Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7553fe97 by Antoine Beaupré at 2018-02-16T14:02:20-05:00
mark golang's CVE-2018-6574 as dla-needed and add relation to CVE-2017-15041

- - - - -
4755a0f6 by Antoine Beaupré at 2018-02-16T14:02:22-05:00
CVE-2018-6829 gnupg n/a, libgcrypt dla-needed

as mentioned in the notes, GnuPG uses Elgamal correctly so it is not
vulnerable. libgcrypt, however, is, so it should at least be checked in wheezy 
and others.

- - - - -
4880f3ef by Antoine Beaupré at 2018-02-16T14:36:45-05:00
re-add leptonlib to dla-needed

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -854,11 +854,12 @@ CVE-2018-6830
 CVE-2018-6829 (cipher/elgamal.c in Libgcrypt through 1.8.2, when used to 
encrypt ...)
        - libgcrypt20 <unfixed>
        - libgcrypt11 <removed>
-       - gnupg1 <unfixed>
-       - gnupg <removed>
+       - gnupg1 <not-affected>
+       - gnupg <not-affected>
        NOTE: https://github.com/weikengchen/attack-on-libgcrypt-elgamal
        NOTE: https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki
        NOTE: 
https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html
+       NOTE: GnuPG uses elgamal in hybrid mode so it is not affected
 CVE-2018-6828
        RESERVED
 CVE-2018-6827 (VOBOT CLOCK before 0.99.30 devices do not verify X.509 
certificates ...)
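Review bot: the new NOTE justifying the `<not-affected>` status for gnupg1 and gnupg states the conclusion ("hybrid mode") but not which source establishes it; since the entry already links the attack repository, its wiki and the gcrypt-devel thread, the NOTE should say which of those shows that GnuPG's hybrid use of Elgamal falls outside the reported attack, so a later triager can re-verify the status rather than take it on trust. Separately, libgcrypt11 stays `<removed>` here while this same push adds `libgcrypt11` to data/dla-needed.txt; a NOTE giving the wheezy status of libgcrypt11 would make the two files consistent at a glance.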
@@ -1607,6 +1608,7 @@ CVE-2018-6574 (Go before 1.8.7, Go 1.9.x before 1.9.4, 
and Go 1.10 pre-releases 
        - golang-1.7 <unfixed>
        - golang <removed>
        NOTE: https://github.com/golang/go/issues/23672
+       NOTE: similar to CVE-2017-15041, which was fixed in wheezy, but no-dsa 
in jessie and ignored in stretch
 CVE-2018-6573
        RESERVED
 CVE-2018-6572
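Review bot: the added NOTE records the per-suite outcome for CVE-2017-15041 (fixed in wheezy, no-dsa in jessie, ignored in stretch) but not whether the same treatment is intended for CVE-2018-6574; since golang is being queued in data/dla-needed.txt in this push, state explicitly that wheezy is expected to get a fix and what is expected for jessie and stretch, or mark those suites in this entry, so the two records do not have to be reconciled later.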


=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -25,6 +25,8 @@ gcc-4.7 (Roberto C. Sánchez)
   NOTE: Backport the retpoline support for spectre mitigation.
   NOTE: Do we want/need it on this gcc version as well?
 --
+golang
+--
 icu (Thorsten Alteholz)
   NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in 
Chromium project; report is not visible to the public
 --
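Review bot: the new `golang` entry carries no NOTE, unlike the neighbouring gcc-4.7 and icu entries; add a NOTE naming the CVE it is queued for (CVE-2018-6574, per the data/CVE/list change in this push) and its relation to CVE-2017-15041, so whoever picks it up does not have to search data/CVE/list to learn why golang is on the list.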
@@ -43,6 +45,12 @@ libav (Hugo Lefeuvre)
   NOTE: I am currently working on CVE triage but I will not be able to process 
the whole backlog until May.
   NOTE: Help is welcome, feel free to mail Hugo.
 --
+leptonlib
+  NOTE: #885704 fix is incomplete and may require a CVE
+  NOTE: see also 
https://lists.debian.org/1518730488.2617.129.ca...@decadent.org.uk
+--
+libgcrypt11
+--
 libmad (Kurt Roeckx)
 --
 libreoffice
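Review bot: the `libgcrypt11` entry is added without a NOTE, while the `leptonlib` entry just above documents its bug and the incomplete fix; add a NOTE pointing at CVE-2018-6829 and the gcrypt-devel thread linked in data/CVE/list, together with the commit message's caveat that libgcrypt (unlike GnuPG) is affected and needs checking in wheezy, so the reason for queueing it is visible in this file. For leptonlib, the NOTE "#885704 fix is incomplete and may require a CVE" would be more actionable if it said what the fix leaves unaddressed, rather than relying on the linked mailing-list message alone.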



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d3b329bad3ee4c1c346dc02ed2cfcbec406fefc0...4880f3ef311538de940214f314c7d864d339568c
