Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
139a2cbf by Moritz Muehlenhoff at 2019-02-26T21:49:40Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -115,11 +115,9 @@ CVE-2019-9153
 CVE-2019-9152 (An issue was discovered in the HDF HDF5 1.10.4 library. There 
is an out ...)
        - hdf5 <undetermined>
        NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul8
-       TODO: check
 CVE-2019-9151 (An issue was discovered in the HDF HDF5 1.10.4 library. There 
is an out ...)
        - hdf5 <undetermined>
        NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul7
-       TODO: check
 CVE-2019-9150
        RESERVED
 CVE-2019-9149
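
Review bot: with TODO: check dropped from CVE-2019-9152 and CVE-2019-9151, both entries are left as `- hdf5 <undetermined>` with only a NOTE pointing at the reporter's repository, so nothing records what is still needed to decide them. Consider a NOTE line stating what is missing (for example that no upstream report or fix is referenced yet), so the entries are not mistaken for finished triage.
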
@@ -1827,15 +1825,12 @@ CVE-2019-8399
 CVE-2019-8398 (An issue was discovered in the HDF HDF5 1.10.4 library. There 
is an out ...)
        - hdf5 <undetermined>
        NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul6
-       TODO: check
 CVE-2019-8397 (An issue was discovered in the HDF HDF5 1.10.4 library. There 
is an out ...)
        - hdf5 <undetermined>
        NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul5
-       TODO: check
 CVE-2019-8396 (A buffer overflow in H5O__layout_encode in H5Olayout.c in the 
HDF HDF5 ...)
        - hdf5 <undetermined>
        NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul4
-       TODO: check
 CVE-2019-8395 (An Insecure Direct Object Reference (IDOR) vulnerability exists 
in Zoho ...)
        NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus
 CVE-2019-8394 (Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 
10012 allows ...)
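
Review bot: CVE-2019-8396 names a concrete location (H5O__layout_encode in H5Olayout.c), yet once its TODO: check is removed it is left with the same `- hdf5 <undetermined>` as CVE-2019-8398 and CVE-2019-8397. If that function was checked against the packaged source, record the outcome in a NOTE; if not, the check that the removed TODO was tracking is still open.
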
@@ -20084,6 +20079,7 @@ CVE-2018-19609 (ShowDoc 2.4.1 allows remote attackers 
to obtain sensitive inform
        NOT-FOR-US: ShowDoc
 CVE-2018-19608 (Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 
allows a ...)
        - mbedtls 2.14.1-1 (bug #915796)
+       [stretch] - mbedtls <no-dsa> (Minor issue)
        - polarssl <removed>
        NOTE: http://cat.eyalro.net/
        NOTE: 
https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released
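
Review bot: the added `[stretch] - mbedtls <no-dsa> (Minor issue)` line gives no reason specific to this CVE, while the NOTE below it shows upstream released fixes on three branches (2.14.1, 2.7.8 and 2.1.17). Suggest stating in the parenthetical why the issue is minor for stretch, so the decision can be re-checked later.
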
@@ -33057,6 +33053,7 @@ CVE-2018-15757
        REJECTED
 CVE-2018-15756 (Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, 
...)
        - libspring-java 4.3.21-1 (bug #911786)
+       [stretch] - libspring-java <no-dsa> (Minor issue)
        [jessie] - libspring-java <not-affected> (vulnerable code introduced in 
later version)
        NOTE: https://pivotal.io/security/cve-2018-15756
 CVE-2018-15755 (Cloud Foundry CF Networking Release, versions 2.11.0 prior to 
2.16.0, ...)
@@ -45472,10 +45469,12 @@ CVE-2018-11041 (Cloud Foundry UAA, versions later 
than 4.6.0 and prior to 4.19.0
        NOT-FOR-US: Cloud Foundry
 CVE-2018-11040 (Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x 
prior to ...)
        - libspring-java 4.3.19-1
+       [stretch] - libspring-java <no-dsa> (Minor issue)
        [jessie] - libspring-java <no-dsa> (unable to find relevant commits)
        NOTE: https://pivotal.io/security/cve-2018-11040
 CVE-2018-11039 (Spring Framework (versions 5.0.x prior to 5.0.7, versions 
4.3.x prior ...)
        - libspring-java 4.3.19-1
+       [stretch] - libspring-java <no-dsa> (Minor issue)
        [jessie] - libspring-java <no-dsa> (Minor issue)
        NOTE: https://pivotal.io/security/cve-2018-11039
 CVE-2017-18270 (In the Linux kernel before 4.13.5, a local user could create 
keyrings ...)
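
Review bot: for CVE-2018-11040 the jessie line directly below the added stretch line reads `<no-dsa> (unable to find relevant commits)`, whereas stretch gets `(Minor issue)`, so the same CVE carries two different kinds of justification. If the fixing commits are also unknown for stretch, say so on the stretch line; if they have since been identified, a NOTE with the commit reference would serve both entries.
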
@@ -73518,6 +73517,7 @@ CVE-2018-1273 (Spring Data Commons, versions prior to 
1.13 to 1.13.10, 2.0 to 2.
        NOT-FOR-US: Spring Data Commons
 CVE-2018-1272 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 
prior ...)
        - libspring-java 4.3.19-1 (bug #895114)
+       [stretch] - libspring-java <no-dsa> (Minor issue)
        [jessie] - libspring-java <not-affected> (vulnerable code not found)
        [wheezy] - libspring-java <not-affected> (Vulnerable broker code 
introduced in various commits re. 
https://github.com/spring-projects/spring-framework/blame/0009806debb578e884f6dc98bd1f2dc668020021/spring-messaging/src/main/java/org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.java)
        NOTE: https://pivotal.io/security/cve-2018-1272
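
Review bot: the added `[stretch] - libspring-java <no-dsa> (Minor issue)` for CVE-2018-1272 implies that stretch carries the vulnerable code, but the neighbouring jessie and wheezy lines are `<not-affected>` because the code was not found or was introduced later. Nothing here records that the stretch version was checked for the broker code; a short NOTE confirming it would justify no-dsa rather than not-affected.
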
@@ -73526,6 +73526,7 @@ CVE-2018-1271 (Spring Framework, versions 5.0 prior to 
5.0.5 and versions 4.3 pr
        NOTE: https://pivotal.io/security/cve-2018-1271
 CVE-2018-1270 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 
prior ...)
        - libspring-java 4.3.19-1 (bug #895114)
+       [stretch] - libspring-java <no-dsa> (Minor issue)
        [jessie] - libspring-java <not-affected> (vulnerable code not found)
        [wheezy] - libspring-java <not-affected> (Vulnerable broker code 
introduced in various commits re. 
https://github.com/spring-projects/spring-framework/blame/0009806debb578e884f6dc98bd1f2dc668020021/spring-messaging/src/main/java/org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.java)
        NOTE: https://pivotal.io/security/cve-2018-1270
@@ -73677,6 +73678,7 @@ CVE-2018-1200 (Apps Manager for PCF (Pivotal 
Application Service 1.11.x before .
        NOT-FOR-US: Pivotal
 CVE-2018-1199 (Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x 
before ...)
        - libspring-java 4.3.14-1 (bug #890001)
+       [stretch] - libspring-java <no-dsa> (Minor issue)
        [wheezy] - libspring-java <ignored> (Too intrusive to fix by upgrade)
        [jessie] - libspring-java <no-dsa> (fix for spring-security available 
but not for springframework)
        - libspring-security-java <itp> (bug #582181)
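
Review bot: CVE-2018-1199 is described as a Spring Security issue and the jessie line already records `fix for spring-security available but not for springframework`, yet the added stretch line says only `(Minor issue)`. If the jessie reasoning is the actual reason no update is planned for stretch, reuse or reference it on the stretch line.
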


=====================================
data/dsa-needed.txt
=====================================
@@ -30,16 +30,12 @@ libidn
 libpng1.6
   wait for final patch
 --
-libspring-java
---
 linux
   Wait until more issues have piled up
 --
 mariadb-10.1
   
https://alioth-lists.debian.net/pipermail/pkg-mysql-maint/2019-February/012771.html
 --
-mbedtls
---
 mercurial
 
 mumble
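
Review bot: dropping libspring-java and mbedtls from dsa-needed.txt matches the no-dsa lines added in data/CVE/list, but for mbedtls this commit marks only CVE-2018-19608, and the removed entry carried no note saying which issues it was waiting on. Worth confirming that no other open stretch issue was the reason mbedtls was listed.
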
@@ -55,6 +51,8 @@ openjpeg2 (luciano)
 --
 passenger
 --
+php7.0 (jmm)
+--
 runc
 --
 simplesamlphp
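
Review bot: the new `php7.0 (jmm)` entry has no note line, unlike entries such as libpng1.6 (`wait for final patch`), and nothing in the data/CVE/list part of this commit touches php7.0, so the reason for the entry is not visible here. A one-line note naming the issues the update is meant to cover would make it self-explanatory.
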



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/139a2cbf8955aed5411a088dab2834dbe084ca68
