Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
882875a5 by Moritz Muehlenhoff at 2019-02-15T19:53:32Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1406,12 +1406,14 @@ CVE-2019-7667
 CVE-2019-7666
        RESERVED
 CVE-2019-7665 (In elfutils 0.175, a heap-based buffer over-read was discovered 
in the ...)
-       - elfutils <unfixed> (bug #921880)
+       - elfutils <unfixed> (low; bug #921880)
+       [stretch] - elfutils <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24089
        NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html
        NOTE: 
https://sourceware.org/git/?p=elfutils.git;a=commit;h=de01cc6f9446187d69b9748bb3636361c79e77a4
 CVE-2019-7664 (In elfutils 0.175, a negative-sized memcpy is attempted in 
elf_cvt_note ...)
-       - elfutils <unfixed> (bug #921881)
+       - elfutils <unfixed> (low; bug #921881)
+       [stretch] - elfutils <no-dsa> (Minor issue)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24084
        NOTE: 
https://sourceware.org/git/?p=elfutils.git;a=commit;h=e65d91d21cb09d83b001fef9435e576ba447db32
 CVE-2019-7663 (An Invalid Address dereference was discovered in ...)
@@ -1479,19 +1481,27 @@ CVE-2019-7639 (An issue was discovered in 
gsi-openssh-server 7.9p1 on Fedora 29.
        NOT-FOR-US: gsi-openssh-server (OpenSSH patched with 
openssh-7.9p1-gsissh.patch)
 CVE-2019-7638 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 
2.0.9 has ...)
        - libsdl1.2 <unfixed>
+       [stretch] - libsdl1.2 <no-dsa> (Minor issue)
        - libsdl2 <unfixed>
+       [stretch] - libsdl2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4500
 CVE-2019-7637 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 
2.0.9 has ...)
        - libsdl1.2 <unfixed>
+       [stretch] - libsdl1.2 <no-dsa> (Minor issue)
        - libsdl2 <unfixed>
+       [stretch] - libsdl2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4497
 CVE-2019-7636 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 
2.0.9 has ...)
        - libsdl1.2 <unfixed>
+       [stretch] - libsdl1.2 <no-dsa> (Minor issue)
        - libsdl2 <unfixed>
+       [stretch] - libsdl2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4499
 CVE-2019-7635 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 
2.0.9 has ...)
        - libsdl1.2 <unfixed>
+       [stretch] - libsdl1.2 <no-dsa> (Minor issue)
        - libsdl2 <unfixed>
+       [stretch] - libsdl2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4498
 CVE-2018-20764 (A buffer overflow exists in HelpSystems tcpcrypt on Linux, 
used for ...)
        TODO: check
@@ -1611,31 +1621,45 @@ CVE-2019-7579
        RESERVED
 CVE-2019-7578 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 
2.0.9 has ...)
        - libsdl1.2 <unfixed>
+       [stretch] - libsdl1.2 <no-dsa> (Minor issue)
        - libsdl2 <unfixed>
+       [stretch] - libsdl2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4494
 CVE-2019-7577 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 
2.0.9 has ...)
        - libsdl1.2 <unfixed>
+       [stretch] - libsdl1.2 <no-dsa> (Minor issue)
        - libsdl2 <unfixed>
+       [stretch] - libsdl2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
 CVE-2019-7576 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 
2.0.9 has ...)
        - libsdl1.2 <unfixed>
+       [stretch] - libsdl1.2 <no-dsa> (Minor issue)
        - libsdl2 <unfixed>
+       [stretch] - libsdl2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4490
 CVE-2019-7575 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 
2.0.9 has ...)
        - libsdl1.2 <unfixed>
+       [stretch] - libsdl1.2 <no-dsa> (Minor issue)
        - libsdl2 <unfixed>
+       [stretch] - libsdl2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4493
 CVE-2019-7574 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 
2.0.9 has ...)
        - libsdl1.2 <unfixed>
+       [stretch] - libsdl1.2 <no-dsa> (Minor issue)
        - libsdl2 <unfixed>
+       [stretch] - libsdl2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4496
 CVE-2019-7573 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 
2.0.9 has ...)
        - libsdl1.2 <unfixed>
+       [stretch] - libsdl1.2 <no-dsa> (Minor issue)
        - libsdl2 <unfixed>
+       [stretch] - libsdl2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4491
 CVE-2019-7572 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 
2.0.9 has ...)
        - libsdl1.2 <unfixed>
+       [stretch] - libsdl1.2 <no-dsa> (Minor issue)
        - libsdl2 <unfixed>
+       [stretch] - libsdl2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4495
 CVE-2019-7571
        RESERVED
@@ -1973,9 +1997,10 @@ CVE-2019-7444
 CVE-2019-7443 [Insecure handling of arguments in helpers]
        RESERVED
        - kauth 5.54.0-2 (bug #921995)
+       [stretch] - kauth <no-dsa> (Minor issue)
+       - kde4libs <unfixed>
        NOTE: 
https://mail.kde.org/pipermail/kde-announce/2019-February/000011.html
        NOTE: 
https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3f4a
-       TODO: check kde4libs
 CVE-2019-7442
        RESERVED
 CVE-2019-7441
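Review bot: the added "- kde4libs <unfixed>" line under CVE-2019-7443 replaces "TODO: check kde4libs" but has no bug reference and no [stretch] annotation, unlike the kauth lines next to it. As this commit is stretch triage, either add a "[stretch] - kde4libs ..." line with the decision or a NOTE saying why kde4libs is left open.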
@@ -2169,6 +2194,7 @@ CVE-2019-1000022 (Taoensso Sente version Prior to version 
1.14.0 contains a Cros
        NOT-FOR-US: Taoensso Sente
 CVE-2019-1000021 (slixmpp version before commit 
7cd73b594e8122dddf847953fcfc85ab4d316416 ...)
        - slixmpp 1.4.2-1
+       [stretch] - slixmpp <no-dsa> (Minor issue)
        NOTE: 
https://lab.louiz.org/poezio/slixmpp/commit/7cd73b594e8122dddf847953fcfc85ab4d316416
 CVE-2019-1000020 (libarchive version commit 
5a98dcf8a86364b3c2c469c85b93647dfb139961 ...)
        {DLA-1668-1}
@@ -2374,6 +2400,7 @@ CVE-2019-7311
        RESERVED
 CVE-2019-7310 (In Poppler 0.73.0, a heap-based buffer over-read (due to an 
integer ...)
        - poppler <unfixed> (bug #921215)
+       [stretch] - poppler <ignored> (Minor issue)
        [jessie] - poppler <ignored> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12797
        NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/717
@@ -3624,6 +3651,7 @@ CVE-2019-6778 [slirp: heap buffer overflow in tcp_emu()]
        - qemu-kvm <removed>
        - slirp4netns 0.2.1-1
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg03132.html
+       NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=a7104eda7dab99d0cdbd3595c211864cba415905
 CVE-2019-6777 (An issue was discovered in ZoneMinder v1.32.3. Reflected XSS 
exists in ...)
        - zoneminder 1.32.3-2 (bug #920375)
        NOTE: https://github.com/ZoneMinder/zoneminder/issues/2436
@@ -4213,6 +4241,7 @@ CVE-2019-6501 [scsi-generic: possible OOB access while 
handling inquiry request]
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg02324.html
        NOTE: Code introduced by 
https://git.qemu.org/?p=qemu.git;a=commit;h=6c219fc8a1 ,
        NOTE: but but the overflow was already possible before.
+       NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=e909ff93698851777faac3c45d03c1b73f311ea6
 CVE-2016-10739 (In the GNU C Library (aka glibc or libc6) through 2.28, the 
getaddrinfo ...)
        - glibc 2.28-6 (bug #920047)
        [stretch] - glibc <no-dsa> (Minor issue)
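Review bot: the NOTE added for CVE-2019-6501 is a bare commit URL placed right after the "Code introduced by ..." note, so a reader cannot tell whether it is the fix or another introducing commit. If it is the fix, label it as such on the NOTE line; the doubled "but but" in the context line above could be cleaned up in the same pass.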
@@ -4349,10 +4378,14 @@ CVE-2018-20727 (Multiple command injection 
vulnerabilities in NeDi before 1.7Cp3
 CVE-2015-9281 (Logon Manager in SAS Web Infrastructure Platform before 9.4M3 
allows ...)
        NOT-FOR-US: SAS Web Infrastructure Platform
 CVE-2019-6462 (An issue was discovered in cairo 1.16.0. There is an infinite 
loop in ...)
-       - cairo <unfixed>
+       - cairo <unfixed> (low)
+       [busterh] - cairo <no-dsa> (Minor issue)
+       [stretch] - cairo <no-dsa> (Minor issue)
        NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/353
 CVE-2019-6461 (An issue was discovered in cairo 1.16.0. There is an assertion 
problem ...)
-       - cairo <unfixed>
+       - cairo <unfixed> (low)
+       [busterh] - cairo <no-dsa> (Minor issue)
+       [stretch] - cairo <no-dsa> (Minor issue)
        NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/352
 CVE-2019-6460 (An issue was discovered in GNU Recutils 1.8. There is a NULL 
pointer ...)
        - recutils <unfixed> (unimportant)
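Review bot: "[busterh]" on the two added cairo lines (CVE-2019-6462 and CVE-2019-6461) looks like a typo; the release tags used elsewhere in this diff are stretch, jessie, wheezy and experimental, and nothing is named busterh. Correct it to the intended release name, or drop the line if only the stretch decision was meant.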
@@ -4389,22 +4422,26 @@ CVE-2019-6448
 CVE-2019-6447 (The ES File Explorer File Manager application through 4.1.9.7.4 
for ...)
        NOT-FOR-US: ES File Explorer File Manager application
 CVE-2018-20726 (A cross-site scripting (XSS) vulnerability exists in host.php 
(via ...)
-       - cacti 1.2.1+ds1-1
+       - cacti 1.2.1+ds1-1 (low)
+       [stretch] - cacti <no-dsa> (Minor issue)
        [jessie] - cacti <ignored> (Minor issue)
        NOTE: 
https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d
        NOTE: https://github.com/Cacti/cacti/issues/2213
 CVE-2018-20725 (A cross-site scripting (XSS) vulnerability exists in ...)
-       - cacti 1.2.1+ds1-1
+       - cacti 1.2.1+ds1-1 (low)
+       [stretch] - cacti <no-dsa> (Minor issue)
        [jessie] - cacti <ignored> (Minor issue)
        NOTE: 
https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d
        NOTE: https://github.com/Cacti/cacti/issues/2214
 CVE-2018-20724 (A cross-site scripting (XSS) vulnerability exists in 
pollers.php in ...)
-       - cacti 1.2.1+ds1-1
+       - cacti 1.2.1+ds1-1 (low)
+       [stretch] - cacti <no-dsa> (Minor issue)
        [jessie] - cacti <ignored> (Minor issue)
        NOTE: 
https://github.com/Cacti/cacti/commit/1f42478506d83d188f68ce5ff41728a7bd159f53
        NOTE: https://github.com/Cacti/cacti/issues/2212
 CVE-2018-20723 (A cross-site scripting (XSS) vulnerability exists in ...)
-       - cacti 1.2.1+ds1-1
+       - cacti 1.2.1+ds1-1 (low)
+       [stretch] - cacti <no-dsa> (Minor issue)
        [jessie] - cacti <ignored> (Minor issue)
        NOTE: 
https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d
        NOTE: https://github.com/Cacti/cacti/issues/2215
@@ -10699,7 +10736,8 @@ CVE-2018-20664 (Zoho ManageEngine ADSelfService Plus 
5.x before build 5701 has X
 CVE-2018-20663 (The Reporting Addon (aka Reports Addon) through 2019-01-02 for 
CUBA ...)
        NOT-FOR-US: Reporting Addon for CUBA Platform
 CVE-2018-20662 (In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers 
to cause ...)
-       - poppler <unfixed> (bug #918158)
+       - poppler <unfixed> (low; bug #918158)
+       [stretch] - poppler <no-dsa> (Minor issue)
        [jessie] - poppler <postponed> (Minor issue)
        NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/706
        NOTE: Initial approach of fixing the issue via
@@ -10925,7 +10963,8 @@ CVE-2018-20651 (A NULL pointer dereference was 
discovered in ...)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24041
        NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f
 CVE-2018-20650 (A reachable Object::dictLookup assertion in Poppler 0.72.0 
allows ...)
-       - poppler <unfixed> (bug #917974)
+       - poppler <unfixed> (low; bug #917974)
+       [stretch] - poppler <no-dsa> (Minor issue)
        [jessie] - poppler <postponed> (Minor issue)
        NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/commit/de0c0b8324e776f0b851485e0fc9622fc35695b7
        NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/704
@@ -14940,6 +14979,7 @@ CVE-2018-20098 (There is a heap-based buffer over-read 
in ...)
        NOTE: https://github.com/TeamSeri0us/pocs/tree/master/exiv2/20181206
 CVE-2018-20097 (There is a SEGV in 
Exiv2::Internal::TiffParserWorker::findPrimaryGroups ...)
        - exiv2 <unfixed> (low)
+       [stretch] - exiv2 <no-dsa> (Minor issue)
        NOTE: https://github.com/Exiv2/exiv2/issues/590
 CVE-2018-20096 (There is a heap-based buffer over-read in the 
Exiv2::tEXtToDataBuf ...)
        [experimental] - exiv2 <unfixed> (low)
@@ -17766,7 +17806,8 @@ CVE-2018-19667
 CVE-2018-19666 (The agent in OSSEC through 3.1.0 on Windows allows local users 
to gain ...)
        - ossec-hids <itp> (bug #361954)
 CVE-2018-19665 (The Bluetooth subsystem in QEMU mishandles negative values for 
length ...)
-       - qemu 1:3.1+dfsg-2 (bug #916278)
+       - qemu 1:3.1+dfsg-2 (low; bug #916278)
+       [stretch] - qemu <postponed> (Revisit when final upstream patch is out)
        - qemu-kvm <removed>
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html
        NOTE: note that previously mentioned patch will never be merged by 
upstream, see
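Review bot: the new stretch reason for CVE-2018-19665, "Revisit when final upstream patch is out", sits under an unstable line that already records 1:3.1+dfsg-2 as fixed, and the context NOTE says the previously mentioned patch will never be merged upstream. Add a NOTE stating what fixed unstable, so it is clear what the stretch entry is still waiting for.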
@@ -20806,6 +20847,7 @@ CVE-2018-19536
        RESERVED
 CVE-2018-19535 (In Exiv2 0.26 and previous versions, PngChunk::readRawProfile 
in ...)
        - exiv2 <unfixed> (bug #915135)
+       [stretch] - exiv2 <no-dsa> (Minor issue)
        NOTE: https://github.com/Exiv2/exiv2/issues/428
        NOTE: https://github.com/Exiv2/exiv2/pull/430
 CVE-2018-19534
@@ -25016,6 +25058,7 @@ CVE-2018-18065 (_set_key in 
agent/helpers/table_container.c in Net-SNMP before 5
        NOTE: 
https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d/
 CVE-2018-18064 (cairo through 1.15.14 has an out-of-bounds stack-memory write 
during ...)
        - cairo <unfixed> (bug #916083)
+       [stretch] - cairo <no-dsa> (Minor issue)
        NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/341
 CVE-2018-18063
        RESERVED
@@ -30964,8 +31007,8 @@ CVE-2018-15748 (On Dell 2335dn printers with Printer 
Firmware Version 2.70.05.02
 CVE-2018-15747
        RESERVED
 CVE-2018-15746 (qemu-seccomp.c in QEMU might allow local OS guest users to 
cause a ...)
-       - qemu 1:3.1+dfsg-1 (bug #907500)
-       [stretch] - qemu <no-dsa> (Minor issue; Only enabled by default later, 
but supported)
+       - qemu 1:3.1+dfsg-1 (low; bug #907500)
+       [stretch] - qemu <ignored> (Minor issue, too risky to backport, not 
enabled by default)
        [jessie] - qemu <no-dsa> (Minor issue; Only enabled by default later, 
but supported)
        - qemu-kvm <removed>
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg02289.html
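Review bot: for CVE-2018-15746 the stretch line now reads <ignored> with "not enabled by default", while the unchanged jessie line still reads <no-dsa> with "Only enabled by default later, but supported". The two reasons now describe the same code differently; if the reassessment also applies to jessie, update that line, otherwise add a NOTE explaining why the releases differ.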
@@ -31374,7 +31417,8 @@ CVE-2018-15588 (MailMate before 1.11.3 mishandles a 
suspicious HTML/MIME structu
 CVE-2018-15587 (GNOME Evolution through 3.28.2 is prone to OpenPGP signatures 
being ...)
        - evolution <unfixed>
        NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=796424
-       TODO: check
+       NOTE: 
https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21
+       NOTE: 
https://gitlab.gnome.org/GNOME/evolution/commit/f66cd3e1db301d264563b4222a3574e2e58e2b85
 CVE-2018-15586 (Enigmail before 2.0.6 is prone to to OpenPGP signatures being 
spoofed ...)
        - enigmail 2:2.0.6.1-2
        [jessie] - enigmail <end-of-life> (see 
https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html)
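Review bot: "TODO: check" is removed for CVE-2018-15587 and two upstream commits are referenced, but the entry still consists only of "- evolution <unfixed>" with no urgency and no [stretch] line, so the stretch decision this commit is about is not recorded. Add the [stretch] status, or keep a TODO if the check is not finished.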
@@ -98195,13 +98239,20 @@ CVE-2017-9504
        REJECTED
 CVE-2017-9503 (QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 
Host ...)
        {DLA-1497-1}
-       - qemu 1:2.10.0-1 (bug #865754)
-       [stretch] - qemu <no-dsa> (Minor issue, can be included in future 
update)
+       - qemu 1:2.10.0-1 (low; bug #865754)
+       [stretch] - qemu <ignored> (Minor issue, too intrusive to backport)
        [wheezy] - qemu <not-affected> (Vulnerable code not present)
        - qemu-kvm <removed>
        [wheezy] - qemu-kvm <not-affected> (Vulnerable code not present)
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg01313.html
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg01309.html
+       NOTE: 
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=87e459a810d7b1ec1638085b5a80ea3d9b43119a
+       NOTE: 
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=b356807fcdfc45583c437f761fc579ab2a8eab11
+       NOTE: 
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=36c327a69d723571f02a7691631667cdb1865ee1
+       NOTE: 
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=5104fac8539eaf155fc6de93e164be43e1e62242
+       NOTE: 
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=24c0c77af515acbf0f9705e8096f33ef24d37430
+       NOTE: 
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=134550bf81a026e18cf58b81e2c2cceaf516f92e
+       NOTE: 
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=660174fc1b346803b3f1d7c260e2a36329b66435
 CVE-2017-9502 (In curl before 7.54.1 on Windows and DOS, libcurl's default 
protocol ...)
        - curl <not-affected> (Windows only)
 CVE-2017-9501 (In ImageMagick 7.0.5-7 Q16, an assertion failure was found in 
the ...)
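Review bot: the seven NOTE lines added for CVE-2017-9503 are bare gitweb URLs, so the entry does not say whether they are the fix series behind the new "too intrusive to backport" reason. A short leading NOTE stating what the list is, and in which order the commits apply, would let a reader verify the <ignored> decision.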


=====================================
data/dsa-needed.txt
=====================================
@@ -59,6 +59,8 @@ passenger
 rdesktop
   Maintainer will prepare an update
 --
+runc
+--
 simplesamlphp
 --
 smarty3



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/882875a5757496f52fbffdc1000da8894f47bae9
