Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker
Commits: 958c1045 by Antoine Beaupré at 2018-04-11T09:42:48-04:00 triage nmap out of jessie and wheezy: vulnerable code introduced later - - - - - 127100fa by Antoine Beaupré at 2018-04-11T09:44:34-04:00 follow jessie and no-dla for mysql (postponed) and zsh (minor) - - - - - 69be5443 by Antoine Beaupré at 2018-04-11T09:44:47-04:00 squirrelmail should be doable in lts - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== --- a/data/CVE/list +++ b/data/CVE/list @@ -410,7 +410,9 @@ CVE-2018-1000164 [Improper neutralization of CRLF Sequences http/wsgi.py:process CVE-2018-1000161 [directory traversal in the way the non-default http-fetch script sanitized URLs] - nmap 7.70+dfsg1-1 [stretch] - nmap <no-dsa> (Minor issue) - [jessie] - nmap <no-dsa> (Minor issue) + [jessie] - nmap <not-affected> (Vulnerable code not present) + [wheezy] - nmap <not-affected> (Vulnerable code not present) + NOTE: script added in 6.49BETA6 according to https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-1000161 CVE-2018-1000157 REJECTED CVE-2018-9838 (The caml_ba_deserialize function in byterun/bigarray.c in the standard ...) @@ -19320,6 +19322,7 @@ CVE-2018-2767 [Use of SSL/TLS not enforced in client library (Return of BACKRONY - mysql-5.7 <unfixed> - mysql-5.5 <removed> [jessie] - mysql-5.5 <postponed> (Wait for next upstream security/bugfix release) + [wheezy] - mysql-5.5 <postponed> (Wait for next upstream security/bugfix release) NOTE: http://www.openwall.com/lists/oss-security/2018/04/08/2 NOTE: Result from an incomplete fix for CVE-2015-3152 and related CVE for NOTE: Oracle products. @@ -23843,6 +23846,7 @@ CVE-2018-1100 [check bounds on buffer in mail checking] - zsh 5.5-1 (bug #895225) [stretch] - zsh <no-dsa> (Minor issue) [jessie] - zsh <no-dsa> (Minor issue) + [wheezy] - zsh <no-dsa> (Minor issue) NOTE: https://www.zsh.org/cgi-bin/mla/redirect?WORKERNUMBER=42607 NOTE: https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/ CVE-2018-1099 (DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An ...) ===================================== data/dla-needed.txt ===================================== --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -93,6 +93,8 @@ sharutils (Abhijith PA) -- slurm-llnl (Thorsten Alteholz) -- +squirrelmail +-- tiff (Hugo Lefeuvre) NOTE: incomplete fix of CVE-2017-18013, see CVE-2018-7456. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bdd1de62c2618453a8f9dccf14f810930d5a8893...69be54436ac87ff91f3f23983ea8e23325237287 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bdd1de62c2618453a8f9dccf14f810930d5a8893...69be54436ac87ff91f3f23983ea8e23325237287 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits