Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
918cff8e by Moritz Muehlenhoff at 2018-06-22T00:25:51+02:00
stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -540,7 +540,8 @@ CVE-2018-12439 (MatrixSSL through 3.9.5 Open allows a
memory-cache side-channel
CVE-2018-12438 (The Elliptic Curve Cryptography library (aka sunec or
libsunec) allows ...)
TODO: check
CVE-2018-12437 (LibTomCrypt through 1.18.1 allows a memory-cache side-channel
attack on ...)
- - libtomcrypt <unfixed> (bug #901626)
+ - libtomcrypt <unfixed> (low; bug #901626)
+ [stretch] - libtomcrypt <no-dsa> (Minor issue)
NOTE: https://github.com/libtom/libtomcrypt/issues/407
CVE-2018-12436 (wolfcrypt/src/ecc.c in wolfSSL before 3.15.1.patch allows a
...)
- wolfssl <unfixed> (bug #901627)
@@ -1444,10 +1445,12 @@ CVE-2018-12037
CVE-2018-12036 (OWASP Dependency-Check before 3.2.0 allows attackers to write
to ...)
NOT-FOR-US: OWASP Dependency-Check
CVE-2018-12035 (In YARA 3.7.1 and prior, parsing a specially crafted compiled
rule ...)
- - yara 3.7.1-3
+ - yara 3.7.1-3 (low)
+ [stretch] - yara <no-dsa> (Minor issue)
NOTE: https://github.com/VirusTotal/yara/issues/891
CVE-2018-12034 (In YARA 3.7.1 and prior, parsing a specially crafted compiled
rule ...)
- - yara 3.7.1-3
+ - yara 3.7.1-3 (low)
+ [stretch] - yara <no-dsa> (Minor issue)
NOTE: https://github.com/VirusTotal/yara/issues/891
CVE-2018-12033
RESERVED
@@ -12285,11 +12288,13 @@ CVE-2018-7691
CVE-2018-7690
RESERVED
CVE-2018-7689 (Lack of permission checks in the InitializeDevelPackage
function in ...)
- - open-build-service <unfixed>
+ - open-build-service <unfixed> (low)
+ [stretch] - open-build-service <no-dsa> (Minor issue)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1094819
NOTE:
https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b
CVE-2018-7688 (A missing permission check in the review handling of openSUSE
Open ...)
- - open-build-service <unfixed>
+ - open-build-service <unfixed> (low)
+ [stretch] - open-build-service <no-dsa> (Minor issue)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1094820
NOTE:
https://github.com/openSUSE/open-build-service/commit/b15cf19e9e01115f653c76ffdc8f54cd97566553
CVE-2018-7687 (The Micro Focus Client for OES before version 2 SP4 IR8a has a
...)
@@ -18429,15 +18434,18 @@ CVE-2018-5807
RESERVED
CVE-2018-5806 [NULL pointer dereference in leaf_hdr_load_raw() function in
internal/dcraw_common.cpp]
RESERVED
- - libraw 0.18.8-1
+ - libraw 0.18.8-1 (low)
+ [stretch] - libraw <no-dsa> (Minor issue)
NOTE:
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03
CVE-2018-5805 [Stack-based buffer overflow in quicktake_100_load_raw()
function in internal/dcraw_common.cpp]
RESERVED
- - libraw 0.18.8-1
+ - libraw 0.18.8-1 (low)
+ [stretch] - libraw <no-dsa> (Minor issue)
NOTE:
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03
CVE-2018-5804 [type confusion error in identify() function in
internal/dcraw_common.cpp]
RESERVED
- - libraw 0.18.8-1
+ - libraw 0.18.8-1 (low)
+ [stretch] - libraw <no-dsa> (Minor issue)
NOTE:
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03
CVE-2018-5803 (In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87,
4.4.121, ...)
{DSA-4188-1 DSA-4187-1 DLA-1369-1}
=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -44,6 +44,8 @@ lava-server
libidn
santiago proposed debdiffs for jessie and stretch
--
+libspring-java
+--
linux
Wait until more issues have piled up
--
@@ -55,6 +57,9 @@ mercurial
mosquitto (seb)
2018-02-27: Roger Light provided a debdiff targetting stretch, needs review
--
+mupdf
+ leaf package, might be a candidate for simply moving to 1.13 in stretch
+--
openjpeg2 (luciano)
--
passenger
@@ -67,6 +72,10 @@ ruby2.3
Santiago will prepare an update
work-in-progress:
https://salsa.debian.org/ruby-team/ruby/tree/stretch-security-wip
--
+ruby-rack-protection (jmm)
+-
+ruby-sprockets
+--
sssd
Maintainer prepared an update and proposed debdiff, acked for upload, but
update needs further testing before release.
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/918cff8e407e264a4dd7edbc191da68e20f08539
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/918cff8e407e264a4dd7edbc191da68e20f08539
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
