Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
2906ee00 by Moritz Muehlenhoff at 2018-07-20T08:08:26+02:00
stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -307,6 +307,7 @@ CVE-2018-14338 (samples/geotag.cpp in the example code of
Exiv2 0.26 misuses the
NOTE: Issue in example code of Exiv2
CVE-2018-14337 (The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in
mruby 1.4.1 ...)
- mruby <unfixed> (bug #903985)
+ [stretch] - mruby <no-dsa> (Minor issue)
NOTE: https://github.com/mruby/mruby/issues/4062
NOTE:
https://github.com/mruby/mruby/commit/695f29cd604787f43be1af16e38d13610bf8312b
NOTE:
https://github.com/mruby/mruby/commit/adb1eae912659d680a9c5b7832e22cf73d36a69a
@@ -328,11 +329,9 @@ CVE-2018-14331 (An issue was discovered in XiaoCms X1
v20140305. There is a CSRF
CVE-2018-14330
RESERVED
CVE-2018-14329 (In HTSlib 1.8, a race condition in cram/cram_io.c might allow
local ...)
- - htslib <unfixed>
- [jessie] - htslib <no-dsa> (Minor issue, ignored by upstream)
+ - htslib <unfixed> (unimportant)
NOTE: https://github.com/samtools/htslib/issues/736
- NOTE: Upstream closed the issue, reasoning that fixing the issue would
- NOTE: cause another set of problems.
+ NOTE: Neutralised by kernel hardening
CVE-2018-14328
RESERVED
CVE-2018-14327
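Review bot: The new `NOTE: Neutralised by kernel hardening` on CVE-2018-14329 does not say which hardening feature is meant, and the two removed NOTE lines were the only record here that upstream closed the issue on purpose. Name the specific mechanism in the NOTE and consider keeping the upstream rationale, since dropping the `[jessie]` line means the `(unimportant)` tag on the generic `htslib <unfixed>` line now covers jessie as well.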
@@ -4386,6 +4385,7 @@ CVE-2018-12582 (An issue was discovered in AKCMS 6.1.
CSRF can add an admin acco
NOT-FOR-US: AKCMS
CVE-2018-12581 (An issue was discovered in js/designer/move.js in phpMyAdmin
before ...)
- phpmyadmin <unfixed> (low)
+ [stretch] - phpmyadmin <not-affected> (Vulnerable code not present)
[jessie] - phpmyadmin <not-affected> (vulnerable code not present)
NOTE: https://www.phpmyadmin.net/security/PMASA-2018-3/
NOTE:
https://github.com/phpmyadmin/phpmyadmin/commit/6943fff87324bd54c3a37a5160a5fb77498c355e
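Review bot: Style point on the added `[stretch] - phpmyadmin <not-affected>` line: its reason is written `Vulnerable code not present` while the `[jessie]` line right below it uses `vulnerable code not present`. Match the existing lowercase form so a search over the reason text hits both.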
@@ -7249,11 +7249,13 @@ CVE-2018-11491
RESERVED
CVE-2018-11490 (The DGifDecompressLine function in dgif_lib.c in GIFLIB
(possibly ...)
- giflib <unfixed> (bug #904114)
+ [stretch] - giflib <no-dsa> (Minor issue)
NOTE: https://github.com/pts/sam2p/issues/38
NOTE: https://sourceforge.net/p/giflib/bugs/113/
NOTE: Issue was reported against sam2p but issue is in dgif_lib.c from
giflib.
CVE-2018-11489 (The DGifDecompressLine function in dgif_lib.c in GIFLIB
(possibly ...)
- giflib <unfixed> (bug #904113)
+ [stretch] - giflib <no-dsa> (Minor issue)
NOTE: https://github.com/pts/sam2p/issues/37
NOTE: https://sourceforge.net/p/giflib/bugs/112/
NOTE: Issue was reported against sam2p but issue is in dgif_lib.c from
giflib.
@@ -10672,6 +10674,7 @@ CVE-2018-10189 (An issue was discovered in Mautic 1.x
and 2.x before 2.13.0. It
NOT-FOR-US: Mautic
CVE-2018-10188 (phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker
to ...)
- phpmyadmin <unfixed> (bug #896490)
+ [stretch] - phpmyadmin <not-affected> (Only affects 4.8.x)
[jessie] - phpmyadmin <not-affected> (vulnerable code not present)
[wheezy] - phpmyadmin <not-affected> (vulnerable code not present)
NOTE: https://www.phpmyadmin.net/security/PMASA-2018-2/
@@ -32090,6 +32093,7 @@ CVE-2018-2599 (Vulnerability in the Java SE, Java SE
Embedded, JRockit component
[wheezy] - openjdk-6 <end-of-life>
CVE-2018-2598 (Vulnerability in the MySQL Workbench component of Oracle MySQL
...)
- mysql-workbench <unfixed> (bug #904112)
+ [stretch] - mysql-workbench <no-dsa> (Exact details undisclosed, but
marginal CVSS score)
CVE-2018-2597 (Vulnerability in the Oracle Hospitality Cruise Dining Room
Management ...)
NOT-FOR-US: Oracle
CVE-2018-2596 (Vulnerability in the Oracle WebCenter Content component of
Oracle ...)
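Review bot: The reason on the added `[stretch] - mysql-workbench <no-dsa>` line rests on a `marginal CVSS score`, but the entry for CVE-2018-2598 records neither the score nor any reference. Add a NOTE with the score or a link to the advisory so the no-dsa decision can be rechecked later.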
@@ -46081,6 +46085,7 @@ CVE-2017-14989 (A use-after-free in RenderFreetype in
MagickCore/annotate.c in .
NOTE: ImageMagick-6:
https://github.com/ImageMagick/ImageMagick/commit/28bad01242898d7f863deedbfa8502c348293093
CVE-2017-14988 (Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0
allows remote ...)
- openexr <unfixed> (bug #878551)
+ [stretch] - openexr <no-dsa> (Minor issue)
[wheezy] - openexr <postponed> (Should be fixed along in future update)
NOTE: https://github.com/openexr/openexr/issues/248
CVE-2017-14987
@@ -53432,7 +53437,7 @@ CVE-2017-12597 (OpenCV (Open Source Computer Vision
Library) through 3.3 has an
NOTE: https://github.com/opencv/opencv/issues/9309
CVE-2017-12596 (In OpenEXR 2.2.0, a crafted image causes a heap-based buffer
over-read ...)
- openexr 2.2.0-11.1 (bug #877352)
- [stretch] - opencv <no-dsa> (Minor issue)
+ [stretch] - openexr <no-dsa> (Minor issue)
[wheezy] - openexr 1.6.1-6+deb7u1
NOTE: https://github.com/openexr/openexr/issues/238
NOTE: Upstream fix
https://github.com/openexr/openexr/commit/f09f5f26c1924c4f7e183428ca79c9881afaf53c
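Review bot: The replaced line under CVE-2017-12596 named `opencv` although every other line of the entry is for `openexr`, so the stretch status was attached to the wrong package until now. The correction is right, but the commit message `stretch triage` does not mention it; a one-line mention would make the fix findable in history.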
@@ -63833,36 +63838,43 @@ CVE-2017-9117 (In LibTIFF 4.0.7, the program
processes BMP images without verify
CVE-2017-9116 (In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress
function ...)
{DLA-1083-1}
- openexr 2.2.0-11.1 (bug #864078)
+ [stretch] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9115 (In OpenEXR 2.2.0, an invalid write of size 2 in the = operator
function ...)
- openexr <unfixed> (bug #873885)
+ [stretch] - openexr <no-dsa> (Minor issue)
[wheezy] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9114 (In OpenEXR 2.2.0, an invalid read of size 1 in the refill
function in ...)
- openexr <unfixed> (bug #873885)
+ [stretch] - openexr <no-dsa> (Minor issue)
[wheezy] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9113 (In OpenEXR 2.2.0, an invalid write of size 1 in the
bufferedReadPixels ...)
- openexr <unfixed> (bug #873885)
+ [stretch] - openexr <no-dsa> (Minor issue)
[wheezy] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9112 (In OpenEXR 2.2.0, an invalid read of size 1 in the getBits
function in ...)
{DLA-1083-1}
- openexr 2.2.0-11.1 (bug #864078)
+ [stretch] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9111 (In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE
function ...)
- openexr <unfixed> (bug #873885)
+ [stretch] - openexr <no-dsa> (Minor issue)
[wheezy] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9110 (In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode
function ...)
{DLA-1083-1}
- openexr 2.2.0-11.1 (bug #864078)
+ [stretch] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9109
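Review bot: All seven added `[stretch] - openexr <no-dsa> (Minor issue)` lines carry the same reason, yet CVE-2017-9115, CVE-2017-9113 and CVE-2017-9111 are described as invalid writes while the other four are invalid reads. Give the write cases their own justification rather than the shared one. For CVE-2017-9116, CVE-2017-9112 and CVE-2017-9110 the entries already show a fixed version `2.2.0-11.1` and `{DLA-1083-1}`, so a NOTE on whether a stretch point-release update is planned would help.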
=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -31,6 +31,8 @@ graphicsmagick
intel-microcode
wait for regressions in unstable before releasing to stretch
--
+jetty9 (jmm)
+--
knot-resolver
--
libidn
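Review bot: The added `jetty9 (jmm)` entry in data/dsa-needed.txt names the package and who is taking it but has no status line, unlike `intel-microcode` just above it. A short line saying which issues the DSA is for would let others see the scope without searching data/CVE/list.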
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2906ee00712bb63ed15949f4bbc8b252ea453699