Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c7983a12 by Moritz Muehlenhoff at 2018-12-07T18:33:56Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1035,7 +1035,8 @@ CVE-2018-19870 [Check for QImage allocation failure in 
qgifhandler]
        TODO: check for completeness
 CVE-2018-19869 [Fix crash when parsing malformed url reference]
        RESERVED
-       - qtsvg-opensource-src <unfixed>
+       - qtsvg-opensource-src <unfixed> (low)
+       [stretch] - qtsvg-opensource-src <no-dsa> (Minor issue)
        NOTE: 
https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/
        NOTE: https://codereview.qt-project.org/#/c/234142/
        TODO: check for completeness, possibly as well qt4-x11
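Review bot: the `[stretch] - qtsvg-opensource-src <no-dsa> (Minor issue)` line is added while the `TODO: check for completeness, possibly as well qt4-x11` directly below it is still open; if qt4-x11 turns out to carry the same code it will need its own package line and its own stretch decision, so either resolve the TODO in the same pass or leave a marker that the stretch triage has to be revisited once it is.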
@@ -1098,11 +1099,13 @@ CVE-2018-19845
 CVE-2018-19844
        RESERVED
 CVE-2018-19843 (opmov in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 
allows ...)
-       - radare2 3.1.0+dfsg-1
+       - radare2 3.1.0+dfsg-1 (low)
+       [stretch] - radare2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/radare/radare2/commit/f17bfd9f1da05f30f23a4dd05e9d2363e1406948
        NOTE: https://github.com/radare/radare2/issues/12242
 CVE-2018-19842 (getToken in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 
allows ...)
-       - radare2 3.1.0+dfsg-1
+       - radare2 3.1.0+dfsg-1 (low)
+       [stretch] - radare2 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/radare/radare2/commit/66191f780863ea8c66ace4040d0d04a8842e8432
        NOTE: https://github.com/radare/radare2/issues/12239
 CVE-2018-19841 (The function WavpackVerifySingleBlock in open_utils.c in 
libwavpack.a ...)
@@ -1251,6 +1254,7 @@ CVE-2018-19788 (A flaw was found in PolicyKit (aka 
polkit) 0.115 that allows a u
        NOTE: 
https://gitlab.freedesktop.org/polkit/polkit/commit/b534a10727455409acd54018a9c91000e7626126
 CVE-2018-19787 (An issue was discovered in lxml before 4.2.5. 
lxml/html/clean.py in the ...)
        - lxml 4.2.5-1
+       [stretch] - lxml <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109 
(lxml-4.2.5)
 CVE-2018-19786 (HashiCorp Vault before 1.0.0 writes the master key to the 
server log in ...)
        NOT-FOR-US: HashiCorp Vault
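Review bot: the `- lxml 4.2.5-1` line keeps no severity annotation even though the new `[stretch] - lxml <no-dsa> (Minor issue)` line records a triage decision; the qtsvg and radare2 entries in this same commit pair `<no-dsa> (Minor issue)` with `(low)` on the main package line, so consider `- lxml 4.2.5-1 (low)` for consistency.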
@@ -4629,18 +4633,21 @@ CVE-2018-19492 (An issue was discovered in cairo.trm in 
Gnuplot 5.2.5. This issu
        NOTE: https://sourceforge.net/p/gnuplot/bugs/2089/
        NOTE: 
https://sourceforge.net/p/gnuplot/gnuplot-main/ci/d5020716834582b20a5e12cdd49f39ee4f9dd949/
        NOTE: No security impact, neutralised by toolchain hardening
+       NOTE: No security impact, gnuplot can execute arbitrary commands and 
need to come from a trusted source
 CVE-2018-19491 (An issue was discovered in post.trm in Gnuplot 5.2.5. This 
issue allows ...)
        {DLA-1597-1 DLA-1595-1}
-       - gnuplot <unfixed>
-       - gnuplot5 <removed>
+       - gnuplot <unfixed> (unimportant)
+       - gnuplot5 <removed> (unimportant)
        NOTE: https://sourceforge.net/p/gnuplot/bugs/2094/
        NOTE: 
https://sourceforge.net/p/gnuplot/gnuplot-main/ci/d5020716834582b20a5e12cdd49f39ee4f9dd949/
+       NOTE: No security impact, gnuplot can execute arbitrary commands and 
need to come from a trusted source
 CVE-2018-19490 (An issue was discovered in datafile.c in Gnuplot 5.2.5. This 
issue ...)
        {DLA-1597-1 DLA-1595-1}
-       - gnuplot <unfixed>
-       - gnuplot5 <removed>
+       - gnuplot <unfixed> (unimportant)
+       - gnuplot5 <removed> (unimportant)
        NOTE: https://sourceforge.net/p/gnuplot/bugs/2093/
        NOTE: 
https://sourceforge.net/p/gnuplot/gnuplot-main/ci/d5020716834582b20a5e12cdd49f39ee4f9dd949/
+       NOTE: No security impact, gnuplot can execute arbitrary commands and 
need to come from a trusted source
 CVE-2018-19489 [9pfs: crash due to race condition in renaming files]
        RESERVED
        - qemu <unfixed> (bug #914727)
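Review bot: the three added NOTE lines read "gnuplot can execute arbitrary commands and need to come from a trusted source", which drops the subject of the second clause (plot files or input "need to come from a trusted source"); reword it once before it is copied to further gnuplot entries. For CVE-2018-19492 the new line also sits directly under the existing `NOTE: No security impact, neutralised by toolchain hardening`, leaving two separate "No security impact" justifications for one CVE; folding them into a single NOTE would read more clearly.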
@@ -5001,14 +5008,16 @@ CVE-2018-19359 [Unauthorized service template creation]
        - gitlab 11.3.10+dfsg-2 (bug #914166)
        NOTE: 
https://about.gitlab.com/2018/11/19/critical-security-release-gitlab-11-dot-4-dot-6-released/
 CVE-2018-19358 (GNOME Keyring through 3.28.2 allows local users to retrieve 
login ...)
-       - gnome-keyring <unfixed> (bug #914154)
-       [jessie] - gnome-keyring <no-dsa> (The current design works as expected)
+       - gnome-keyring <unfixed> (unimportant; bug #914154)
        NOTE: 
https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1780365
        NOTE: https://github.com/sungjungk/keyring_crack
        NOTE: The default keyring is automatically unlocked upon successful 
login.
        NOTE: The current behavior to access passwords via DBus is expected but
        NOTE: cannot be compromised by another user on the system. Users can 
choose
        NOTE: to use a separate keyring if they prefer to be prompted.
+       NOTE: Non issue
+       NOTE: https://wiki.gnome.org/Projects/GnomeKeyring/SecurityFAQ
+       NOTE: https://gitlab.gnome.org/GNOME/gnome-keyring/issues/5
 CVE-2018-19357
        RESERVED
 CVE-2018-19356
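Review bot: dropping the `[jessie] - gnome-keyring <no-dsa> (The current design works as expected)` line is consistent with the new `(unimportant; bug #914154)` tag, since an unimportant severity already covers every suite, but the added `NOTE: Non issue` only repeats what the three existing NOTE lines already explain in detail; if it is kept, spell it "Non-issue".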
@@ -9148,23 +9157,23 @@ CVE-2018-17850
 CVE-2018-17849 (Navigate CMS 2.8 has Stored XSS via a navigate_upload.php (aka 
File ...)
        NOT-FOR-US: Navigate CMS
 CVE-2018-17848 (The html package (aka x/net/html) through 2018-09-25 in Go 
mishandles ...)
-       - golang-golang-x-net-dev <unfixed> (bug #911795)
+       - golang-golang-x-net-dev <unfixed> (low; bug #911795)
+       [stretch] - golang-golang-x-net-dev <not-affected> (Vulnerable code not 
present)
        - golang-go.net-dev <removed>
        [jessie] - golang-go.net-dev <ignored> (Minor issue)
        NOTE: https://github.com/golang/go/issues/27846
-       TODO: check, possibly introduced in later versions
 CVE-2018-17847 (The html package (aka x/net/html) through 2018-09-25 in Go 
mishandles ...)
-       - golang-golang-x-net-dev <unfixed> (bug #911795)
+       - golang-golang-x-net-dev <unfixed> (low; bug #911795)
+       [stretch] - golang-golang-x-net-dev <not-affected> (Vulnerable code not 
present)
        - golang-go.net-dev <removed>
        [jessie] - golang-go.net-dev <ignored> (Minor issue)
        NOTE: https://github.com/golang/go/issues/27846
-       TODO: check, possibly introduced in later versions
 CVE-2018-17846 (The html package (aka x/net/html) through 2018-09-25 in Go 
mishandles ...)
        - golang-golang-x-net-dev <unfixed> (bug #911795)
+       [stretch] - golang-golang-x-net-dev <not-affected> (Vulnerable code not 
present)
        - golang-go.net-dev <removed>
        [jessie] - golang-go.net-dev <ignored> (Minor issue)
        NOTE: https://github.com/golang/go/issues/27842
-       TODO: check, possibly introduced in later versions
 CVE-2018-17845
        RESERVED
 CVE-2018-17844
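Review bot: CVE-2018-17846 is triaged differently from its two siblings: its `- golang-golang-x-net-dev <unfixed> (bug #911795)` line gets no severity, while CVE-2018-17848 and CVE-2018-17847 are changed to `(low; bug #911795)` alongside the same `[stretch] - golang-golang-x-net-dev <not-affected> (Vulnerable code not present)` line and the same removed `TODO: check, possibly introduced in later versions`. Unless the omission is deliberate, add `low;` to the CVE-2018-17846 line as well.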


=====================================
data/dsa-needed.txt
=====================================
@@ -34,10 +34,14 @@ libspring-java
 linux
   Wait until more issues have piled up
 --
+mbedtls
+--
 mercurial
 --
 openjpeg2 (luciano)
 --
+openssl1.0
+--
 passenger
 --
 php7.0
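Review bot: the new `mbedtls` and `openssl1.0` entries carry neither an assignee nor a note on what is pending, whereas `openjpeg2 (luciano)` names who is working on it and `linux` carries the comment line `Wait until more issues have piled up`; a short indented note under each new entry (which issues are queued, or why the update is waiting) would make the queue easier for the next person to pick up.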



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c7983a12d54d7e8d18e335ac6c3ce19672219088
