Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker
Commits: 7553fe97 by Antoine Beaupré at 2018-02-16T14:02:20-05:00 mark golang's CVE-2018-6574 as dla-needed and add relation to CVE-2017-15041 - - - - - 4755a0f6 by Antoine Beaupré at 2018-02-16T14:02:22-05:00 CVE-2018-6829 gnupg n/a, libgcrypt dla-needed as mentioned in the notes, GnuPG uses Elgamal correctly so it is not vulnerable. libgcrypt, however, is, so it should at least be checked in wheezy and others. - - - - - 4880f3ef by Antoine Beaupré at 2018-02-16T14:36:45-05:00 re-add leptonlib to dla-needed - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== --- a/data/CVE/list +++ b/data/CVE/list @@ -854,11 +854,12 @@ CVE-2018-6830 CVE-2018-6829 (cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt ...) - libgcrypt20 <unfixed> - libgcrypt11 <removed> - - gnupg1 <unfixed> - - gnupg <removed> + - gnupg1 <not-affected> + - gnupg <not-affected> NOTE: https://github.com/weikengchen/attack-on-libgcrypt-elgamal NOTE: https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki NOTE: https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html + NOTE: GnuPG uses elgamal in hybrid mode so it is not affected CVE-2018-6828 RESERVED CVE-2018-6827 (VOBOT CLOCK before 0.99.30 devices do not verify X.509 certificates ...) @@ -1607,6 +1608,7 @@ CVE-2018-6574 (Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases - golang-1.7 <unfixed> - golang <removed> NOTE: https://github.com/golang/go/issues/23672 + NOTE: similar to CVE-2017-15041, which was fixed in wheezy, but no-dsa in jessie and ignored in stretch CVE-2018-6573 RESERVED CVE-2018-6572 ===================================== data/dla-needed.txt ===================================== --- a/data/dla-needed.txt +++ b/data/dla-needed.txt 
@@ -25,6 +25,8 @@ gcc-4.7 (Roberto C. Sánchez) NOTE: Backport the retpoline support for spectre mitigation. NOTE: Do we want/need it on this gcc version as well? -- +golang +-- icu (Thorsten Alteholz) NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public -- @@ -43,6 +45,12 @@ libav (Hugo Lefeuvre) NOTE: I am currently working on CVE triage but I will not be able to process the whole backlog until May. NOTE: Help is welcome, feel free to mail Hugo. -- +leptonlib + NOTE: #885704 fix is incomplete and may require a CVE + NOTE: see also https://lists.debian.org/1518730488.2617.129.ca...@decadent.org.uk +-- +libgcrypt11 +-- libmad (Kurt Roeckx) -- libreoffice View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d3b329bad3ee4c1c346dc02ed2cfcbec406fefc0...4880f3ef311538de940214f314c7d864d339568c --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d3b329bad3ee4c1c346dc02ed2cfcbec406fefc0...4880f3ef311538de940214f314c7d864d339568c You're receiving this email because of your account on salsa.debian.org.
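Review bot: In the first data/CVE/list hunk (CVE-2018-6829), the justification given in the new NOTE ("GnuPG uses elgamal in hybrid mode so it is not affected") does not match the wording of the commit message ("GnuPG uses Elgamal correctly"); since the NOTE is what future triagers will read next to the `<not-affected>` markings for gnupg1 and gnupg, state the reason once, precisely, and point at which of the three linked references (the gcrypt-devel thread, for example) supports it. The commit message also says libgcrypt11 "should at least be checked in wheezy", but this entry only carries `libgcrypt11 <removed>`; if the wheezy check is still pending, a `[wheezy]` line or a NOTE here would record that, rather than leaving it only in dla-needed.txt.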
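Review bot: In the second data/CVE/list hunk (CVE-2018-6574), the added NOTE records that CVE-2017-15041 was "fixed in wheezy, but no-dsa in jessie and ignored in stretch", yet the golang-1.7 and golang entries above it are left unchanged, so the note does not say what that history implies for this CVE; either add the corresponding `[jessie]`/`[stretch]` triage lines or extend the NOTE with the intended decision (for instance that wheezy will get a DLA, matching the dla-needed.txt addition in this same push), so the relation is actionable rather than a comment.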
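Review bot: In the first data/dla-needed.txt hunk, the new `golang` entry has no NOTE, unlike the neighbouring gcc-4.7 and icu entries, which each explain what needs attention; since the commit message ties this to CVE-2018-6574 and its relation to CVE-2017-15041, add a `NOTE: CVE-2018-6574, see CVE-2017-15041 (fixed in wheezy)` line (or similar) so whoever claims the entry does not have to reconstruct the context from the CVE/list history.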
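Review bot: In the second data/dla-needed.txt hunk, the `libgcrypt11` entry is added without a NOTE naming the issue; the commit message says libgcrypt "should at least be checked in wheezy" for CVE-2018-6829, and that is exactly the information a claimant needs, so add `NOTE: CVE-2018-6829, check whether wheezy's libgcrypt11 is affected` beneath it. The leptonlib entry is better in that respect (it cites #885704 and notes that the fix is incomplete and may need a CVE), though its second NOTE URL is truncated (`ca...@decadent.org.uk`) and should be the full Message-ID link so the reference resolves.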