Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
43244272 by Moritz Muehlenhoff at 2019-04-07T20:22:52Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1847,6 +1847,7 @@ CVE-2019-1000031 (A disk space or quota exhaustion issue 
exists in article2pdf_g
 CVE-2018-20815 [device_tree: heap buffer overflow while loading device tree 
blob]
        RESERVED
        - qemu 1:3.1+dfsg-7
+       [stretch] - qemu <postponed> (Minor issue)
        - qemu-kvm <removed>
        NOTE: 
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=da885fe1ee8b4589047484bd7fa05a4905b52b17
        NOTE: https://www.openwall.com/lists/oss-security/2019/03/27/1
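Review bot: the new `[stretch] - qemu <postponed> (Minor issue)` line leaves the sid line `- qemu 1:3.1+dfsg-7` without a severity tag, while the other entries triaged in this commit (libvirt, edk2, simple-xml) gain `(low)`; adding the tag here keeps the entry consistent with the rest of the commit and makes the "Minor issue" rationale for postponing checkable against the recorded severity.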
@@ -5081,18 +5082,22 @@ CVE-2019-9088
 CVE-2019-9087
        RESERVED
        - hoteldruid 2.3.2-1
+       [stretch] - hoteldruid <no-dsa> (Minor issue)
        [jessie] - hoteldruid <no-dsa> (low popcon, not used by any sponsor)
 CVE-2019-9086
        RESERVED
        - hoteldruid 2.3.2-1
+       [stretch] - hoteldruid <no-dsa> (Minor issue)
        [jessie] - hoteldruid <no-dsa> (low popcon, not used by any sponsor)
 CVE-2019-9085
        RESERVED
        - hoteldruid 2.3.2-1
+       [stretch] - hoteldruid <no-dsa> (Minor issue)
        [jessie] - hoteldruid <no-dsa> (low popcon, not used by any sponsor)
 CVE-2019-9084
        RESERVED
        - hoteldruid 2.3.2-1
+       [stretch] - hoteldruid <no-dsa> (Minor issue)
        [jessie] - hoteldruid <no-dsa> (low popcon, not used by any sponsor)
 CVE-2019-9083 (SQLiteManager 1.20 and 1.24 allows SQL injection via the 
/sqlitemanage ...)
        NOT-FOR-US: SQLiteManager
@@ -14036,6 +14041,7 @@ CVE-2019-5422 (XSS in buttle npm package version 0.2.0 
causes execution of attac
        TODO: check
 CVE-2019-5421 (Plataformatec Devise version 4.5.0 and earlier, using the 
lockable mod ...)
        - ruby-devise <unfixed> (bug #926348)
+       [stretch] - ruby-devise <no-dsa> (Minor issue)
        NOTE: https://github.com/plataformatec/devise/issues/4981
        NOTE: https://github.com/plataformatec/devise/pull/4996
 CVE-2019-5420 (A remote code execution vulnerability in development mode Rails 
&lt;5. ...)
@@ -17158,7 +17164,8 @@ CVE-2019-3888
 CVE-2019-3887
        RESERVED
 CVE-2019-3886 (An incorrect permissions check was discovered in libvirt 4.8.0 
and abo ...)
-       - libvirt 5.0.0-2 (bug #926418)
+       - libvirt 5.0.0-2 (low; bug #926418)
+       [stretch] - libvirt <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1694880
        NOTE: 
https://www.redhat.com/archives/libvir-list/2019-April/msg00339.html
        NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1131595#c3
@@ -17376,6 +17383,7 @@ CVE-2019-3828 (Ansible fetch module before versions 
2.5.15, 2.6.14, 2.7.8 has a
        NOTE: https://github.com/ansible/ansible/pull/52133
 CVE-2019-3827 (An incorrect permission check in the admin backend in gvfs 
before vers ...)
        - gvfs 1.38.1-3 (bug #921816)
+       [stretch] - gvfs <no-dsa> (Minor issue)
        [jessie] - gvfs <not-affected> (Vulnerable code not present)
        NOTE: https://gitlab.gnome.org/GNOME/gvfs/issues/355
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1665578
@@ -29122,12 +29130,14 @@ CVE-2019-0163
 CVE-2019-0162
        RESERVED
 CVE-2019-0161 (Stack overflow in XHCI for EDK II may allow an unauthenticated 
user to ...)
-       - edk2 0~20180803.dd4cae4d-1
+       - edk2 0~20180803.dd4cae4d-1 (low)
+       [stretch] - edk2 <no-dsa> (Minor issue)
        [jessie] - edk2 <end-of-life> (non-free, not used by any sponsor)
        NOTE: 
https://github.com/tianocore/edk2/commit/acebdf14c985c5c9f50b37ece0b15ada87767359
        NOTE: 
https://github.com/tianocore/edk2/commit/72750e3bf9174f15c17e78f0f117b5e7311bb49f
 CVE-2019-0160 (Buffer overflow in system firmware for EDK II may allow 
unauthenticate ...)
-       - edk2 0~20181115.85588389-1
+       - edk2 0~20181115.85588389-1 (low)
+       [stretch] - edk2 <no-dsa> (Minor issue)
        [jessie] - edk2 <end-of-life> (non-free, not used by any sponsor)
        NOTE: 
https://github.com/tianocore/edk2/commit/4df8f5bfa28b8b881e506437e8f08d92c1a00370
        NOTE: 
https://github.com/tianocore/edk2/commit/b9ae1705adfdd43668027a25a2b03c2e81960219
@@ -46812,6 +46822,7 @@ CVE-2018-12480 (Mitigates an XSS issue in NetIQ Access 
Manager versions prior to
        NOT-FOR-US: NetIQ Access Manager
 CVE-2018-12479 (A Improper Input Validation vulnerability in Open Build 
Service allows ...)
        - open-build-service 2.9.4-1 (bug #911797)
+       [stretch] - open-build-service <no-dsa> (Minor issue)
        NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1108435
        NOTE: https://github.com/openSUSE/open-build-service/pull/5880
        NOTE: 
https://github.com/openSUSE/open-build-service/commit/01b015ca2a320afc4fae823465d1e72da8bd60df
@@ -46842,12 +46853,14 @@ CVE-2018-12468 (A vulnerability in the administration 
console of Micro Focus Gro
        NOT-FOR-US: Micro Focus
 CVE-2018-12467 (Authorized users of the openbuildservice before 2.9.4 could 
delete pac ...)
        - open-build-service 2.9.4-1 (bug #911797)
+       [stretch] - open-build-service <no-dsa> (Minor issue)
        NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1100217
        NOTE: Fixed by: 
https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063
        NOTE: Introduced by: 
https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b
        TODO: check if introducing commit is right and fix status
 CVE-2018-12466 (openSUSE openbuildservice before 9.2.4 allowed authenticated 
users to  ...)
        - open-build-service <unfixed> (bug #911797)
+       [stretch] - open-build-service <no-dsa> (Minor issue)
        NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1098934
        NOTE: Fixed by: 
https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063
        NOTE: Introduced by: 
https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b
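Review bot: for CVE-2018-12467 the line `[stretch] - open-build-service <no-dsa> (Minor issue)` is added while the entry still carries `TODO: check if introducing commit is right and fix status`; if that check shows the introducing commit postdates the stretch version, the stretch status should be <not-affected> rather than <no-dsa>, so the TODO is best resolved before, or together with, the stretch triage. Separately, CVE-2018-12466 keeps sid as `- open-build-service <unfixed> (bug #911797)` yet cites the same `Fixed by:` commit that CVE-2018-12467 records as resolved in 2.9.4-1; either the sid line should record 2.9.4-1 or a NOTE should say why that commit does not fix this issue.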
@@ -47798,9 +47811,10 @@ CVE-2018-12183 (Stack overflow in DxeCore for EDK II 
may allow an unauthenticate
        [jessie] - edk2 <end-of-life> (non-free, not used by any sponsor)
        NOTE: 
https://github.com/tianocore/edk2/commit/0a0d5296e448fc350de1594c49b9c0deff7fad60
 CVE-2018-12182 (Insufficient memory write check in SMM service for EDK II may 
allow an ...)
-       - edk2 <undetermined>
+       - edk2 <unfixed> (low)
+       [stretch] - edk2 <no-dsa> (Minor issue)
        [jessie] - edk2 <end-of-life> (non-free is not supported, not used by 
any sponsor)
-       NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1136 (restricted)
+       NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1136
 CVE-2018-12181 (Stack overflow in corrupted bmp for EDK II may allow 
unprivileged user ...)
        - edk2 0~20181115.85588389-3 (bug #924615)
        [stretch] - edk2 <no-dsa> (Minor issue, will be fixed via point update)
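Review bot: the change from `- edk2 <undetermined>` to `- edk2 <unfixed> (low)` for CVE-2018-12182 is not backed by a fix reference in the entry: the neighbouring EDK II entries (CVE-2018-12183, CVE-2018-12181) cite tianocore commits or a Debian bug, but this one has only the bugzilla link, so a NOTE naming the upstream fix commit, or stating that no upstream fix exists yet, would make <unfixed> verifiable. Dropping "(restricted)" from the bugzilla NOTE should only happen once the ticket is confirmed publicly readable; stating that in the NOTE or commit message would save the next reader from re-checking.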
@@ -47816,9 +47830,10 @@ CVE-2018-12180 (Buffer overflow in BlockIo service for 
EDK II may allow an unaut
        NOTE: 
https://github.com/tianocore/edk2/commit/38c9fbdcaa0219eb86fe82d90e3f8cfb5a54be9f
        NOTE: 
https://github.com/tianocore/edk2/commit/fccdb88022c1f6d85c773fce506b10c879063f1d
 CVE-2018-12179 (Improper configuration in system firmware for EDK II may allow 
unauthe ...)
-       - edk2 <undetermined>
+       - edk2 <unfixed> (low)
+       [stretch] - edk2 <no-dsa> (Minor issue)
        [jessie] - edk2 <end-of-life> (non-free is not supported, not used by 
any sponsor)
-       NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1133 (restricted)
+       NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1133
 CVE-2018-12178 (Buffer overflow in network stack for EDK II may allow 
unprivileged use ...)
        - edk2 0~20181115.85588389-3 (bug #924615)
        [stretch] - edk2 <no-dsa> (Minor issue, will be fixed via point update)
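Review bot: same point as for CVE-2018-12182 above: `- edk2 <unfixed> (low)` replaces <undetermined> for CVE-2018-12179 without a NOTE pointing at a fix or explicitly recording that upstream has none, and the "(restricted)" marker is removed from the bugzilla link without saying that the ticket is now public; a one-line NOTE covering both would make the new status auditable.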
@@ -83203,6 +83218,7 @@ CVE-2017-16909 (An error related to the 
"LibRaw::panasonic_load_raw()" function
        NOTE: 
https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e
 CVE-2017-16908 (In Horde Groupware 5.2.19, there is XSS via the Name field 
during crea ...)
        - php-horde-kronolith 4.2.24-1 (bug #909738)
+       [stretch] - php-horde-kronolith <no-dsa> (Minor issue)
        [jessie] - php-horde-kronolith <not-affected> (vulnerable code not 
present)
        NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
        NOTE: https://bugs.horde.org/ticket/14857
@@ -83210,7 +83226,9 @@ CVE-2017-16908 (In Horde Groupware 5.2.19, there is XSS 
via the Name field durin
 CVE-2017-16907 (In Horde Groupware 5.2.19 and 5.2.21, there is XSS via the 
Color field ...)
        {DLA-1536-1 DLA-1535-1}
        - php-horde 5.2.18+debian0-1 (bug #909739)
+       [stretch] - php-horde <no-dsa> (Minor issue)
        - php-horde-core 2.31.3+debian0-1 (bug #909800)
+       [stretch] - php-horde-core <no-dsa> (Minor issue)
        NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
        NOTE: https://bugs.horde.org/ticket/14857
        NOTE: php-horde: 
https://github.com/horde/base/commit/fb2113bbcd04bd4a28c46aad0889fb0a3979a230
@@ -83218,6 +83236,7 @@ CVE-2017-16907 (In Horde Groupware 5.2.19 and 5.2.21, 
there is XSS via the Color
 CVE-2017-16906 (In Horde Groupware 5.2.19-5.2.22, there is XSS via the URL 
field in a  ...)
        {DLA-1537-1}
        - php-horde-kronolith 4.2.24-1 (bug #909737)
+       [stretch] - php-horde-kronolith <no-dsa> (Minor issue)
        NOTE: http://code610.blogspot.com/2017/11/rce-via-xss-horde-5219.html
        NOTE: https://bugs.horde.org/ticket/14857
        NOTE: 
https://github.com/horde/kronolith/commit/09d90141292f9ec516a7a2007bf828ce2bbdf60d
@@ -83351,8 +83370,9 @@ CVE-2017-1000221 (In Opencast 2.2.3 and older if user 
names overlap, the Opencas
 CVE-2017-1000217 (Opencast 2.3.2 and older versions are vulnerable to script 
injections  ...)
        NOT-FOR-US: Opencast
 CVE-2017-1000190 (SimpleXML (latest version 2.7.1) is vulnerable to an XXE 
vulnerability ...)
-       - simple-xml <unfixed> (bug #888547)
-       [stretch] - simple-xml <no-dsa> (Minor issue)
+       - simple-xml <unfixed> (low; bug #888547)
+       [buster] - simple-xml <ignored> (Minor issue)
+       [stretch] - simple-xml <ignored> (Minor issue)
        [jessie] - simple-xml <no-dsa> (Minor issue)
        [wheezy] - simple-xml <no-dsa> (Minor issue)
        NOTE: https://github.com/ngallagher/simplexml/issues/18
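Review bot: `[stretch] - simple-xml <ignored> (Minor issue)` downgrades stretch from <no-dsa> to <ignored> while jessie and wheezy keep `<no-dsa> (Minor issue)` with the identical rationale, so the entry no longer explains why stretch and the new buster line will never receive the fix when the older suites were only judged not to need a DSA; the parenthetical on the <ignored> lines should carry the actual reason (for instance whether an upstream fix exists at all), and the sid line `- simple-xml <unfixed> (low; bug #888547)` likewise has no pointer to a fix beyond the upstream issue.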


=====================================
data/dsa-needed.txt
=====================================
@@ -45,7 +45,9 @@ mercurial
 nss
   Roberto proposed an update including fixes for CVE-2018-12404 and 
CVE-2018-18508
 --
-ruby2.5
+rails
+--
+ruby2.3
 --
 simplesamlphp
 --
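Review bot: replacing `-ruby2.5` with `+ruby2.3` reads like a correction of the source package name (stretch ships ruby2.3; ruby2.5 is the buster package), but neither the hunk nor the commit message "stretch triage" says so; a short status line under each new entry, as nss and sssd have, naming the CVEs that drive the DSA for rails and for ruby2.3 would make the list usable by whoever picks up the update.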
@@ -56,7 +58,11 @@ sox
 sssd
   Maintainer prepared an update and proposed debdiff, acked for upload, but 
update needs further testing before release.
 --
+teeworlds
+--
 wordpress
 --
 xen
 --
+znc
+--
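Review bot: teeworlds and znc are added without any accompanying line, whereas the neighbouring sssd entry records who is working on it and what blocks release; at minimum the CVE ids that make these DSA-worthy should be listed, since none of this commit's CVE/list hunks mention either package.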



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/432442727c210a01f3ba8a43a3c48e2d9a5c8a45
