[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff Tue, 29 Jan 2019 04:56:34 -0800

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker



Commits:
a3b8fdb8 by Moritz Muehlenhoff at 2019-01-29T12:55:49Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -11974,6 +11974,7 @@ CVE-2018-20074
 CVE-2018-20073 [chromium stores download meta data in extended attributes]
        RESERVED
        - chromium <unfixed>
+       [stretch] - chromium <postponed> (Wait until fixed upstream)
 CVE-2018-20072
        RESERVED
 CVE-2018-20071 (Insufficiently strict origin checks during JIT payment app ...)
@@ -38943,6 +38944,7 @@ CVE-2018-11491 (ASUS HG100 devices with firmware before 
1.05.12 allow unauthenti
        NOT-FOR-US: ASUS HG100 devices
 CVE-2018-11490 (The DGifDecompressLine function in dgif_lib.c in GIFLIB 
(possibly ...)
        - giflib <unfixed> (bug #904114)
+       [buster] - giflib <no-dsa> (Minor issue)
        [stretch] - giflib <no-dsa> (Minor issue)
        [jessie] - giflib <no-dsa> (Minor issue)
        NOTE: https://github.com/pts/sam2p/issues/38
@@ -38950,6 +38952,7 @@ CVE-2018-11490 (The DGifDecompressLine function in 
dgif_lib.c in GIFLIB (possibl
        NOTE: Issue was reported against sam2p but issue is in dgif_lib.c from 
giflib.
 CVE-2018-11489 (The DGifDecompressLine function in dgif_lib.c in GIFLIB 
(possibly ...)
        - giflib <unfixed> (bug #904113)
+       [buster] - giflib <no-dsa> (Minor issue)
        [stretch] - giflib <no-dsa> (Minor issue)
        [jessie] - giflib <no-dsa> (Minor issue)
        NOTE: https://github.com/pts/sam2p/issues/37
@@ -49252,6 +49255,7 @@ CVE-2018-7588 (An issue was discovered in CImg v.220. A 
heap-based buffer over-r
        NOTE: 
https://github.com/dtschump/CImg/commit/8447076ef22322a14a0ce130837e44c5ba8095f4
 CVE-2018-7587 (An issue was discovered in CImg v.220. DoS occurs when loading 
a ...)
        - cimg <unfixed> (low; bug #892780)
+       [buster] - cimg <no-dsa> (Minor issue)
        [stretch] - cimg <no-dsa> (Minor issue)
        [jessie] - cimg <no-dsa> (Minor issue)
        [wheezy] - cimg <no-dsa> (Minor issue)
@@ -49694,6 +49698,7 @@ CVE-2018-1000098 (Teluu PJSIP version 2.7.1 and earlier 
contains a Integer Overf
        NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, 
STUN and TURN)
 CVE-2018-1000101 (Mingw-w64 version 5.0.3 and earlier contains an Improper 
Null ...)
        - mingw-w64 <unfixed> (low; bug #897196)
+       [buster] - mingw-w64 <ignored> (Minor issue)
        [stretch] - mingw-w64 <ignored> (Minor issue)
        [jessie] - mingw-w64 <ignored> (Minor issue)
        [wheezy] - mingw-w64 <ignored> (Minor issue)
@@ -89044,11 +89049,9 @@ CVE-2017-11549 (The play_midi function in playmidi.c 
in TiMidity++ 2.14.0 allows
        NOTE: 
https://sourceforge.net/p/timidity/discussion/217458/thread/9a1c9620/
        NOTE: Crash in CLI tool, no security impact
 CVE-2017-11548 (The _tokenize_matrix function in audio_out.c in Xiph.Org libao 
1.2.0 ...)
-       - libao <unfixed> (low; bug #870608)
-       [stretch] - libao <no-dsa> (Minor issue)
-       [jessie] - libao <no-dsa> (Minor issue)
-       [wheezy] - libao <no-dsa> (Minor issue)
+       - libao <unfixed> (unimportant; bug #870608)
        NOTE: http://seclists.org/fulldisclosure/2017/Jul/84
+       NOTE: Not a security issue in ao, needs to be validated in applications 
using it, see #870608
 CVE-2017-11547 (The resample_gauss function in resample.c in TiMidity++ 2.14.0 
allows ...)
        - timidity 2.14.0-4 (unimportant; bug #870338)
        NOTE: http://seclists.org/fulldisclosure/2017/Jul/83
@@ -106045,7 +106048,8 @@ CVE-2017-6078 (FastStone MaxView 3.0 and 3.1 allows 
user-assisted attackers to c
 CVE-2017-6077 (ping.cgi on NETGEAR DGN2200 devices with firmware through 
10.0.0.50 ...)
        NOT-FOR-US: NETGEAR
 CVE-2016-10228 (The iconv program in the GNU C Library (aka glibc or libc6) 
2.25 and ...)
-       - glibc <unfixed> (bug #856503)
+       - glibc <unfixed> (low; bug #856503)
+       [buster] - glibc <no-dsa> (Minor issue)
        [stretch] - glibc <no-dsa> (Minor issue)
        [jessie] - glibc <no-dsa> (Minor issue)
        - eglibc <removed>
@@ -145052,7 +145056,8 @@ CVE-2016-2782 (The treo_attach function in 
drivers/usb/serial/visor.c in the Lin
        - linux-2.6 <removed>
        NOTE: Upstream commit: 
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cac9b50b0d75a1d50d6c056ff65c005f3224c8e0
 (v4.5-rc2)
 CVE-2016-2781 (chroot in GNU coreutils, when used with --userspec, allows 
local users ...)
-       - coreutils <unfixed> (bug #816320)
+       - coreutils <unfixed> (low; bug #816320)
+       [buster] - coreutils <ignored> (Minor issue)
        [stretch] - coreutils <ignored> (Minor issue)
        [jessie] - coreutils <ignored> (Minor issue)
        [wheezy] - coreutils <ignored> (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a3b8fdb83b0c8e931ae82b8054ef74a584151577

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/a3b8fdb83b0c8e931ae82b8054ef74a584151577
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

[Git][security-tracker-team/security-tracker][master] buster triage

Reply via email to