author Moritz Muehlenhoff <jmm@debian.org> 2019-03-20 22:43:12 +0100
committer Moritz Muehlenhoff <jmm@debian.org> 2019-03-20 22:43:12 +0100
commit 4001123072286f4123a6f30005d3b9bd451a49c6
tree 58a19d5bb1516d0f64506cd2e616c27fef7cd2bf /data/CVE
parent b3abf69543ae035dd5a4da42e5e2d5b5fd091b83
stretch triage
Diffstat (limited to 'data/CVE')
-rw-r--r-- data/CVE/2009.list 1
-rw-r--r-- data/CVE/2018.list 8
-rw-r--r-- data/CVE/2019.list 64
3 files changed, 52 insertions, 21 deletions
diff --git a/data/CVE/2009.list b/data/CVE/2009.list
index f4813ad620..45c1c06bfc 100644
--- a/data/CVE/2009.list
+++ b/data/CVE/2009.list
@@ -1,6 +1,7 @@
CVE-2009-5155 (In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp i ...)
[experimental] - gnulib 20180621~6979c25-1
- gnulib 20140202+stable-3.2 (bug #924613)
+ [stretch] - gnulib <no-dsa> (Minor issue)
- glibc 2.28-1
[stretch] - glibc <no-dsa> (Minor issue)
[jessie] - glibc <no-dsa> (Minor issue)
diff --git a/data/CVE/2018.list b/data/CVE/2018.list
index 7867d70f66..c9d72b98d1 100644
--- a/data/CVE/2018.list
+++ b/data/CVE/2018.list
@@ -15,7 +15,8 @@ CVE-2018-20808 (An XSS issue has been found with rd.cgi in Pulse Secure Pulse Co
CVE-2018-20807 (An XSS issue has been found in welcome.cgi in Pulse Secure Pulse Conne ...)
NOT-FOR-US: Pulse Secure Pulse Connect Secure
CVE-2018-20806 (Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the ...)
- - phamm <unfixed> (bug #924731)
+ - phamm <unfixed> (low; bug #924731)
+ [stretch] - phamm <no-dsa> (Minor issue)
NOTE: https://github.com/lota/phamm/issues/24
CVE-2018-20805
RESERVED
@@ -29,6 +30,7 @@ CVE-2018-20801 (In js/parts/SvgRenderer.js in Highcharts JS before 6.1.0, the us
NOT-FOR-US: Highcharts JS
CVE-2018-20800 (An issue was discovered in Open Ticket Request System (OTRS) 5.0.31 an ...)
- otrs2 6.0.14-1
+ [stretch] - otrs2 <no-dsa> (Non-free not supported)
[jessie] - otrs2 <not-affected> (Vulnerable code not present)
NOTE: https://community.otrs.com/security-advisory-2018-10-security-update-for-otrs-framework/
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/8d17d58029efbb0bba25c4208e09e2d320eeb0c3
@@ -2947,7 +2949,7 @@ CVE-2018-19873 (An issue was discovered in Qt before 5.11.3. QBmpHandler has a b
NOTE: https://github.com/qt/qtbase/commit/621ab8ab59901cc3f9bd98be709929c9eac997a8
CVE-2018-19872 (An issue was discovered in Qt 5.11. A malformed PPM image causes a div ...)
- qtbase-opensource-src 5.11.2+dfsg-3 (low)
- [stretch] - qtimageformats-opensource-src <no-dsa> (Minor issue)
+ [stretch] - qtbase-opensource-src <no-dsa> (Minor issue)
NOTE: https://bugreports.qt.io/browse/QTBUG-69449
TODO: check if affects qt4-x11 as well
CVE-2018-19871 (An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontr ...)
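Review bot: the replaced stretch line for CVE-2018-19872 is a package-name correction, not new triage, and the commit message "stretch triage" does not say so. The old line named qtimageformats-opensource-src while the unstable entry directly above tracks qtbase-opensource-src, so anyone who relied on the earlier stretch status for qtbase was looking at the wrong package; a short mention of the correction in the commit message would make that traceable. The `TODO: check if affects qt4-x11 as well` line is also still open after this pass, so the stretch assessment for this CVE is not complete until that is answered.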
@@ -4923,6 +4925,7 @@ CVE-2018-19121 (An issue has been found in libIEC61850 v1.3. It is a SEGV in Eth
CVE-2018-19141 (Open Ticket Request System (OTRS) 4.0.x before 4.0.33 and 5.0.x before ...)
{DLA-1592-1}
- otrs2 6.0.1-1
+ [stretch] - otrs2 <no-dsa> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2018-09-security-update-for-otrs-framework/
NOTE: Only the 4.x and 5.x series are affected (and possibly earlier versions).
NOTE: Add workaround and mark first 6.x version as fixing version
@@ -4934,6 +4937,7 @@ CVE-2018-19142 (Open Ticket Request System (OTRS) 6.0.x before 6.0.13 allows an
CVE-2018-19143 (Open Ticket Request System (OTRS) 4.0.x before 4.0.33, 5.0.x before 5. ...)
{DLA-1592-1}
- otrs2 6.0.13-1
+ [stretch] - otrs2 <no-dsa> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2018-07-security-update-for-otrs-framework/
CVE-2018-19120 (The HTML thumbnailer plugin in KDE Applications before 18.12.0 allows ...)
- kio-extras 4:18.08.3-1 (bug #913595)
diff --git a/data/CVE/2019.list b/data/CVE/2019.list
index 0de808c729..c98ae33fff 100644
--- a/data/CVE/2019.list
+++ b/data/CVE/2019.list
@@ -983,11 +983,13 @@ CVE-2019-9753
CVE-2019-9752 (An issue was discovered in Open Ticket Request System (OTRS) 5.x befor ...)
{DLA-1721-1}
- otrs2 6.0.16-1
+ [stretch] - otrs2 <no-dsa> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2019-01-security-update-for-otrs-framework/
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/341c4096222819a108feb02256aba878943bf810
NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/d4e3dfbaa054762b29df54705aa412685dd37e15
CVE-2019-9751 (An issue was discovered in Open Ticket Request System (OTRS) 6.x befor ...)
- otrs2 6.0.17-1
+ [stretch] - otrs2 <no-dsa> (Non-free not supported)
[jessie] - otrs2 <not-affected> (Vulnerable code not present)
NOTE: https://community.otrs.com/security-advisory-2019-02-security-update-for-otrs-framework
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/1afb2b995e59551b927c2105e234e8b87efcc37a
@@ -1014,7 +1016,9 @@ CVE-2019-9741 (An issue was discovered in net/http in Go 1.11.5. CRLF injection
- golang-1.12 1.12-1
- golang-1.11 1.11.6-1 (bug #924630)
- golang-1.8 <removed>
+ [stretch] - golang-1.8 <postponed> (Minor issue, can be fixed along in future DSA)
- golang-1.7 <removed>
+ [stretch] - golang-1.7 <postponed> (Minor issue, can be fixed along in future DSA)
- golang <removed>
NOTE: https://github.com/golang/go/issues/30794
NOTE: https://github.com/golang/go/commit/829c5df58694b3345cb5ea41206783c8ccf5c3ca#diff-b97af51863ce82bf2a13003b52034aa9
@@ -1068,13 +1072,15 @@ CVE-2019-9722
RESERVED
CVE-2019-9721 (A denial of service in the subtitle decoder in FFmpeg 4.1 allows attac ...)
- ffmpeg <unfixed>
+ [stretch] - ffmpeg <not-affected> (Vulnerable code not present)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc4838dedc3932e65
CVE-2019-9720
RESERVED
CVE-2019-9719
RESERVED
CVE-2019-9718 (In FFmpeg 4.1, a denial of service in the subtitle decoder allows atta ...)
- - ffmpeg <unfixed>
+ - ffmpeg <unfixed> (low)
+ [stretch] - ffmpeg <postponed> (Wait until fixed in 3.2.x release)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1f00c97bc3475c477f3c468cf2d924d5761d0982
CVE-2019-9717
RESERVED
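Review bot: the `[stretch] - ffmpeg <not-affected> (Vulnerable code not present)` line for CVE-2019-9721 has no NOTE saying which change introduced the vulnerable code, which makes it hard to verify against CVE-2019-9718 a few lines further down. Both descriptions read as a denial of service in the subtitle decoder of FFmpeg 4.1, yet one is marked not-affected and the other is treated as affecting stretch and postponed until a 3.2.x release. A NOTE naming the introducing commit or version for CVE-2019-9721 would let the next person confirm the distinction. Both `<unfixed>` ffmpeg lines also lack a bug reference, unlike the libpodofo, libofx and libmatio entries in this same commit.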
@@ -1144,6 +1150,7 @@ CVE-2019-9688 (sftnow through 2018-12-29 allows index.php?g=Admin&amp;m=User&amp
NOT-FOR-US: sftnow
CVE-2019-9687 (PoDoFo 0.9.6 has a heap-based buffer overflow in PdfString::ConvertUTF ...)
- libpodofo <unfixed> (bug #924430)
+ [stretch] - libpodofo <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/podofo/code/1969
CVE-2019-9686 (pacman before 5.1.3 allows directory traversal when installing a remot ...)
NOT-FOR-US: pacman package manager for arch, different from src:pacman
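Review bot: CVE-2019-9687 is described as a heap-based buffer overflow in PdfString::ConvertUTF ..., and the added stretch line tags it `<no-dsa> (Minor issue)` without any rationale. Elsewhere in this commit a no-dsa line usually comes with `low` being added to the unstable line (phamm, libu2f-host, libmatio, liblivemedia, rdflib), but here `- libpodofo <unfixed> (bug #924430)` keeps no urgency. Either add the urgency for consistency or add a NOTE explaining why a heap overflow is considered minor for this package.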
@@ -1214,8 +1221,9 @@ CVE-2019-9658 (Checkstyle before 8.18 loads external DTDs by default. ...)
CVE-2019-9657
RESERVED
CVE-2019-9656 (An issue was discovered in LibOFX 0.9.14. There is a NULL pointer dere ...)
- - libofx <unfixed> (bug #924350)
+ - libofx <unfixed> (unimportant; bug #924350)
NOTE: https://github.com/libofx/libofx/issues/22
+ NOTE: Negligible security impact
CVE-2019-9655
RESERVED
CVE-2019-9654
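Review bot: the added `NOTE: Negligible security impact` for CVE-2019-9656 states the conclusion but not the reason for downgrading the libofx entry to `unimportant`. The description only says there is a NULL pointer dereference in LibOFX 0.9.14; a one-line justification in the NOTE (what limits the impact) would let the tag be re-checked if the upstream issue at libofx/libofx/issues/22 turns out to be more than a crash.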
@@ -1324,6 +1332,7 @@ CVE-2019-9638 (An issue was discovered in the EXIF component in PHP before 7.1.2
CVE-2019-9633 (gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent ...)
[experimental] - glib2.0 2.59.2-1
- glib2.0 <unfixed> (bug #924344)
+ [stretch] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/issues/1649
NOTE: https://gitlab.gnome.org/GNOME/glib/commit/d553d92d6e9f53cbe5a34166fcb919ba652c6a8e (2.59.2)
CVE-2019-9632 (ESAFENET CDG V3 and V5 has an arbitrary file download vulnerability vi ...)
@@ -1447,7 +1456,8 @@ CVE-2019-9580 (In st2web in StackStorm Web UI before 2.9.3 and 2.10.x before 2.1
CVE-2019-9579
RESERVED
CVE-2019-9578 (In devs.c in Yubico libu2f-host before 1.1.8, the response to init is ...)
- - libu2f-host 1.1.9-1 (bug #923874)
+ - libu2f-host 1.1.9-1 (low; bug #923874)
+ [stretch] - libu2f-host <no-dsa> (Minor issue)
NOTE: https://github.com/Yubico/libu2f-host/commit/e4bb58cc8b6202a421e65f8230217d8ae6e16eb5
CVE-2019-9577
RESERVED
@@ -2709,69 +2719,82 @@ CVE-2019-9040 (S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user v
CVE-2019-9039
RESERVED
CVE-2019-9038 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9037 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9036 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
NOTE: Not completely fixed with the initial two commits, cf.
NOTE: https://github.com/tbeu/matio/issues/103#issuecomment-472020538 ff
CVE-2019-9035 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9034 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9033 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9032 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9031 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9030 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9029 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9028 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9027 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9026 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
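Review bot: CVE-2019-9036 gets the same `(low; ...)` and `[stretch] - libmatio <no-dsa> (Minor issue)` treatment as the other twelve libmatio entries in this hunk, although its existing NOTE says it is "Not completely fixed with the initial two commits". If the remaining part was looked at during triage, say so in a NOTE; otherwise the identical tagging suggests all thirteen were assessed on the same two upstream commits, which this entry's own NOTE says are not sufficient.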
@@ -5504,10 +5527,12 @@ CVE-2019-7735
CVE-2019-7734
RESERVED
CVE-2019-7733 (In Live555 0.95, there is a buffer overflow via a large integer in a C ...)
- - liblivemedia <unfixed>
+ - liblivemedia <unfixed> (low)
+ [stretch] - liblivemedia <no-dsa> (Minor issue)
NOTE: https://github.com/rgaufman/live555/issues/21
CVE-2019-7732 (In Live555 0.95, a setup packet can cause a memory leak leading to DoS ...)
- - liblivemedia <unfixed>
+ - liblivemedia <unfixed> (low)
+ [stretch] - liblivemedia <no-dsa> (Minor issue)
NOTE: https://github.com/rgaufman/live555/issues/20
CVE-2019-7731 (MyWebSQL 3.7 has a remote code execution (RCE) vulnerability after an ...)
NOT-FOR-US: MyWebSQL
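Review bot: CVE-2019-7733 is a buffer overflow via a large integer and CVE-2019-7732 a memory leak leading to DoS, but both liblivemedia entries receive the identical `(low)` plus `<no-dsa> (Minor issue)` tagging with no NOTE distinguishing them. A short rationale on the CVE-2019-7733 entry for why the overflow is considered minor would help. Both `- liblivemedia <unfixed>` lines also still lack a bug reference, so nothing links the unfixed status in unstable to a tracked report.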
@@ -5703,7 +5728,8 @@ CVE-2019-7650
RESERVED
CVE-2019-7653 (The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CL ...)
{DLA-1717-1}
- - rdflib 4.2.2-2 (bug #921751)
+ - rdflib 4.2.2-2 (low; bug #921751)
+ [stretch] - rdflib <no-dsa> (Minor issue)
NOTE: Debian specific issue as respective scripts are overwritten in Debian
NOTE: packaging as wrappers invoking python -m.
CVE-2019-7649 (global.encryptPassword in bootstrap/global.js in CMSWing 1.3.7 relies ...)
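Review bot: CVE-2019-7653 carries `{DLA-1717-1}`, meaning an LTS advisory was issued for it, while the added stretch line is `<no-dsa> (Minor issue)` with nothing recording whether a fix is planned for stretch by another route. Since the existing NOTE says the issue is Debian specific (the scripts are overwritten in Debian packaging as wrappers invoking python -m), no upstream release will carry the fix to stretch; a NOTE on the intended path would keep the entry from being left at no-dsa indefinitely.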
