Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: f5361dc0 by Moritz Muehlenhoff at 2018-04-02T13:04:35+02:00 several web2py issue n/a, mark the existing no-dsa entries as <ignored> unixodbc no-dsa ntp postponed podofo CVE dupe - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== --- a/data/CVE/list +++ b/data/CVE/list @@ -2774,10 +2774,9 @@ CVE-2018-8001 (In PoDoFo 0.9.5, there exists a heap-based buffer over-read ...) NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/14/ NOTE: Upstream commit: http://sourceforge.net/p/podofo/code/1909 CVE-2018-8000 (In PoDoFo 0.9.5, there exists a heap-based buffer overflow ...) - - libpodofo <unfixed> (bug #892520) NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548918 NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/13/ - NOTE: Believed to be a dupe of CVE-2017-5886 + NOTE: Upstream tracked this down as a of CVE-2017-5886 CVE-2018-7999 (In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference ...) - graphite2 1.3.11-2 (bug #892590) [stretch] - graphite2 <no-dsa> (Minor issue) @@ -4508,6 +4507,8 @@ CVE-2018-7410 RESERVED CVE-2018-7409 (In unixODBC before 2.3.5, there is a buffer overflow in the ...) - unixodbc <unfixed> (bug #891596) + [stretch] - unixodbc <no-dsa> (Minor issue) + [jessie] - unixodbc <no-dsa> (Minor issue) [wheezy] - unixodbc <ignored> (Minor issue) NOTE: Fixed by: https://sourceforge.net/p/unixodbc/code/136/ NOTE: https://github.com/lurcher/unixODBC/commit/4f9f77fb4204659ec9b7be8745d9e05a539c80b9 @@ -5321,6 +5322,8 @@ CVE-2018-7183 (Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S CVE-2018-7182 (The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows ...) - ntp 1:4.2.8p11+dfsg-1 + [stretch] - ntp <postponed> (Can be fixed along in a future update) + [jessie] - ntp <postponed> (Can be fixed along in a future update) [wheezy] - ntp <not-affected> (Issue not present) - ntpsec 1.0.0+dfsg1-5 NOTE: http://www.kb.cert.org/vuls/id/961909 @@ -91530,25 +91533,25 @@ CVE-2016-4809 (The archive_read_format_cpio_read_header function in ...) NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/fd7e0c02e272913a0a8b6d492c7260dfca0b1408 (v3.2.1) CVE-2016-10321 (web2py before 2.14.6 does not properly check if a host is denied before ...) - web2py <removed> (bug #860038) - [jessie] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production) + [jessie] - web2py <ignored> (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585#issuecomment-284317919 NOTE: https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426 CVE-2016-4808 (Web2py versions 2.14.5 and below was affected by CSRF (Cross Site ...) - web2py <removed> (bug #856127) - [jessie] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production) + [jessie] - web2py <ignored> (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585 NOTE: https://github.com/web2py/web2py/commit/4bd002aee978813bc664cf186ef38ff4e8bbe1cd CVE-2016-4807 (Web2py versions 2.14.5 and below was affected by Reflected XSS ...) - web2py <removed> (bug #856127) - [jessie] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production) + [jessie] - web2py <ignored> (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585 NOTE: https://github.com/web2py/web2py/commit/51c3b633fe7ad647bc3013e899c1e3a910362dd1 CVE-2016-4806 (Web2py versions 2.14.5 and below was affected by Local File Inclusion ...) - web2py <removed> (bug #856127) - [jessie] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production) + [jessie] - web2py <ignored> (Minor issue; issue in web admin interface which has no need to be used in production) [wheezy] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production) NOTE: https://github.com/web2py/web2py/issues/1585 NOTE: https://github.com/web2py/web2py/issues/1316 @@ -94053,6 +94056,8 @@ CVE-2016-3960 (Integer overflow in the x86 shadow pagetable code in Xen allows l NOTE: http://xenbits.xen.org/xsa/advisory-173.html CVE-2016-3957 (The secure_load function in gluon/utils.py in web2py before 2.14.2 ...) - web2py <removed> (bug #891220) + [jessie] - web2py <not-affected> (Vulnerable code not present) + [wheezy] - web2py <not-affected> (Vulnerable code not present) CVE-2016-3956 (The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js ...) - npm <unfixed> (bug #850322) [jessie] - npm <no-dsa> (Minor issue) @@ -94061,10 +94066,16 @@ CVE-2016-3956 (The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Nod NOTE: https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 (3.8.3) CVE-2016-3954 (web2py before 2.14.2 allows remote attackers to obtain the ...) - web2py <removed> (bug #891220) + [jessie] - web2py <not-affected> (Vulnerable code not present) + [wheezy] - web2py <not-affected> (Vulnerable code not present) CVE-2016-3953 (The sample web application in web2py before 2.14.2 might allow remote ...) - web2py <removed> (bug #891220) + [jessie] - web2py <not-affected> (Vulnerable code not present) + [wheezy] - web2py <not-affected> (Vulnerable code not present) CVE-2016-3952 (web2py before 2.14.1, when using the standalone version, allows remote ...) - web2py <removed> (bug #891220) + [jessie] - web2py <not-affected> (Vulnerable code not present) + [wheezy] - web2py <not-affected> (Vulnerable code not present) CVE-2016-3951 (Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux ...) {DSA-3607-1 DLA-516-1} - linux 4.5.1-1 @@ -111343,7 +111354,7 @@ CVE-2015-7236 (Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c NOTE: http://www.openwall.com/lists/oss-security/2015/09/17/1 CVE-2015-6961 (Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows ...) - web2py 2.12.3-1 - [jessie] - web2py <no-dsa> (Minor issue) + [jessie] - web2py <ignored> (Minor issue) [wheezy] - web2py <no-dsa> (Minor issue) NOTE: Fixed by: https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0 (R-2.12.1) NOTE: https://github.com/web2py/web2py/issues/731 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5361dc07cf645cf1d9ee84f7f6e307d39337601 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5361dc07cf645cf1d9ee84f7f6e307d39337601 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits