Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 4856645b by Moritz Muehlenhoff at 2020-06-15T22:15:18+02:00 buster/stretch triage new kfreebsd issue - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -780,7 +780,9 @@ CVE-2020-13819 CVE-2020-13818 (In Zoho ManageEngine OpManager before 125144, when <cachestart> ...) NOT-FOR-US: Zoho ManageEngine OpManager CVE-2020-13817 (ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote att ...) - - ntp 1:4.2.8p14+dfsg-1 + - ntp 1:4.2.8p14+dfsg-1 (low) + [buster] - ntp <ignored> (Minor issue) + [stretch] - ntp <ignored> (Minor issue) [jessie] - ntp <ignored> (Too intrusive to backport, requires new configuration) NOTE: http://support.ntp.org/bin/view/Main/NtpBug3596 NOTE: https://bugs.ntp.org/show_bug.cgi?id=3596 @@ -931,6 +933,8 @@ CVE-2020-13791 (hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an o NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00831.html CVE-2020-13790 (libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-r ...) - libjpeg-turbo <unfixed> (bug #962829) + [buster] - libjpeg-turbo <no-dsa> (Minor issue) + [stretch] - libjpeg-turbo <no-dsa> (Minor issue) [jessie] - libjpeg-turbo <ignored> (No package in Debian jessie uses the TurboJPEG API) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/1bfb0b5247f4fc8f6677639781ce468543490216 (1.5.x) 
@@ -1032,6 +1036,8 @@ CVE-2020-13758 (modules/security/classes/general.post_filter.php/post_filter.php NOT-FOR-US: Bitrix24 CVE-2020-13757 (Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ...) - python-rsa <unfixed> (bug #962142) + [buster] - python-rsa <no-dsa> (Minor issue) + [stretch] - python-rsa <no-dsa> (Minor issue) [jessie] - python-rsa <no-dsa> (No reverse dependencies) NOTE: https://github.com/sybrenstuvel/python-rsa/issues/146 CVE-2020-13756 (Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data ...) @@ -1160,6 +1166,7 @@ CVE-2020-13697 CVE-2020-13696 (An issue was discovered in LinuxTV xawtv before 3.107. The function de ...) {DLA-2246-1} - xawtv <unfixed> (bug #962221) + [stretch] - xawtv <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/6 NOTE: Fixed by: https://git.linuxtv.org/xawtv3.git/commit/?id=31f31f9cbaee7be806cba38e0ff5431bd44b20a3 NOTE: Fixed by: https://git.linuxtv.org/xawtv3.git/commit/?id=36dc44e68e5886339b4a0fbe3f404fb1a4fd2292 @@ -1241,6 +1248,8 @@ CVE-2020-13660 (CMS Made Simple through 2.2.14 allows XSS via a crafted File Pic NOT-FOR-US: CMS Made Simple CVE-2020-13659 (address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer d ...) - qemu <unfixed> + [buster] - qemu <postponed> (Minor issue) + [stretch] - qemu <postponed> (Minor issue) NOTE: https://bugs.launchpad.net/qemu/+bug/1878259 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg07313.html CVE-2020-13658 
@@ -4120,7 +4129,9 @@ CVE-2020-12430 (An issue was discovered in qemuDomainGetStatsIOThread in qemu/qe NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1804548 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1828190 CVE-2019-20792 (OpenSC before 0.20.0 has a double free in coolkey_free_private_data be ...) - - opensc 0.20.0-1 + - opensc 0.20.0-1 (low) + [buster] - opensc <no-dsa> (Minor issue) + [stretch] - opensc <no-dsa> (Minor issue) [jessie] - opensc <postponed> (Minor issue but can be worth fixing later) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19208 NOTE: https://github.com/OpenSC/OpenSC/commit/c246f6f69a749d4f68626b40795a4f69168008f4 @@ -9837,6 +9848,7 @@ CVE-2020-10738 (A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before CVE-2020-10737 (A race condition was found in the mkhomedir tool shipped with the oddj ...) - oddjob 0.34.6-1 (bug #960089) [buster] - oddjob <no-dsa> (Minor issue) + [stretch] - oddjob <no-dsa> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1833042 NOTE: https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac CVE-2020-10736 [authorization bypass in mons & mgrs] @@ -39329,6 +39341,8 @@ CVE-2020-0199 (In TimeCheck::TimeCheckThread::threadLoop of TimeCheck.cpp, there CVE-2020-0198 (In exif_data_load_data_content of exif-data.c, there is a possible UBS ...) {DLA-2249-1} - libexif 0.6.22-2 (bug #962345) + [buster] - libexif <no-dsa> (Minor issue) + [stretch] - libexif <no-dsa> (Minor issue) NOTE: https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0 NOTE: https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c CVE-2020-0197 (In InitDataParser::parsePssh of InitDataParser.cpp, there is a possibl ...) ===================================== data/dsa-needed.txt ===================================== 
@@ -14,8 +14,12 @@ If needed, specify the release by adding a slash after the name of the source pa -- chromium -- +docker.io (jmm) +-- ffmpeg (jmm) -- +fwupd +-- jruby/oldstable -- libopenmpt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4856645bc915fd9d1adac518df0f7b55fac72e24
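Review bot: the CVE-2020-13817 hunk marks buster and stretch `<ignored>` ("+ [buster] - ntp <ignored> (Minor issue)", "+ [stretch] - ntp <ignored> (Minor issue)"), while every other "Minor issue" entry in this commit uses `<no-dsa>` or `<postponed>`. If the intent really is to never fix ntp in those releases, the rationale should say why, as the existing jessie line does ("Too intrusive to backport, requires new configuration"); otherwise `<no-dsa>` would keep the entry consistent with the rest of the triage.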
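Review bot: in the CVE-2020-13757 hunk the python-rsa entry only references the upstream issue (NOTE: https://github.com/sybrenstuvel/python-rsa/issues/146), whereas the libjpeg-turbo, xawtv, opensc and libexif entries in this same commit each carry a NOTE with the upstream fix commit. Since buster and stretch are now `<no-dsa>` and sid is still `<unfixed> (bug #962142)`, recording the fix reference here makes the entry self-contained when it is revisited for a point release.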
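Review bot: the CVE-2020-13696 hunk adds only "+ [stretch] - xawtv <no-dsa> (Minor issue)" while the sid entry remains "- xawtv <unfixed> (bug #962221)". Every other package triaged in this commit receives a matching `[buster]` line, so either add "[buster] - xawtv <no-dsa> (Minor issue)" or note why buster is not affected; as written, buster reads as still open and untriaged.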
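Review bot: in the CVE-2020-13659 hunk the sid entry "- qemu <unfixed>" has no Debian bug reference, unlike the other `<unfixed>` entries touched here (libjpeg-turbo bug #962829, python-rsa bug #962142, xawtv bug #962221). With buster and stretch now `<postponed>`, a bug number is what keeps the fix visible for the next qemu upload; file one or add it to the line if it already exists.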
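Review bot: in the data/dsa-needed.txt hunk, "+jruby/oldstable" uses a suite alias, while the CVE/list entries in this same commit identify releases by codename ([buster], [stretch], [jessie]); since the file's own instruction above the hunk asks for the release after the slash, "jruby/stretch" would stay unambiguous after the next stable release shifts the aliases. Also, "+fwupd" is added without a claimant in parentheses, unlike "+docker.io (jmm)"; fine if it is meant to be unclaimed, but worth confirming.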
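Review bot: the commit subject mentions a "new kfreebsd issue", but no kfreebsd entry appears in the diff; the data/CVE/list hunks touch ntp, libjpeg-turbo, python-rsa, xawtv, qemu, opensc, oddjob and libexif only. Either the kfreebsd addition was left out of the commit, or the subject should be reduced to the buster/stretch triage this change actually contains.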
debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits