Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
f5361dc0 by Moritz Muehlenhoff at 2018-04-02T13:04:35+02:00
several web2py issue n/a, mark the existing no-dsa entries as <ignored>
unixodbc no-dsa
ntp postponed
podofo CVE dupe
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2774,10 +2774,9 @@ CVE-2018-8001 (In PoDoFo 0.9.5, there exists a
heap-based buffer over-read ...)
NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/14/
NOTE: Upstream commit: http://sourceforge.net/p/podofo/code/1909
CVE-2018-8000 (In PoDoFo 0.9.5, there exists a heap-based buffer overflow ...)
- - libpodofo <unfixed> (bug #892520)
NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548918
NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/13/
- NOTE: Believed to be a dupe of CVE-2017-5886
+ NOTE: Upstream tracked this down as a of CVE-2017-5886
CVE-2018-7999 (In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference
...)
- graphite2 1.3.11-2 (bug #892590)
[stretch] - graphite2 <no-dsa> (Minor issue)
@@ -4508,6 +4507,8 @@ CVE-2018-7410
RESERVED
CVE-2018-7409 (In unixODBC before 2.3.5, there is a buffer overflow in the ...)
- unixodbc <unfixed> (bug #891596)
+ [stretch] - unixodbc <no-dsa> (Minor issue)
+ [jessie] - unixodbc <no-dsa> (Minor issue)
[wheezy] - unixodbc <ignored> (Minor issue)
NOTE: Fixed by: https://sourceforge.net/p/unixodbc/code/136/
NOTE:
https://github.com/lurcher/unixODBC/commit/4f9f77fb4204659ec9b7be8745d9e05a539c80b9
@@ -5321,6 +5322,8 @@ CVE-2018-7183 (Buffer overflow in the decodearr function
in ntpq in ntp 4.2.8p6
NOTE:
http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S
CVE-2018-7182 (The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11
allows ...)
- ntp 1:4.2.8p11+dfsg-1
+ [stretch] - ntp <postponed> (Can be fixed along in a future update)
+ [jessie] - ntp <postponed> (Can be fixed along in a future update)
[wheezy] - ntp <not-affected> (Issue not present)
- ntpsec 1.0.0+dfsg1-5
NOTE: http://www.kb.cert.org/vuls/id/961909
@@ -91530,25 +91533,25 @@ CVE-2016-4809 (The
archive_read_format_cpio_read_header function in ...)
NOTE: Fixed by:
https://github.com/libarchive/libarchive/commit/fd7e0c02e272913a0a8b6d492c7260dfca0b1408
(v3.2.1)
CVE-2016-10321 (web2py before 2.14.6 does not properly check if a host is
denied before ...)
- web2py <removed> (bug #860038)
- [jessie] - web2py <no-dsa> (Minor issue; issue in web admin interface
which has no need to be used in production)
+ [jessie] - web2py <ignored> (Minor issue; issue in web admin interface
which has no need to be used in production)
[wheezy] - web2py <no-dsa> (Minor issue; issue in web admin interface
which has no need to be used in production)
NOTE:
https://github.com/web2py/web2py/issues/1585#issuecomment-284317919
NOTE:
https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426
CVE-2016-4808 (Web2py versions 2.14.5 and below was affected by CSRF (Cross
Site ...)
- web2py <removed> (bug #856127)
- [jessie] - web2py <no-dsa> (Minor issue; issue in web admin interface
which has no need to be used in production)
+ [jessie] - web2py <ignored> (Minor issue; issue in web admin interface
which has no need to be used in production)
[wheezy] - web2py <no-dsa> (Minor issue; issue in web admin interface
which has no need to be used in production)
NOTE: https://github.com/web2py/web2py/issues/1585
NOTE:
https://github.com/web2py/web2py/commit/4bd002aee978813bc664cf186ef38ff4e8bbe1cd
CVE-2016-4807 (Web2py versions 2.14.5 and below was affected by Reflected XSS
...)
- web2py <removed> (bug #856127)
- [jessie] - web2py <no-dsa> (Minor issue; issue in web admin interface
which has no need to be used in production)
+ [jessie] - web2py <ignored> (Minor issue; issue in web admin interface
which has no need to be used in production)
[wheezy] - web2py <no-dsa> (Minor issue; issue in web admin interface
which has no need to be used in production)
NOTE: https://github.com/web2py/web2py/issues/1585
NOTE:
https://github.com/web2py/web2py/commit/51c3b633fe7ad647bc3013e899c1e3a910362dd1
CVE-2016-4806 (Web2py versions 2.14.5 and below was affected by Local File
Inclusion ...)
- web2py <removed> (bug #856127)
- [jessie] - web2py <no-dsa> (Minor issue; issue in web admin interface
which has no need to be used in production)
+ [jessie] - web2py <ignored> (Minor issue; issue in web admin interface
which has no need to be used in production)
[wheezy] - web2py <no-dsa> (Minor issue; issue in web admin interface
which has no need to be used in production)
NOTE: https://github.com/web2py/web2py/issues/1585
NOTE: https://github.com/web2py/web2py/issues/1316
@@ -94053,6 +94056,8 @@ CVE-2016-3960 (Integer overflow in the x86 shadow
pagetable code in Xen allows l
NOTE: http://xenbits.xen.org/xsa/advisory-173.html
CVE-2016-3957 (The secure_load function in gluon/utils.py in web2py before
2.14.2 ...)
- web2py <removed> (bug #891220)
+ [jessie] - web2py <not-affected> (Vulnerable code not present)
+ [wheezy] - web2py <not-affected> (Vulnerable code not present)
CVE-2016-3956 (The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in
Node.js ...)
- npm <unfixed> (bug #850322)
[jessie] - npm <no-dsa> (Minor issue)
@@ -94061,10 +94066,16 @@ CVE-2016-3956 (The CLI in npm before 2.15.1 and 3.x
before 3.8.3, as used in Nod
NOTE:
https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29
(3.8.3)
CVE-2016-3954 (web2py before 2.14.2 allows remote attackers to obtain the ...)
- web2py <removed> (bug #891220)
+ [jessie] - web2py <not-affected> (Vulnerable code not present)
+ [wheezy] - web2py <not-affected> (Vulnerable code not present)
CVE-2016-3953 (The sample web application in web2py before 2.14.2 might allow
remote ...)
- web2py <removed> (bug #891220)
+ [jessie] - web2py <not-affected> (Vulnerable code not present)
+ [wheezy] - web2py <not-affected> (Vulnerable code not present)
CVE-2016-3952 (web2py before 2.14.1, when using the standalone version, allows
remote ...)
- web2py <removed> (bug #891220)
+ [jessie] - web2py <not-affected> (Vulnerable code not present)
+ [wheezy] - web2py <not-affected> (Vulnerable code not present)
CVE-2016-3951 (Double free vulnerability in drivers/net/usb/cdc_ncm.c in the
Linux ...)
{DSA-3607-1 DLA-516-1}
- linux 4.5.1-1
@@ -111343,7 +111354,7 @@ CVE-2015-7236 (Use-after-free vulnerability in
xprt_set_caller in rpcb_svc_com.c
NOTE: http://www.openwall.com/lists/oss-security/2015/09/17/1
CVE-2015-6961 (Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11
allows ...)
- web2py 2.12.3-1
- [jessie] - web2py <no-dsa> (Minor issue)
+ [jessie] - web2py <ignored> (Minor issue)
[wheezy] - web2py <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0
(R-2.12.1)
NOTE: https://github.com/web2py/web2py/issues/731
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5361dc07cf645cf1d9ee84f7f6e307d39337601
---
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5361dc07cf645cf1d9ee84f7f6e307d39337601
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
