Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2fc91a81 by Moritz Muehlenhoff at 2020-07-31T07:48:12+02:00
stable triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -459,6 +459,7 @@ CVE-2020-15948
        RESERVED
 CVE-2020-XXXX [RUSTSEC-2020-0026]
        - rust-linked-hash-map <unfixed> (bug #966246)
+       [buster] - rust-linked-hash-map <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0026.html
 CVE-2020-15947
        RESERVED
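Review bot: The new `[buster] - rust-linked-hash-map <no-dsa> (Minor issue)` line is attached to a placeholder id (`CVE-2020-XXXX [RUSTSEC-2020-0026]`), so the buster annotation has to be carried over by hand when the entry is renamed to the assigned CVE; it would be worth recording that in bug #966246, which the `<unfixed>` line already references. The rationale `Minor issue` also gives the next triager nothing to verify against: a few words on why the RUSTSEC-2020-0026 issue is considered minor for the packaged version would make the no-dsa decision self-explanatory.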
@@ -803,6 +804,7 @@ CVE-2020-15804
        RESERVED
 CVE-2020-15803 (Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 
4.4.x bef ...)
        - zabbix 1:5.0.2+dfsg-1 (bug #966146)
+       [buster] - zabbix <no-dsa> (Minor issue)
        NOTE: https://support.zabbix.com/browse/ZBX-18057
 CVE-2020-15802
        RESERVED
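Review bot: The added `[buster] - zabbix <no-dsa> (Minor issue)` line does not say which of the upstream branches named in the description (3.0.x, 4.0.x, 4.1.x through 4.4.x) the buster package belongs to, so the decision cannot be checked from the entry alone. Suggest extending the rationale with the branch and whether the fix referenced from ZBX-18057 is expected to go in via a point release, so the line reads as a triage result rather than a bare status.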
@@ -2047,8 +2049,11 @@ CVE-2020-15305 (An issue was discovered in OpenEXR 
before 2.5.2. Invalid input c
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/730
 CVE-2020-15304 (An issue was discovered in OpenEXR before 2.5.2. An invalid 
tiled inpu ...)
        - openexr <unfixed>
+       [buster] - openexr <not-affected> (Vulnerable code not present)
+       [stretch] - openexr <not-affected> (Vulnerable code not present)
        [jessie] - openexr <no-dsa> (Minor issue)
        NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/727
+       NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/36e05c14c612a89c43d4e0b013669ecd7f8e3440
 CVE-2020-15303
        RESERVED
 CVE-2020-15302 (In Argent RecoveryManager before 
0xdc350d09f71c48c5D22fBE2741e4d6A0397 ...)
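Review bot: The two new `<not-affected> (Vulnerable code not present)` lines for buster and stretch sit directly above an unchanged `[jessie] - openexr <no-dsa> (Minor issue)` line, which is inconsistent: jessie ships an older OpenEXR than stretch, so if the vulnerable tiled-input code is absent from stretch it is unlikely to be present in jessie. Either re-triage jessie to `<not-affected>` as well, or state in the rationale which upstream version introduced the code (the entry for CVE-2020-14019 further down uses the `Introduced in ...` form) so the per-suite claims can be verified against the linked upstream commit 36e05c14.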
@@ -5326,9 +5331,11 @@ CVE-2020-14020
        RESERVED
 CVE-2020-14019 (Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for 
/etc/targ ...)
        - python-rtslib-fb <unfixed>
+       [buster] - python-rtslib-fb <not-affected> (Introduced in 2.1.70)
        [stretch] - python-rtslib-fb <not-affected> (vulnerable code introduced 
later, shutil.copyfile is not used)
        [jessie] - python-rtslib-fb <not-affected> (vulnerable code introduced 
later, shutil.copyfile is not used)
        NOTE: https://github.com/open-iscsi/rtslib-fb/pull/162
+       NOTE: 
https://github.com/open-iscsi/rtslib-fb/commit/75e73778dce1cb7a2816a936240ef75adfbd6ed9
 CVE-2020-14018 (An issue was discovered in Navigate CMS 2.9 r1433. There is a 
stored X ...)
        NOT-FOR-US: Navigate CMS
 CVE-2020-14017 (An issue was discovered in Navigate CMS 2.9 r1433. Sessions, 
as well a ...)
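Review bot: The added `[buster] - python-rtslib-fb <not-affected> (Introduced in 2.1.70)` line uses a different justification from the stretch and jessie lines right below it (`vulnerable code introduced later, shutil.copyfile is not used`); if all three rest on the same finding the wording should match, and the buster line should state the version buster ships so that the "older than 2.1.70" conclusion is checkable from the entry. The new upstream commit NOTE (75e73778...) is the right reference for the fix that the `<unfixed>` unstable entry still needs.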
@@ -11818,7 +11825,6 @@ CVE-2020-11759 (An issue was discovered in OpenEXR 
before 2.4.1. Because of inte
        NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/b9997d0c045fa01af3d2e46e1a74b07cc4519446
        NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/acad98d6d3e787f36012a3737c23c42c7f43a00f
-       TODO: check completeness for upstream commits to cover CVE-2020-11759
 CVE-2020-11758 (An issue was discovered in OpenEXR before 2.4.1. There is an 
out-of-bo ...)
        [experimental] - openexr 2.5.0-1
        - openexr <unfixed> (bug #959444)
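Review bot: Dropping the `TODO: check completeness for upstream commits to cover CVE-2020-11759` line discards the question without recording the answer. If the check was done and the two commits listed above (b9997d0c and acad98d6) are the complete fix, replace the TODO with a NOTE saying so, otherwise the next person reading the entry will reopen the same question.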
@@ -74521,7 +74527,7 @@ CVE-2019-8945 (Zimbra Collaboration 8.7.x - 8.8.11P2 
contains persistent XSS. ..
 CVE-2019-8944 (An Information Exposure issue in the Terraform deployment step 
in Octo ...)
        NOT-FOR-US: Terraform
 CVE-2019-8943 (WordPress through 5.0.3 allows Path Traversal in 
wp_crop_image(). An a ...)
-       - wordpress <unfixed> (bug #923583)
+       - wordpress <undetermined> (bug #923583)
        [jessie] - wordpress <postponed> (requires privileged account, not 
directly exploitable as CVE-2019-8942 is fixed, no official patch)
        NOTE: 
https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
        NOTE: This CVE is explicitly for the mentioned Path Traversal in 
wp_crop_image().
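Review bot: Changing the unstable line from `<unfixed>` to `<undetermined>` without an accompanying NOTE loses the reason for the change; the jessie line directly below still carries its full rationale (`requires privileged account, not directly exploitable as CVE-2019-8942 is fixed, no official patch`), which is exactly the kind of context the new status needs. Suggest adding a NOTE stating what is undetermined (for example whether the path traversal in `wp_crop_image()` still applies to the packaged version now that CVE-2019-8942 is fixed), and keeping the bug #923583 reference as the place to resolve it.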
@@ -99366,6 +99372,7 @@ CVE-2019-0194 (Apache Camel's File is vulnerable to 
directory traversal. Camel 2
 CVE-2019-0193 (In Apache Solr, the DataImportHandler, an optional but popular 
module  ...)
        {DLA-1954-1}
        - lucene-solr 3.6.2+dfsg-22 (low)
+       [buster] - lucene-solr <no-dsa> (Minor issue)
        NOTE: https://issues.apache.org/jira/browse/SOLR-13669
        NOTE: upstream recommends everybody upgrade or rework their 
configuration
        NOTE: consider backporting enable.dih.dataConfigParam instead:
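Review bot: The new `[buster] - lucene-solr <no-dsa> (Minor issue)` line sits in an entry that already has a jessie DLA (`{DLA-1954-1}`), a fix in unstable (3.6.2+dfsg-22) and a NOTE proposing to backport `enable.dih.dataConfigParam`; since a backport route is already identified, the rationale should say whether the buster fix is expected to go in through a point release, rather than only `Minor issue`. Otherwise the entry reads as if buster were the only suite deliberately left without the change.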
@@ -113600,6 +113607,7 @@ CVE-2018-14029 (CSRF vulnerability in admin/user/edit 
in Creatiwity wityCMS 0.6.
        NOT-FOR-US: Creatiwity wityCMS
 CVE-2018-14028 (In WordPress 4.9.7, plugins uploaded via the admin area are 
not verifi ...)
        - wordpress <unfixed> (bug #906565)
+       [buster] - wordpress <postponed> (Minor issue, revisit when fixed 
upstream)
        [stretch] - wordpress <no-dsa> (Minor issue)
        [jessie] - wordpress <postponed> (no sanctioned patch)
        NOTE: https://core.trac.wordpress.org/ticket/44710
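Review bot: The added `[buster] - wordpress <postponed> (Minor issue, revisit when fixed upstream)` line and the unchanged `[stretch] - wordpress <no-dsa> (Minor issue)` line give the same rationale but different states; `postponed` implies a fix will follow once upstream ships one, `no-dsa` implies it will not. If the intent is the same for both suites, align the states (and the wording), and the reference to ticket 44710 already in the NOTE is the natural trigger for the revisit.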


=====================================
data/dsa-needed.txt
=====================================
@@ -32,8 +32,12 @@ nginx
 rails (jmm)
   Sylvain Beucler proposed to help for the update, remaining CVEs to be done
 --
+ruby-kramdown
+--
 teeworlds (jmm)
 --
+thunderbird (jmm)
+--
 webkit2gtk
 --
 xcftools
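Review bot: The new `ruby-kramdown` entry has neither an assignee nor a note on which issue it is tracking, whereas the surrounding entries either name a maintainer (`teeworlds (jmm)`, the new `thunderbird (jmm)`) or carry a status line like the one under `rails`. Suggest adding the CVE or bug reference and, if nobody has picked it up yet, a short note to that effect, so the dsa-needed list stays self-contained.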



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fc91a817f86e109b8769dd47ca48c3d3137e3b9
