Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b7e957b2 by Moritz Muehlenhoff at 2018-12-28T23:10:59Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -543,22 +543,28 @@ CVE-2018-20363 (LibRaw::raw2image in libraw_cxx.cpp in 
LibRaw 0.19.1 has a NULL
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/7e29b9f29449fde30cc878fbb137d61c14bba3a4
        NOTE: CVE-2018-20363, CVE-2018-20364 and CVE-2018-20365 have same root 
cause
 CVE-2018-20362 (A NULL pointer dereference was discovered in ifilter_bank of 
...)
-       - faad2 <unfixed>
+       - faad2 <unfixed> (low)
+       [stretch] - faad2 <no-dsa> (Minor issue)
        NOTE: https://github.com/knik0/faad2/issues/26
 CVE-2018-20361 (An invalid memory address dereference was discovered in the 
hf_assembly ...)
-       - faad2 <unfixed>
+       - faad2 <unfixed> (low)
+       [stretch] - faad2 <no-dsa> (Minor issue)
        NOTE: https://github.com/knik0/faad2/issues/30
 CVE-2018-20360 (An invalid memory address dereference was discovered in the 
...)
-       - faad2 <unfixed>
+       - faad2 <unfixed> (low)
+       [stretch] - faad2 <no-dsa> (Minor issue)
        NOTE: https://github.com/knik0/faad2/issues/32
 CVE-2018-20359 (An invalid memory address dereference was discovered in the 
...)
-       - faad2 <unfixed>
+       - faad2 <unfixed> (low)
+       [stretch] - faad2 <no-dsa> (Minor issue)
        NOTE: https://github.com/knik0/faad2/issues/29
 CVE-2018-20358 (An invalid memory address dereference was discovered in the 
...)
-       - faad2 <unfixed>
+       - faad2 <unfixed> (low)
+       [stretch] - faad2 <no-dsa> (Minor issue)
        NOTE: https://github.com/knik0/faad2/issues/31
 CVE-2018-20357 (A NULL pointer dereference was discovered in 
sbr_process_channel of ...)
-       - faad2 <unfixed>
+       - faad2 <unfixed> (low)
+       [stretch] - faad2 <no-dsa> (Minor issue)
        NOTE: https://github.com/knik0/faad2/issues/28
 CVE-2018-20356
        RESERVED
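Review bot: None of the six faad2 entries in this hunk (CVE-2018-20357 to CVE-2018-20362) has a Debian bug reference next to "<unfixed> (low)", whereas CVE-2018-19504 later in this file carries "bug #914641". Since all six are marked <no-dsa> for stretch, adding a bug number to each line (filing one if needed) would keep the unfixed state visible to the package maintainer.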
@@ -9290,7 +9296,8 @@ CVE-2018-19506 (Zurmo 3.2.4 has XSS via an admin's use of 
the name parameter in
 CVE-2018-19505
        RESERVED
 CVE-2018-19504 (An issue was discovered in Freeware Advanced Audio Decoder 2 
(FAAD2) ...)
-       - faad2 <unfixed> (bug #914641)
+       - faad2 <unfixed> (low; bug #914641)
+       [stretch] - faad2 <no-dsa> (Minor issue)
        [jessie] - faad2 <postponed> (Minor issue)
        NOTE: https://sourceforge.net/p/faac/bugs/240/
 CVE-2018-19503 (An issue was discovered in Freeware Advanced Audio Decoder 2 
(FAAD2) ...)
@@ -20678,8 +20685,7 @@ CVE-2018-15127 (LibVNC before commit 
502821828ed00b4a2c4bef90683d0fd88ce495de co
        NOTE: 
https://github.com/LibVNC/libvncserver/commit/502821828ed00b4a2c4bef90683d0fd88ce495de
        NOTE: 
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-028-libvnc-heap-out-of-bound-write/
 CVE-2018-15126 (LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b 
contains ...)
-       - libvncserver <unfixed> (bug #916941)
-       [jessie] - libvncserver <not-affected> (Vulnerable code not present)
+       - libvncserver <not-affected> (Vulnerable code introduced after 0.9.11 
release)
        NOTE: https://github.com/LibVNC/libvncserver/issues/242
        NOTE: 
https://github.com/LibVNC/libvncserver/commit/73cb96fec028a576a5a24417b57723b55854ad7b
        NOTE: 
https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-027-libvnc-heap-use-after-free/
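Review bot: The new global <not-affected> line for CVE-2018-15126 drops the reference to bug #916941 and justifies itself with "Vulnerable code introduced after 0.9.11 release" without naming the commit that introduced the code. A NOTE pointing at the introducing commit would let others verify the claim, and it is worth confirming that bug #916941 is either still referenced from another entry or gets closed.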


=====================================
data/dsa-needed.txt
=====================================
@@ -19,6 +19,7 @@ ansible
   Maintainer is preparing updates
 --
 faad2
+  not yet fixed upstream
 --
 glusterfs
 --
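Review bot: The added line "not yet fixed upstream" does not say which CVE keeps faad2 in dsa-needed.txt, while the data/CVE/list part of this commit marks every faad2 entry it touches as <no-dsa> for stretch. Naming the CVE(s) still expected to get a DSA, or dropping the entry if none remain, would stop the two files from reading as contradictory.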
@@ -30,6 +31,8 @@ libidn
 --
 libspring-java
 --
+libvncserver (jmm)
+--
 linux
   Wait until more issues have piled up
 --
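Review bot: The new "libvncserver (jmm)" entry has no status line, and the same commit marks CVE-2018-15126 as <not-affected>. A short note listing the CVEs the update is meant to cover, for example whether CVE-2018-15127 is among them, would make the scope of the planned DSA clear.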
@@ -48,6 +51,8 @@ smarty3
 sssd
   Maintainer prepared an update and proposed debdiff, acked for upload, but 
update needs further testing before release.
 --
+thunderbird (jmm)
+--
 vlc (jmm)
   Maintainer proposed to wait for 3.0.5 and release a DSA based on 3.0.5
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b7e957b2a9683e5dad951168524f7b2bfe5e2dde
