stretch/buster triage

5 files changed, 45 insertions, 7 deletions

diff --git a/data/CVE/2008.list b/data/CVE/2008.list
index 491381c1b1..f12b9fe439 100644
--- a/data/CVE/2008.list
+++ b/data/CVE/2008.list
@@ -8329,8 +8329,7 @@ CVE-2008-4440 (The to-upgrade plugin in feta 1.4.16 allows local users to overwr
 	{DSA-1643-1}
 	- feta 1.4.16+nmu1 (low; bug #496397)
 CVE-2008-4977
-	- postfix <unfixed> (unimportant; bug #496401)
-	NOTE: Not enabled by default, needs manual modification of a script
+	NOTE: Historic Postfix non issue, #496401
 CVE-2008-4944 (writtercontrol in cdcontrol 1.90 allows local users to overwrite arbit ...)
 	- cdcontrol <removed> (low; bug #496438)
 	[etch] - cdcontrol <no-dsa> (Minor issue)
diff --git a/data/CVE/2017.list b/data/CVE/2017.list
index eb2a43ad11..ebe98a2429 100644
--- a/data/CVE/2017.list
+++ b/data/CVE/2017.list
@@ -1,8 +1,9 @@
 CVE-2017-18594 (nse_libssh2.cc in Nmap 7.70 is subject to a denial of service conditio ...)
-	- nmap 7.80+dfsg1-1
+	- nmap 7.80+dfsg1-1 (unimportant)
 	NOTE: https://github.com/nmap/nmap/commit/350bbe0597d37ad67abe5fef8fba984707b4e9ad
 	NOTE: https://github.com/nmap/nmap/issues/1077
 	NOTE: https://github.com/nmap/nmap/issues/1227
+	NOTE: Crash in CLI tool, no security impact
 CVE-2017-18593 (The updraftplus plugin before 1.13.5 for WordPress has XSS in rare cas ...)
 	NOT-FOR-US: updraftplus plugin for WordPress
 CVE-2017-18592 (The woocommerce-catalog-enquiry plugin before 3.1.0 for WordPress has  ...)
diff --git a/data/CVE/2018.list b/data/CVE/2018.list
index 7a1f344d16..b5cb8306fc 100644
--- a/data/CVE/2018.list
+++ b/data/CVE/2018.list
@@ -354,7 +354,9 @@ CVE-2018-20848 (Advisto PEEL SHOPPING 9.0.0 has CSRF via en/achat/caddie_ajout.p
 	NOT-FOR-US: Advisto PEEL SHOPPING
 CVE-2018-20847 (An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the functi ...)
 	{DLA-1851-1}
-	- openjpeg2 <unfixed> (bug #931294)
+	- openjpeg2 <unfixed> (low; bug #931294)
+	[buster] - openjpeg2 <no-dsa> (Minor issue)
+	[stretch] - openjpeg2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949
 	NOTE: https://github.com/uclouvain/openjpeg/issues/431
 	NOTE: https://github.com/uclouvain/openjpeg/commit/c58df149900df862806d0e892859b41115875845
diff --git a/data/CVE/2019.list b/data/CVE/2019.list
index 27ae3478f8..fa9f34c4de 100644
--- a/data/CVE/2019.list
+++ b/data/CVE/2019.list
@@ -419,6 +419,7 @@ CVE-2019-15718 [Missing access controls on systemd-resolved's D-Bus interface]
 	NOTE: https://github.com/systemd/systemd/commit/35e528018f315798d3bffcb592b32a0d8f5162bd
 CVE-2019-15717 (Irssi 1.2.x before 1.2.2 has a use-after-free if the IRC server sends  ...)
 	- irssi <unfixed> (bug #936074)
+	[buster] - irssi <no-dsa> (Minor issue)
 	[stretch] - irssi <not-affected> (Vulnerable code not present)
 	[jessie] - irssi <not-affected> (Vulnerable code not present)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/08/29/3
@@ -1602,6 +1603,8 @@ CVE-2019-15152
 	RESERVED
 CVE-2019-15151 (AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h. ...)
 	- adplug <unfixed>
+	[buster] - adplug <no-dsa> (Minor issue)
+	[stretch] - adplug <no-dsa> (Minor issue)
 	NOTE: https://github.com/adplug/adplug/issues/91
 CVE-2019-15150 (In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulner ...)
 	NOT-FOR-US: OAuth2 Client MediaWiki extension
@@ -2588,12 +2591,18 @@ CVE-2019-14735
 	RESERVED
 CVE-2019-14734 (AdPlug 2.3.1 has multiple heap-based buffer overflows in CmtkLoader::l ...)
 	- adplug <unfixed>
+	[buster] - adplug <no-dsa> (Minor issue)
+	[stretch] - adplug <no-dsa> (Minor issue)
 	NOTE: https://github.com/adplug/adplug/issues/90
 CVE-2019-14733 (AdPlug 2.3.1 has multiple heap-based buffer overflows in CradLoader::l ...)
 	- adplug <unfixed>
+	[buster] - adplug <no-dsa> (Minor issue)
+	[stretch] - adplug <no-dsa> (Minor issue)
 	NOTE: https://github.com/adplug/adplug/issues/89
 CVE-2019-14732 (AdPlug 2.3.1 has multiple heap-based buffer overflows in Ca2mLoader::l ...)
 	- adplug <unfixed>
+	[buster] - adplug <no-dsa> (Minor issue)
+	[stretch] - adplug <no-dsa> (Minor issue)
 	NOTE: https://github.com/adplug/adplug/issues/88
 CVE-2019-14731 (An issue was discovered in ZenTao 11.5.1. There is an XSS (stored) vul ...)
 	NOT-FOR-US: ZenTao CMS
@@ -2673,12 +2682,18 @@ CVE-2019-14693 (Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML Ex
 	NOT-FOR-US: Zoho ManageEngine AssetExplorer
 CVE-2019-14692 (AdPlug 2.3.1 has a heap-based buffer overflow in CmkjPlayer::load() in ...)
 	- adplug <unfixed>
+	[buster] - adplug <no-dsa> (Minor issue)
+	[stretch] - adplug <no-dsa> (Minor issue)
 	NOTE: https://github.com/adplug/adplug/issues/87
 CVE-2019-14691 (AdPlug 2.3.1 has a heap-based buffer overflow in CdtmLoader::load() in ...)
 	- adplug <unfixed>
+	[buster] - adplug <no-dsa> (Minor issue)
+	[stretch] - adplug <no-dsa> (Minor issue)
 	NOTE: https://github.com/adplug/adplug/issues/86
 CVE-2019-14690 (AdPlug 2.3.1 has a heap-based buffer overflow in CxadbmfPlayer::__bmf_ ...)
 	- adplug <unfixed>
+	[buster] - adplug <no-dsa> (Minor issue)
+	[stretch] - adplug <no-dsa> (Minor issue)
 	NOTE: https://github.com/adplug/adplug/issues/85
 CVE-2019-14697 (musl libc through 1.1.23 has an x87 floating-point stack adjustment im ...)
 	- musl 1.1.23-2
@@ -3123,11 +3138,15 @@ CVE-2019-14498 (A divide-by-zero error exists in the Control function of demux/c
 	NOTE: https://www.videolan.org/security/sb-vlc308.html
 CVE-2019-14497 (ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTr ...)
 	- milkytracker <unfixed> (bug #933964)
+	[buster] - milkytracker <no-dsa> (Minor issue)
+	[stretch] - milkytracker <no-dsa> (Minor issue)
 	[jessie] - milkytracker <no-dsa> (Minor issue)
 	NOTE: https://github.com/milkytracker/MilkyTracker/issues/182
 	NOTE: https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7
 CVE-2019-14496 (LoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker 1.02.00 ha ...)
 	- milkytracker <unfixed> (bug #933964)
+	[buster] - milkytracker <no-dsa> (Minor issue)
+	[stretch] - milkytracker <no-dsa> (Minor issue)
 	[jessie] - milkytracker <no-dsa> (Minor issue)
 	NOTE: https://github.com/milkytracker/MilkyTracker/issues/183
 	NOTE: https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7
@@ -3220,6 +3239,8 @@ CVE-2019-14465 (fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has a
 	NOTE: https://github.com/schismtracker/schismtracker/commit/b78e8d32883f8a865035436af4fa6d541b6ebb42
 CVE-2019-14464 (XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00 has a  ...)
 	- milkytracker <unfixed> (bug #933964)
+	[buster] - milkytracker <no-dsa> (Minor issue)
+	[stretch] - milkytracker <no-dsa> (Minor issue)
 	[jessie] - milkytracker <no-dsa> (Minor issue)
 	NOTE: https://github.com/milkytracker/MilkyTracker/issues/184
 	NOTE: https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34
@@ -3241,6 +3262,8 @@ CVE-2019-14460
 	RESERVED
 CVE-2019-14459 (nfdump 1.6.17 and earlier is affected by an integer overflow in the fu ...)
 	- nfdump 1.6.18-1 (bug #933740)
+	[buster] - nfdump <no-dsa> (Minor issue)
+	[stretch] - nfdump <no-dsa> (Minor issue)
 	NOTE: https://github.com/phaag/nfdump/issues/171
 	NOTE: https://github.com/phaag/nfdump/commit/3b006ededaf351f1723aea6c727c9edd1b1fff9b
 CVE-2019-14458
@@ -3446,6 +3469,7 @@ CVE-2019-14378 (ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer
 	- qemu 1:4.1-1 (bug #933741)
 	- qemu-kvm <removed>
 	- slirp4netns 0.3.2-1 (bug #933742)
+	[buster] - slirp4netns <no-dsa> (Fill be fixed via 10.1 point release)
 	NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04acbabd7ad32c2b018fe10dfac2a3bc1210
 CVE-2019-14377
 	RESERVED
@@ -8368,7 +8392,9 @@ CVE-2019-12404
 CVE-2019-12403
 	RESERVED
 CVE-2019-12402 (The file name encoding algorithm used internally in Apache Commons Com ...)
-	- libcommons-compress-java <unfixed>
+	- libcommons-compress-java <unfixed> (low)
+	[buster] - libcommons-compress-java <no-dsa> (Minor issue)
+	[stretch] - libcommons-compress-java <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/08/27/1
 CVE-2019-12401
 	RESERVED
@@ -9210,12 +9236,17 @@ CVE-2019-12069
 	RESERVED
 CVE-2019-12068 [scsi: lsi: exit infinite loop while executing script]
 	RESERVED
-	- qemu <unfixed>
+	- qemu <unfixed> (low)
+	[buster] - qemu <postponed> (Minor issue, can be fixed along in future update)
+	[stretch] - qemu <postponed> (Minor issue, can be fixed along in future update)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01518.html
+	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08
 CVE-2019-12067 [ide: ahci: add check to avoid null dereference]
 	RESERVED
-	- qemu <unfixed>
+	- qemu <unfixed> (low)
+	[buster] - qemu <postponed> (Minor issue, can be fixed along in future update)
+	[stretch] - qemu <postponed> (Minor issue, can be fixed along in future update)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01358.html
 CVE-2019-12066
@@ -15915,6 +15946,7 @@ CVE-2019-9824 (tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.
 	- qemu 1:3.1+dfsg-6
 	- qemu-kvm <removed>
 	- slirp4netns 0.3.1-1
+	[buster] - slirp4netns <no-dsa> (Fill be fixed via 10.1 point release)
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg01871.html
 	NOTE: https://www.openwall.com/lists/oss-security/2019/03/18/1
 	NOTE: https://github.com/qemu/qemu/commit/d3222975c7d6cda9e25809dea05241188457b113
diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt
index b3ea1a3cde..8f6af79762 100644
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -18,6 +18,10 @@ If needed, specify the release by adding a slash after the name of the source pa
 apache2
   Possible regression: #936034, sf will look into it
 --
+chromium
+--
+docker.io (jmm)
+--
 evince/oldstable
 --
 exim4 (carnil)