Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
c51aa39a by Moritz Muehlenhoff at 2019-05-09T20:12:06Z
stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -570,11 +570,15 @@ CVE-2019-11599 (The coredump implementation in the Linux
kernel before 5.0.10 do
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1790
CVE-2019-11598 (In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer
over-read in ...)
- imagemagick <unfixed> (bug #928206)
+ [stretch] - imagemagick <postponed> (Fix along in next DSA)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1540
NOTE:
https://github.com/ImageMagick/ImageMagick6/commit/e2a21735e3a3f3930bd431585ec36334c4c2eb77
CVE-2019-11597 (In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer
over-read in ...)
- imagemagick <unfixed> (bug #928207)
+ [stretch] - imagemagick <postponed> (Fix along in next DSA)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1555
+ NOTE:
https://github.com/ImageMagick/ImageMagick6/commit/1d6c036f0388d7857c725342f7212b60e39a14c1
+ NOTE:
https://github.com/ImageMagick/ImageMagick6/commit/c979b348d64a25a04f12ea7fe7888b2b23f230a7
CVE-2019-11596 (In memcached before 1.5.14, a NULL pointer dereference was
found in th ...)
- memcached <unfixed> (bug #928205)
[stretch] - memcached <not-affected> (Vulnerable code introduced later)
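Review bot: the two ImageMagick6 commit NOTEs added under CVE-2019-11597 do not say how they relate to each other, so a reader cannot tell whether both are required for the fix or whether the second is a follow-up to the first. Since both imagemagick entries are now `<postponed>` for stretch, whoever prepares that update will work from these NOTE lines. Suggest annotating each link, for example with "(initial fix)" and "(follow-up)", if that is what they are.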
@@ -794,10 +798,12 @@ CVE-2019-11505 (In GraphicsMagick from version 1.3.8 to
1.4 snapshot-20190403 Q8
CVE-2019-11504 (Zotonic before version 0.47 has mod_admin XSS. ...)
NOT-FOR-US: Zotonic
CVE-2019-11503 (snap-confine as included in snapd before 2.39 did not guard
against sy ...)
- - snapd <unfixed> (bug #928052)
+ - snapd <unfixed> (low; bug #928052)
+ [stretch] - snapd <no-dsa> (Minor issue)
NOTE: https://github.com/snapcore/snapd/pull/6642
CVE-2019-11502 (snap-confine in snapd before 2.38 incorrectly set the
ownership of a s ...)
- - snapd <unfixed> (bug #928052)
+ - snapd <unfixed> (low; bug #928052)
+ [stretch] - snapd <no-dsa> (Minor issue)
NOTE:
https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1
CVE-2017-18367 (libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs
that OR ...)
- golang-github-seccomp-libseccomp-golang 0.9.0-2 (bug #927981)
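Review bot: the `[stretch] - snapd <no-dsa> (Minor issue)` lines added for CVE-2019-11503 and CVE-2019-11502 record no reason for the rating, and the same applies to the new "low" urgency on the unstable lines. Both descriptions concern snap-confine, so a one-line NOTE on each entry stating why the impact is considered minor would let a later triager confirm the decision without repeating the analysis.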
@@ -1910,6 +1916,7 @@ CVE-2019-11037 (In PHP imagick extension in versions
between 3.3.0 and 3.4.4, wr
CVE-2019-11036 (When processing certain files, PHP EXIF extension in versions
7.1.x be ...)
- php7.3 <unfixed> (bug #928421)
- php7.0 <removed>
+ [stretch] - php7.0 <postponed> (Fix along in future update)
- php5 <removed>
NOTE: Fixed in 7.1.29, 7.2.18, 7.3.5
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77950
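Review bot: the new `[stretch] - php7.0 <postponed>` line defers the fix, but the existing NOTE lists only 7.1.29, 7.2.18 and 7.3.5 as fixed versions, so there is no 7.0 release to take it from and the stretch update will need a backport. Suggest adding a NOTE with the upstream commit next to the PHP bug link. The reason text "Fix along in future update" also differs from "Fix along in next DSA" used for imagemagick in the first hunk; using one phrasing keeps the postponed entries easy to grep.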
@@ -6083,6 +6090,7 @@ CVE-2019-9636 (Python 2.7.x through 2.7.16 and 3.x
through 3.7.2 is affected by:
NOTE:
https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
NOTE:
https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be
(3.7.x)
NOTE:
https://github.com/python/cpython/commit/e37ef41289b77e0f0bb9a6aedb0360664c55bdd5
(2.7.x)
+ NOTE: Regression fix: https://bugs.python.org/issue36742
CVE-2019-9635 (NULL pointer dereference in Google TensorFlow before 1.12.2
could caus ...)
- tensorflow <itp> (bug #804612)
CVE-2019-1003039 (An insufficiently protected credentials vulnerability exists
in Jenkin ...)
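Review bot: the added "Regression fix" NOTE for CVE-2019-9636 links only the bug report, while the NOTE lines directly above it link the fix commits with their branch tags, (3.7.x) and (2.7.x). Suggest listing the regression fix commits the same way, one per branch, so a backport that takes the original commits does not miss the follow-up.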
=====================================
data/dsa-needed.txt
=====================================
@@ -17,14 +17,18 @@ If needed, specify the release by adding a slash after the
name of the source pa
--
bind9
--
+drupal7
+--
evolution
--
faad2
not yet fixed upstream
--
-ffmpeg
+ffmpeg (jmm)
ping upstream for 3.2.14 release catching up with recent issues
--
+ghostscript
+--
glusterfs
--
graphicsmagick
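Review bot: drupal7 and ghostscript are added with no claimant and no status line, unlike faad2 ("not yet fixed upstream") and ffmpeg, which gains "(jmm)" in this same hunk. Suggest a short line under each new entry naming the pending issue or CVE, so someone picking the package up from this file knows what the update is meant to cover.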
@@ -44,6 +48,10 @@ nss
--
openjdk-8
--
+python2.7 (jmm)
+--
+python3.5 (jmm)
+--
simplesamlphp
--
smarty3
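Review bot: python2.7 and python3.5 are added and claimed by jmm without a status line. The data/CVE/list part of this commit adds a regression-fix NOTE to CVE-2019-9636, so if these entries are for that issue, a line under each one saying the update should include the issue36742 regression fix would tie the two files together.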
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/c51aa39a4eb35afae9bf815ba255a48f0a23ecf5