Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
de2d2132 by Moritz Muehlenhoff at 2018-04-30T23:57:27+02:00
r-base non-issue
readd chromium to dsa-needed, new upstream release
add and take quassel
phpmyadmin not-affected in jessie/stretch
one mruby issue not-affected
libgit, sqlite, libraw no-dsa

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -146,11 +146,15 @@ CVE-2018-10531
 CVE-2018-10530
        RESERVED
 CVE-2018-10529 (An issue was discovered in LibRaw 0.18.9. There is an 
out-of-bounds ...)
-       - libraw <unfixed> (bug #897186)
+       - libraw <unfixed> (low; bug #897186)
+       [stretch] - libraw <no-dsa> (Minor issue)
+       [jessie] - libraw <no-dsa> (Minor issue)
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/f0c505a3e5d47989a5f69be2d0d4f250af6b1a6c
        NOTE: https://github.com/LibRaw/LibRaw/issues/144
 CVE-2018-10528 (An issue was discovered in LibRaw 0.18.9. There is a 
stack-based buffer ...)
-       - libraw <unfixed> (bug #897185)
+       - libraw <unfixed> (low; bug #897185)
+       [stretch] - libraw <no-dsa> (Minor issue)
+       [jessie] - libraw <no-dsa> (Minor issue)
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/895529fc2f2eb8bc633edd6b04b5b237eb4db564
        NOTE: https://github.com/LibRaw/LibRaw/issues/144
 CVE-2018-10527 (EasyCMS 1.3 is prone to Stored XSS when posting an article; 
four fields ...)
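Review bot: the two new `[stretch]`/`[jessie]` no-dsa lines for CVE-2018-10529 and CVE-2018-10528 both give only "Minor issue" as the reason, although the second entry is described as a stack-based buffer overflow; a few words on what was checked (e.g. read-only access, or that it needs a crafted raw file fed to the library) would let a later reviewer re-assess the "low" severity without redoing the triage. Both entries point at the same upstream issue https://github.com/LibRaw/LibRaw/issues/144 together with distinct fixing commits, so the distinction should be recorded in the reason rather than in the shared issue link.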
@@ -910,6 +914,8 @@ CVE-2018-1000158 (cmsmadesimple version 2.2.7 contains a 
Incorrect Access Contro
        NOT-FOR-US: CMS Made Simple
 CVE-2018-10199 (In versions of mruby up to and including 1.4.0, a 
use-after-free ...)
        - mruby 1.4.0+20180418+git54905e98-1 (bug #896021)
+       [stretch] - mruby <not-affected> (Vulnerable code introduced later)
+       [jessie] - mruby <not-affected> (Vulnerable code introduced later)
        NOTE: https://github.com/mruby/mruby/issues/4001
        NOTE: 
https://github.com/mruby/mruby/commit/b51b21fc63c9805862322551387d9036f2b63433
 CVE-2018-10193 (LogMeIn LastPass through 4.9.1 allows remote attackers to 
cause a ...)
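Review bot: the `[stretch] - mruby <not-affected> (Vulnerable code introduced later)` and matching `[jessie]` line for CVE-2018-10199 are hard to re-verify later, because the existing NOTE lines only reference the fixing commit b51b21fc63c9805862322551387d9036f2b63433 and the upstream issue; adding a NOTE with the upstream commit (or release) that introduced the use-after-free path would make the not-affected claim auditable against the source versions shipped in stretch and jessie.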
@@ -918,6 +924,8 @@ CVE-2018-10192 (IPVanish 3.0.11 for macOS suffers from a 
root privilege escalati
        NOT-FOR-US: IPVanish for macOS
 CVE-2018-10191 (In versions of mruby up to and including 1.4.0, an integer 
overflow ...)
        - mruby 1.4.0+20180418+git54905e98-1 (bug #896020)
+       [stretch] - mruby <no-dsa> (Minor issue)
+       [jessie] - mruby <no-dsa> (Minor issue)
        NOTE: https://github.com/mruby/mruby/issues/3995
        NOTE: 
https://github.com/mruby/mruby/commit/1905091634a6a2925c911484434448e568330626
 CVE-2018-10190 (A vulnerability in London Trust Media Private Internet Access 
(PIA) VPN ...)
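Review bot: CVE-2018-10191 is marked `<no-dsa> (Minor issue)` for stretch and jessie, while the neighbouring mruby entry CVE-2018-10199 in the hunk above is `<not-affected>` for the same releases; since a no-dsa marker implies the integer-overflow code is present in the older packages, a reason that says so (e.g. that the affected function exists in the shipped 1.2.x source) would distinguish a deliberate no-dsa from an entry that was not compared against the older source tree.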
@@ -926,6 +934,8 @@ CVE-2018-10189 (An issue was discovered in Mautic 1.x and 
2.x before 2.13.0. It 
        NOT-FOR-US: Mautic
 CVE-2018-10188 (phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker 
to ...)
        - phpmyadmin <unfixed> (bug #896490)
+       [stretch] - phpmyadmin <not-affected> (Vulnerable code not present)
+       [jessie] - phpmyadmin <not-affected> (Vulnerable code not present)
        [wheezy] - phpmyadmin <not-affected> (vulnerable code not present)
        NOTE: https://www.phpmyadmin.net/security/PMASA-2018-2/
        NOTE: 
https://github.com/phpmyadmin/phpmyadmin/commit/c6dd6b56e236a3aff953cee4135ecaa67130e641
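Review bot: style point on the two added phpmyadmin lines: the new reason reads `(Vulnerable code not present)` with a capital V, while the pre-existing `[wheezy]` line directly below it uses `(vulnerable code not present)`; the three lines belong together and should use the same spelling so that grep-based tooling and readers see one reason rather than two. The marking itself is consistent with the CVE text, which limits the issue to 4.8.0 before 4.8.0-1.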
@@ -3546,8 +3556,7 @@ CVE-2018-9062
 CVE-2018-9061
        RESERVED
 CVE-2018-9060 (R 3.4.4 suffers from a local buffer overflow that allows code 
...)
-       - r-base <unfixed>
-       [wheezy] - r-base <no-dsa> (Minor issue)
+       - r-base <not-affected> (R on Linux doesn't ship the GUI, likely 
non-issue for Windows as well, see #897254)
        NOTE: https://github.com/bzyo/CVE-PoCs/tree/master/CVE-2018-9060
 CVE-2018-9059 (Stack-based buffer overflow in Easy File Sharing (EFS) Web 
Server 7.2 ...)
        NOT-FOR-US: Easy File Sharing (EFS)
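Review bot: the new reason on the r-base line, `(R on Linux doesn't ship the GUI, likely non-issue for Windows as well, see #897254)`, mixes a verified statement with a tentative one; Debian does not build R for Windows, so the Windows part does not contribute to the not-affected decision and the hedged "likely" reads as if the marking were uncertain. Suggest trimming the reason to the Linux GUI fact and keeping the #897254 reference (or moving it into a NOTE line). Dropping the `[wheezy] - r-base <no-dsa>` line is correct once the package is not-affected in all releases.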
@@ -5831,10 +5840,14 @@ CVE-2018-8100 (The JPXStream::readTilePart function in 
JPXStream.cc in xpdf 4.00
        NOTE: src:xpdf switched to use system poppler libary in 3.02-3
        NOTE: Reproducer correctly detected as broken with jessie's poppler 
build
 CVE-2018-8099 (Incorrect returning of an error code in the 
index.c:read_entry() ...)
-       - libgit2 <unfixed> (bug #892962)
+       - libgit2 <unfixed> (low; bug #892962)
+       [stretch] - libgit2 <no-dsa> (Minor issue)
+       [jessie] - libgit2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/libgit2/libgit2/commit/58a6fe94cb851f71214dbefac3f9bffee437d6fe
 CVE-2018-8098 (Integer overflow in the index.c:read_entry() function while ...)
-       - libgit2 <unfixed> (bug #892961)
+       - libgit2 <unfixed> (low; bug #892961)
+       [stretch] - libgit2 <no-dsa> (Minor issue)
+       [jessie] - libgit2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/libgit2/libgit2/commit/3207ddb0103543da8ad2139ec6539f590f9900c1
        NOTE: 
https://github.com/libgit2/libgit2/commit/3db1af1f370295ad5355b8f64b865a2a357bcac0
 CVE-2018-8097 (io/mongo/parser.py in Eve (aka pyeve) before 0.7.5 allows 
remote ...)
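Review bot: both libgit2 entries (CVE-2018-8099 and CVE-2018-8098) keep `<unfixed>` in unstable while the NOTE lines already reference the upstream fixing commits 58a6fe94cb851f71214dbefac3f9bffee437d6fe, 3207ddb0103543da8ad2139ec6539f590f9900c1 and 3db1af1f370295ad5355b8f64b865a2a357bcac0; if bug #892962 / #892961 track an upstream release that contains these commits, the `<unfixed>` markers can be resolved in the same pass, otherwise a NOTE saying which upstream version first ships the fix would help. As with the libraw hunk, "Minor issue" alone does not record why an integer overflow in index.c:read_entry() is rated low.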
@@ -73799,18 +73812,21 @@ CVE-2017-2521 (An issue was discovered in certain 
Apple products. iOS before 10.
        NOTE: Not covered by security support
 CVE-2017-2520 (An issue was discovered in certain Apple products. iOS before 
10.3.2 ...)
        - sqlite3 3.16.2-1
+       [jessie] - sqlite3 <no-dsa> (Minor issue)
        [wheezy] - sqlite3 <not-affected> (Vulnerable code not present)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=384
        NOTE: 
https://clusterfuzz-external.appspot.com/testcase?key=5694101458518016
        NOTE: Fixed by: https://www.sqlite.org/src/info/2dc7eeb5b4d2eaf1
 CVE-2017-2519 (An issue was discovered in certain Apple products. iOS before 
10.3.2 ...)
        - sqlite3 3.16.0-1
+       [jessie] - sqlite3 <no-dsa> (Minor issue)
        [wheezy] - sqlite3 <not-affected> (Vulnerable code not present)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=288
        NOTE: 
https://clusterfuzz-external.appspot.com/testcase?key=6739028850245632
        NOTE: Fixed by: https://www.sqlite.org/src/info/d08b72c38ff6fae6
 CVE-2017-2518 (An issue was discovered in certain Apple products. iOS before 
10.3.2 ...)
        - sqlite3 3.15.2-1
+       [jessie] - sqlite3 <no-dsa> (Minor issue)
        [wheezy] - sqlite3 <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=199
        NOTE: 
https://clusterfuzz-external.appspot.com/testcase?key=4603622180519936


=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -17,6 +17,8 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 asterisk/stable
   berni working on updates
 --
+chromium-browser
+--
 dokuwiki/oldstable
 --
 ffmpeg/stable
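Review bot: the added `chromium-browser` entry has no claimant and no status line, unlike the neighbouring `asterisk/stable` entry which carries "berni working on updates"; since the commit message says the re-add is due to a new upstream release, a status line naming that upstream version (and whether it targets stable, oldstable or both) would tell the next person picking up the entry what is expected.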
@@ -67,6 +69,8 @@ php-horde-image
 phpmyadmin/oldstable (abhijith)
   
https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.2.12-2+deb8u3.dsc
 --
+quassel (jmm)
+--
 qemu/oldstable
 --
 redmine (seb)
@@ -98,7 +102,7 @@ wordpress
   Craig Small prepared update for stretch-security
   Craig Small and Markus Koschany working on jessie-security update, needs 
debdiff review
 --
-xen/oldstable
+xen
 --
 zendframework/oldstable
 --
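Review bot: changing `xen/oldstable` to `xen` widens the entry from jessie only to all supported releases, as the file header explains ("specify the release by adding a slash after the name of the source package"), but the commit message does not mention xen at all; either note the scope change in the message or add a status line under the entry saying which release the stable update is now pending for, so the widening is clearly intentional rather than an accidental edit.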



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/de2d2132752e67d8b3ec9a4d39c4c504d34da0be

_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits