Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 3567c990 by Moritz Muehlenhoff at 2018-04-03T22:21:29+02:00 puppet modules unimportant add libslf4j-java to dsa-needed libzypp ignored radare, gpac, leptonlib no-dsa - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== --- a/data/CVE/list +++ b/data/CVE/list @@ -1029,14 +1029,20 @@ CVE-2018-8811 (Cross-site request forgery (CSRF) vulnerability in ...) NOT-FOR-US: OpenCMS CVE-2018-8810 (In radare2 2.4.0, there is a heap-based buffer over-read in the ...) - radare2 <unfixed> + [stretch] - radare2 <no-dsa> (Minor issue) + [jessie] - radare2 <no-dsa> (Minor issue) [wheezy] - radare2 <not-affected> (vulnerable code not present) NOTE: https://github.com/radare/radare2/issues/9727 CVE-2018-8809 (In radare2 2.4.0, there is a heap-based buffer over-read in the ...) - - radare2 <unfixed> + - radare2 <unfixed> (low) + [stretch] - radare2 <no-dsa> (Minor issue) + [jessie] - radare2 <no-dsa> (Minor issue) [wheezy] - radare2 <no-dsa> (minor issue, likely not even affected) NOTE: https://github.com/radare/radare2/issues/9726 CVE-2018-8808 (In radare2 2.4.0, there is a heap-based buffer over-read in the ...) - - radare2 <unfixed> + - radare2 <unfixed> (low) + [stretch] - radare2 <no-dsa> (Minor issue) + [jessie] - radare2 <no-dsa> (Minor issue) [wheezy] - radare2 <no-dsa> (minor issue, likely not even affected) NOTE: https://github.com/radare/radare2/issues/9725 CVE-2018-8807 (In libming 0.4.8, these is a use-after-free in the function ...) @@ -3575,6 +3581,8 @@ CVE-2018-7719 (Acrolinx Server before 5.2.5 on Windows allows Directory Traversa NOT-FOR-US: Acrolinx Server CVE-2018-7752 (GPAC through 0.7.1 has a Buffer Overflow in the gf_media_avc_read_sps ...) - gpac <unfixed> (bug #892526) + [stretch] - gpac <no-dsa> (Minor issue) + [jessie] - gpac <no-dsa> (Minor issue) [wheezy] - gpac <not-affected> (vulnerable code not present) NOTE: https://github.com/gpac/gpac/issues/997 NOTE: https://github.com/gpac/gpac/commit/90dc7f853d31b0a4e9441cba97feccf36d8b69a4 @@ -5470,7 +5478,9 @@ CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in ...) NOTE: https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41 (v2.2.2) CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters in a %s ...) {DLA-1302-1} - - leptonlib 1.75.3-2 (bug #890548) + - leptonlib 1.75.3-2 (low; bug #890548) + [stretch] - leptonlib <no-dsa> (Minor issue) + [jessie] - leptonlib <no-dsa> (Minor issue) NOTE: https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a CVE-2018-7180 (SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! ...) NOT-FOR-US: Saxum Astro component for Joomla! @@ -7368,9 +7378,9 @@ CVE-2018-6510 CVE-2018-6509 RESERVED CVE-2018-6508 (Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a ...) - - puppet-module-puppetlabs-apt <unfixed> - - puppet-module-puppetlabs-apache <unfixed> - - puppet-module-puppetlabs-mysql <unfixed> + - puppet-module-puppetlabs-apt <unfixed> (unimportant) + - puppet-module-puppetlabs-apache <unfixed> (unimportant) + - puppet-module-puppetlabs-mysql <unfixed> (unimportant) NOTE: https://puppet.com/security/cve/CVE-2018-6508 NOTE: Issue in various puppet modules: facter_task, puppet_conf, apt, apache and mysql modules NOTE: https://github.com/puppetlabs/puppetlabs-facter_task/commit/dd37c72e78c8a37e671e20becb05d6ceafdbd81c @@ -7378,6 +7388,7 @@ CVE-2018-6508 (Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a NOTE: