Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d085fc39 by Moritz Muehlenhoff at 2018-09-20T18:57:20Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -334,6 +334,7 @@ CVE-2018-17183 (Artifex Ghostscript before 9.25 allowed a 
user-writable error ex
        NOTE: 
http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624
 CVE-2018-17095 (An issue has been discovered in mpruett Audio File Library 
(aka ...)
        - audiofile <unfixed>
+       [stretch] - audiofile <no-dsa> (Minor issue)
        [jessie] - audiofile <postponed> (Can be fixed along in future DLA)
        NOTE: https://github.com/mpruett/audiofile/issues/50
        NOTE: https://github.com/mpruett/audiofile/issues/51
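Review bot: the new `[stretch] - audiofile <no-dsa> (Minor issue)` line sits directly above a jessie entry that is `<postponed>` ("Can be fixed along in future DLA"), so the two stable suites now carry different states for the same minor issue; if the stretch fix is likewise expected to ride along in a later update, `<postponed>` would keep the suites consistent, otherwise `<no-dsa>` is fine as is.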
@@ -422,6 +423,7 @@ CVE-2018-17058
        RESERVED
 CVE-2018-17057 (An issue was discovered in TCPDF before 6.2.22. Attackers can 
trigger ...)
        - tcpdf <unfixed> (bug #908866)
+       [stretch] - tcpdf <no-dsa> (Minor issue)
        [jessie] - tcpdf <ignored> (Minor issue)
        NOTE: 
https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26e
        NOTE: Was considered minor for jessie since arbitrary deserialization
@@ -1560,6 +1562,7 @@ CVE-2018-1000673
        REJECTED
 CVE-2018-1000671 (sympa version 6.2.16 and later contains a CWE-601: URL 
Redirection to ...)
        - sympa <unfixed> (bug #908165)
+       [stretch] - sympa <no-dsa> (Minor issue)
        NOTE: https://github.com/sympa-community/sympa/issues/268
        NOTE: 
https://github.com/sympa-community/sympa/commit/c6ce32a6c203070702eac45a4442a17d2bf7b0c1
        NOTE: 
https://github.com/sympa-community/sympa/commit/03314a9baf7f7903283253829877afd0ae50e325
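Review bot: the sympa entry gains a stretch annotation but still has no `[jessie]` line, so jessie remains untriaged after this change; the description says "sympa version 6.2.16 and later" is affected, so either a `[jessie] - sympa <not-affected>` line (if the version shipped there predates 6.2.16) or a `<no-dsa>`/`<postponed>` line would complete the triage for this CVE.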
@@ -6169,6 +6172,7 @@ CVE-2018-14637
        RESERVED
 CVE-2018-14636 (Live-migrated instances are briefly able to inspect traffic 
for other ...)
        - neutron <unfixed> (low)
+       [stretch] - neutron <no-dsa> (Minor issue)
        [jessie] - neutron <ignored> (Minor issue)
 CVE-2018-14635 (When using the Linux bridge ml2 driver, non-privileged tenants 
are ...)
        - neutron 2:13.0.0-1
@@ -7218,6 +7222,7 @@ CVE-2018-14321
        RESERVED
 CVE-2018-14320 (This vulnerability allows remote attackers to disclose 
sensitive ...)
        - libpodofo <unfixed>
+       [stretch] - libpodofo <no-dsa> (Minor issue)
        [jessie] - libpodofo <ignored> (Minor issue)
        NOTE: https://www.zerodayinitiative.com/advisories/ZDI-18-1046/
 CVE-2018-14319
@@ -7814,8 +7819,7 @@ CVE-2018-14044 (The RateTransposer::setChannels function 
in RateTransposer.cpp i
 CVE-2018-14043 (mstdlib (aka the M Standard Library for C) 1.2.0 has incorrect 
file ...)
        NOT-FOR-US: mstdlib
 CVE-2018-14042 (In Bootstrap before 4.1.2, XSS is possible in the 
data-container ...)
-       - twitter-bootstrap <unfixed>
-       [jessie] - twitter-bootstrap <not-affected> (Vulnerable code not 
present)
+       - twitter-bootstrap <not-affected> (Vulnerable code not present)
        - twitter-bootstrap3 <unfixed> (bug #907414)
        [jessie] - twitter-bootstrap3 <not-affected> (Vulnerable code not 
present)
        NOTE: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
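Review bot: collapsing `- twitter-bootstrap <unfixed>` and the `[jessie] ... <not-affected>` line into a single suite-wide `- twitter-bootstrap <not-affected> (Vulnerable code not present)` is only correct if the "Vulnerable code not present" reasoning holds for every suite, not just jessie; the CVE text ("Bootstrap before 4.1.2") and the NOTEs only describe the 4.x fix, so a short NOTE stating why the twitter-bootstrap source is unaffected everywhere would make the downgrade verifiable. The same rewrite is repeated for CVE-2018-14041 and CVE-2018-14040 in the following hunks.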
@@ -7824,8 +7828,7 @@ CVE-2018-14042 (In Bootstrap before 4.1.2, XSS is 
possible in the data-container
        NOTE: https://github.com/twbs/bootstrap/pull/26630
        NOTE: 
https://github.com/twbs/bootstrap/pull/26630/commits/efca80bb5bb34546a2e7a9488b89f71457d2ad92
 CVE-2018-14041 (In Bootstrap before 4.1.2, XSS is possible in the data-target 
property ...)
-       - twitter-bootstrap <unfixed>
-       [jessie] - twitter-bootstrap <not-affected> (Vulnerable code not 
present)
+       - twitter-bootstrap <not-affected> (Vulnerable code not present)
        - twitter-bootstrap3 <unfixed> (bug #907414)
        [jessie] - twitter-bootstrap3 <not-affected> (Vulnerable code not 
present)
        NOTE: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
@@ -7835,8 +7838,7 @@ CVE-2018-14041 (In Bootstrap before 4.1.2, XSS is 
possible in the data-target pr
        NOTE: 
https://github.com/twbs/bootstrap/pull/26630/commits/3229efc0811df29765c1d0a949c85362378b0628
 CVE-2018-14040 (In Bootstrap before 4.1.2, XSS is possible in the collapse 
data-parent ...)
        {DLA-1479-1}
-       - twitter-bootstrap <unfixed>
-       [jessie] - twitter-bootstrap <not-affected> (Vulnerable code not 
present)
+       - twitter-bootstrap <not-affected> (Vulnerable code not present)
        - twitter-bootstrap3 <unfixed> (bug #907414)
        NOTE: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
        NOTE: https://github.com/twbs/bootstrap/issues/26423
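Review bot: after this rewrite the CVE-2018-14040 entry keeps `{DLA-1479-1}` while marking twitter-bootstrap `<not-affected>` in all suites, so the DLA reference now applies only to twitter-bootstrap3, which, unlike the two Bootstrap entries above, has no `[jessie] ... <not-affected>` line here; that is consistent with a jessie update having been issued for twitter-bootstrap3, but worth a second look since the three entries otherwise read identically.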
@@ -11112,11 +11114,10 @@ CVE-2018-1000522
 CVE-2018-1000521 (BigTree-CMS contains a Cross Site Scripting (XSS) 
vulnerability in ...)
        NOT-FOR-US: BigTree-CMS
 CVE-2018-1000520 (ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite 
Allows ...)
-       - mbedtls <unfixed> (low)
-       [stretch] - mbedtls <no-dsa> (Minor issue)
-       - polarssl <removed>
-       [jessie] - polarssl <no-dsa> (Minor issue)
+       - mbedtls <unfixed> (unimportant)
+       - polarssl <removed> (unimportant)
        NOTE: https://github.com/ARMmbed/mbedtls/issues/1561
+       NOTE: No security impact
 CVE-2018-1000519 (aio-libs aiohttp-session contains a Session Fixation 
vulnerability in ...)
        NOT-FOR-US: aio-libs aiohttp-session
 CVE-2018-1000518 (aaugustin websockets version 4 contains a CWE-409: Improper 
Handling ...)
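Review bot: moving mbedtls and polarssl to `(unimportant)` and dropping the `[stretch]`/`[jessie]` `<no-dsa>` lines is consistent (unimportant issues carry no per-suite markers), but the added `NOTE: No security impact` gives no reason for the downgrade from `(low)`; one clause summarizing why (the upstream issue 1561 link is already there) would let the next triager confirm the call without re-reading the issue.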


=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ asterisk
 --
 ceph
 --
+hylafax (jmm)
+--
 gitlab
 --
 ghostscript
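Review bot: `hylafax (jmm)` is inserted between `ceph` and `gitlab`, ahead of `ghostscript`; the surrounding context is itself not strictly alphabetical (`gitlab` precedes `ghostscript`), so if the file is meant to stay sorted this is the moment to put all three in order, otherwise the placement is fine and the claimant tag matches the existing convention.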
@@ -75,6 +77,10 @@ passenger
 php7.0
   wait until more severe issues have come up
 --
+smarty3
+--
+spamassassin
+--
 sssd
   Maintainer prepared an update and proposed debdiff, acked for upload, but 
update needs further testing before release.
 --
@@ -82,3 +88,5 @@ symfony
 --
 wesnoth-1.12
 --
+wireshark
+--



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d085fc39adb3955d57b0a42cb221f14ebe4b94eb
