Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
3567c990 by Moritz Muehlenhoff at 2018-04-03T22:21:29+02:00
puppet modules unimportant
add libslf4j-java to dsa-needed
libzypp ignored
radare, gpac, leptonlib no-dsa
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1029,14 +1029,20 @@ CVE-2018-8811 (Cross-site request forgery (CSRF)
vulnerability in ...)
NOT-FOR-US: OpenCMS
CVE-2018-8810 (In radare2 2.4.0, there is a heap-based buffer over-read in the
...)
- radare2 <unfixed>
+ [stretch] - radare2 <no-dsa> (Minor issue)
+ [jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <not-affected> (vulnerable code not present)
NOTE: https://github.com/radare/radare2/issues/9727
CVE-2018-8809 (In radare2 2.4.0, there is a heap-based buffer over-read in the
...)
- - radare2 <unfixed>
+ - radare2 <unfixed> (low)
+ [stretch] - radare2 <no-dsa> (Minor issue)
+ [jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (minor issue, likely not even affected)
NOTE: https://github.com/radare/radare2/issues/9726
CVE-2018-8808 (In radare2 2.4.0, there is a heap-based buffer over-read in the
...)
- - radare2 <unfixed>
+ - radare2 <unfixed> (low)
+ [stretch] - radare2 <no-dsa> (Minor issue)
+ [jessie] - radare2 <no-dsa> (Minor issue)
[wheezy] - radare2 <no-dsa> (minor issue, likely not even affected)
NOTE: https://github.com/radare/radare2/issues/9725
CVE-2018-8807 (In libming 0.4.8, these is a use-after-free in the function ...)
@@ -3575,6 +3581,8 @@ CVE-2018-7719 (Acrolinx Server before 5.2.5 on Windows
allows Directory Traversa
NOT-FOR-US: Acrolinx Server
CVE-2018-7752 (GPAC through 0.7.1 has a Buffer Overflow in the
gf_media_avc_read_sps ...)
- gpac <unfixed> (bug #892526)
+ [stretch] - gpac <no-dsa> (Minor issue)
+ [jessie] - gpac <no-dsa> (Minor issue)
[wheezy] - gpac <not-affected> (vulnerable code not present)
NOTE: https://github.com/gpac/gpac/issues/997
NOTE:
https://github.com/gpac/gpac/commit/90dc7f853d31b0a4e9441cba97feccf36d8b69a4
@@ -5470,7 +5478,9 @@ CVE-2017-18190 (A localhost.localdomain whitelist entry
in valid_host() in ...)
NOTE:
https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41
(v2.2.2)
CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters
in a %s ...)
{DLA-1302-1}
- - leptonlib 1.75.3-2 (bug #890548)
+ - leptonlib 1.75.3-2 (low; bug #890548)
+ [stretch] - leptonlib <no-dsa> (Minor issue)
+ [jessie] - leptonlib <no-dsa> (Minor issue)
NOTE:
https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a
CVE-2018-7180 (SQL Injection exists in the Saxum Astro 4.0.14 component for
Joomla! ...)
NOT-FOR-US: Saxum Astro component for Joomla!
@@ -7368,9 +7378,9 @@ CVE-2018-6510
CVE-2018-6509
RESERVED
CVE-2018-6508 (Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to
a ...)
- - puppet-module-puppetlabs-apt <unfixed>
- - puppet-module-puppetlabs-apache <unfixed>
- - puppet-module-puppetlabs-mysql <unfixed>
+ - puppet-module-puppetlabs-apt <unfixed> (unimportant)
+ - puppet-module-puppetlabs-apache <unfixed> (unimportant)
+ - puppet-module-puppetlabs-mysql <unfixed> (unimportant)
NOTE: https://puppet.com/security/cve/CVE-2018-6508
NOTE: Issue in various puppet modules: facter_task, puppet_conf, apt,
apache and mysql modules
NOTE:
https://github.com/puppetlabs/puppetlabs-facter_task/commit/dd37c72e78c8a37e671e20becb05d6ceafdbd81c
@@ -7378,6 +7388,7 @@ CVE-2018-6508 (Puppet Enterprise 2017.3.x prior to
2017.3.3 are vulnerable to a
NOTE:
https://github.com/puppetlabs/puppetlabs-apt/commit/81879be960d5723016e3d0b4ff155ee704261bbc
NOTE:
https://github.com/puppetlabs/puppetlabs-apache/commit/81bc5119ceced1faa4bf261efa4b7cd3731ef3ef
NOTE:
https://github.com/puppetlabs/puppetlabs-mysql/commit/da3684c79d5fe6ece826e087e8693c75ac40414c
+ NOTE: This is only exploitable with Puppet Tasks, which aren't
packaged/available in Debian
CVE-2018-6507
RESERVED
CVE-2018-6506 (Cross-Site Scripting (XSS) exists in the Add Forum feature in
the ...)
@@ -14096,12 +14107,16 @@ CVE-2018-3837
RESERVED
CVE-2018-7442 (An issue was discovered in Leptonica through 1.75.3. The ...)
- leptonlib <unfixed>
+ [stretch] - leptonlib <no-dsa> (Minor issue)
+ [jessie] - leptonlib <no-dsa> (Minor issue)
NOTE: https://lists.debian.org/debian-lts/2018/02/msg00086.html
CVE-2018-7441 (Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which
might ...)
- - leptonlib <unfixed>
+ - leptonlib <unfixed> (unimportant)
NOTE: https://lists.debian.org/debian-lts/2018/02/msg00054.html
+ NOTE: Neutralised by kernel hardening
CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing
duplicated ...)
- - leptonlib 1.74.4-2 (bug #885704)
+ - leptonlib 1.74.4-2 (low; bug #885704)
+ [stretch] - leptonlib <no-dsa> (Minor issue)
[jessie] - leptonlib <not-affected> (Vulnerable code not present)
[wheezy] - leptonlib <not-affected> (Vulnerable code not present)
CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The ...)
@@ -14115,6 +14130,8 @@ CVE-2018-3836 [gplotMakeOutput Command Injection
Vulnerability]
RESERVED
{DLA-1284-1}
- leptonlib 1.75.3-1 (bug #889759)
+ [stretch] - leptonlib <no-dsa> (Minor issue)
+ [jessie] - leptonlib <no-dsa> (Minor issue)
NOTE:
https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516
NOTE: https://github.com/DanBloomberg/leptonica/issues/303
NOTE: When fixing this issue make sure the fix is complete and includes
as well
@@ -48538,6 +48555,7 @@ CVE-2017-9270 (In cryptctl before version 2.0 a
malicious server could send RPC
NOT-FOR-US: SuSE cryptctl
CVE-2017-9269 (In libzypp before August 2018 GPG keys attached to YUM
repositories ...)
- libzypp <unfixed>
+ [jessie] - libzypp <ignored> (Minor issue)
CVE-2017-9268 (In the open build service before 201707022 the wipetrigger and
rebuild ...)
- open-build-service <unfixed> (low)
[stretch] - open-build-service <no-dsa> (Minor issue)
@@ -54539,8 +54557,10 @@ CVE-2017-7437 (NetIQ Privileged Account Manager before
3.1 Patch Update 3 allowe
NOT-FOR-US: NetIQ Privileged Account Manager
CVE-2017-7436 (In libzypp before 20170803 it was possible to retrieve unsigned
...)
- libzypp <unfixed>
+ [jessie] - libzypp <ignored> (Minor issue)
CVE-2017-7435 (In libzypp before 20170803 it was possible to add unsigned YUM
...)
- libzypp <unfixed>
+ [jessie] - libzypp <ignored> (Minor issue)
CVE-2017-7434 (In the JDBC driver of NetIQ Identity Manager before 4.6 sending
out ...)
NOT-FOR-US: NetIQ Identity Manager
CVE-2017-7433 (An absolute path traversal vulnerability (CWE-36) in Micro
Focus Vibe ...)
=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -41,6 +41,8 @@ libav/oldstable
--
libidn
--
+libslf4j-java
+--
libmad
--
linux
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3567c990ffdf55a77d5f27b01ab1dee266ece832
---
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3567c990ffdf55a77d5f27b01ab1dee266ece832
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
