Ben Hutchings pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0cf66397 by Ben Hutchings at 2018-07-14T01:04:24+01:00
Mark Linux kernel issues as unfixed/ignored in linux-4.9

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1436,6 +1436,7 @@ CVE-2018-13406 (An integer overflow in the 
uvesafb_setcmap function in ...)
        NOTE: 
https://git.kernel.org/linus/9f645bcc566a1e9f921bdae7528a01ced5bc3713
 CVE-2018-13405 (The inode_init_owner function in fs/inode.c in the Linux 
kernel through ...)
        - linux 4.17.6-1
+       [jessie] - linux-4.9 <unfixed>
        NOTE: 
https://git.kernel.org/linus/0fa3ecd87848c9c93c2c828ef4c3a8ca36ce46c7
        NOTE: http://www.openwall.com/lists/oss-security/2018/07/13/2
 CVE-2018-13404
@@ -2077,6 +2078,7 @@ CVE-2018-13100 (An issue was discovered in 
fs/f2fs/super.c in the Linux kernel t
        NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=f2fs-dev&id=977f9bb558cb4a95d53b10301f5c739ed8867d4d
 CVE-2018-13099 (An issue was discovered in fs/f2fs/inline.c in the Linux 
kernel through ...)
        - linux <unfixed>
+       [jessie] - linux-4.9 <unfixed>
        NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200179
        NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=f2fs-dev&id=cc60e90f9bfab8d6a7fb826937e824333c3bf94a
        NOTE: https://sourceforge.net/p/linux-f2fs/mailman/message/36356878/
@@ -2090,6 +2092,7 @@ CVE-2018-13097 (An issue was discovered in 
fs/f2fs/super.c in the Linux kernel t
        NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=f2fs-dev&id=78bbd741456e31e0acb983283a8d3993ba859c15
 CVE-2018-13096 (An issue was discovered in fs/f2fs/super.c in the Linux kernel 
through ...)
        - linux <unfixed>
+       [jessie] - linux-4.9 <unfixed>
        NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200167
        NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/chao/linux.git/commit/?h=f2fs-dev&id=e335cc683fd13882b9152937b06ff3c16c28aa34
 CVE-2018-13095 (An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in 
the Linux ...)
@@ -2098,6 +2101,7 @@ CVE-2018-13095 (An issue was discovered in 
fs/xfs/libxfs/xfs_inode_buf.c in the 
        NOTE: 
https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit/?h=for-next&id=23fcb3340d033d9f081e21e6c12c2db7eaa541d3
 CVE-2018-13094 (An issue was discovered in fs/xfs/libxfs/xfs_attr_leaf.c in 
the Linux ...)
        - linux <unfixed>
+       [jessie] - linux-4.9 <unfixed>
        NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199969
        NOTE: 
https://git.kernel.org/pub/scm/fs/xfs/xfs-linux.git/commit/?h=for-next&id=bb3d48dcf86a97dc25fe9fc2c11938e19cb4399a
 CVE-2018-13093 (An issue was discovered in fs/xfs/xfs_icache.c in the Linux 
kernel ...)
@@ -2183,6 +2187,7 @@ CVE-2018-13055
        RESERVED
 CVE-2018-13053 (The alarm_timer_nsleep function in kernel/time/alarmtimer.c in 
the ...)
        - linux <unfixed>
+       [jessie] - linux-4.9 <unfixed>
        NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=200303
        NOTE: 
https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git/commit/?id=5f936e19cc0ef97dbe3a56e9498922ad5ba1edef
 CVE-2018-13052 (In CyberArk Endpoint Privilege Manager (formerly Viewfinity), 
...)
@@ -2474,6 +2479,7 @@ CVE-2018-12929 (ntfs_read_locked_inode in the ntfs.ko 
filesystem driver in the L
        - linux <unfixed>
 CVE-2018-12928 (In the Linux kernel 4.15.0, a NULL pointer dereference was 
discovered ...)
        - linux <unfixed> (low)
+       [jessie] - linux-4.9 <unfixed>
        NOTE: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1763384
        NOTE: https://marc.info/?l=linux-fsdevel&m=152407263325766&w=2
 CVE-2018-12927 (Northern Electric &amp; Power (NEP) inverter devices allow 
remote attackers ...)
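Review bot: the sid line is `- linux <unfixed> (low)` but the added `[jessie] - linux-4.9 <unfixed>` line drops the `(low)` severity tag; the CVE-2016-8660 hunk later in this patch keeps `(low)` on its linux-4.9 line in the same situation, so add `(low)` here too, since the severity is what DLA prioritisation is read from.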
@@ -8457,6 +8463,7 @@ CVE-2018-10682 (** DISPUTED ** An issue was discovered in 
WildFly 10.1.2.Final. 
        - wildfly <itp> (bug #752018)
 CVE-2016-10723 (** DISPUTED ** An issue was discovered in the Linux kernel 
through ...)
        - linux <unfixed>
+       [jessie] - linux-4.9 <unfixed>
        NOTE: https://patchwork.kernel.org/patch/10395909/
 CVE-2016-10722 (partclone.fat in Partclone before 0.2.88 is prone to a 
heap-based ...)
        - partclone 0.2.88-1
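Review bot: this CVE is marked `** DISPUTED **` and the sid line is a bare `- linux <unfixed>` with no severity or reason, so the added `[jessie] - linux-4.9 <unfixed>` inherits no context beyond the patchwork link; if linux-4.9 is really to be tracked as needing a fix for a disputed issue, a NOTE giving the reason (or `<postponed>`/`<ignored>` with a rationale, if that is the actual intent) would save the DLA worker a lookup.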
@@ -9353,6 +9360,7 @@ CVE-2018-10323 (The xfs_bmap_extents_to_btree function in 
fs/xfs/libxfs/xfs_bmap
        NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199423
 CVE-2018-10322 (The xfs_dinode_verify function in 
fs/xfs/libxfs/xfs_inode_buf.c in the ...)
        - linux 4.16.5-1
+       [jessie] - linux-4.9 <unfixed>
        [wheezy] - linux <ignored> (dinode verifier not implemented)
        NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=199377
 CVE-2018-10321 (Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability 
via ...)
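Review bot: the wheezy line is `<ignored> (dinode verifier not implemented)` and there is no `[jessie] - linux` line in this entry, so jessie's own `linux` package falls back to the sid status and is tracked as unfixed. If the 3.16 kernel in jessie also lacks the dinode verifier, a `[jessie] - linux <not-affected>` or `<ignored>` line with the same reason belongs next to the new linux-4.9 line; if 3.16 does have it, nothing to change.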
@@ -12566,6 +12574,7 @@ CVE-2017-18250 (An issue was discovered in ImageMagick 
7.0.7. A NULL pointer ...
        NOTE: 
https://github.com/ImageMagick/ImageMagick/commit/2f368e74a51ec7541b6595af712d17d6d1376534
 CVE-2017-18249 (The add_free_nid function in fs/f2fs/node.c in the Linux 
kernel before ...)
        - linux 4.12.6-1
+       [jessie] - linux-4.9 <unfixed>
        [wheezy] - linux <not-affected> (Vulnerable code not present)
        NOTE: Fixed by: 
https://git.kernel.org/linus/30a61ddf8117c26ac5b295e1233eaa9629a94ca3
 CVE-2017-18248 (The add_job function in scheduler/ipp.c in CUPS before 2.2.6, 
when ...)
@@ -13477,6 +13486,7 @@ CVE-2018-8718 (Cross-site request forgery (CSRF) 
vulnerability in the Mailer Plu
 CVE-2017-18232 (The Serial Attached SCSI (SAS) implementation in the Linux 
kernel ...)
        {DSA-4187-1}
        - linux 4.15.17-1
+       [jessie] - linux-4.9 <unfixed>
        [wheezy] - linux <not-affected> (Vulnerability introduced later)
        NOTE: Fixed by: 
https://git.kernel.org/linus/0558f33c06bb910e2879e355192227a8e8f0219d
 CVE-2018-8717 (joyplus-cms 1.6.0 has CSRF, as demonstrated by adding an 
administrator ...)
@@ -15655,6 +15665,7 @@ CVE-2018-7756 (RunExeFile.exe in the installer for 
DEWESoft X3 SP1 (64-bit) devi
        NOT-FOR-US: RunExeFile.exe in the installer for DEWESoft X3 SP1 devices
 CVE-2018-7755 (An issue was discovered in the fd_locked_ioctl function in ...)
        - linux <unfixed>
+       [jessie] - linux-4.9 <unfixed>
        NOTE: https://lkml.org/lkml/2018/3/7/1116
 CVE-2018-7754
        RESERVED
@@ -17488,6 +17499,7 @@ CVE-2018-7274 (Yab Quarx through 2.4.3 is prone to 
multiple persistent cross-sit
        NOT-FOR-US: Yab Quarx
 CVE-2018-7273 (In the Linux kernel through 4.15.4, the floppy driver reveals 
the ...)
        - linux 4.15.4-1
+       [jessie] - linux-4.9 <unfixed>
        [wheezy] - linux <ignored> (Minor issue)
        NOTE: https://lkml.org/lkml/2018/2/20/669
 CVE-2018-7272 (The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs 
as part ...)
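Review bot: wheezy is `<ignored> (Minor issue)` while the new jessie linux-4.9 line is `<unfixed>`, which puts the backport on the to-fix list; given the commit message allows for `ignored` and the sid fix is 4.15.4-1, confirm that `<unfixed>` rather than `<ignored> (Minor issue)` is intended here so dla-needed does not carry a minor floppy-driver information leak as open work.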
@@ -20204,6 +20216,7 @@ CVE-2018-1000029 (mcholste Enterprise Log Search and 
Archive (ELSA) version revi
        NOT-FOR-US: mcholste Enterprise Log Search and Archive
 CVE-2018-1000026 (Linux Linux kernel version at least v4.8 onwards, probably 
well before ...)
        - linux <unfixed>
+       [jessie] - linux-4.9 <unfixed>
        NOTE: https://patchwork.ozlabs.org/patch/859410/
        NOTE: http://lists.openwall.net/netdev/2018/01/16/40
        NOTE: http://lists.openwall.net/netdev/2018/01/18/96
@@ -35207,6 +35220,7 @@ CVE-2018-1109
        NOTE: nodejs not covered by security support
 CVE-2018-1108 (kernel drivers before version 4.17-rc1 are vulnerable to a 
weakness in ...)
        - linux 4.16.5-1
+       [jessie] - linux-4.9 <unfixed>
        [jessie] - linux <not-affected> (Vulnerable code not present)
        [wheezy] - linux <not-affected> (Vulnerable code not present)
        NOTE: Fixed by: 
https://git.kernel.org/linus/43838a23a05fbd13e47d750d3dfd77001536dd33
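Review bot: the two jessie lines now read `[jessie] - linux-4.9 <unfixed>` and `[jessie] - linux <not-affected> (Vulnerable code not present)`, which is correct if the affected driver code entered between 3.16 and 4.9 but looks contradictory at a glance; a short reason on the linux-4.9 line, or a NOTE saying the vulnerable code is present in 4.9 but not in 3.16, would make the distinction explicit.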
@@ -92134,6 +92148,7 @@ CVE-2016-8666 (The IP stack in the Linux kernel before 
4.6 allows remote attacke
        NOTE: http://www.openwall.com/lists/oss-security/2016/10/13/11
 CVE-2016-8660 (The XFS subsystem in the Linux kernel through 4.8.2 allows 
local users ...)
        - linux <unfixed> (low)
+       [jessie] - linux-4.9 <unfixed> (low)
        [jessie] - linux <not-affected> (Vulnerable code not present)
        [wheezy] - linux <not-affected> (Vulnerable code not present)
 CVE-2016-8659 (Bubblewrap before 0.1.3 sets the PR_SET_DUMPABLE flag, which 
might ...)
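Review bot: here the added line carries `(low)` from the sid entry `- linux <unfixed> (low)`, which is the right thing to do; the CVE-2018-12928 hunk earlier in this patch drops the tag in the same situation, so one of the two hunks should be brought in line with the other.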
@@ -122586,6 +122601,7 @@ CVE-2015-7812 (The hypercall_create_continuation 
function in arch/arm/domain.c i
 CVE-2013-7445 (The Direct Rendering Manager (DRM) subsystem in the Linux 
kernel ...)
        - linux <unfixed>
        [stretch] - linux <ignored> (Minor issue, requires invasive changes)
+       [jessie] - linux-4.9 <ignored> (Minor issue, requires invasive changes)
        [jessie] - linux <ignored> (Minor issue, requires invasive changes)
        [wheezy] - linux <no-dsa> (Minor issue, requires invasive changes)
        - linux-2.6 <removed>
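Review bot: this is the only hunk in the patch that uses `<ignored>`, and the status and reason string match the `[stretch]` and `[jessie] - linux` lines exactly, so it is consistent; nothing to change, just noting that the "requires invasive changes" rationale given for stretch's 4.9-based kernel is the same one that applies to the jessie 4.9 backport.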


=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -66,6 +66,8 @@ libspring-java        (Abhijith PA)
 --
 linux (Ben Hutchings)
 --
+linux-4.9 (Ben Hutchings)
+--
 mailman (Markus Koschany)
 --
 mosquitto
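Review bot: the entry is in the right alphabetical position between `linux` and `mailman` and carries the claimant, matching the commit message. The sixteen linux-4.9 lines added to data/CVE/list in this commit are what this entry refers to, but the entry itself gives no pointer; if this file's NOTE-line convention applies here, a NOTE under the package name naming the open CVEs or the stable series being targeted would help whoever picks this up.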



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0cf66397cd33445cf4c83409ed0b8e0e37f44a14

debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits