Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7ae96d6a by Moritz Muehlenhoff at 2019-04-24T17:46:45Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -61,7 +61,9 @@ CVE-2019-11473 (coders/xwd.c in GraphicsMagick 1.3.31 allows 
attackers to cause
        NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd
        NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8
 CVE-2019-11472 (ReadXWDImage in coders/xwd.c in the XWD image parsing 
component of Ima ...)
-       - imagemagick <unfixed> (bug #927828)
+       - imagemagick <unfixed> (low; bug #927828)
+       [buster] - imagemagick <ignored> (Minor issue)
+       [stretch] - imagemagick <ignored> (Minor issue)
        NOTE: https://github.com/ImageMagick/ImageMagick/issues/1546
        NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/f663dfb8431c97d95682a2b533cca1c8233d21b4
 CVE-2019-11471 (libheif 1.4.0 has a use-after-free in 
heif::HeifContext::Image::set_al ...)
@@ -69,7 +71,9 @@ CVE-2019-11471 (libheif 1.4.0 has a use-after-free in 
heif::HeifContext::Image::
        NOTE: 
https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014
        NOTE: https://github.com/strukturag/libheif/issues/123
 CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 
allows attack ...)
-       - imagemagick <unfixed> (bug #927830)
+       - imagemagick <unfixed> (low; bug #927830)
+       [buster] - imagemagick <ignored> (Minor issue)
+       [stretch] - imagemagick <ignored> (Minor issue)
        NOTE: https://github.com/ImageMagick/ImageMagick/issues/1472
        NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/a0473b29add9521ffd4c74f6f623b418811762b0
 CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service 
(uncontrol ...)
@@ -298,10 +302,12 @@ CVE-2019-11374 (74CMS v5.0.1 has a CSRF vulnerability to 
add a new admin user vi
        NOT-FOR-US: 74CMS
 CVE-2019-11373 (An out-of-bounds read in File__Analyze::Get_L8 in 
File__Analyze_Buffer ...)
        - libmediainfo <unfixed> (low; bug #927672)
+       [stretch] - libmediainfo <no-dsa> (Minor issue)
        NOTE: https://github.com/MediaArea/MediaInfoLib/pull/1111
        NOTE: https://sourceforge.net/p/mediainfo/bugs/1101/
 CVE-2019-11372 (An out-of-bounds read in 
MediaInfoLib::File__Tags_Helper::Synched_Test ...)
        - libmediainfo <unfixed> (low; bug #927672)
+       [stretch] - libmediainfo <no-dsa> (Minor issue)
        NOTE: https://github.com/MediaArea/MediaInfoLib/pull/1111
        NOTE: https://sourceforge.net/p/mediainfo/bugs/1101/
 CVE-2019-11371 (BWA (aka Burrow-Wheeler Aligner) 0.7.17 r1198 has a Buffer 
Overflow vi ...)
@@ -1055,12 +1061,14 @@ CVE-2019-11036
 CVE-2019-11035 (When processing certain files, PHP EXIF extension in versions 
7.1.x be ...)
        - php7.3 7.3.4-1
        - php7.0 <removed>
+       [stretch] - php7.0 <postponed> (Fix along in future update)
        - php5 <removed>
        NOTE: Fixed in 7.1.28, 7.2.17, 7.3.4
        NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77831
 CVE-2019-11034 (When processing certain files, PHP EXIF extension in versions 
7.1.x be ...)
        - php7.3 7.3.4-1
        - php7.0 <removed>
+       [stretch] - php7.0 <postponed> (Fix along in future update)
        - php5 <removed>
        NOTE: Fixed in 7.1.28, 7.2.17, 7.3.4
        NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77753
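Review bot: the `[stretch] - php7.0 <postponed> (Fix along in future update)` lines for CVE-2019-11035 and CVE-2019-11034 leave the entries with only the fixed upstream versions and the bugs.php.net reports as references; since php7.0 is `<removed>` from unstable and only stretch still carries it, a NOTE pointing at the upstream commits for the EXIF fixes would save whoever picks up the postponed update from rediscovering the backport.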
@@ -1094,10 +1102,10 @@ CVE-2019-11024 (The load_pnm function in frompnm.c in 
libsixel.a in libsixel 1.8
        NOTE: https://github.com/saitoha/libsixel/issues/85
        NOTE: Negligible security impact
 CVE-2019-11023 (The agroot() function in cgraph\obj.c in libcgraph.a in 
Graphviz 2.39. ...)
-       - graphviz <unfixed> (bug #926724)
-       [jessie] - graphviz <postponed> (Minor issue; clean crash / DoS)
+       - graphviz <unfixed> (unimportant; bug #926724)
        NOTE: https://gitlab.com/graphviz/graphviz/issues/1517
        NOTE: 
https://gitlab.com/graphviz/graphviz/commit/839085f8026afd6f6920a0c31ad2a9d880d97932
+       NOTE: Crash in CLI tool, no security impact
 CVE-2019-11022
        RESERVED
 CVE-2019-11021
@@ -1950,6 +1958,8 @@ CVE-2019-10715
        RESERVED
 CVE-2019-10714 (LocaleLowercase in MagickCore/locale.c in ImageMagick before 
7.0.8-32  ...)
        - imagemagick <unfixed>
+       [buster] - imagemagick <ignored> (Minor issue)
+       [stretch] - imagemagick <ignored> (Minor issue)
        NOTE: https://github.com/ImageMagick/ImageMagick/issues/1495
        NOTE: ImageMagick6: 
https://github.com/ImageMagick/ImageMagick6/commit/aa6a769bd85f6750c26e53e53dcd8a2678745501
        TODO: check, potentially only introduced in later versions than present 
in unstable as LocaleLowercase not present, but check if present before 
refactoring
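Review bot: the new `[buster]`/`[stretch] - imagemagick <ignored> (Minor issue)` lines for CVE-2019-10714 sit directly above a TODO that still questions whether LocaleLowercase exists in the packaged versions at all; if that check finds the function absent, `<not-affected>` is the accurate status rather than `<ignored>`, so either resolve the TODO first or state in the reason that the tag is provisional pending that check.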
@@ -9711,6 +9721,7 @@ CVE-2019-7722 (PMD 5.8.1 and earlier processes XML 
external entities in ruleset
        NOT-FOR-US: PMD
 CVE-2019-XXXX [fuse mount exposes backup to unauthorized users]
        - borgbackup 1.1.9-1 (bug #922080)
+       [stretch] - borgbackup <no-dsa> (Minor issue)
        NOTE: https://github.com/borgbackup/borg/issues/3903
 CVE-2019-7721 (lib/NCCms.class.php in nc-cms 3.5 allows upload of .php files 
via the  ...)
        NOT-FOR-US: nc-cms
@@ -30570,6 +30581,7 @@ CVE-2019-0223 (While investigating bug PROTON-2014, we 
discovered that under som
        TODO: check details
 CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT 
frame ca ...)
        - activemq <unfixed> (bug #925964)
+       [stretch] - activemq <no-dsa> (Minor issue)
        [jessie] - activemq <not-affected> (MQTT support not enabled)
        NOTE: 
http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt
 CVE-2019-0221
@@ -54878,6 +54890,7 @@ CVE-2018-10245 (A Full Path Disclosure vulnerability in 
AWStats through 7.6 allo
        NOTE: Path disclosure for awstats negligible within Debian
 CVE-2018-10244 (Suricata version 4.0.4 incorrectly handles the parsing of an 
EtherNet/ ...)
        - suricata 1:4.0.5-1
+       [stretch] - suricata <no-dsa> (Minor issue)
        [jessie] - suricata <not-affected> (EtherNet/IP and CIP support 
introduced in 3.2beta1)
        NOTE: https://redmine.openinfosecfoundation.org/issues/2545
        NOTE: https://redmine.openinfosecfoundation.org/issues/2543
@@ -54887,6 +54900,7 @@ CVE-2018-10243 (htp_parse_authorization_digest in 
htp_parsers.c in LibHTP 0.5.26
        {DLA-1751-1}
        - libhtp 1:0.5.28-1
        - suricata 1:4.0.0-1
+       [stretch] - suricata <no-dsa> (Minor issue)
        NOTE: suricata used the embedded copy of libhtp up to before 1:4.0.0-1.
        NOTE: https://github.com/OISF/libhtp/issues/169
        NOTE: 
https://github.com/OISF/libhtp/commit/eefd4b7d2be663f6067362f29c81e6edf909145a
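Review bot: for CVE-2018-10243 the `<no-dsa>` tag is added for suricata only, while the entry also lists `libhtp 1:0.5.28-1` with no stretch annotation; given the NOTE that suricata stopped using its embedded libhtp copy at 1:4.0.0-1, the separate libhtp package needs its own stretch decision (a `[stretch] - libhtp ...` line, or a NOTE that the stretch version already carries the fix), otherwise the stretch status of libhtp is left undecided by this change.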
@@ -54894,6 +54908,7 @@ CVE-2018-10243 (htp_parse_authorization_digest in 
htp_parsers.c in LibHTP 0.5.26
 CVE-2018-10242 (Suricata version 4.0.4 incorrectly handles the parsing of the 
SSH bann ...)
        {DLA-1751-1}
        - suricata 1:4.0.5-1
+       [stretch] - suricata <no-dsa> (Minor issue)
        NOTE: https://redmine.openinfosecfoundation.org/issues/2544
        NOTE: https://redmine.openinfosecfoundation.org/issues/2542
        NOTE: 
https://github.com/OISF/suricata/commit/9ba89a31efc89ec5cb72326dbcb9166b098f3ea0
@@ -87453,7 +87468,7 @@ CVE-2017-16120 (liyujing is a static file server. 
liyujing is vulnerable to a di
        NOT-FOR-US: liyujing
 CVE-2017-16119 (Fresh is a module used by the Express.js framework for HTTP 
response f ...)
        - node-fresh <unfixed> (bug #927715)
-       [stretch] - node-braces <ignored> (Nodejs in stretch not covered by 
security support)
+       [stretch] - node-fresh <ignored> (Nodejs in stretch not covered by 
security support)
        NOTE: https://nodesecurity.io/advisories/526
 CVE-2017-16118 (The forwarded module is used by the Express.js framework to 
handle the ...)
        NOT-FOR-US: forwarded nodejs module
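Review bot: good catch on the `[stretch]` line under CVE-2017-16119, which named node-braces while the package line is node-fresh; since that line was evidently copied from another entry, it is worth grepping data/CVE/list for other `[stretch] - node-braces <ignored>` lines under CVEs whose package line is a different node module, as the same copy error may exist elsewhere.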


=====================================
data/dsa-needed.txt
=====================================
@@ -24,6 +24,8 @@ glusterfs
 --
 graphicsmagick
 --
+imagemagick (jmm)
+--
 koji
 --
 libidn
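Review bot: the `imagemagick (jmm)` entry lands in the same commit that tags CVE-2019-11472, CVE-2019-11470 and CVE-2019-10714 `<ignored>` for stretch, so nothing in the change records which CVEs the pending DSA is meant to cover; adding the CVE ids or a short scope note after the dsa-needed entry would make clear that those three are intentionally excluded and keep them from being picked up or dropped by mistake when the DSA is prepared.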



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/7ae96d6ab56a4670967ddc11845de990020a84ff


_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits