Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: b64e74c8 by Moritz Muehlenhoff at 2019-02-08T22:06:30Z buster triage - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -8623,7 +8623,7 @@ CVE-2019-3826 [Stored DOM cross-site scripting (XSS) attack via crafted URL] [stretch] - prometheus <not-affected> (Only affects 2.1.0 onwards) NOTE: https://github.com/prometheus/prometheus/pull/5163 CVE-2019-3825 (A vulnerability was discovered in gdm before 3.31.4. When timed login ...) - - gdm3 <unfixed> (low) + - gdm3 <unfixed> (low; bug #921764) [stretch] - gdm3 <no-dsa> (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/gdm/issues/460 CVE-2019-3824 @@ -10720,6 +10720,7 @@ CVE-2018-1000826 (Microweber version <= 1.0.7 contains a Cross Site Scripting NOT-FOR-US: Microweber CVE-2018-1000825 (FreeCol version <= nightly-2018-08-22 contains a XML External Entity ...) - freecol <unfixed> (bug #917023; low) + [buster] - freecol <no-dsa> (Minor issue) [stretch] - freecol <no-dsa> (Minor issue) [jessie] - freecol <end-of-life> (Games are not supported) NOTE: https://github.com/FreeCol/freecol/issues/26 @@ -20699,9 +20700,7 @@ CVE-2018-19107 (In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called fro CVE-2018-19106 RESERVED CVE-2018-19105 (LibreCAD 2.1.3 allows remote attackers to cause a denial of service ...) - - librecad <unfixed> - [stretch] - librecad <no-dsa> (Minor issue) - [jessie] - librecad <no-dsa> (Minor issue) + - librecad <undetermined> NOTE: https://code610.blogspot.com/2018/11/crashing-librecad-213.html CVE-2018-19104 (In BageCMS 3.1.3, upload/index.php has a CSRF vulnerability that can be ...) NOT-FOR-US: BageCMS @@ -24539,8 +24538,9 @@ CVE-2018-17615 (This vulnerability allows remote attackers to execute arbitrary CVE-2018-17614 (This vulnerability allows remote attackers to execute arbitrary code ...) NOT-FOR-US: Losant Arduino MQTT Client CVE-2018-17613 (Telegram Desktop (aka tdesktop) 1.3.16 alpha, when "Use proxy" is ...) - - telegram-desktop <unfixed> (bug #921133) + - telegram-desktop <unfixed> (unimportant; bug #921133) NOTE: https://www.inputzero.io/2018/09/telegram-share-password-in-cleartext.html + NOTE: Non issue, works as expected, should probably be rejected CVE-2018-17612 (Sennheiser HeadSetup 7.3.4903 places Certification Authority (CA) ...) NOT-FOR-US: Sennheiser CVE-2018-17611 (Foxit PhantomPDF and Reader before 9.3 allow remote attackers to ...) @@ -28894,7 +28894,8 @@ CVE-2018-15913 CVE-2018-15912 (An issue was discovered in manjaro-update-system.sh in manjaro-system ...) NOT-FOR-US: manjaro-update-system.sh in manjaro-system on Manjaro Linux CVE-2018-15919 (Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 ...) - - openssh <unfixed> (bug #907503) + - openssh <unfixed> (low; bug #907503) + [buster] - openssh <no-dsa> (Minor issue) [stretch] - openssh <no-dsa> (Minor issue) [jessie] - openssh <no-dsa> (Minor issue) NOTE: http://www.openwall.com/lists/oss-security/2018/08/27/2 @@ -32134,7 +32135,7 @@ CVE-2018-14638 (A flaw was found in 389-ds-base before version 1.3.8.4-13. The p CVE-2018-14637 (The SAML broker consumer endpoint in Keycloak before version ...) NOT-FOR-US: Keycloak CVE-2018-14636 (Live-migrated instances are briefly able to inspect traffic for other ...) - - neutron <unfixed> (low) + - neutron 2:13.0.0-1 (low) [stretch] - neutron <no-dsa> (Minor issue) [jessie] - neutron <ignored> (Minor issue) CVE-2018-14635 (When using the Linux bridge ml2 driver, non-privileged tenants are ...) @@ -39052,7 +39053,7 @@ CVE-2018-12030 (Chevereto Free before 1.0.13 has XSS. ...) NOT-FOR-US: Chevereto Free CVE-2018-12029 (A race condition in the nginx module in Phusion Passenger 3.x through ...) {DLA-1399-1} - - passenger <unfixed> + - passenger <unfixed> (bug #921767) - ruby-passenger <removed> NOTE: https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/ NOTE: https://github.com/phusion/passenger/commit/207870f5b7f5cc240587ab0977d6046782ae1d86 @@ -39814,21 +39815,25 @@ CVE-2018-11741 (NEC Univerge Sv9100 WebPro 6.00.00 devices have Predictable Sess NOT-FOR-US: NEC Univerge Sv9100 WebPro devices CVE-2018-11740 (An issue was discovered in libtskbase.a in The Sleuth Kit (TSK) from ...) - sleuthkit <unfixed> (low; bug #902187) + [buster] - sleuthkit <no-dsa> (Minor issue) [stretch] - sleuthkit <no-dsa> (Minor issue) [jessie] - sleuthkit <no-dsa> (Minor issue) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1264 CVE-2018-11739 (An issue was discovered in libtskimg.a in The Sleuth Kit (TSK) from ...) - sleuthkit <unfixed> (low; bug #902187) + [buster] - sleuthkit <no-dsa> (Minor issue) [stretch] - sleuthkit <no-dsa> (Minor issue) [jessie] - sleuthkit <no-dsa> (Minor issue) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1267 CVE-2018-11738 (An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from ...) - sleuthkit <unfixed> (low; bug #902187) + [buster] - sleuthkit <no-dsa> (Minor issue) [stretch] - sleuthkit <no-dsa> (Minor issue) [jessie] - sleuthkit <no-dsa> (Minor issue) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1265 CVE-2018-11737 (An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from ...) - sleuthkit <unfixed> (low; bug #902187) + [buster] - sleuthkit <no-dsa> (Minor issue) [stretch] - sleuthkit <no-dsa> (Minor issue) [jessie] - sleuthkit <no-dsa> (Minor issue) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1266 @@ -62860,7 +62865,8 @@ CVE-2017-17944 CVE-2017-17943 RESERVED CVE-2017-17942 (In LibTIFF 4.0.9, there is a heap-based buffer over-read in the ...) - - tiff <unfixed> (bug #885579) + - tiff <unfixed> (low; bug #885579) + [buster] - tiff <postponed> (Minor issue, revisit once fixed upstream) [stretch] - tiff <postponed> (Minor issue, revisit once fixed upstream) [jessie] - tiff <postponed> (Minor issue, revisit once fixed upstream) [wheezy] - tiff <postponed> (Minor issue, revisit once fixed upstream) @@ -64504,8 +64510,9 @@ CVE-2018-3211 (Vulnerability in the Java SE, Java SE Embedded component of Oracl CVE-2018-3210 (Vulnerability in the Oracle GlassFish Server component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-3209 (Vulnerability in the Java SE component of Oracle Java SE ...) - - openjfx <unfixed> + - openjfx 11+26-1 [stretch] - openjfx <ignored> (Specific details withheld by Oracle, impossible to fix) + NOTE: CPU marks this as only affecting 8.x, so marking first 11 upload as fixed CVE-2018-3208 (Vulnerability in the Hyperion Data Relationship Management component ...) NOT-FOR-US: Oracle CVE-2018-3207 (Vulnerability in the PeopleSoft Enterprise PeopleTools component of ...) @@ -66750,12 +66757,12 @@ CVE-2017-17689 (The S/MIME specification allows a Cipher Block Chaining (CBC) .. NOTE: https://dot.kde.org/2018/05/15/efail-and-kmail NOTE: protocol vulnerability can't be fixed in implementations but they can prevent exploitation by disabling loading of remote content CVE-2017-17688 (** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode ...) - - enigmail <unfixed> (bug #898630) - [stretch] - enigmail <ignored> (Package broken in stable, can be fixed along when updated for ESR60) + - enigmail 2:2.0.6.1-4 (bug #898630) [jessie] - enigmail <end-of-life> (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html) NOTE: vulnerability is in the clients handling, not in OpenPGP NOTE: https://efail.de NOTE: possibly https://sourceforge.net/p/enigmail/source/ci/f6c111 and https://sourceforge.net/p/enigmail/source/ci/d2a83a + NOTE: Marking the first 2.x version which reached unstable as fixed, see discussion in #898630 CVE-2017-17687 RESERVED CVE-2017-17686 @@ -91917,6 +91924,7 @@ CVE-2017-1000048 (the web framework using ljharb's qs module older than v6.3.2, NOT-FOR-US: ljharb CVE-2017-1000047 (rbenv (all current versions) is vulnerable to Directory Traversal in ...) - rbenv <unfixed> (bug #869702) + [buster] - rbenv <no-dsa> (Minor issue) [stretch] - rbenv <no-dsa> (Minor issue) [jessie] - rbenv <no-dsa> (Minor issue) [wheezy] - rbenv <no-dsa> (Minor issue) @@ -109067,11 +109075,10 @@ CVE-2017-5669 (The do_shmat function in ipc/shm.c in the Linux kernel through 4. - linux 4.9.13-1 NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=192931 CVE-2017-5666 (The free_options function in options_manager.c in mp3splt 2.6.2 allows ...) - - mp3splt <unfixed> (bug #854278) - [jessie] - mp3splt <no-dsa> (Minor issue) - [wheezy] - mp3splt <no-dsa> (Minor issue) + - mp3splt <unfixed> (unimportant; bug #854278) NOTE: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c NOTE: https://sourceforge.net/p/mp3splt/bugs/209/ + NOTE: Negligable security impact CVE-2017-5665 (The splt_cue_export_to_file function in cue.c in libmp3splt 0.9.2 ...) - mp3splt <unfixed> (unimportant) NOTE: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-null-pointer-dereference-in-splt_cue_export_to_file-cue-c @@ -119173,7 +119180,7 @@ CVE-2017-2301 (On Juniper Networks products or platforms running Junos OS 11.4 p CVE-2017-2300 (On Juniper Networks SRX Series Services Gateways chassis clusters ...) NOT-FOR-US: Juniper CVE-2017-2299 (Versions of the puppetlabs-apache module prior to 1.11.1 and 2.1.0 ...) - - puppet-module-puppetlabs-apache <unfixed> (bug #875983) + - puppet-module-puppetlabs-apache 3.0.0-1 (bug #875983) [stretch] - puppet-module-puppetlabs-apache <no-dsa> (Minor issue) [jessie] - puppet-module-puppetlabs-apache <no-dsa> (Minor issue) NOTE: https://puppet.com/security/cve/CVE-2017-2299 @@ -129746,6 +129753,7 @@ CVE-2016-7955 (The logcheck function in session.inc in AlienVault OSSIM before 5 NOT-FOR-US: AlienVault OSSIM CVE-2016-7954 (Bundler 1.x might allow remote attackers to inject arbitrary Ruby code ...) - bundler <unfixed> (bug #842504) + [buster] - bundler <ignored> (Minor issue, too intrusive to backport) [stretch] - bundler <ignored> (Minor issue, too intrusive to backport) [jessie] - bundler <ignored> (Minor issue, too intrusive to backport) [wheezy] - bundler <no-dsa> (Minor issue, too intrusive to backport) @@ -176221,13 +176229,10 @@ CVE-2013-7437 (Multiple integer overflows in potrace 1.11 allow remote attackers NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=955808 NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/12 CVE-2015-2785 (The GIF encoder in Byzanz allows remote attackers to cause a denial of ...) - - byzanz <unfixed> (low; bug #778261) - [stretch] - byzanz <ignored> (Minor issue) - [jessie] - byzanz <ignored> (Minor issue) - [wheezy] - byzanz <ignored> (Minor issue) - [squeeze] - byzanz <ignored> (Minor issue) + - byzanz <unfixed> (unimportant; bug #778261) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=852481 NOTE: http://www.openwall.com/lists/oss-security/2015/02/06/11 + NOTE: Only applies to debug recordings, negligable security impact CVE-2012-6689 (The netlink_sendmsg function in net/netlink/af_netlink.c in the Linux ...) {DLA-246-1} - linux 3.6.4-1 @@ -225380,6 +225385,7 @@ CVE-2013-0343 (The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the L CVE-2013-0342 [CreateID() creates serialized packet IDs for RADIUS] RESERVED - pyrad <unfixed> (low; bug #701151) + [buster] - pyrad <no-dsa> (Minor issue) [stretch] - pyrad <no-dsa> (Minor issue) [jessie] - pyrad <no-dsa> (Minor issue) [wheezy] - pyrad <no-dsa> (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b64e74c8310288727ccf31a563d6bbebe926e10b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b64e74c8310288727ccf31a563d6bbebe926e10b You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits