Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5bbc0c04 by Moritz Muehlenhoff at 2019-07-08T19:19:54Z
buster/stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -29,7 +29,9 @@ CVE-2019-13391 (In ImageMagick 7.0.8-50 Q16, ComplexImages in 
MagickCore/fourier
        NOTE: https://github.com/ImageMagick/ImageMagick/issues/1588
        NOTE: 
https://github.com/ImageMagick/ImageMagick6/commit/f6ffc702c6eecd963587273a429dcd608c648984
 CVE-2019-13390 (In FFmpeg 4.1.3, there is a division by zero at 
adx_write_trailer in l ...)
-       TODO: check
+       - ffmpeg <unfixed> (low)
+       [buster] - ffmpeg <postponed> (Minor issue, wait until fixed in 4.1.x 
branch)
+       [stretch] - ffmpeg <postponed> (Minor issue, wait until fixed in 3.2.x 
branch)
 CVE-2019-13389
        RESERVED
 CVE-2019-13388
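Review bot: the two new postponed tags for ffmpeg defer to fixes landing in the 4.1.x and 3.2.x branches, but the entry has no `NOTE:` line with an upstream reference (issue or fixing commit), so there is nothing to check back against when deciding whether the awaited branch fix has arrived; suggest adding a `NOTE:` with the upstream issue or commit for the adx_write_trailer division by zero, as the neighbouring ImageMagick entry does with its issue and commit links.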
@@ -569,6 +571,8 @@ CVE-2019-13165
        RESERVED
 CVE-2019-13164 (qemu-bridge-helper.c in QEMU 4.0.0 does not ensure that a 
network inte ...)
        - qemu <unfixed> (bug #931351)
+       [buster] - qemu <postponed> (Minor issue, can be fixed along in future 
DSA)
+       [stretch] - qemu <postponed> (Minor issue, can be fixed along in future 
DSA)
        - qemu-kvm <removed>
        NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg00245.html
 CVE-2019-13163
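Review bot: the sid line `- qemu <unfixed> (bug #931351)` carries no severity tag, while the added buster/stretch lines call this a minor issue; for consistency with the irssi entry in this same commit, which became `- irssi 1.2.1-1 (low; bug #931264)`, consider `- qemu <unfixed> (low; bug #931351)`. The reason text "can be fixed along in future DSA" also reads better as "can be fixed along with a future DSA".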
@@ -742,6 +746,8 @@ CVE-2019-13108 (An integer overflow in Exiv2 through 0.27.1 
allows an attacker t
        NOTE: https://github.com/Exiv2/exiv2/issues/789
 CVE-2019-13107 (Multiple integer overflows exist in MATIO before 1.5.16, 
related to ma ...)
        - libmatio <unfixed> (bug #931323)
+       [buster] - libmatio <no-dsa> (Minor issue)
+       [stretch] - libmatio <no-dsa> (Minor issue)
        NOTE: Several commits between 1.5.15..1.5.16: 
https://github.com/tbeu/matio/compare/f8cd397...fabac6c
 CVE-2019-13106
        RESERVED
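Review bot: libmatio gets `<no-dsa>` here while ffmpeg and qemu in the same commit get `<postponed>`, all with "Minor issue" as the reason; the distinction matters, since postponed signals an intended later DSA whereas no-dsa leaves the fix to a point update or the package's next upload. If the intent for libmatio is that the 1.5.16 fixes may still go in via a stable point release, a short hint in the reason text would make that actionable for the maintainer.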
@@ -902,7 +908,9 @@ CVE-2019-13034
 CVE-2016-10761 (Logitech Unifying devices before 2016-02-26 allow keystroke 
injection, ...)
        NOT-FOR-US: Logitech
 CVE-2019-13045 (Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 
1.2.1, when S ...)
-       - irssi 1.2.1-1 (bug #931264)
+       - irssi 1.2.1-1 (low; bug #931264)
+       [buster] - irssi <no-dsa> (Minor issue)
+       [stretch] - irssi <no-dsa> (Minor issue)
        [jessie] - irssi <not-affected> (vulnerable sasl code is not present)
        NOTE: https://irssi.org/security/irssi_sa_2019_06.txt
        NOTE: https://github.com/irssi/irssi/pull/1058
@@ -3020,7 +3028,6 @@ CVE-2019-12218 (An issue was discovered in libSDL2.a in 
Simple DirectMedia Layer
        [stretch] - sdl-image1.2 <no-dsa> (Minor issue)
        [jessie] - sdl-image1.2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4620
-       TODO: check details and correct vulnerability location
 CVE-2019-12217 (An issue was discovered in libSDL2.a in Simple DirectMedia 
Layer (SDL) ...)
        - libsdl2-image <unfixed>
        [buster] - libsdl2-image <no-dsa> (Minor issue)
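Review bot: the line `TODO: check details and correct vulnerability location` is dropped for CVE-2019-12218 without any other change to the entry, so the hunk does not record the outcome of that check; if the conclusion was that the current location (sdl-image1.2 / libsdl2-image) is correct, a one-line `NOTE:` saying so would keep the question from being reopened. The identical TODO removal for CVE-2019-12216 in the next hunk has the same gap.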
@@ -3041,7 +3048,6 @@ CVE-2019-12216 (An issue was discovered in libSDL2.a in 
Simple DirectMedia Layer
        [stretch] - sdl-image1.2 <no-dsa> (Minor issue)
        [jessie] - sdl-image1.2 <no-dsa> (Minor issue)
        NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4619
-       TODO: check details and correct vulnerability location
 CVE-2019-12215 (** DISPUTED ** A full path disclosure vulnerability was 
discovered in  ...)
        - matomo <itp> (bug #448532)
 CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of 
mishand ...)
@@ -21746,12 +21752,20 @@ CVE-2019-5053
        RESERVED
 CVE-2019-5052 (An exploitable integer overflow vulnerability exists when 
loading a PC ...)
        - libsdl2-image <unfixed>
+       [buster] - libsdl2-image <no-dsa> (Minor issue)
+       [stretch] - libsdl2-image <no-dsa> (Minor issue)
        - sdl-image1.2 <unfixed>
+       [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+       [stretch] - sdl-image1.2 <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0821
        NOTE: https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
 CVE-2019-5051 (An exploitable heap-based buffer overflow vulnerability exists 
when lo ...)
        - libsdl2-image <unfixed>
+       [buster] - libsdl2-image <no-dsa> (Minor issue)
+       [stretch] - libsdl2-image <no-dsa> (Minor issue)
        - sdl-image1.2 <unfixed>
+       [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+       [stretch] - sdl-image1.2 <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0820
        TODO: isolate fixing commit
 CVE-2019-5050
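Review bot: CVE-2019-5051 keeps `TODO: isolate fixing commit` after the four no-dsa tags are added; that is fine as an open item, since no-dsa leaves the fix to a point release or the next upload, but it should end with a `NOTE:` holding the SDL_image revision once found, mirroring what CVE-2019-5052 already has with `NOTE: https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6`, so the no-dsa decision can be acted on without redoing the search.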


=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ bzip2
 --
 chromium
 --
+dosbox (jmm)
+--
 faad2
   not yet fixed upstream
 --
@@ -29,7 +31,7 @@ glusterfs
 --
 graphicsmagick
 --
-jruby
+jruby/oldstable
 --
 koji
 --
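Review bot: `jruby` becomes `jruby/oldstable`, narrowing the pending DSA to stretch, but the hunk gives no reason why buster no longer needs one (for example, whether the fixed version shipped with the buster release); other entries in this file carry a free-text status line under the package name (see faad2's `not yet fixed upstream`), so a similar line here, and for the parallel simplesamlphp and teeworlds changes below, would keep that reasoning visible.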
@@ -55,7 +57,7 @@ python3.5 (jmm)
 --
 redis
 --
-simplesamlphp
+simplesamlphp/oldstable
 --
 smarty3
 --
@@ -64,7 +66,7 @@ sox
 sssd
   Maintainer prepared an update and proposed debdiff, acked for upload, but 
update needs further testing before release.
 --
-teeworlds
+teeworlds/oldstable
 --
 wordpress
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/5bbc0c046062f1612de394ec2bf3d3b5263b92a7

_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
