Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
9c3d4031 by Moritz Muehlenhoff at 2019-02-02T05:06:10Z
stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -352,12 +352,14 @@ CVE-2019-7151 (A NULL pointer dereference was discovered
in ...)
NOTE:
https://github.com/WebAssembly/binaryen/commit/2127e64f42da55bb5b9b0ab1995b3ca7fc4e0d0b
NOTE:
https://github.com/WebAssembly/binaryen/commit/85e95e315a8023c46eb804fe80ebc244bcfdae3e
CVE-2019-7150 (An issue was discovered in elfutils 0.175. A segmentation fault
can ...)
- - elfutils <unfixed> (bug #920909)
+ - elfutils <unfixed> (low; bug #920909)
+ [stretch] - elfutils <no-dsa> (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24103
NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html
NOTE:
https://sourceware.org/git/?p=elfutils.git;a=commit;h=da5c5336a1eaf519de246f7d9f0f5585e1d4ac59
CVE-2019-7149 (A heap-based buffer over-read was discovered in the function
...)
- - elfutils <unfixed> (bug #920910)
+ - elfutils <unfixed> (low; bug #920910)
+ [stretch] - elfutils <no-dsa> (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24102
NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html
NOTE:
https://sourceware.org/git/?p=elfutils.git;a=commit;h=2562759d6fe5b364fe224852e64e8bda39eb2e35
@@ -1200,7 +1202,8 @@ CVE-2017-18360 (In change_port_settings in
drivers/usb/serial/io_ti.c in the Lin
NOTE: Fixed by:
https://git.kernel.org/linus/6aeb75e6adfaed16e58780309613a578fe1ee90b
CVE-2017-18359 (PostGIS 2.x before 2.3.3, as used with PostgreSQL, allows
remote ...)
{DLA-1653-1}
- - postgis 2.3.3+dfsg-1
+ - postgis 2.3.3+dfsg-1 (low)
+ [stretch] - postgis <no-dsa> (Minor issue)
NOTE: https://trac.osgeo.org/postgis/ticket/3704
NOTE: https://trac.osgeo.org/postgis/changeset/15444
NOTE: https://trac.osgeo.org/postgis/changeset/15445
@@ -2034,7 +2037,8 @@ CVE-2019-6439 (examples/benchmark/tls_bench.c in a
benchmark tool in wolfSSL thr
NOTE: https://github.com/wolfSSL/wolfssl/issues/2032
NOTE: Issue only in example code
CVE-2019-6438 (SchedMD Slurm before 17.11.13 and 18.x before 18.08.5
mishandles 32-bit ...)
- - slurm-llnl <unfixed> (bug #920997)
+ - slurm-llnl <unfixed> (low; bug #920997)
+ [stretch] - slurm-llnl <no-dsa> (Minor issue)
NOTE: https://www.schedmd.com/news.php?id=213
NOTE:
https://lists.schedmd.com/pipermail/slurm-announce/2019/000018.html
CVE-2019-6437
@@ -8838,12 +8842,14 @@ CVE-2018-20555
CVE-2018-20554
RESERVED
CVE-2018-20553 (Tcpreplay before 4.3.1 has a heap-based buffer over-read in
get_l2len ...)
- - tcpreplay <unfixed> (bug #917574)
+ - tcpreplay <unfixed> (low; bug #917574)
+ [stretch] - tcpreplay <no-dsa> (Minor issue)
[jessie] - tcpreplay <no-dsa> (not used by any sponsor, hard to exploit)
NOTE: https://github.com/appneta/tcpreplay/issues/530
NOTE:
https://github.com/appneta/tcpreplay/pull/532/commits/6b830a1640ca20528032c89a4fdd8291a4d2d8b2
CVE-2018-20552 (Tcpreplay before 4.3.1 has a heap-based buffer over-read in
packet2tree ...)
- - tcpreplay <unfixed> (bug #917574)
+ - tcpreplay <unfixed> (low; bug #917574)
+ [stretch] - tcpreplay <no-dsa> (Minor issue)
[jessie] - tcpreplay <no-dsa> (not used by any sponsor, hard to exploit)
NOTE: https://github.com/appneta/tcpreplay/issues/530
NOTE:
https://github.com/appneta/tcpreplay/pull/532/commits/6b830a1640ca20528032c89a4fdd8291a4d2d8b2
@@ -18492,6 +18498,7 @@ CVE-2018-19518 (University of Washington IMAP Toolkit
2007f on UNIX, as used in
- php7.0 <removed> (bug #913836)
- php5 <removed>
- uw-imap <unfixed> (bug #914632)
+ [stretch] - uw-imap <no-dsa> (Minor issue)
NOTE: Fixed in 5.6.39, 7.0.33, 7.1.25, 7.2.13, 7.3.0
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76428
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77153
@@ -24537,7 +24544,8 @@ CVE-2018-17200
RESERVED
CVE-2018-17199 (In Apache HTTP Server 2.4 release 2.4.37 and prior,
mod_session checks ...)
{DLA-1647-1}
- - apache2 2.4.38-1 (bug #920303)
+ - apache2 2.4.38-1 (low; bug #920303)
+ [stretch] - apache2 <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2019/01/22/3
NOTE: 2.4.x http://svn.apache.org/r1851409
NOTE: 2.5.x http://svn.apache.org/r1850947
@@ -24566,7 +24574,8 @@ CVE-2018-17191 (Apache NetBeans (incubating) 9.0
NetBeans Proxy Auto-Configurati
CVE-2018-17190 (In all versions of Apache Spark, its standalone resource
manager ...)
NOT-FOR-US: Apache Spark
CVE-2018-17189 (In Apache HTTP server versions 2.4.37 and prior, by sending
request ...)
- - apache2 2.4.38-1 (bug #920302)
+ - apache2 2.4.38-1 (low; bug #920302)
+ [stretch] - apache2 <no-dsa> (Minor issue)
[jessie] - apache2 <not-affected> (Vulnerable code not present)
NOTE: HTTP/2 support introduced in 2.4.17
NOTE: https://www.openwall.com/lists/oss-security/2019/01/22/2
=====================================
data/dsa-needed.txt
=====================================
@@ -46,6 +46,8 @@ mbedtls
--
mercurial
--
+mumble
+--
mysql-connector-python
Proposed to update to 2.1.9 via stretch-security
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9c3d40319ee7b84b427f772a0d70c90e51d3a539
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/9c3d40319ee7b84b427f772a0d70c90e51d3a539
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
