diff options
author | Moritz Muehlenhoff <jmm@debian.org> | 2019-09-04 21:28:50 +0200 |
---|---|---|
committer | Moritz Muehlenhoff <jmm@debian.org> | 2019-09-04 21:28:50 +0200 |
commit | c359ac5aafa8b8e47ee8921554dcfef7d0904037 (patch) | |
tree | ce90e921241ef5456ca05d8eb8d8379618a7b464 /data | |
parent | ab380ad9c4694931ae901c87c5772a530388d59a (diff) |
stretch/buster triage
Diffstat (limited to 'data')
-rw-r--r-- | data/CVE/2008.list | 3 | ||||
-rw-r--r-- | data/CVE/2017.list | 3 | ||||
-rw-r--r-- | data/CVE/2018.list | 4 | ||||
-rw-r--r-- | data/CVE/2019.list | 38 | ||||
-rw-r--r-- | data/dsa-needed.txt | 4 |
5 files changed, 45 insertions, 7 deletions
diff --git a/data/CVE/2008.list b/data/CVE/2008.list index 491381c1b1..f12b9fe439 100644 --- a/data/CVE/2008.list +++ b/data/CVE/2008.list @@ -8329,8 +8329,7 @@ CVE-2008-4440 (The to-upgrade plugin in feta 1.4.16 allows local users to overwr {DSA-1643-1} - feta 1.4.16+nmu1 (low; bug #496397) CVE-2008-4977 - - postfix <unfixed> (unimportant; bug #496401) - NOTE: Not enabled by default, needs manual modification of a script + NOTE: Historic Postfix non issue, #496401 CVE-2008-4944 (writtercontrol in cdcontrol 1.90 allows local users to overwrite arbit ...) - cdcontrol <removed> (low; bug #496438) [etch] - cdcontrol <no-dsa> (Minor issue) diff --git a/data/CVE/2017.list b/data/CVE/2017.list index eb2a43ad11..ebe98a2429 100644 --- a/data/CVE/2017.list +++ b/data/CVE/2017.list @@ -1,8 +1,9 @@ CVE-2017-18594 (nse_libssh2.cc in Nmap 7.70 is subject to a denial of service conditio ...) - - nmap 7.80+dfsg1-1 + - nmap 7.80+dfsg1-1 (unimportant) NOTE: https://github.com/nmap/nmap/commit/350bbe0597d37ad67abe5fef8fba984707b4e9ad NOTE: https://github.com/nmap/nmap/issues/1077 NOTE: https://github.com/nmap/nmap/issues/1227 + NOTE: Crash in CLI tool, no security impact CVE-2017-18593 (The updraftplus plugin before 1.13.5 for WordPress has XSS in rare cas ...) NOT-FOR-US: updraftplus plugin for WordPress CVE-2017-18592 (The woocommerce-catalog-enquiry plugin before 3.1.0 for WordPress has ...) diff --git a/data/CVE/2018.list b/data/CVE/2018.list index 7a1f344d16..b5cb8306fc 100644 --- a/data/CVE/2018.list +++ b/data/CVE/2018.list @@ -354,7 +354,9 @@ CVE-2018-20848 (Advisto PEEL SHOPPING 9.0.0 has CSRF via en/achat/caddie_ajout.p NOT-FOR-US: Advisto PEEL SHOPPING CVE-2018-20847 (An improper computation of p_tx0, p_tx1, p_ty0 and p_ty1 in the functi ...) {DLA-1851-1} - - openjpeg2 <unfixed> (bug #931294) + - openjpeg2 <unfixed> (low; bug #931294) + [buster] - openjpeg2 <no-dsa> (Minor issue) + [stretch] - openjpeg2 <no-dsa> (Minor issue) NOTE: https://github.com/uclouvain/openjpeg/commit/5d00b719f4b93b1445e6fb4c766b9a9883c57949 NOTE: https://github.com/uclouvain/openjpeg/issues/431 NOTE: https://github.com/uclouvain/openjpeg/commit/c58df149900df862806d0e892859b41115875845 diff --git a/data/CVE/2019.list b/data/CVE/2019.list index 27ae3478f8..fa9f34c4de 100644 --- a/data/CVE/2019.list +++ b/data/CVE/2019.list @@ -419,6 +419,7 @@ CVE-2019-15718 [Missing access controls on systemd-resolved's D-Bus interface] NOTE: https://github.com/systemd/systemd/commit/35e528018f315798d3bffcb592b32a0d8f5162bd CVE-2019-15717 (Irssi 1.2.x before 1.2.2 has a use-after-free if the IRC server sends ...) - irssi <unfixed> (bug #936074) + [buster] - irssi <no-dsa> (Minor issue) [stretch] - irssi <not-affected> (Vulnerable code not present) [jessie] - irssi <not-affected> (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2019/08/29/3 @@ -1602,6 +1603,8 @@ CVE-2019-15152 RESERVED CVE-2019-15151 (AdPlug 2.3.1 has a double free in the Cu6mPlayer class in u6m.h. ...) - adplug <unfixed> + [buster] - adplug <no-dsa> (Minor issue) + [stretch] - adplug <no-dsa> (Minor issue) NOTE: https://github.com/adplug/adplug/issues/91 CVE-2019-15150 (In the OAuth2 Client extension before 0.4 for MediaWiki, a CSRF vulner ...) NOT-FOR-US: OAuth2 Client MediaWiki extension @@ -2588,12 +2591,18 @@ CVE-2019-14735 RESERVED CVE-2019-14734 (AdPlug 2.3.1 has multiple heap-based buffer overflows in CmtkLoader::l ...) - adplug <unfixed> + [buster] - adplug <no-dsa> (Minor issue) + [stretch] - adplug <no-dsa> (Minor issue) NOTE: https://github.com/adplug/adplug/issues/90 CVE-2019-14733 (AdPlug 2.3.1 has multiple heap-based buffer overflows in CradLoader::l ...) - adplug <unfixed> + [buster] - adplug <no-dsa> (Minor issue) + [stretch] - adplug <no-dsa> (Minor issue) NOTE: https://github.com/adplug/adplug/issues/89 CVE-2019-14732 (AdPlug 2.3.1 has multiple heap-based buffer overflows in Ca2mLoader::l ...) - adplug <unfixed> + [buster] - adplug <no-dsa> (Minor issue) + [stretch] - adplug <no-dsa> (Minor issue) NOTE: https://github.com/adplug/adplug/issues/88 CVE-2019-14731 (An issue was discovered in ZenTao 11.5.1. There is an XSS (stored) vul ...) NOT-FOR-US: ZenTao CMS @@ -2673,12 +2682,18 @@ CVE-2019-14693 (Zoho ManageEngine AssetExplorer 6.2.0 is vulnerable to an XML Ex NOT-FOR-US: Zoho ManageEngine AssetExplorer CVE-2019-14692 (AdPlug 2.3.1 has a heap-based buffer overflow in CmkjPlayer::load() in ...) - adplug <unfixed> + [buster] - adplug <no-dsa> (Minor issue) + [stretch] - adplug <no-dsa> (Minor issue) NOTE: https://github.com/adplug/adplug/issues/87 CVE-2019-14691 (AdPlug 2.3.1 has a heap-based buffer overflow in CdtmLoader::load() in ...) - adplug <unfixed> + [buster] - adplug <no-dsa> (Minor issue) + [stretch] - adplug <no-dsa> (Minor issue) NOTE: https://github.com/adplug/adplug/issues/86 CVE-2019-14690 (AdPlug 2.3.1 has a heap-based buffer overflow in CxadbmfPlayer::__bmf_ ...) - adplug <unfixed> + [buster] - adplug <no-dsa> (Minor issue) + [stretch] - adplug <no-dsa> (Minor issue) NOTE: https://github.com/adplug/adplug/issues/85 CVE-2019-14697 (musl libc through 1.1.23 has an x87 floating-point stack adjustment im ...) - musl 1.1.23-2 @@ -3123,11 +3138,15 @@ CVE-2019-14498 (A divide-by-zero error exists in the Control function of demux/c NOTE: https://www.videolan.org/security/sb-vlc308.html CVE-2019-14497 (ModuleEditor::convertInstrument in tracker/ModuleEditor.cpp in MilkyTr ...) - milkytracker <unfixed> (bug #933964) + [buster] - milkytracker <no-dsa> (Minor issue) + [stretch] - milkytracker <no-dsa> (Minor issue) [jessie] - milkytracker <no-dsa> (Minor issue) NOTE: https://github.com/milkytracker/MilkyTracker/issues/182 NOTE: https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7 CVE-2019-14496 (LoaderXM::load in LoaderXM.cpp in milkyplay in MilkyTracker 1.02.00 ha ...) - milkytracker <unfixed> (bug #933964) + [buster] - milkytracker <no-dsa> (Minor issue) + [stretch] - milkytracker <no-dsa> (Minor issue) [jessie] - milkytracker <no-dsa> (Minor issue) NOTE: https://github.com/milkytracker/MilkyTracker/issues/183 NOTE: https://github.com/milkytracker/MilkyTracker/commit/ea7772a3fae0a9dd0a322e8fec441d15843703b7 @@ -3220,6 +3239,8 @@ CVE-2019-14465 (fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has a NOTE: https://github.com/schismtracker/schismtracker/commit/b78e8d32883f8a865035436af4fa6d541b6ebb42 CVE-2019-14464 (XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00 has a ...) - milkytracker <unfixed> (bug #933964) + [buster] - milkytracker <no-dsa> (Minor issue) + [stretch] - milkytracker <no-dsa> (Minor issue) [jessie] - milkytracker <no-dsa> (Minor issue) NOTE: https://github.com/milkytracker/MilkyTracker/issues/184 NOTE: https://github.com/milkytracker/MilkyTracker/commit/fd607a3439fcdd0992e5efded3c16fc79c804e34 @@ -3241,6 +3262,8 @@ CVE-2019-14460 RESERVED CVE-2019-14459 (nfdump 1.6.17 and earlier is affected by an integer overflow in the fu ...) - nfdump 1.6.18-1 (bug #933740) + [buster] - nfdump <no-dsa> (Minor issue) + [stretch] - nfdump <no-dsa> (Minor issue) NOTE: https://github.com/phaag/nfdump/issues/171 NOTE: https://github.com/phaag/nfdump/commit/3b006ededaf351f1723aea6c727c9edd1b1fff9b CVE-2019-14458 @@ -3446,6 +3469,7 @@ CVE-2019-14378 (ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer - qemu 1:4.1-1 (bug #933741) - qemu-kvm <removed> - slirp4netns 0.3.2-1 (bug #933742) + [buster] - slirp4netns <no-dsa> (Fill be fixed via 10.1 point release) NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/126c04acbabd7ad32c2b018fe10dfac2a3bc1210 CVE-2019-14377 RESERVED @@ -8368,7 +8392,9 @@ CVE-2019-12404 CVE-2019-12403 RESERVED CVE-2019-12402 (The file name encoding algorithm used internally in Apache Commons Com ...) - - libcommons-compress-java <unfixed> + - libcommons-compress-java <unfixed> (low) + [buster] - libcommons-compress-java <no-dsa> (Minor issue) + [stretch] - libcommons-compress-java <no-dsa> (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2019/08/27/1 CVE-2019-12401 RESERVED @@ -9210,12 +9236,17 @@ CVE-2019-12069 RESERVED CVE-2019-12068 [scsi: lsi: exit infinite loop while executing script] RESERVED - - qemu <unfixed> + - qemu <unfixed> (low) + [buster] - qemu <postponed> (Minor issue, can be fixed along in future update) + [stretch] - qemu <postponed> (Minor issue, can be fixed along in future update) - qemu-kvm <removed> NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01518.html + NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08 CVE-2019-12067 [ide: ahci: add check to avoid null dereference] RESERVED - - qemu <unfixed> + - qemu <unfixed> (low) + [buster] - qemu <postponed> (Minor issue, can be fixed along in future update) + [stretch] - qemu <postponed> (Minor issue, can be fixed along in future update) - qemu-kvm <removed> NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01358.html CVE-2019-12066 @@ -15915,6 +15946,7 @@ CVE-2019-9824 (tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3. - qemu 1:3.1+dfsg-6 - qemu-kvm <removed> - slirp4netns 0.3.1-1 + [buster] - slirp4netns <no-dsa> (Fill be fixed via 10.1 point release) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-03/msg01871.html NOTE: https://www.openwall.com/lists/oss-security/2019/03/18/1 NOTE: https://github.com/qemu/qemu/commit/d3222975c7d6cda9e25809dea05241188457b113 diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index b3ea1a3cde..8f6af79762 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -18,6 +18,10 @@ If needed, specify the release by adding a slash after the name of the source pa apache2 Possible regression: #936034, sf will look into it -- +chromium +-- +docker.io (jmm) +-- evince/oldstable -- exim4 (carnil) |