppet Enterprise (CD ...)
 	NOT-FOR-US: Continuous Delivery for Puppet Enterprise
 CVE-2021-27023 (A flaw was discovered in Puppet Agent and Puppet Server that may resul ...)
 	- puppet <unfixed>
+	[bullseye] - puppet <ignored> (Minor issue)
+	[buster] - puppet <ignored> (Minor issue)
 	NOTE: https://puppet.com/security/cve/cve-2021-27023
 	NOTE: https://github.com/puppetlabs/puppet/commit/e90023a8b54a58073d71dae655d7636e2c9bcc61 (6.25.1)
+	NOTE: Marginal/unclear security implications, the redirects are fully under control of
+	NOTE: the puppet masters and the advisory states this CVE would be similar to CVE-2018-1000007,
+	NOTE: but CVE is for curl, which obviously has different scope being a library. Plus, all
+	NOTE: reasonably secure installations use client auth on the agents
 CVE-2021-27022 (A flaw was discovered in bolt-server and ace where running a task with ...)
 	- puppet <not-affected> (Only affects Puppet Enterprise)
 	NOTE: https://puppet.com/security/cve/CVE-2021-27022/