Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
87322fcf by Ola Lundqvist at 2020-01-19T22:12:38+01:00
Concluded that the mentioned code is in place for jessie but the vulnerability 
is minor. It is possible to execute an arbitrary arithmetic expression but not 
an arbitrary expression.

- - - - -
5051c52b by Ola Lundqvist at 2020-01-19T22:28:08+01:00
CVE-2019-19918 and CVE-2019-19917 are marked as no-dsa for Buster and Stretch. 
No reason to treat Jessie differently. Since there are just two CVEs for lout, 
the package is also removed from dla-needed.txt.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -7878,11 +7878,13 @@ CVE-2019-19918 (Lout 3.40 has a heap-based buffer 
overflow in the srcnext() func
        - lout <unfixed> (bug #947113)
        [buster] - lout <no-dsa> (Minor issue)
        [stretch] - lout <no-dsa> (Minor issue)
+       [jessie] - lout <ignored> (Minor issue)
        NOTE: 
https://lists.gnu.org/archive/html/lout-users/2019-12/msg00001.html
 CVE-2019-19917 (Lout 3.40 has a buffer overflow in the StringQuotedWord() 
function in  ...)
        - lout <unfixed> (bug #947113)
        [buster] - lout <no-dsa> (Minor issue)
        [stretch] - lout <no-dsa> (Minor issue)
+       [jessie] - lout <ignored> (Minor issue)
        NOTE: 
https://lists.gnu.org/archive/html/lout-users/2019-12/msg00002.html
 CVE-2020-3939
        RESERVED
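Review bot: the two added `[jessie] - lout <ignored> (Minor issue)` lines use a different tag from the sibling `[buster]` and `[stretch]` lines, which are `<no-dsa>`, while the commit message says there is no reason to treat jessie differently; in the tracker `<no-dsa>` records that the issue may still be fixed later (for example alongside another update of the package), whereas `<ignored>` records that it will not be fixed in that suite at all, so if the intent is parity with stretch and buster, use `<no-dsa>` here too, or add the reason jessie gets `<ignored>` to the parenthesised comment.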
@@ -29598,7 +29600,10 @@ CVE-2019-14869 (A flaw was found in all versions of 
ghostscript 9.x before 9.50,
 CVE-2019-14868 [environment variables on startup are interpreted as arithmetic 
expression leading to code injection]
        RESERVED
        - ksh 2020.0.0-2.1 (bug #948989)
+       [jessie] - ksh <ignored> (Minor issue)
        NOTE: 
https://github.com/att/ast/commit/c7de8b641266bac7c77942239ac659edfee9ecd2
+       NOTE: It is possible to execute arbitrary arithmetic expression but not 
arbitrary expression. Jessie
+       NOTE: and buster tested so far. (opal) Due to this marked as minor 
issue for jessie.
 CVE-2019-14867 (A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 
4.7.x ve ...)
        - freeipa 4.8.3-1
        [buster] - freeipa <no-dsa> (Minor issue; can be fixed via point 
release)
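Review bot: the added NOTE lines narrow the impact to "arbitrary arithmetic expression but not arbitrary expression", but the entry's own title still reads "leading to code injection", and the note only says jessie and buster were "tested so far"; a later reader cannot tell whether that bound was confirmed against the jessie ksh source or observed from a single test, so record what was tested (suite, package version, method) next to the conclusion, and put the `(opal)` sign-off at the end of the last NOTE line rather than mid-sentence. Also, the entry has no `[buster]` or `[stretch]` line, so if buster was tested and found affected, the same "minor issue" reasoning should be reflected in a buster status rather than left implicit.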


=====================================
data/dla-needed.txt
=====================================
@@ -40,10 +40,6 @@ ibus
 jackson-databind
   NOTE: 20200105: Can be postponed again. (apo)
 --
-ksh
-  NOTE: 20200118: Upstream patch doesn't apply at all, but not clear if
-  NOTE: 20200118: or not. Thus, deeper triaging required. (sunweaver)
---
 libexif (Hugo Lefeuvre)
   NOTE: 20191111: Contacted upstream for relevant commits of CVE-2019-9278. 
(utkarsh2102)
   NOTE: 20191114: Pinged upstream; just have the Android patch yet. 
(utkarsh2102)
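Review bot: removing the ksh item drops the only record that the upstream patch linked from the CVE-2019-14868 entry "doesn't apply at all" to jessie's ksh, and the 20200118 note being removed still asked for deeper triage; since the CVE-2019-14868 entry now only carries the "minor issue" conclusion, move the patch-does-not-apply observation into a NOTE on that entry so the next triager does not have to rediscover why no backport was attempted.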
@@ -75,15 +71,6 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
-lout
-  NOTE: 20191221: Package is orphaned and has similar version in unstable.
-  NOTE: 20191221: Upstream maintenance may have ceased to exist, too.
-  NOTE: 20191221: If we fix it in jessie LTS, we should als NMU those fixes
-  NOTE: 20191221: to unstable. (sunweaver)
-  NOTE: 20191221: 
https://lists.gnu.org/archive/html/lout-users/2019-12/msg00005.html
-  NOTE: 20191221: (-> at least someone is still active on lout, providing some
-  NOTE: 20191221: patches, not related to the open CVEs, though)
---
 nss (Markus Koschany)
 --
 opendmarc (Thorsten Alteholz)
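Review bot: the removed lout notes record that the package is orphaned, that a similar version sits in unstable, that any jessie fix should be NMUed to unstable, and that someone upstream is still providing patches; none of that survives in the CVE-2019-19918 and CVE-2019-19917 entries, which remain `<unfixed>` against bug #947113, so carry the orphaned/NMU observation and the lout-users msg00005 link into a NOTE on those two entries before dropping the dla-needed item, otherwise whoever picks up #947113 has to reconstruct the maintenance situation from scratch.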



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/b25c30c0a23f30d378c1e31169ebf8005c207ced...5051c52bfa35dac18e7e96145af84a0fc6965602



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
