Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
686beee2 by Moritz Muehlenhoff at 2018-04-30T22:52:20+02:00
add wavpack to dsa-needed, n/a for jessie
lrzsz, cacti, flac, uimaj no-dsa

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -91,24 +91,34 @@ CVE-2018-10541
        RESERVED
 CVE-2018-10540 (An issue was discovered in WavPack 5.1.0 and earlier for W64 
input. ...)
        - wavpack <unfixed>
+       [jessie] - wavpack <not-affected> (Vulnerable code not present, 
introduced in 5.0.0)
+       [wheezy] - wavpack <not-affected> (Vulnerable code not present, 
introduced in 5.0.0)
        NOTE: 
https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d
        NOTE: https://github.com/dbry/WavPack/issues/33
 CVE-2018-10539 (An issue was discovered in WavPack 5.1.0 and earlier for 
DSDiff input. ...)
        - wavpack <unfixed>
+       [jessie] - wavpack <not-affected> (Vulnerable code not present, 
introduced in 5.0.0)
+       [wheezy] - wavpack <not-affected> (Vulnerable code not present, 
introduced in 5.0.0)
        NOTE: 
https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d
        NOTE: https://github.com/dbry/WavPack/issues/33
 CVE-2018-10538 (An issue was discovered in WavPack 5.1.0 and earlier for WAV 
input. ...)
        - wavpack <unfixed>
+       [jessie] - wavpack <not-affected> (Vulnerable code not present, 
introduced in 5.0.0)
+       [wheezy] - wavpack <not-affected> (Vulnerable code not present, 
introduced in 5.0.0)
        NOTE: 
https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d
        NOTE: https://github.com/dbry/WavPack/issues/33
 CVE-2018-10537 (An issue was discovered in WavPack 5.1.0 and earlier. The W64 
parser ...)
        - wavpack <unfixed>
+       [jessie] - wavpack <not-affected> (Vulnerable code not present, 
introduced in 5.0.0)
+       [wheezy] - wavpack <not-affected> (Vulnerable code not present, 
introduced in 5.0.0)
        NOTE: 
https://github.com/dbry/WavPack/commit/26cb47f99d481ad9b93eeff80d26e6b63bbd7e15
        NOTE: https://github.com/dbry/WavPack/issues/30
        NOTE: https://github.com/dbry/WavPack/issues/31
        NOTE: https://github.com/dbry/WavPack/issues/32
 CVE-2018-10536 (An issue was discovered in WavPack 5.1.0 and earlier. The WAV 
parser ...)
        - wavpack <unfixed>
+       [jessie] - wavpack <not-affected> (Vulnerable code not present, 
introduced in 5.0.0)
+       [wheezy] - wavpack <not-affected> (Vulnerable code not present, 
introduced in 5.0.0)
        NOTE: 
https://github.com/dbry/WavPack/commit/26cb47f99d481ad9b93eeff80d26e6b63bbd7e15
        NOTE: https://github.com/dbry/WavPack/issues/30
        NOTE: https://github.com/dbry/WavPack/issues/31
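Review bot: The reason on the new [jessie] and [wheezy] lines, "Vulnerable code not present, introduced in 5.0.0", has nothing in these five entries to back it; the NOTE lines only reference the upstream commits and issues for the CVEs themselves. A NOTE naming the upstream change that introduced the W64/DSDiff/WAV parsing code would let a later reader verify the not-affected status. The `- wavpack <unfixed>` lines also carry no bug number, unlike the lrzsz, uimaj and flac entries touched in the same commit.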
@@ -866,7 +876,9 @@ CVE-2018-10196
        RESERVED
 CVE-2018-10195 [rzsz: sz can leak data to receiving side]
        RESERVED
-       - lrzsz <unfixed> (bug #897010)
+       - lrzsz <unfixed> (low; bug #897010)
+       [stretch] - lrzsz <no-dsa> (Minor issue)
+       [jessie] - lrzsz <no-dsa> (Minor issue)
        NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1090051
        NOTE: Fedora patch: 
https://src.fedoraproject.org/cgit/rpms/lrzsz.git/tree/lrzsz-0.12.20.patch
 CVE-2018-10194 (The set_text_distance function in devices/vector/gdevpdts.c in 
the ...)
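Review bot: The new [stretch] and [jessie] lines for CVE-2018-10195 give only "Minor issue" as the no-dsa reason, while the entry title describes sz leaking data to the receiving side and the package line is still `<unfixed>`. A more specific reason, or a NOTE saying what is leaked and why that does not warrant a DSA, would make the triage decision reviewable; the two referenced links (Novell bug, Fedora patch) do not state it here.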
@@ -1232,10 +1244,14 @@ CVE-2018-10074 (The hi3660_stub_clk_probe function in 
...)
        - linux <not-affected> (Vulnerable code introduced later)
        NOTE: Fixed by: 
https://git.kernel.org/linus/9903e41ae1f5d50c93f268ca3304d4d7c64b9311 (4.16-rc7)
 CVE-2018-10061 (Cacti before 1.1.37 has XSS because it makes certain 
htmlspecialchars ...)
-       - cacti 1.1.37+ds1-1
+       - cacti 1.1.37+ds1-1 (low)
+       [stretch] - cacti <no-dsa> (Minor issue)
+       [jessie] - cacti <no-dsa> (Minor issue)
        NOTE: https://github.com/Cacti/cacti/issues/1457
 CVE-2018-10060 (Cacti before 1.1.37 has XSS because it does not properly 
reject ...)
-       - cacti 1.1.37+ds1-1
+       - cacti 1.1.37+ds1-1 (low)
+       [stretch] - cacti <no-dsa> (Minor issue)
+       [jessie] - cacti <no-dsa> (Minor issue)
        NOTE: https://github.com/Cacti/cacti/issues/1457
 CVE-2018-10059 (Cacti before 1.1.37 has XSS because the get_current_page 
function in ...)
        - cacti 1.1.37+ds1-1
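Review bot: CVE-2018-10059, visible as trailing context, stays at `- cacti 1.1.37+ds1-1` with no `(low)` and no [stretch]/[jessie] lines, while CVE-2018-10061 and CVE-2018-10060 directly above receive both. All three are described as XSS in Cacti before 1.1.37, so either apply the same annotations to CVE-2018-10059 or record why it is triaged differently.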
@@ -33075,6 +33091,8 @@ CVE-2017-15692 (In Apache Geode before v1.4.0, the 
TcpServer within the Geode lo
        NOT-FOR-US: Apache Geode
 CVE-2017-15691 (In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior 
to ...)
        - uimaj <unfixed> (bug #897009)
+       [stretch] - uimaj <no-dsa> (Minor issue)
+       [jessie] - uimaj <no-dsa> (Minor issue)
        NOTE: https://uima.apache.org/security_report#CVE-2017-15691
 CVE-2017-15924 (In manager.c in ss-manager in shadowsocks-libev 3.1.0, 
improper parsing ...)
        {DSA-4009-1}
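Review bot: The unstable line for CVE-2017-15691 is left as `- uimaj <unfixed> (bug #897009)` with no urgency, although the added [stretch] and [jessie] lines call it a minor issue. The lrzsz and flac entries in this commit were changed to `(low; bug #...)` alongside their no-dsa lines; doing the same here (`(low; bug #897009)`) would keep the entries consistent.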
@@ -60286,7 +60304,9 @@ CVE-2017-6890 (A boundary error within the 
&quot;foveon_load_camf()&quot; functi
 CVE-2017-6889 (An integer overflow error within the 
&quot;foveon_load_camf()&quot; function ...)
        NOT-FOR-US: libraw demosaic extension (not packaged in Debian)
 CVE-2017-6888 (An error in the &quot;read_metadata_vorbiscomment_()&quot; 
function ...)
-       - flac <unfixed> (bug #897015)
+       - flac <unfixed> (low; bug #897015)
+       [stretch] - flac <no-dsa> (Minor issue)
+       [jessie] - flac <no-dsa> (Minor issue)
        NOTE: 
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/
        NOTE: 
https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67
 CVE-2017-6887 (A boundary error within the &quot;parse_tiff_ifd()&quot; 
function ...)


=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -92,6 +92,8 @@ undertow
 --
 vlc (jmm)
 --
+wavpack (jmm)
+--
 wordpress
   Craig Small prepared update for stretch-security
   Craig Small and Markus Koschany working on jessie-security update, needs 
debdiff review
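Review bot: The new `wavpack (jmm)` entry has no status line, and the data/CVE/list changes in this commit mark jessie as not-affected for the wavpack CVEs. An indented note under the entry stating which suite the update is for, in the style of the wordpress entry below it, would avoid someone picking up a jessie-security update that is not needed.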



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/686beee24b1f679fc18486508e810ecca2784db8
