Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ed21bb0c by Moritz Muehlenhoff at 2019-03-15T07:01:14Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -510,8 +510,9 @@ CVE-2019-9626 (PHPSHE 1.7 allows module/index/cart.php 
pintuan_id SQL Injection
        NOT-FOR-US: PHPSHE
 CVE-2019-9625 (JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN 
URI to ...)
        NOT-FOR-US: JBMC DirectAdmin
-CVE-2019-XXXX [high memory usage with long running sessions]
+CVE-2019-XXXX [high memory usage with some long running sessions]
        - proftpd-dfsg 1.3.5d-1 (bug #923926)
+       [stretch] - proftpd-dfsg <no-dsa> (Minor issue)
        NOTE: 
https://github.com/proftpd/proftpd/issues/330#issuecomment-276891713
        NOTE: 
https://forum.armbian.com/topic/9692-nanopi-neo-2-memory-leak-in-proftpd-even-worse-if-ssl-encrypted/?do=findComment&comment=73069
 CVE-2019-9624 (Webmin 1.900 allows remote attackers to execute arbitrary code 
by ...)
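
Review bot: The added `[stretch] - proftpd-dfsg <no-dsa> (Minor issue)` line rests on the reworded title "some long running sessions", but nothing in the entry says which sessions are meant, so the "Minor issue" call can only be checked by reading both linked threads. Add a one-line NOTE naming the affected session type or configuration. Since the commit message is "buster triage", this stretch annotation would also sit better in its own commit.
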
@@ -46875,10 +46876,7 @@ CVE-2018-11206 (An out of bounds read was discovered 
in H5O_fill_new_decode and
        [jessie] - hdf5 <no-dsa> (Minor issue)
        [wheezy] - hdf5 <no-dsa> (Minor issue)
 CVE-2018-11205 (A out of bounds read was discovered in H5VM_memcpyvv in H5VM.c 
in the ...)
-       - hdf5 <unfixed> (low)
-       [stretch] - hdf5 <no-dsa> (Minor issue)
-       [jessie] - hdf5 <no-dsa> (Minor issue)
-       [wheezy] - hdf5 <no-dsa> (Minor issue)
+       - hdf5 <undetermined>
 CVE-2018-11204 (A NULL pointer dereference was discovered in 
H5O__chunk_deserialize in ...)
        - hdf5 1.10.4+repack-1 (low)
        [stretch] - hdf5 <no-dsa> (Minor issue)
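
Review bot: For CVE-2018-11205 the switch to `- hdf5 <undetermined>` drops the `(low)` severity and all three per-release `<no-dsa>` lines, and the entry is left without any NOTE saying what still has to be determined. Add a NOTE stating the open question (for example, whether the packaged H5VM.c is affected at all) so the next triager knows what to check and the earlier stretch/jessie/wheezy decisions are not lost without explanation.
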
@@ -68282,9 +68280,8 @@ CVE-2018-3631
 CVE-2018-3630 [Logic error in FV parsing in 
MdeModulePkg\Core\Pei\FwVol\FwVol.c]
        RESERVED
        - edk2 <unfixed> (unimportant)
-       [jessie] - edk2 <end-of-life> (non-free is not supported)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1683653
-       NOTE: No security impact
+       NOTE: Non issue, no security impact
 CVE-2018-3629 (Buffer overflow in event handler in Intel Active Management 
Technology ...)
        NOT-FOR-US: Intel
 CVE-2018-3628 (Buffer overflow in HTTP handler in Intel Active Management 
Technology ...)
@@ -72277,8 +72274,7 @@ CVE-2017-17690
        RESERVED
 CVE-2017-17689 (The S/MIME specification allows a Cipher Block Chaining (CBC) 
...)
        - evolution <unfixed> (bug #898633; unimportant)
-       - kmail <unfixed> (bug #898634)
-       - kf5-messagelib <unfixed> (bug #899127)
+       - kf5-messagelib 4:18.08.1-1 (bug #899127)
        [stretch] - kf5-messagelib <no-dsa> (Defaults to secure handling, 
change to disable it entirely can be fixed via spu)
        - kdepim <removed> (bug #899128)
        [stretch] - kdepim <no-dsa> (Defaults to secure handling, change to 
disable it entirely can be fixed via spu)
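
Review bot: The kf5-messagelib line for CVE-2017-17689 changes from `<unfixed>` to fixed in `4:18.08.1-1`, but no reference in the hunk identifies the upstream change that version carries. The `[stretch]` line directly below mentions a "change to disable it entirely", so a NOTE linking that upstream commit would let a reader verify the recorded fixed version.
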
@@ -72287,6 +72283,7 @@ CVE-2017-17689 (The S/MIME specification allows a 
Cipher Block Chaining (CBC) ..
        NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=796135
        NOTE: https://dot.kde.org/2018/05/15/efail-and-kmail
        NOTE: protocol vulnerability can't be fixed in implementations but they 
can prevent exploitation by disabling loading of remote content
+       NOTE: kmail bug is #898634, but src:kmail is not affected, the code in 
question is in kf5-messagelib
 CVE-2017-17688 (** DISPUTED ** The OpenPGP specification allows a Cipher 
Feedback Mode ...)
        - enigmail 2:2.0.6.1-4 (bug #898630)
        [jessie] - enigmail <end-of-life> (see 
https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html)
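
Review bot: With the `- kmail <unfixed> (bug #898634)` line removed, bug #898634 is now referenced only in this free-text NOTE and is no longer attached to any package line. If the code really lives in kf5-messagelib, consider reassigning #898634 to src:kf5-messagelib or merging it with #899127, and mention that in the NOTE so the bug does not stay open against a package the tracker no longer lists.
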
@@ -74837,7 +74834,8 @@ CVE-2017-17508 (In HDF5 1.10.1, there is a 
divide-by-zero vulnerability in the f
        NOTE: POC: 
https://github.com/xiaoqx/pocs/blob/master/hdf5/1-hdf5-divbyzero-H5T_set_loc
        NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md
 CVE-2017-17507 (In HDF5 1.10.1, there is an out of bounds read vulnerability 
in the ...)
-       - hdf5 <unfixed> (bug #915807)
+       - hdf5 <unfixed> (low; bug #915807)
+       [buster] - hdf5 <no-dsa> (Minor issue, requires ABI change)
        [stretch] - hdf5 <no-dsa> (Minor issue)
        [jessie] - hdf5 <no-dsa> (Minor issue)
        [wheezy] - hdf5 <no-dsa> (Minor issue)
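
Review bot: The new `[buster] - hdf5 <no-dsa> (Minor issue, requires ABI change)` line for CVE-2017-17507 asserts an ABI change, yet the unstable line is still `<unfixed>` and no upstream fix is referenced in the visible lines. Add a NOTE pointing at the upstream commit or release that needs the ABI change so the reason can be checked, and so it is clear why buster gets a different justification from the plain "Minor issue" on stretch, jessie and wheezy.
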
@@ -75992,10 +75990,12 @@ CVE-2018-1100 (zsh through version 5.4.2 is 
vulnerable to a stack-based buffer .
        NOTE: 
https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/
 CVE-2018-1099 (DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An 
...)
        - etcd <unfixed> (low; bug #921156)
+       [buster] - etcd <no-dsa> (Minor issue)
        NOTE: https://github.com/coreos/etcd/issues/9353
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1552717
 CVE-2018-1098 (A cross-site request forgery flaw was found in etcd 3.3.1 and 
earlier. ...)
        - etcd <unfixed> (low; bug #921156)
+       [buster] - etcd <no-dsa> (Minor issue)
        NOTE: https://github.com/coreos/etcd/issues/9353
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1552714
 CVE-2018-1097 (A flaw was found in foreman before 1.16.1. The issue allows 
users with ...)
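
Review bot: Both added `[buster] - etcd <no-dsa> (Minor issue)` lines give no reason beyond "Minor issue", although the two descriptions are a DNS rebinding and a cross-site request forgery flaw and unstable remains `<unfixed>` under bug #921156. Put the reason in the parenthesis or in a NOTE for each CVE so the decision can be revisited once #921156 is resolved.
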
@@ -94373,9 +94373,10 @@ CVE-2017-12171 (A regression was found in the Red Hat 
Enterprise Linux 6.9 versi
 CVE-2017-12170 (Downstream version 1.0.46-1 of pure-ftpd as shipped in Fedora 
was ...)
        - pure-ftpd <not-affected> (Fedora specific packaging error)
 CVE-2017-12169 (It was found that FreeIPA 4.2.0 and later could disclose 
password ...)
-       - freeipa <unfixed> (low; bug #895950)
+       - freeipa <unfixed> (unimportant; bug #895950)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1487697
        NOTE: Proposed patch: 
https://bugzilla.redhat.com/attachment.cgi?id=1331008
+       NOTE: Negligible security impact
 CVE-2017-12168 (The access_pmu_evcntr function in arch/arm64/kvm/sys_regs.c in 
the ...)
        - linux 4.8.11-1
        [jessie] - linux <not-affected> (Vulnerable code not present)
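
Review bot: CVE-2017-12169 is downgraded from `low` to `unimportant` although its description says FreeIPA "could disclose password ...", and the added `NOTE: Negligible security impact` gives the conclusion without the reasoning. Expand the NOTE to say why the disclosure is negligible, and whether the proposed patch linked just above is still expected to be applied.
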
@@ -170830,8 +170831,9 @@ CVE-2015-5180 (res_query in libresolv in glibc before 
2.25 allows remote attacke
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18784
        NOTE: Originally proposed for jessie 8.8, but breaks the NSS ABI so was 
retracted
 CVE-2015-5179 (FreeIPA might display user data improperly via vectors 
involving ...)
-       - freeipa <unfixed> (bug #795399)
+       - freeipa <unfixed> (unimportant; bug #795399)
        NOTE: https://fedorahosted.org/freeipa/ticket/5153
+       NOTE: Negligible security impact
 CVE-2015-5178 (The Management Console in Red Hat Enterprise Application 
Platform ...)
        NOT-FOR-US: JBoss EAP
 CVE-2015-5177 (Double free vulnerability in the SLPDKnownDAAdd function in ...)
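
Review bot: CVE-2015-5179 had no severity before and goes straight to `unimportant` with the one-line `NOTE: Negligible security impact`; the only reference in the entry is the fedorahosted.org ticket. Add a short reason to the NOTE, or cite the ticket comment that supports it, so the rating can be checked from the tracker entry alone.
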



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ed21bb0c20a2272745fb959f4c1da58a44ce32e7
