Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2a09b65c by Moritz Muehlenhoff at 2019-03-11T21:59:09Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1987,6 +1987,7 @@ CVE-2019-8936 [Crafted null dereference attack in 
authenticated mode 6 packet]
 CVE-2019-8934 [ppc64: sPAPR emulator leaks the host hardware identity]
        RESERVED
        - qemu <unfixed> (bug #922923)
+       [buster] - qemu <ignored> (Too intrusive to backport, marginal impact)
        - qemu-kvm <removed>
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04821.html
 CVE-2019-8933 (In DedeCMS 5.7SP2, attackers can upload a .php file to the 
uploads/ ...)
@@ -3052,6 +3053,7 @@ CVE-2019-8414
        RESERVED
 CVE-2013-7469 (Seafile through 6.2.11 always uses the same Initialization 
Vector (IV) ...)
        - seafile <unfixed> (bug #923009)
+       [buster] - seafile <ignored> (Minor issue)
        NOTE: https://github.com/haiwen/seafile/issues/350
 CVE-2019-8413 (On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer 
...)
        NOT-FOR-US: Xiaomi
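Review bot: The reason on the added `[buster] - seafile <ignored> (Minor issue)` line is too thin for an entry whose description says Seafile always uses the same Initialization Vector. `<ignored>` settles the question for buster, so the parenthetical should say why the fixed IV is acceptable or why a fix is impractical, the way the qemu line in this commit does with "Too intrusive to backport, marginal impact".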
@@ -14606,6 +14608,7 @@ CVE-2018-20594 (An issue was discovered in hsweb 3.0.4. 
It is a reflected XSS ..
        NOT-FOR-US: hsweb
 CVE-2018-20593 (In Mini-XML (aka mxml) v2.12, there is stack-based buffer 
overflow in ...)
        - mxml <unfixed>
+       [buster] - mxml <ignored> (Minor issue)
        [stretch] - mxml <ignored> (Minor issue)
        [jessie] - mxml <no-dsa> (Minor issue, only affects the mxmldoc tool)
        NOTE: 
https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/so_mxmldoc.c:2971_1.txt
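Review bot: The added `[buster] - mxml <ignored>` line gives only "Minor issue", while the jessie line two lines below it records the actual scoping reason, "only affects the mxmldoc tool". Suggest carrying that wording into the buster reason so the decision to ignore a stack-based buffer overflow is self-explanatory; the same applies to the CVE-2018-20592 entry in the next hunk.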
@@ -14616,6 +14619,7 @@ CVE-2018-20593 (In Mini-XML (aka mxml) v2.12, there is 
stack-based buffer overfl
        NOTE: upstream tagged the issue with 'wontfix' and removed mxmldoc code 
completely
 CVE-2018-20592 (In Mini-XML (aka mxml) v2.12, there is a use-after-free in the 
mxmlAdd ...)
        - mxml <unfixed>
+       [buster] - mxml <ignored> (Minor issue)
        [stretch] - mxml <ignored> (Minor issue)
        [jessie] - mxml <no-dsa> (Minor issue, only affected the mxmldoc tool)
        NOTE: 
https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/uaf_mxml-node.c:128_1.txt
@@ -18398,7 +18402,8 @@ CVE-2018-20074
        RESERVED
 CVE-2018-20073 [chromium stores download meta data in extended attributes]
        RESERVED
-       - chromium <unfixed>
+       - chromium <unfixed> (low)
+       [buster] - chromium <postponed> (Wait until fixed upstream)
        [stretch] - chromium <postponed> (Wait until fixed upstream)
 CVE-2018-20072
        RESERVED
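Review bot: The added `[buster] - chromium <postponed> (Wait until fixed upstream)` line depends on an upstream fix, but the entry carries no NOTE pointing at an upstream report, so there is nothing to check when the postponed item is revisited. Suggest adding a NOTE with the upstream reference. The change of `- chromium <unfixed>` to `(low)` is also a severity decision for all suites rather than buster triage, and deserves a mention in the commit message.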
@@ -32866,6 +32871,7 @@ CVE-2018-16385 (ThinkPHP before 5.1.23 allows SQL 
Injection via the ...)
        NOT-FOR-US: ThinkPHP
 CVE-2018-16384 (A SQL injection bypass (aka PL1 bypass) exists in OWASP 
ModSecurity ...)
        - modsecurity-crs <unfixed> (low)
+       [buster] - modsecurity-crs <no-dsa> (Minor issue)
        [stretch] - modsecurity-crs <no-dsa> (Minor issue)
        [jessie] - modsecurity-crs <no-dsa> (Minor issue)
        NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1167
@@ -86595,6 +86601,7 @@ CVE-2017-14611 (SSRF (Server Side Request Forgery) in 
Cockpit 0.13.0 allows remo
        NOT-FOR-US: Cockpit CMS (different from src:cockpit)
 CVE-2017-14610 (bareos-dir, bareos-fd, and bareos-sd in bareos-core in Bareos 
16.2.6 ...)
        - bareos <unfixed> (bug #877334)
+       [buster] - bareos <no-dsa> (Minor issue)
        [stretch] - bareos <no-dsa> (Minor issue)
        [jessie] - bareos <no-dsa> (Minor issue)
        NOTE: https://bugs.bareos.org/view.php?id=847
@@ -121756,6 +121763,7 @@ CVE-2017-3225 (Das U-Boot is a device bootloader that 
can read its configuration
        NOTE: Negligible security impact
 CVE-2017-3224 (Open Shortest Path First (OSPF) protocol implementations may 
...)
        - quagga <unfixed> (low; bug #871617)
+       [buster] - quagga <no-dsa> (Minor issue)
        [stretch] - quagga <no-dsa> (Minor issue)
        [jessie] - quagga <no-dsa> (Minor issue)
        [wheezy] - quagga <no-dsa> (Minor issue)
@@ -140684,6 +140692,7 @@ CVE-2016-6185 (The XSLoader::load method in XSLoader 
in Perl does not properly l
        - perl 5.22.2-2 (bug #829578)
 CVE-2016-6175 (Eval injection vulnerability in php-gettext 1.0.12 and earlier 
allows ...)
        - php-gettext <unfixed> (bug #851771)
+       [buster] - php-gettext <no-dsa> (Minor issue)
        [stretch] - php-gettext <no-dsa> (Minor issue)
        [jessie] - php-gettext <no-dsa> (Minor issue)
        [wheezy] - php-gettext <no-dsa> (Minor issue)
@@ -148156,7 +148165,8 @@ CVE-2016-3993 (Off-by-one error in the 
__imlib_MergeUpdate function in lib/updat
        NOTE: 
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=ce94edca1ccfbe314cb7cd9453433fad404ec7ef
        NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/5
 CVE-2012-XXXX [Option -localhost seems to fail to restrict ipv6 access]
-       - x11vnc <unfixed> (bug #672435)
+       - x11vnc <unfixed> (low; bug #672435)
+       [buster] - x11vnc <ignored> (Minor issue; workaround exits)
        [stretch] - x11vnc <ignored> (Minor issue; workaround exits)
        [jessie] - x11vnc <ignored> (Minor issue; workaround exits)
        [wheezy] - x11vnc <ignored> (Minor issue; workaround exits)
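Review bot: Typo in the reason on the added `[buster] - x11vnc <ignored>` line: "workaround exits" should read "workaround exists". The new line copies the typo from the stretch, jessie and wheezy lines below it, so all four are best fixed together. Since the entry title says `-localhost` fails to restrict ipv6 access, a NOTE naming the workaround would make the `<ignored>` status easier to justify.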
@@ -185181,6 +185191,7 @@ CVE-2015-XXXX [Zoo directory traversal]
        NOTE: CVE Request: 
https://marc.info/?l=oss-security&m=142024361327375&w=2
 CVE-2015-XXXX [buffer over-read]
        - arc <unfixed> (low; bug #774439)
+       [buster] - arc <ignored> (Minor issue)
        [stretch] - arc <ignored> (Minor issue)
        [jessie] - arc <ignored> (Minor issue)
        [wheezy] - arc <no-dsa> (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2a09b65c1a055cdb4f19d78dc865e686ad0d9c95
