Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aa913c31 by Salvatore Bonaccorso at 2019-04-25T21:19:43Z
Mark CVE-2019-11191 as unimportant

Maybe the CVE should be rejected. Triage in kernel-sec showed that it's
basically a non-issue as only ELF supports ASLR.

- - - - -
2df2d85f by Salvatore Bonaccorso at 2019-04-25T21:19:43Z
Mark CVE-2019-10124 as not-affected for jessie

- - - - -
b5bdd77d by Salvatore Bonaccorso at 2019-04-25T21:19:44Z
Mark CVE-2019-8980 as not-affected for jessie

- - - - -
0d6df073 by Salvatore Bonaccorso at 2019-04-25T21:19:44Z
Mark CVE-2019-3887/linux as not-affected for stretch and jessie

The vulnerability was introduced in later versions only.

- - - - -
74fd191a by Salvatore Bonaccorso at 2019-04-25T21:19:45Z
Ignore CVE-2019-3874/linux for stretch and jessie

- - - - -
09ac9b14 by Salvatore Bonaccorso at 2019-04-25T21:19:45Z
Ignore CVE-2019-2025/linux for stretch and jessie

Binder was not enabled in those versions.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -819,7 +819,7 @@ CVE-2019-11192
 CVE-2019-11189
        RESERVED
 CVE-2019-11191 (The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is 
enabled and i ...)
-       - linux <unfixed>
+       - linux <unfixed> (unimportant)
        NOTE: https://www.openwall.com/lists/oss-security/2019/04/03/4
 CVE-2019-11190 (The Linux kernel before 4.8 allows local users to bypass ASLR 
on setui ...)
        - linux 4.8.5-1
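Review bot: the `(unimportant)` tag on the CVE-2019-11191 line is added without recording why in the entry itself. The reasoning (only ELF supports ASLR, the CVE may deserve rejection) exists only in the commit message, and the one NOTE present is the oss-security link. Suggest adding a NOTE line with that rationale so tracker readers see it without digging through git history.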
@@ -3314,6 +3314,7 @@ CVE-2019-10125 (An issue was discovered in aio_poll() in 
fs/aio.c in the Linux k
        NOTE: 
https://git.kernel.org/linus/84c4e1f89fefe70554da0ab33be72c9be7994379
 CVE-2019-10124 (An issue was discovered in the hwpoison implementation in 
mm/memory-fa ...)
        - linux <unfixed>
+       [jessie] - linux <not-affected> (Vulnerable code not present)
        NOTE: 
https://git.kernel.org/linus/46612b751c4941c5c0472ddf04027e877ae5990f
 CVE-2019-10123
        RESERVED
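Review bot: the added `[jessie] - linux <not-affected> (Vulnerable code not present)` line for CVE-2019-10124 gives no pointer to what was checked, and the commit has no body. The only NOTE here is a git.kernel.org commit link. Suggest a NOTE naming the commit or version that introduced the affected hwpoison code, so the not-affected claim for jessie can be re-verified later.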
@@ -7065,6 +7066,7 @@ CVE-2018-1002161 [SQL injection in multiple remote calls]
        NOTE: https://pagure.io/koji/issue/1183
 CVE-2019-8980 (A memory leak in the kernel_read_file function in fs/exec.c in 
the Lin ...)
        - linux 4.19.28-1
+       [jessie] - linux <not-affected> (Vulnerable code not present)
        NOTE: 
https://lore.kernel.org/lkml/[email protected]/
        NOTE: 
https://lore.kernel.org/lkml/[email protected]/
 CVE-2019-8979 (Kohana through 3.3.6 has SQL Injection when the order_by() 
parameter c ...)
@@ -18850,6 +18852,8 @@ CVE-2019-3888
        RESERVED
 CVE-2019-3887 (A flaw was found in the way KVM hypervisor handled x2APIC 
Machine Spec ...)
        - linux <unfixed>
+       [stretch] - linux <not-affected> (Vulnerability introduced later)
+       [jessie] - linux <not-affected> (Vulnerability introduced later)
        NOTE: Fixed by: 
https://git.kernel.org/linus/acff78477b9b4f26ecdf65733a4ed77fe837e9dc
        NOTE: Fixed by: 
https://git.kernel.org/linus/c73f4c998e1fd4249b9edfa39e23f4fda2b9b041
 CVE-2016-10746 (libvirt-domain.c in libvirt before 1.3.1 supports 
virDomainGetTime API ...)
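Review bot: the two added `<not-affected> (Vulnerability introduced later)` lines for CVE-2019-3887 do not say which change introduced the flaw. The entry carries two "Fixed by:" NOTEs but no matching "Introduced by:" NOTE. Adding one with the introducing commit and its first upstream version would make the stretch and jessie status checkable against the kernel versions they ship.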
@@ -18910,6 +18914,8 @@ CVE-2019-3875
        RESERVED
 CVE-2019-3874 (The SCTP socket buffer used by a userspace application is not 
accounte ...)
        - linux <unfixed>
+       [stretch] - linux <ignored> (Minor issue)
+       [jessie] - linux <ignored> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1686373
 CVE-2019-3873
        RESERVED
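Review bot: the `(Minor issue)` reason on the added `[stretch]` and `[jessie]` `<ignored>` lines for CVE-2019-3874 is generic, and the commit has no body explaining the assessment. The base entry is still `- linux <unfixed>`, so these lines settle the older suites before any fix is recorded. Suggest a reason that states the actual limiting factor, or a NOTE summarising the triage, next to the existing Red Hat bugzilla link.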
@@ -24900,6 +24906,8 @@ CVE-2019-2026 (In updateAssistMenuItems of Editor.java, 
there is a possible esca
 CVE-2019-2025 [binder: fix race that allows malicious free of live buffer]
        RESERVED
        - linux 4.19.9-1
+       [stretch] - linux <ignored> (Binder is not enabled)
+       [jessie] - linux <ignored> (Binder is not enabled)
        NOTE: Fixed by: 
https://git.kernel.org/linus/7bada55ab50697861eee6bb7d60b41e68a961a9c (4.20-rc5)
 CVE-2019-2024 [media: em28xx: Fix use-after-free when disconnecting]
        RESERVED
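Review bot: the `(Binder is not enabled)` reason on the added `[stretch]` and `[jessie]` lines for CVE-2019-2025 depends on the kernel build configuration, not on the source being absent, and nothing in the entry records that. Suggest a NOTE naming the config option that was checked, so the `<ignored>` status gets revisited if binder is ever enabled in a stretch or jessie kernel build.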



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/765cccb6f469bd3121c6e6a88566edd5c697e8f6...09ac9b1401e2fa0d779731e22921bb000062a047
