Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b565d010 by Moritz Muehlenhoff at 2019-02-10T13:31:12Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -13676,6 +13676,7 @@ CVE-2018-20030 [Input validation issue resulting in a 
denial of service]
        [stretch] - libexif <no-dsa> (Minor issue)
        [jessie] - libexif <no-dsa> (Minor issue)
        NOTE: 
https://secuniaresearch.flexerasoftware.com/secunia_research/2018-28/
+       NOTE: 
https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89
 CVE-2018-20029 (The nxfs.sys driver in the DokanFS library 0.6.0 in NoMachine 
before ...)
        NOT-FOR-US: nxfs.sys driver in the DokanFS library in NoMachine on 
Windows
 CVE-2019-2394
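Review bot: the NOTE added to CVE-2018-20030 gives the libexif commit URL with no label, while other entries in this file qualify such links ("NOTE: Fixed by:" on the lxterminal entry, "NOTE: Introduced by:" on the curl entry), so a reader cannot tell from the entry whether this commit fixes the issue or is merely related; suggest prefixing it with "Fixed by:" if that is what the commit is, so the stretch/jessie <no-dsa> decisions can later be revisited against a known fix.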
@@ -26408,7 +26409,7 @@ CVE-2018-16890 (libcurl versions from 7.36.0 to before 
7.64.0 is vulnerable to a
        NOTE: Introduced by: 
https://github.com/curl/curl/commit/86724581b6c02d160b52f817550cfdfc9c93af62
 CVE-2018-16889 (Ceph does not properly sanitize encryption keys in debug 
logging for ...)
        - ceph <unfixed> (low; bug #918969)
-       [stretch] - ceph <no-dsa> (Minor issue)
+       [stretch] - ceph <postponed> (Minor issue)
        [jessie] - ceph <not-affected> (Vulnerable code not present)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1665334
        NOTE: http://tracker.ceph.com/issues/37847
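Review bot: the stretch line for CVE-2018-16889 moves from <no-dsa> to <postponed> but keeps the identical rationale "(Minor issue)"; the two states carry different expectations (no-dsa: no security update planned, postponed: a fix is still intended via a later update), so the rationale should say why it is now postponed. Also, unlike the kodi, libcroco, 389-ds-base, dokuwiki, libjgroups-java and accountsservice entries in this "buster triage" commit, this ceph entry (still <unfixed> in sid) gets no [buster] decision; check whether one was intended.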
@@ -26630,7 +26631,7 @@ CVE-2018-16847 (An OOB heap buffer r/w access issue was 
found in the NVM Express
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg00200.html
        NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=87ad860c622cc8f8916b5232bd8728c08f938fce
 CVE-2018-16846 (It was found in Ceph versions before 13.2.4 that authenticated 
ceph ...)
-       - ceph <unfixed>
+       - ceph <unfixed> (bug #921947)
        NOTE: http://tracker.ceph.com/issues/35994
        NOTE: 
https://github.com/ceph/ceph/commit/ab29bed2fc9f961fe895de1086a8208e21ddaddc
        NOTE: Backport to 12.2.11: https://tracker.ceph.com/issues/37831
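Review bot: CVE-2018-16846 now records Debian bug #921947, but the entry still has no [stretch] or [jessie] status line, unlike the neighbouring CVE-2018-16889 ceph entry; the description says versions before 13.2.4 are affected, so if stretch's ceph is affected a decision (<no-dsa>, <postponed> or <not-affected> with a reason) should be recorded here, particularly since a 12.2.11 backport is already referenced in the NOTE above.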
@@ -32113,7 +32114,7 @@ CVE-2018-14663 (An issue has been found in PowerDNS 
DNSDist before 1.3.3 allowin
        [stretch] - dnsdist <no-dsa> (Minor issue)
        NOTE: 
https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2018-08.html
 CVE-2018-14662 (It was found Ceph versions before 13.2.4 that authenticated 
ceph users ...)
-       - ceph <unfixed>
+       - ceph <unfixed> (bug #921948)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1637327
        NOTE: 
https://github.com/ceph/ceph/commit/a2acedd2a7e12d58af6db35edbd8a9d29c557578
 CVE-2018-14661 (It was found that usage of snprintf function in feature/locks 
...)
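Review bot: `- ceph <unfixed> (bug #921948)` records the bug but no severity, whereas the CVE-2018-16889 ceph entry in this same commit uses "(low; bug #918969)"; with the upstream fix commit already linked in the NOTE below, the triage should be able to assign a severity so the entry's priority is visible in the tracker.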
@@ -47713,12 +47714,14 @@ CVE-2018-8832 (enhavo 0.4.0 has XSS via a user-group 
that contains executable ..
        NOT-FOR-US: enhavo
 CVE-2018-8831 (A Persistent XSS vulnerability exists in Kodi (formerly XBMC) 
through ...)
        - kodi <unfixed> (low)
+       [buster] - kodi <no-dsa> (Minor issue)
        [stretch] - kodi <no-dsa> (Minor issue)
        - xbmc <removed>
        [jessie] - xbmc <no-dsa> (Minor issue)
        [wheezy] - xbmc <no-dsa> (Minor issue)
        NOTE: http://seclists.org/fulldisclosure/2018/Apr/36
        NOTE: https://trac.kodi.tv/ticket/17814
+       NOTE: Fixed in v18
 CVE-2018-8830
        RESERVED
 CVE-2018-8829
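Review bot: the new `NOTE: Fixed in v18` for CVE-2018-8831 names an upstream version without a commit or release reference, unlike the other NOTE lines on this entry that link the disclosure and the Kodi ticket; add the fixing commit URL or the Kodi 18 release notes, and if a Debian kodi package based on v18 is already available, the sid `<unfixed>` marker should become the fixed Debian version rather than leaving the entry open with buster at <no-dsa>.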
@@ -98924,6 +98927,7 @@ CVE-2017-8872 (The htmlParseTryOrFinish function in 
HTMLparser.c in libxml2 2.9.
        NOTE: 
https://gitlab.gnome.org/GNOME/libxml2/commit/123234f2cfcd9e9b9f83047eee1dc17b4c3f4407
 CVE-2017-8871 (The cr_parser_parse_selector_core function in cr-parser.c in 
libcroco ...)
        - libcroco <unfixed> (bug #864666; low)
+       [buster] - libcroco <no-dsa> (Minor issue)
        [stretch] - libcroco <no-dsa> (Minor issue)
        [jessie] - libcroco <no-dsa> (Minor issue)
        [wheezy] - libcroco <not-affected> (Vulnerable code not present)
@@ -99051,6 +99055,7 @@ CVE-2016-10369 (unixsocket.c in lxterminal through 
0.3.0 insecurely uses /tmp fo
        NOTE: Fixed by: 
https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
 CVE-2017-8834 (The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 
0.6.12 ...)
        - libcroco <unfixed> (bug #864666; low)
+       [buster] - libcroco <no-dsa> (Minor issue)
        [stretch] - libcroco <no-dsa> (Minor issue)
        [jessie] - libcroco <no-dsa> (Minor issue)
        [wheezy] - libcroco <not-affected> (Vulnerable code not present)
@@ -108047,6 +108052,7 @@ CVE-2017-5983 (The JIRA Workflow Designer Plugin in 
Atlassian JIRA Server before
        NOT-FOR-US: JIRA Workflow Designer Plugin
 CVE-2017-5982 (Directory traversal vulnerability in the Chorus2 2.4.2 add-on 
for Kodi ...)
        - kodi <unfixed> (bug #855225)
+       [buster] - kodi <ignored> (Minor issue)
        [stretch] - kodi <ignored> (Minor issue)
        [jessie] - kodi <ignored> (Minor issue)
        - xbmc <removed> (bug #861274)
@@ -129835,7 +129841,8 @@ CVE-2016-7965 (DokuWiki 2016-06-26a and older uses 
$_SERVER[HTTP_HOST] instead o
        NOTE: Can be adresesd by properly configure dokuwiki as per
        NOTE: 
https://github.com/splitbrain/dokuwiki/issues/1709#issuecomment-262337572
 CVE-2016-7964 (The sendRequest method in HTTPClient Class in file 
/inc/HTTPClient.php ...)
-       - dokuwiki <unfixed> (bug #844731)
+       - dokuwiki <unfixed> (low; bug #844731)
+       [buster] - dokuwiki <ignored> (Minor issue)
        [jessie] - dokuwiki <no-dsa> (Minor issue)
        [wheezy] - dokuwiki <no-dsa> (Minor issue)
        NOTE: https://github.com/splitbrain/dokuwiki/issues/1708
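Review bot: CVE-2016-7964 now has [buster] <ignored> and [jessie]/[wheezy] <no-dsa>, but no [stretch] line at all, so stretch's dokuwiki status is left undecided; add one. The buster rationale "(Minor issue)" also explains why the issue is minor but not why buster is <ignored> where jessie and wheezy are <no-dsa>. While here, the context NOTE for CVE-2016-7965 reads "Can be adresesd by properly configure dokuwiki" and should be "Can be addressed by properly configuring dokuwiki".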
@@ -137786,6 +137793,7 @@ CVE-2016-5417 (Memory leak in the __res_vinit 
function in the IPv6 name server .
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19257
 CVE-2016-5416 (389 Directory Server in Red Hat Enterprise Linux Desktop 6 
through 7, ...)
        - 389-ds-base <unfixed> (bug #834233)
+       [buster] - 389-ds-base <no-dsa> (Minor issue)
        [stretch] - 389-ds-base <no-dsa> (Minor issue)
        [jessie] - 389-ds-base <no-dsa> (Minor issue)
        NOTE: https://fedorahosted.org/389/ticket/48852
@@ -148557,7 +148565,8 @@ CVE-2016-2142 (Red Hat OpenShift Enterprise 3.1 uses 
world-readable permissions
        NOT-FOR-US: OpenShift
 CVE-2016-2141 (JGroups before 4.0 does not require the proper headers for the 
ENCRYPT ...)
        - libjgroups-java <unfixed> (low; bug #867493)
-       [stretch] - libjgroups-java <no-dsa> (Minor issue)
+       [buster] - libjgroups-java <ignored> (Minor issue, only used as build 
dep)
+       [stretch] - libjgroups-java <ignored> (Minor issue, only used as build 
dep)
        [jessie] - libjgroups-java <no-dsa> (Minor issue)
        [wheezy] - libjgroups-java <no-dsa> (Minor issue, only used as build 
dependency)
 CVE-2016-2140 (The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 
(kilo) ...)
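Review bot: the stretch line for CVE-2016-2141 changes state from <no-dsa> to <ignored>, a change of decision for a stable release that the commit message "buster triage" does not mention; if intentional, say so. The rationale is spelled "only used as build dep" on the new lines and "only used as build dependency" on the wheezy line, so pick one wording. Note also that this rationale reflects Debian's own use of the package: the libjgroups-java binary package remains installable by users who run JGroups directly, which is worth making explicit when recording that the issue will not be fixed.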
@@ -192049,6 +192058,7 @@ CVE-2012-6656 (iconvdata/ibm930.c in GNU C Library 
(aka glibc) before 2.16 allow
 CVE-2012-6655 [passes (encrypted) passwords as commandline arguments]
        RESERVED
        - accountsservice <unfixed> (low; bug #757912)
+       [buster] - accountsservice <ignored> (Minor issue)
        [stretch] - accountsservice <ignored> (Minor issue)
        [jessie] - accountsservice <ignored> (Minor issue)
        [wheezy] - accountsservice <ignored> (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/b565d0104bc0324a585ae86d8c19f73f8e71823a

debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits