Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e7d70537 by Moritz Muehlenhoff at 2019-04-21T20:39:39Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1554,7 +1554,9 @@ CVE-2019-10742
 CVE-2019-10741 (K-9 Mail v5.600 can include the original quoted HTML code of a 
special ...)
        NOT-FOR-US: K-9 Mail
 CVE-2019-10740 (In Roundcube Webmail 1.3.4, an attacker in possession of 
S/MIME or PGP ...)
-       - roundcube <unfixed>
+       - roundcube <unfixed> (bug #927713)
+       [buster] - roundcube <postponed> (Revisit when fixed upstream)
+       [stretch] - roundcube <postponed> (Revisit when fixed upstream)
        NOTE: https://github.com/roundcube/roundcubemail/issues/6638
 CVE-2019-10739
        RESERVED
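Review bot: the added [stretch] line under CVE-2019-10740 goes beyond what the commit subject "buster triage" says. Either mention the stretch postponement in the commit message or split it out, so the stretch decision can be found in the history later. The reason "Revisit when fixed upstream" would also be easier to act on if it pointed at the upstream issue already linked in the NOTE line.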
@@ -3174,7 +3176,7 @@ CVE-2019-10046
 CVE-2019-10045
        RESERVED
 CVE-2019-10044 (Telegram Desktop before 1.5.12 on Windows, and the Telegram 
applicatio ...)
-       - telegram-desktop <unfixed>
+       - telegram-desktop <unfixed> (bug #927711)
        NOTE: 
https://github.com/blazeinfosec/advisories/blob/master/telegram-advisory.txt
 CVE-2019-10043
        RESERVED
@@ -4635,6 +4637,7 @@ CVE-2019-9752 (An issue was discovered in Open Ticket 
Request System (OTRS) 5.x
        NOTE: OTRS 5: 
https://github.com/OTRS/otrs/commit/d4e3dfbaa054762b29df54705aa412685dd37e15
 CVE-2019-9751 (An issue was discovered in Open Ticket Request System (OTRS) 
6.x befor ...)
        - otrs2 6.0.17-1
+       [buster] - otrs2 <no-dsa> (Non-free not supported)
        [stretch] - otrs2 <no-dsa> (Non-free not supported)
        [jessie] - otrs2 <not-affected> (Vulnerable code not present)
        NOTE: 
https://community.otrs.com/security-advisory-2019-02-security-update-for-otrs-framework
@@ -18493,7 +18496,7 @@ CVE-2019-3886 (An incorrect permissions check was 
discovered in libvirt 4.8.0 an
        NOTE: Fixed by: 
https://libvirt.org/git/?p=libvirt.git;a=commit;h=2a07c990bd9143d7a0fe8d1b6b7c763c52185240
        NOTE: Fixed by: 
https://libvirt.org/git/?p=libvirt.git;a=commit;h=ae076bb40e0e150aef41361b64001138d04d6c60
 CVE-2019-3885 (A use-after-free flaw was found in pacemaker up to and 
including versi ...)
-       - pacemaker <unfixed>
+       - pacemaker <unfixed> (bug #927714)
        NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
 CVE-2019-3884
        RESERVED
@@ -29943,14 +29946,14 @@ CVE-2018-19417 (An issue was discovered in the MQTT 
server in Contiki-NG before
        NOT-FOR-US: Contiki-NG
 CVE-2018-19517 (An issue was discovered in sysstat 12.1.1. The remap_struct 
function i ...)
        [experimental] - sysstat 12.0.3-1
-       - sysstat <unfixed> (low; bug #914553)
+       - sysstat 12.0.3-2 (low; bug #914553)
        [stretch] - sysstat <not-affected> (Vulnerable code introduced later)
        [jessie] - sysstat <not-affected> (Vulnerable code introduced later)
        NOTE: https://github.com/sysstat/sysstat/issues/199
        NOTE: Fixed by: 
https://github.com/sysstat/sysstat/commit/fbc691eaaa10d0bcea6741d5a223dc3906106548
 CVE-2018-19416 (An issue was discovered in sysstat 12.1.1. The remap_struct 
function i ...)
        [experimental] - sysstat 12.0.3-1
-       - sysstat <unfixed> (low; bug #914384)
+       - sysstat 12.0.3-2 (low; bug #914384)
        [stretch] - sysstat <not-affected> (Vulnerable code introduced later)
        [jessie] - sysstat <not-affected> (vulnerable code was introduced later)
        NOTE: https://github.com/sysstat/sysstat/issues/196
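Review bot: in the CVE-2018-19416 entry the [jessie] reason reads "vulnerable code was introduced later", while the [stretch] line and both lines of CVE-2018-19517 use "Vulnerable code introduced later". Since this hunk already edits both entries, normalise the wording so that searches on the reason string match all four lines. The context shown for CVE-2018-19416 also has no "Fixed by:" NOTE like the one on CVE-2018-19517; if none follows further down, add the upstream commit now that the entry is marked fixed in 12.0.3-2.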
@@ -36871,10 +36874,10 @@ CVE-2018-16880 (A flaw was found in the Linux 
kernel's handle_rx() function in t
 CVE-2018-16879 (Ansible Tower before version 3.3.3 does not set a secure 
channel as it ...)
        NOT-FOR-US: Ansible Tower
 CVE-2018-16878 (A flaw was found in pacemaker up to and including version 
2.0.1. An in ...)
-       - pacemaker <unfixed>
+       - pacemaker <unfixed> (bug #927714)
        NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
 CVE-2018-16877 (A flaw was found in the way pacemaker's client-server 
authentication w ...)
-       - pacemaker <unfixed>
+       - pacemaker <unfixed> (bug #927714)
        NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
 CVE-2018-16876 (ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to 
a infor ...)
        {DSA-4396-1}
@@ -52912,6 +52915,7 @@ CVE-2018-10894 (It was found that SAML authentication 
in Keycloak 3.4.3.Final in
        NOT-FOR-US: Keycloak
 CVE-2018-10893 (Multiple integer overflow and buffer overflow issues were 
discovered i ...)
        - spice-gtk <unfixed> (bug #904161)
+       [buster] - spice-gtk <no-dsa> (Minor issue)
        [stretch] - spice-gtk <no-dsa> (Minor issue)
        [jessie] - spice-gtk <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1598234
@@ -81098,7 +81102,7 @@ CVE-2018-1110 [Improper Input Validation]
        NOTE: http://www.openwall.com/lists/oss-security/2018/04/23/2
 CVE-2018-1109
        RESERVED
-       - node-braces <unfixed>
+       - node-braces <unfixed> (bug #927716)
        [stretch] - node-braces <ignored> (Nodejs in stretch not covered by 
security support)
        NOTE: https://snyk.io/vuln/npm:braces:20180219
        NOTE: 
https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
@@ -87248,7 +87252,7 @@ CVE-2017-16121 (datachannel-client is a signaling 
implementation for DataChannel
 CVE-2017-16120 (liyujing is a static file server. liyujing is vulnerable to a 
director ...)
        NOT-FOR-US: liyujing
 CVE-2017-16119 (Fresh is a module used by the Express.js framework for HTTP 
response f ...)
-       - node-fresh <unfixed>
+       - node-fresh <unfixed> (bug #927715)
        [stretch] - node-braces <ignored> (Nodejs in stretch not covered by 
security support)
        NOTE: https://nodesecurity.io/advisories/526
 CVE-2017-16118 (The forwarded module is used by the Express.js framework to 
handle the ...)
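Review bot: in the CVE-2017-16119 entry, the [stretch] line directly below the changed line names node-braces, but the unstable line being edited here is for node-fresh. This looks like a copy from the CVE-2018-1109 entry. While touching the entry, change it to "[stretch] - node-fresh <ignored> (...)" so the stretch status is recorded against the right source package.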
@@ -87443,7 +87447,7 @@ CVE-2017-16028 (react-native-meteor-oauth is a library 
for Oauth2 login to a Met
 CVE-2017-16027
        RESERVED
 CVE-2017-16026 (Request is an http client. If a request is made using 
```multipart```, ...)
-       - node-request <unfixed> (bug #901708)
+       - node-request 2.88.1-1 (bug #901708)
        [stretch] - node-request <ignored> (Nodejs in stretch not covered by 
security support)
        NOTE: https://github.com/request/request/issues/1904
        NOTE: https://nodesecurity.io/advisories/309
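Review bot: the node-request line for CVE-2017-16026 moves from <unfixed> to 2.88.1-1, but the NOTE lines visible in this hunk link only the upstream issue and the advisory. A "Fixed by:" NOTE with the upstream commit would document why 2.88.1-1 is considered fixed and lets others verify the version.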
@@ -108813,6 +108817,7 @@ CVE-2017-9116 (In OpenEXR 2.2.0, an invalid read of 
size 1 in the uncompress fun
        NOTE: https://github.com/openexr/openexr/issues/232
 CVE-2017-9115 (In OpenEXR 2.2.0, an invalid write of size 2 in the = operator 
functio ...)
        - openexr <unfixed> (bug #873885)
+       [buster] - openexr <no-dsa> (Minor issue)
        [stretch] - openexr <no-dsa> (Minor issue)
        [jessie] - openexr <no-dsa> (Minor issue)
        [wheezy] - openexr <no-dsa> (Minor issue)
@@ -108820,6 +108825,7 @@ CVE-2017-9115 (In OpenEXR 2.2.0, an invalid write of 
size 2 in the = operator fu
        NOTE: https://github.com/openexr/openexr/issues/232
 CVE-2017-9114 (In OpenEXR 2.2.0, an invalid read of size 1 in the refill 
function in  ...)
        - openexr <unfixed> (bug #873885)
+       [buster] - openexr <no-dsa> (Minor issue)
        [stretch] - openexr <no-dsa> (Minor issue)
        [jessie] - openexr <no-dsa> (Minor issue)
        [wheezy] - openexr <no-dsa> (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/e7d70537a49b4f0a6c19b211cd359614e4fd8a10
