Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: e7d70537 by Moritz Muehlenhoff at 2019-04-21T20:39:39Z buster triage - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -1554,7 +1554,9 @@ CVE-2019-10742 CVE-2019-10741 (K-9 Mail v5.600 can include the original quoted HTML code of a special ...) NOT-FOR-US: K-9 Mail CVE-2019-10740 (In Roundcube Webmail 1.3.4, an attacker in possession of S/MIME or PGP ...) - - roundcube <unfixed> + - roundcube <unfixed> (bug #927713) + [buster] - roundcube <postponed> (Revisit when fixed upstream) + [stretch] - roundcube <postponed> (Revisit when fixed upstream) NOTE: https://github.com/roundcube/roundcubemail/issues/6638 CVE-2019-10739 RESERVED @@ -3174,7 +3176,7 @@ CVE-2019-10046 CVE-2019-10045 RESERVED CVE-2019-10044 (Telegram Desktop before 1.5.12 on Windows, and the Telegram applicatio ...) - - telegram-desktop <unfixed> + - telegram-desktop <unfixed> (bug #927711) NOTE: https://github.com/blazeinfosec/advisories/blob/master/telegram-advisory.txt CVE-2019-10043 RESERVED @@ -4635,6 +4637,7 @@ CVE-2019-9752 (An issue was discovered in Open Ticket Request System (OTRS) 5.x NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/d4e3dfbaa054762b29df54705aa412685dd37e15 CVE-2019-9751 (An issue was discovered in Open Ticket Request System (OTRS) 6.x befor ...) - otrs2 6.0.17-1 + [buster] - otrs2 <no-dsa> (Non-free not supported) [stretch] - otrs2 <no-dsa> (Non-free not supported) [jessie] - otrs2 <not-affected> (Vulnerable code not present) NOTE: https://community.otrs.com/security-advisory-2019-02-security-update-for-otrs-framework 
@@ -18493,7 +18496,7 @@ CVE-2019-3886 (An incorrect permissions check was discovered in libvirt 4.8.0 an NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=2a07c990bd9143d7a0fe8d1b6b7c763c52185240 NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=ae076bb40e0e150aef41361b64001138d04d6c60 CVE-2019-3885 (A use-after-free flaw was found in pacemaker up to and including versi ...) - - pacemaker <unfixed> + - pacemaker <unfixed> (bug #927714) NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1 CVE-2019-3884 RESERVED @@ -29943,14 +29946,14 @@ CVE-2018-19417 (An issue was discovered in the MQTT server in Contiki-NG before NOT-FOR-US: Contiki-NG CVE-2018-19517 (An issue was discovered in sysstat 12.1.1. The remap_struct function i ...) [experimental] - sysstat 12.0.3-1 - - sysstat <unfixed> (low; bug #914553) + - sysstat 12.0.3-2 (low; bug #914553) [stretch] - sysstat <not-affected> (Vulnerable code introduced later) [jessie] - sysstat <not-affected> (Vulnerable code introduced later) NOTE: https://github.com/sysstat/sysstat/issues/199 NOTE: Fixed by: https://github.com/sysstat/sysstat/commit/fbc691eaaa10d0bcea6741d5a223dc3906106548 CVE-2018-19416 (An issue was discovered in sysstat 12.1.1. The remap_struct function i ...) [experimental] - sysstat 12.0.3-1 - - sysstat <unfixed> (low; bug #914384) + - sysstat 12.0.3-2 (low; bug #914384) [stretch] - sysstat <not-affected> (Vulnerable code introduced later) [jessie] - sysstat <not-affected> (vulnerable code was introduced later) NOTE: https://github.com/sysstat/sysstat/issues/196 
@@ -36871,10 +36874,10 @@ CVE-2018-16880 (A flaw was found in the Linux kernel's handle_rx() function in t CVE-2018-16879 (Ansible Tower before version 3.3.3 does not set a secure channel as it ...) NOT-FOR-US: Ansible Tower CVE-2018-16878 (A flaw was found in pacemaker up to and including version 2.0.1. An in ...) - - pacemaker <unfixed> + - pacemaker <unfixed> (bug #927714) NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1 CVE-2018-16877 (A flaw was found in the way pacemaker's client-server authentication w ...) - - pacemaker <unfixed> + - pacemaker <unfixed> (bug #927714) NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1 CVE-2018-16876 (ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a infor ...) {DSA-4396-1} @@ -52912,6 +52915,7 @@ CVE-2018-10894 (It was found that SAML authentication in Keycloak 3.4.3.Final in NOT-FOR-US: Keycloak CVE-2018-10893 (Multiple integer overflow and buffer overflow issues were discovered i ...) - spice-gtk <unfixed> (bug #904161) + [buster] - spice-gtk <no-dsa> (Minor issue) [stretch] - spice-gtk <no-dsa> (Minor issue) [jessie] - spice-gtk <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1598234 @@ -81098,7 +81102,7 @@ CVE-2018-1110 [Improper Input Validation] NOTE: http://www.openwall.com/lists/oss-security/2018/04/23/2 CVE-2018-1109 RESERVED - - node-braces <unfixed> + - node-braces <unfixed> (bug #927716) [stretch] - node-braces <ignored> (Nodejs in stretch not covered by security support) NOTE: https://snyk.io/vuln/npm:braces:20180219 NOTE: https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451 
@@ -87248,7 +87252,7 @@ CVE-2017-16121 (datachannel-client is a signaling implementation for DataChannel CVE-2017-16120 (liyujing is a static file server. liyujing is vulnerable to a director ...) NOT-FOR-US: liyujing CVE-2017-16119 (Fresh is a module used by the Express.js framework for HTTP response f ...) - - node-fresh <unfixed> + - node-fresh <unfixed> (bug #927715) [stretch] - node-braces <ignored> (Nodejs in stretch not covered by security support) NOTE: https://nodesecurity.io/advisories/526 CVE-2017-16118 (The forwarded module is used by the Express.js framework to handle the ...) @@ -87443,7 +87447,7 @@ CVE-2017-16028 (react-native-meteor-oauth is a library for Oauth2 login to a Met CVE-2017-16027 RESERVED CVE-2017-16026 (Request is an http client. If a request is made using ```multipart```, ...) - - node-request <unfixed> (bug #901708) + - node-request 2.88.1-1 (bug #901708) [stretch] - node-request <ignored> (Nodejs in stretch not covered by security support) NOTE: https://github.com/request/request/issues/1904 NOTE: https://nodesecurity.io/advisories/309 @@ -108813,6 +108817,7 @@ CVE-2017-9116 (In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress fun NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9115 (In OpenEXR 2.2.0, an invalid write of size 2 in the = operator functio ...) - openexr <unfixed> (bug #873885) + [buster] - openexr <no-dsa> (Minor issue) [stretch] - openexr <no-dsa> (Minor issue) [jessie] - openexr <no-dsa> (Minor issue) [wheezy] - openexr <no-dsa> (Minor issue) 
@@ -108820,6 +108825,7 @@ CVE-2017-9115 (In OpenEXR 2.2.0, an invalid write of size 2 in the = operator fu NOTE: https://github.com/openexr/openexr/issues/232 CVE-2017-9114 (In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ...) - openexr <unfixed> (bug #873885) + [buster] - openexr <no-dsa> (Minor issue) [stretch] - openexr <no-dsa> (Minor issue) [jessie] - openexr <no-dsa> (Minor issue) [wheezy] - openexr <no-dsa> (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e7d70537a49b4f0a6c19b211cd359614e4fd8a10
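Review bot: In the CVE-2017-16119 hunk (@@ -87248,7 +87252,7 @@), the context line directly under the changed node-fresh entry reads `[stretch] - node-braces <ignored> (Nodejs in stretch not covered by security support)`, which names node-braces under a node-fresh CVE. The identical line appears under CVE-2018-1109 in the @@ -81098,7 +81102,7 @@ hunk, where node-braces is the right package, so this one looks copied from there. Since the commit touches this entry anyway, change the stretch line to `[stretch] - node-fresh <ignored> (Nodejs in stretch not covered by security support)`; as written, the stretch status is attached to a package this CVE does not otherwise list and node-fresh carries no stretch annotation.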
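Review bot: Style point in the sysstat hunk (@@ -29943,14 +29946,14 @@): under CVE-2018-19416 the jessie line reads `(vulnerable code was introduced later)`, while the stretch line of the same entry and both suite lines under CVE-2018-19517 read `(Vulnerable code introduced later)`. Both entries are being edited here to record 12.0.3-2 as the fixed version, so it would be a good moment to normalize the jessie comment to the wording used on the other three lines.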