Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ce1ca2d8 by Emilio Pozuelo Monfort at 2019-06-18T10:26:55Z
CVE-2019-10735/claws-mail postponed on jessie
- - - - -
9d5182bb by Emilio Pozuelo Monfort at 2019-06-18T10:30:30Z
CVE-2018-19608/polarssl no-dsa on jessie
- - - - -
334d73d8 by Emilio Pozuelo Monfort at 2019-06-18T10:57:33Z
CVE-2015-9284/ruby-omniauth no-dsa on jessie
So far it looks like the fix needs to happen in omniauth users, which
need to ensure requests are done using HTTP POST and include a CSRF
token. For the rails omniauth users, a new gem is available that helps
with this. However, since there are no omniauth users in jessie that
we would need to address, and since there's no fix in omniauth itself
(at least for now), let's mark this as no-dsa. We can revisit it later
if a better fix gets implemented in omniauth itself.
- - - - -
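The request-phase check the commit message above describes (refuse anything that is not an HTTP POST, then require a CSRF token that matches the one in the session) as an added example; this is not code from this commit, from the omniauth project or from the Rails gem the message mentions. It is stdlib-only Ruby: the `Request` struct, the `authenticity_token` parameter name and the `_csrf_token` session key are assumptions standing in for what a Rack or Rails application would actually see.

```ruby
require 'securerandom'

# Names are assumptions for this example; a Rails app would use its own
# session key and form parameter name.
CSRF_SESSION_KEY = '_csrf_token'.freeze
CSRF_PARAM       = 'authenticity_token'.freeze

# Minimal stand-in for the Rack request a real middleware would receive.
Request = Struct.new(:verb, :path, :params, :session)

# Issue the per-session CSRF token once and reuse it; the application
# embeds it in the form whose POST starts the OmniAuth request phase.
def csrf_token_for(session)
  session[CSRF_SESSION_KEY] ||= SecureRandom.urlsafe_base64(32)
end

# Constant-time comparison so a wrong token is not rejected faster or
# slower depending on how many leading bytes match. Tokens are fixed
# length, so returning early on a length mismatch leaks nothing useful.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Only /auth/:provider (the request phase) is guarded; the callback phase
# is a different endpoint and is not what CVE-2015-9284 is about.
def request_phase?(req)
  !(req.path =~ %r{\A/auth/[^/]+\z}).nil?
end

# Returns :allowed when the request may start the OAuth flow, otherwise a
# symbol naming why it was refused. A GET is refused before the token is
# even looked at, which is what closes the link-in-an-email attack.
def check_request_phase(req)
  return :allowed unless request_phase?(req)
  return :not_post unless req.verb == 'POST'
  expected = req.session[CSRF_SESSION_KEY]
  supplied = req.params[CSRF_PARAM]
  return :missing_token if expected.nil? || supplied.nil?
  return :bad_token unless secure_compare(expected, supplied)
  :allowed
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample traffic: one victim session, three attempts.
  session = {}
  token = csrf_token_for(session)
  [
    ['attacker-supplied link', Request.new('GET',  '/auth/github', {}, session)],
    ['cross-site form post',   Request.new('POST', '/auth/github', {}, session)],
    ['app-rendered form post', Request.new('POST', '/auth/github', { CSRF_PARAM => token }, session)],
  ].each do |label, req|
    puts "#{label.ljust(24)} -> #{check_request_phase(req)}"
  end
end
```

The order of the checks matters: rejecting non-POST requests first means a plain hyperlink or image tag on an attacker's page can never reach the token comparison, and the token comparison then stops a cross-site form post, which can be a POST but cannot carry the victim's session-bound token.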
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -4575,6 +4575,7 @@ CVE-2019-11028 (GAT-Ship Web Module before 1.40 suffers
from a vulnerability all
NOT-FOR-US: GAT-Ship Web Module
CVE-2015-9284 (The request phase of the OmniAuth Ruby gem is vulnerable to
Cross-Site ...)
- ruby-omniauth <unfixed>
+ [jessie] - ruby-omniauth <no-dsa> (Fix is in additional gem and needs
CSRF protection in apps)
NOTE: https://github.com/omniauth/omniauth/pull/809
NOTE: https://www.openwall.com/lists/oss-security/2015/05/26/11
CVE-2019-11027 (Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely
exploitable ...)
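Review bot: the reason string on the added `[jessie] - ruby-omniauth <no-dsa>` line says the fix lives in an "additional gem" but never names it, and the two NOTE links point only at the upstream PR and the oss-security thread. Since this same commit deletes the dla-needed.txt notes that recorded the gem's name, add a NOTE line carrying that name (and a link if one is known) so the "revisit later" condition from the commit message can be evaluated from the entry alone.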
@@ -5316,6 +5317,7 @@ CVE-2019-10735 (In Claws Mail 3.14.1, an attacker in
possession of S/MIME or PGP
- claws-mail <unfixed> (low; bug #926705)
[buster] - claws-mail <postponed> (Revisit when fixed upstream)
[stretch] - claws-mail <postponed> (Revisit when fixed upstream)
+ [jessie] - claws-mail <postponed> (Revisit when fixed upstream)
NOTE:
https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4159
CVE-2019-10734 (In KDE Trojita 0.7, an attacker in possession of S/MIME or PGP
encrypt ...)
- trojita <itp> (bug #795701)
@@ -30990,6 +30992,7 @@ CVE-2018-19608 (Arm Mbed TLS before 2.14.1, before
2.7.8, and before 2.1.17 allo
- mbedtls 2.14.1-1 (bug #915796)
[stretch] - mbedtls <no-dsa> (Minor issue)
- polarssl <removed>
+ [jessie] - polarssl <no-dsa> (Minor issue)
NOTE: http://cat.eyalro.net/
NOTE:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released
NOTE:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-03
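Review bot: the reason on the new `[jessie] - polarssl <no-dsa> (Minor issue)` line copies the stretch mbedtls wording, but the dla-needed.txt note dropped in this same commit ("Not 100% sure if vulnerable") records a different state, namely that it was never confirmed the jessie polarssl code is affected at all. Record that in the entry, e.g. `<no-dsa> (Minor issue; not confirmed vulnerable)`, so the next person does not re-derive it from the Mbed TLS advisory against a package that unstable already has as `<removed>`.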
=====================================
data/dla-needed.txt
=====================================
@@ -17,9 +17,6 @@ bind9 (Thorsten Alteholz)
NOTE: 20190526: test package failed, probably not vulnerable
NOTE: 20190609: upstream patches do not seem to work
--
-claws-mail
- NOTE: 20190408: patch not yet available
---
faad2 (Hugo Lefeuvre)
NOTE: 20190519: I have a few patches pending for open issues. Will be PR-ed
soon.
NOTE: 20190525: see https://github.com/knik0/faad2/pull/36
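Review bot: deleting the claws-mail block drops the only dated record ("20190408: patch not yet available") of why the jessie update was waiting, while the matching `[jessie] - claws-mail <postponed>` line in data/CVE/list says only "Revisit when fixed upstream". Either keep a dated NOTE in data/CVE/list naming the upstream bug as the thing to watch, or state in the commit message that nothing in dla-needed.txt will prompt the revisit and that this is intended.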
@@ -89,9 +86,6 @@ mupdf
NOTE: 20190529: Upload candidate:
http://packages.sunweavers.net/debian/pool/main/m/mupdf/mupdf_1.5-1+deb8u5.dsc
NOTE: 20190529: Not yet fully tested.
--
-polarssl
- NOTE: 20181207: Not 100% sure if vulnerable. Upstream would prefer us to
move to latest version, etc. (!). (lamby)
---
python-urllib3 (Roberto C. Sánchez)
NOTE: 20190601: Packages built. (roberto)
--
@@ -109,13 +103,6 @@ qemu
NOTE: 20190529: Upload candidate:
http://packages.sunweavers.net/debian/pool/main/q/qemu/qemu_2.1+dfsg-12+deb8u12.dsc
NOTE: 20190529: More testing needed.
--
-ruby-omniauth
- NOTE: CVE-2015-9284: The vulnerability is rathar bad, especially in
combination with other
- NOTE: CVE-2015-9284: known vulnerabilities. However the issue is rather old
and the impact
- NOTE: CVE-2015-9284: may be rather large. When fixing this needs to be
further investigated.
- NOTE: CVE-2015-9284: This issue fixed in rails community by introducing a
new gem called omniauth-
- NOTE: CVE-2015-9284: rails.
---
sdl-image1.2
NOTE: see libsdl2 entry.
--
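Review bot: the notes removed here describe CVE-2015-9284 as "rather bad, especially in combination with other known vulnerabilities" with possibly large impact, which sits uneasily next to a plain `<no-dsa>`. The commit message gives the actual reason (no omniauth consumers in jessie to fix, and no fix in omniauth itself), but that reasoning is not in the CVE/list reason string, so a reader of the tracker sees only "Fix is in additional gem and needs CSRF protection in apps". Carry the "no omniauth reverse dependencies in jessie" point into the reason or a NOTE before dropping this record.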
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/compare/2cf9813d021dff397e05aed1d34584b6cec9a691...334d73d86d6fd760ad90d7f38fb2cd7031d7f14f
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits