Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: d085fc39 by Moritz Muehlenhoff at 2018-09-20T18:57:20Z stretch triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -334,6 +334,7 @@ CVE-2018-17183 (Artifex Ghostscript before 9.25 allowed a user-writable error ex NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624 CVE-2018-17095 (An issue has been discovered in mpruett Audio File Library (aka ...) - audiofile <unfixed> + [stretch] - audiofile <no-dsa> (Minor issue) [jessie] - audiofile <postponed> (Can be fixed along in future DLA) NOTE: https://github.com/mpruett/audiofile/issues/50 NOTE: https://github.com/mpruett/audiofile/issues/51 @@ -422,6 +423,7 @@ CVE-2018-17058 RESERVED CVE-2018-17057 (An issue was discovered in TCPDF before 6.2.22. Attackers can trigger ...) - tcpdf <unfixed> (bug #908866) + [stretch] - tcpdf <no-dsa> (Minor issue) [jessie] - tcpdf <ignored> (Minor issue) NOTE: https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26e NOTE: Was considered minor for jessie since arbitrary deserialization @@ -1560,6 +1562,7 @@ CVE-2018-1000673 REJECTED CVE-2018-1000671 (sympa version 6.2.16 and later contains a CWE-601: URL Redirection to ...) - sympa <unfixed> (bug #908165) + [stretch] - sympa <no-dsa> (Minor issue) NOTE: https://github.com/sympa-community/sympa/issues/268 NOTE: https://github.com/sympa-community/sympa/commit/c6ce32a6c203070702eac45a4442a17d2bf7b0c1 NOTE: https://github.com/sympa-community/sympa/commit/03314a9baf7f7903283253829877afd0ae50e325 
@@ -6169,6 +6172,7 @@ CVE-2018-14637 RESERVED CVE-2018-14636 (Live-migrated instances are briefly able to inspect traffic for other ...) - neutron <unfixed> (low) + [stretch] - neutron <no-dsa> (Minor issue) [jessie] - neutron <ignored> (Minor issue) CVE-2018-14635 (When using the Linux bridge ml2 driver, non-privileged tenants are ...) - neutron 2:13.0.0-1 @@ -7218,6 +7222,7 @@ CVE-2018-14321 RESERVED CVE-2018-14320 (This vulnerability allows remote attackers to disclose sensitive ...) - libpodofo <unfixed> + [stretch] - libpodofo <no-dsa> (Minor issue) [jessie] - libpodofo <ignored> (Minor issue) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-18-1046/ CVE-2018-14319 @@ -7814,8 +7819,7 @@ CVE-2018-14044 (The RateTransposer::setChannels function in RateTransposer.cpp i CVE-2018-14043 (mstdlib (aka the M Standard Library for C) 1.2.0 has incorrect file ...) NOT-FOR-US: mstdlib CVE-2018-14042 (In Bootstrap before 4.1.2, XSS is possible in the data-container ...) - - twitter-bootstrap <unfixed> - [jessie] - twitter-bootstrap <not-affected> (Vulnerable code not present) + - twitter-bootstrap <not-affected> (Vulnerable code not present) - twitter-bootstrap3 <unfixed> (bug #907414) [jessie] - twitter-bootstrap3 <not-affected> (Vulnerable code not present) NOTE: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ 
@@ -7824,8 +7828,7 @@ CVE-2018-14042 (In Bootstrap before 4.1.2, XSS is possible in the data-container NOTE: https://github.com/twbs/bootstrap/pull/26630 NOTE: https://github.com/twbs/bootstrap/pull/26630/commits/efca80bb5bb34546a2e7a9488b89f71457d2ad92 CVE-2018-14041 (In Bootstrap before 4.1.2, XSS is possible in the data-target property ...) - - twitter-bootstrap <unfixed> - [jessie] - twitter-bootstrap <not-affected> (Vulnerable code not present) + - twitter-bootstrap <not-affected> (Vulnerable code not present) - twitter-bootstrap3 <unfixed> (bug #907414) [jessie] - twitter-bootstrap3 <not-affected> (Vulnerable code not present) NOTE: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ @@ -7835,8 +7838,7 @@ CVE-2018-14041 (In Bootstrap before 4.1.2, XSS is possible in the data-target pr NOTE: https://github.com/twbs/bootstrap/pull/26630/commits/3229efc0811df29765c1d0a949c85362378b0628 CVE-2018-14040 (In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent ...) {DLA-1479-1} - - twitter-bootstrap <unfixed> - [jessie] - twitter-bootstrap <not-affected> (Vulnerable code not present) + - twitter-bootstrap <not-affected> (Vulnerable code not present) - twitter-bootstrap3 <unfixed> (bug #907414) NOTE: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ NOTE: https://github.com/twbs/bootstrap/issues/26423 
@@ -11112,11 +11114,10 @@ CVE-2018-1000522 CVE-2018-1000521 (BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in ...) NOT-FOR-US: BigTree-CMS CVE-2018-1000520 (ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite Allows ...) - - mbedtls <unfixed> (low) - [stretch] - mbedtls <no-dsa> (Minor issue) - - polarssl <removed> - [jessie] - polarssl <no-dsa> (Minor issue) + - mbedtls <unfixed> (unimportant) + - polarssl <removed> (unimportant) NOTE: https://github.com/ARMmbed/mbedtls/issues/1561 + NOTE: No security impact CVE-2018-1000519 (aio-libs aiohttp-session contains a Session Fixation vulnerability in ...) NOT-FOR-US: aio-libs aiohttp-session CVE-2018-1000518 (aaugustin websockets version 4 contains a CWE-409: Improper Handling ...) ===================================== data/dsa-needed.txt ===================================== @@ -20,6 +20,8 @@ asterisk -- ceph -- +hylafax (jmm) +-- gitlab -- ghostscript @@ -75,6 +77,10 @@ passenger php7.0 wait until more severe issues have come up -- +smarty3 +-- +spamassassin +-- sssd Maintainer prepared an update and proposed debdiff, acked for upload, but update needs further testing before release. -- @@ -82,3 +88,5 @@ symfony -- wesnoth-1.12 -- +wireshark +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d085fc39adb3955d57b0a42cb221f14ebe4b94eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d085fc39adb3955d57b0a42cb221f14ebe4b94eb You're receiving this email because of your account on salsa.debian.org.
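Review bot: the new `NOTE: No security impact` in the CVE-2018-1000520 hunk states a conclusion without saying where it comes from; since the same hunk drops the `[stretch]` and `[jessie]` no-dsa lines and lowers mbedtls from `(low)` to `(unimportant)`, a pointer to the source of that assessment (the linked ARMmbed/mbedtls issue 1561 thread or a maintainer statement) would let a later reader of the tracker verify why the entry was downgraded rather than take the bare claim on trust.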
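Review bot: the three twitter-bootstrap hunks (CVE-2018-14042, CVE-2018-14041, CVE-2018-14040) each replace `- twitter-bootstrap <unfixed>` plus `[jessie] - twitter-bootstrap <not-affected> (Vulnerable code not present)` with an unversioned `- twitter-bootstrap <not-affected> (Vulnerable code not present)`, which is consistent across the three, but the rationale being reused is the one that was previously scoped to jessie only; a short NOTE saying the vulnerable code is absent from the twitter-bootstrap package in every suite, not just jessie, would document why the unstable entry moved from `<unfixed>` to `<not-affected>` while twitter-bootstrap3 stays `<unfixed>` (bug #907414).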
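Review bot: in the data/dsa-needed.txt hunk at `@@ -20,6 +20,8 @@`, `hylafax (jmm)` is inserted between `ceph` and `gitlab`, whereas the other entries this commit adds are placed alphabetically (`smarty3` and `spamassassin` after `php7.0`, `wireshark` after `wesnoth-1.12`); if the file is meant to stay sorted, hylafax belongs after `ghostscript`, and it is also the only new entry carrying a claimer, so consider noting whether smarty3, spamassassin and wireshark are intentionally left unclaimed.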
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits