Package: glib2.0
Version: 2.42.1-1+deb8u1
CVE ID : CVE-2019-12450
Debian Bug : 929753
It was discovered that GLib does not properly restrict some file
permissions while a copy operation is in progress; instead, default
Format: 1.8
Date: Tue, 18 Jun 2019 21:27:05 +0200
Source: glib2.0
Binary: libglib2.0-0 libglib2.0-tests libglib2.0-udeb libglib2.0-bin
libglib2.0-dev libglib2.0-0-dbg libglib2.0-data libglib2.0-doc libgio-fam
libglib2.0-0-refdbg
Architecture:
Hello,
On 18.06.19 at 10:05, Brian May wrote:
> The upstream patch patches "c->description" which is not used in
> Jessie. OK, so probably not vulnerable.
[...]
I requested feedback from upstream about CVE-2019-12779 before.
https://github.com/ClusterLabs/libqb/issues/338
It seems they do
Package: kdepim
Version: 4:4.14.1-1+deb8u2
CVE ID : CVE-2019-10732
Debian Bug : 926996
A reply-based decryption oracle was found in kdepim, which provides
the KMail e-mail client.
An attacker in possession of S/MIME or
Format: 1.8
Date: Tue, 18 Jun 2019 10:55:26 +0200
Source: kdepim
Binary: kdepim kdepim-mobile akregator kaddressbook kaddressbook-mobile kalarm
kdepim-kresources storageservicemanager kleopatra kmail kmail-mobile knode
knotes notes-mobile
Package: linux-4.9
Version: 4.9.168-1+deb9u3~deb8u1
CVE ID : CVE-2019-3846 CVE-2019-5489 CVE-2019-9500 CVE-2019-9503
CVE-2019-10126 CVE-2019-11477 CVE-2019-11478 CVE-2019-11479
CVE-2019-11486 CVE-2019-11599 CVE-2019-11815 CVE-2019-11833
Hi Brian,
> libqb
> NOTE: 20190616: Upstream patch does not apply at all, but it appears that
>
> NOTE: 20190616: package is still vulnerable in ipc_posix_mq.c etc. or
> NOTE: 20190616: wherever it uses c->pid w/NAME_MAX. (lamby)
NB. "appears that" — it was a rather cursory glance
The upstream patch patches "c->description" which is not used in
Jessie. OK, so probably not vulnerable.
Looking at data/dla-needed.txt:
libqb
NOTE: 20190616: Upstream patch does not apply at all, but it appears that
NOTE: 20190616: package is still vulnerable in ipc_posix_mq.c etc. or