https://github.com/puppetlabs/puppetlabs-apt/commit/81879be960d5723016e3d0b4ff155ee704261bbc NOTE: https://github.com/puppetlabs/puppetlabs-apache/commit/81bc5119ceced1faa4bf261efa4b7cd3731ef3ef NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/da3684c79d5fe6ece826e087e8693c75ac40414c + NOTE: This is only exploitable with Puppet Tasks, which aren't packaged/available in Debian CVE-2018-6507 RESERVED CVE-2018-6506 (Cross-Site Scripting (XSS) exists in the Add Forum feature in the ...) @@ -14096,12 +14107,16 @@ CVE-2018-3837 RESERVED CVE-2018-7442 (An issue was discovered in Leptonica through 1.75.3. The ...) - leptonlib <unfixed> + [stretch] - leptonlib <no-dsa> (Minor issue) + [jessie] - leptonlib <no-dsa> (Minor issue) NOTE: https://lists.debian.org/debian-lts/2018/02/msg00086.html CVE-2018-7441 (Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which might ...) - - leptonlib <unfixed> + - leptonlib <unfixed> (unimportant) NOTE: https://lists.debian.org/debian-lts/2018/02/msg00054.html + NOTE: Neutralised by kernel hardening CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing duplicated ...) - - leptonlib 1.74.4-2 (bug #885704) + - leptonlib 1.74.4-2 (low; bug #885704) + [stretch] - leptonlib <no-dsa> (Minor issue) [jessie] - leptonlib <not-affected> (Vulnerable code not present) [wheezy] - leptonlib <not-affected> (Vulnerable code not present) CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The ...) @@ -14115,6 +14130,8 @@ CVE-2018-3836 [gplotMakeOutput Command Injection Vulnerability] RESERVED {DLA-1284-1} - leptonlib 1.75.3-1 (bug #889759) + [stretch] - leptonlib <no-dsa> (Minor issue) + [jessie] - leptonlib <no-dsa> (Minor issue) NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516 NOTE: https://github.com/DanBloomberg/leptonica/issues/303 NOTE: When fixing this issue make sure the fix is complete and includes as well @@ -48538,6 +48555,7 @@ CVE-2017-9270 (In cryptctl before version 2.0 a malicious server could send RPC NOT-FOR-US: SuSE cryptctl CVE-2017-9269 (In libzypp before August 2018 GPG keys attached to YUM repositories ...) - libzypp <unfixed> + [jessie] - libzypp <ignored> (Minor issue) CVE-2017-9268 (In the open build service before 201707022 the wipetrigger and rebuild ...) - open-build-service <unfixed> (low) [stretch] - open-build-service <no-dsa> (Minor issue) @@ -54539,8 +54557,10 @@ CVE-2017-7437 (NetIQ Privileged Account Manager before 3.1 Patch Update 3 allowe NOT-FOR-US: NetIQ Privileged Account Manager CVE-2017-7436 (In libzypp before 20170803 it was possible to retrieve unsigned ...) - libzypp <unfixed> + [jessie] - libzypp <ignored> (Minor issue) CVE-2017-7435 (In libzypp before 20170803 it was possible to add unsigned YUM ...) - libzypp <unfixed> + [jessie] - libzypp <ignored> (Minor issue) CVE-2017-7434 (In the JDBC driver of NetIQ Identity Manager before 4.6 sending out ...) NOT-FOR-US: NetIQ Identity Manager CVE-2017-7433 (An absolute path traversal vulnerability (CWE-36) in Micro Focus Vibe ...) ===================================== data/dsa-needed.txt ===================================== --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -41,6 +41,8 @@ libav/oldstable -- libidn -- +libslf4j-java +-- libmad -- linux View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3567c990ffdf55a77d5f27b01ab1dee266ece832 --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3567c990ffdf55a77d5f27b01ab1dee266ece832 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits