buster/bullseye triage

author: Moritz Mühlenhoff <jmm@debian.org> 2022-01-04 17:16:13 +0100
committer: Moritz Mühlenhoff <jmm@debian.org> 2022-01-04 17:16:49 +0100
commit: c931d850fb446bda7dc01c4dff4ae86b6a47d275 (patch)
tree: afc17d1af8b29784ae56518ecd34667ac13cda11
parent: a8281efd7711a01fc8389648e4e0bd637b60b8fe (diff)
3 files changed, 19 insertions, 1 deletions
diff --git a/data/CVE/2021.list b/data/CVE/2021.list
index c51313ab5e..db502d438d 100644
--- a/data/CVE/2021.list
+++ b/data/CVE/2021.list
@@ -537,9 +537,13 @@ CVE-2021-4189 [ftplib should not use the host from the PASV response]
 	RESERVED
 	- python3.10 <not-affected> (Fixed before initial upload to Debian unstable)
 	- python3.9 3.9.7-1
+	[bullseye] - python3.9 <no-dsa> (Minor issue)
 	- python3.7 <removed>
+	[buster] - python3.7 <no-dsa> (Minor issue)
 	- python3.5 <removed>
 	- python2.7 <unfixed>
+	[bullseye] - python2.7 <ignored> (Python 2.7 in Bullseye not covered by security support)
+	[buster] - python2.7 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue43285
 	NOTE: https://github.com/python/cpython/commit/0ab152c6b5d95caa2dc1a30fa96e10258b5f188e (master)
 	NOTE: https://github.com/python/cpython/commit/7dcb4baa4f0fde3aef5122a8e9f6a41853ec9335 (v3.9.3)
@@ -2737,6 +2741,8 @@ CVE-2021-45041 (SuiteCRM before 7.12.2 and 8.x before 8.0.1 allows authenticated
 	NOT-FOR-US: SuiteCRM
 CVE-2021-4110 (mruby is vulnerable to NULL Pointer Dereference ...)
 	- mruby <unfixed> (bug #1001768)
+	[bullseye] - mruby <no-dsa> (Minor issue)
+	[buster] - mruby <no-dsa> (Minor issue)
 	[stretch] - mruby <postponed> (revisit when/if fix is complete)
 	NOTE: https://huntr.dev/bounties/4ce5dc47-2512-4c87-8609-453adc8cad20
 	NOTE: https://github.com/mruby/mruby/commit/f5e10c5a79a17939af763b1dcf5232ce47e24a34
@@ -3193,6 +3199,8 @@ CVE-2021-44848 (In Cibele Thinfinity VirtualUI before 3.0, /changePassword retur
 	NOT-FOR-US: Cibele Thinfinity VirtualUI
 CVE-2021-44847 (A stack-based buffer overflow in handle_request function in DHT.c in t ...)
 	- libtoxcore 0.2.13-1 (bug #1001711)
+	[bullseye] - libtoxcore <no-dsa> (Minor issue)
+	[buster] - libtoxcore <no-dsa> (Minor issue)
 	NOTE: https://github.com/TokTok/c-toxcore/pull/1718
 	NOTE: https://blog.tox.chat/2021/12/stack-based-buffer-overflow-vulnerability-in-udp-packet-handling-in-toxcore-cve-2021-44847/
 	NOTE: Introduced by: https://github.com/TokTok/c-toxcore/commit/71260e38e8d12547b0e55916daf6cadd72f52e19 (v0.1.9)
@@ -11452,11 +11460,13 @@ CVE-2021-41497 (Null pointer reference in CMS_Conservative_increment_obj in RaRe
 	NOT-FOR-US: RaRe-Technologies bounter
 CVE-2021-41496 (Buffer overflow in the array_from_pyobj function of fortranobject.c in ...)
 	- numpy <unfixed>
+	[bullseye] - numpy <no-dsa> (Minor issue)
 	NOTE: https://github.com/numpy/numpy/issues/19000
 	NOTE: https://github.com/numpy/numpy/pull/20630
 	NOTE: https://github.com/numpy/numpy/commit/271010f1037150e95017f803f4214b8861e528f2
 CVE-2021-41495 (Null Pointer Dereference vulnerability exists in numpy.sort in NumPy & ...)
 	- numpy <unfixed>
+	[bullseye] - numpy <no-dsa> (Minor issue)
 	NOTE: https://github.com/numpy/numpy/issues/19038
 	TODO: check for classification/severity
 CVE-2021-41494
@@ -21729,6 +21739,8 @@ CVE-2021-37233
 	RESERVED
 CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124.204813 ...)
 	- atomicparsley 20210715.151551.e7ad03a-1 (bug #993366)
+	[bullseye] - atomicparsley <no-dsa> (Minor issue)
+	[buster] - atomicparsley <no-dsa> (Minor issue)
 	[stretch] - atomicparsley <no-dsa> (Minor issue)
 	- gtkpod <unfixed> (bug #993376)
 	[bullseye] - gtkpod <ignored> (Minor issue)
@@ -21738,6 +21750,8 @@ CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124.
 	NOTE: https://github.com/wez/atomicparsley/issues/32
 CVE-2021-37231 (A stack-buffer-overflow occurs in Atomicparsley 20210124.204813.840499 ...)
 	- atomicparsley 20210715.151551.e7ad03a-1 (bug #993372)
+	[bullseye] - atomicparsley <no-dsa> (Minor issue)
+	[buster] - atomicparsley <no-dsa> (Minor issue)
 	[stretch] - atomicparsley <no-dsa> (Minor issue)
 	- gtkpod <unfixed> (bug #993375)
 	[bullseye] - gtkpod <ignored> (Minor issue)
@@ -28823,9 +28837,9 @@ CVE-2021-34142
 	RESERVED
 CVE-2021-34141 (Incomplete string comparison in the numpy.core component in NumPy1.9.x ...)
 	- numpy <unfixed>
+	[bullseye] - numpy <no-dsa> (Minor issue)
 	NOTE: https://github.com/numpy/numpy/issues/18993
 	NOTE: https://github.com/numpy/numpy/commit/eeef9d4646103c3b1afd3085f1393f2b3f9575b2 (v1.23.0.dev0)
-	TODO: check
 CVE-2021-34140
 	RESERVED
 CVE-2021-34139
diff --git a/data/CVE/2022.list b/data/CVE/2022.list
index 6dca4d7351..d214ebf1b0 100644
--- a/data/CVE/2022.list
+++ b/data/CVE/2022.list
@@ -482,6 +482,8 @@ CVE-2022-0081
 	RESERVED
 CVE-2022-0080 (mruby is vulnerable to Heap-based Buffer Overflow ...)
 	- mruby <unfixed>
+	[bullseye] - mruby <no-dsa> (Minor issue)
+	[buster] - mruby <no-dsa> (Minor issue)
 	NOTE: https://huntr.dev/bounties/59a70392-4864-4ce3-8e35-6ac2111d1e2e/
 	NOTE: https://github.com/mruby/mruby/commit/28ccc664e5dcd3f9d55173e9afde77c4705a9ab6
 CVE-2022-0079 (showdoc is vulnerable to Generation of Error Message Containing Sensit ...)
diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt
index 751a91ba15..5df89ceac1 100644
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -33,6 +33,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v4.19.y versions.
 --
+lxml
+--
 ndpi/oldstable
 --
 nodejs (jmm)
author	Moritz Mühlenhoff <jmm@debian.org>	2022-01-04 17:16:13 +0100
committer	Moritz Mühlenhoff <jmm@debian.org>	2022-01-04 17:16:49 +0100
commit	c931d850fb446bda7dc01c4dff4ae86b6a47d275 (patch)
tree	afc17d1af8b29784ae56518ecd34667ac13cda11
parent	a8281efd7711a01fc8389648e4e0bd637b60b8fe (diff)