Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0891eec1 by Moritz Muehlenhoff at 2019-07-11T07:20:26Z
buster/stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -272,7 +272,9 @@ CVE-2019-13353
 CVE-2019-13352 (WolfVision Cynap before 1.30j uses a static, hard-coded 
cryptographic  ...)
        NOT-FOR-US: WolfVision Cynap
 CVE-2019-13351 (posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 
(as dist ...)
-       - jackd2 <unfixed> (bug #931488)
+       - jackd2 <unfixed> (low; bug #931488)
+       [buster] - jackd2 <no-dsa> (Minor issue)
+       [stretch] - jackd2 <no-dsa> (Minor issue)
        [jessie] - jackd2 <postponed> (Minor issue, hard to reproduce crash 
with theoretically possible file corruption, no sensitive data to leak)
        NOTE: https://github.com/jackaudio/jack2/pull/480
        NOTE: 
https://github.com/jackaudio/jack2/commit/994e225bbb07a89f56147f7ce7d59beb49f8cfba
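Review bot: the new [buster] and [stretch] lines only say "Minor issue" while the [jessie] <postponed> line directly beneath carries the actual rationale (hard to reproduce crash, theoretically possible file corruption, no sensitive data to leak); consider repeating that rationale on the two no-dsa lines so each suite tag is self-explaining, and note that the severity is now "low" but the unstable entry stays <unfixed> pending the upstream PR #480 / commit 994e225 linked in the NOTEs.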
@@ -568,10 +570,12 @@ CVE-2019-13234
        RESERVED
 CVE-2019-13232 (Info-ZIP UnZip 6.0 mishandles the overlapping of files inside 
a ZIP co ...)
        {DLA-1846-1}
-       - unzip <unfixed> (bug #931433)
+       - unzip <unfixed> (unimportant; bug #931433)
        NOTE: https://www.bamsoftware.com/hacks/zipbomb/
        NOTE: Fixed by: 
https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
        NOTE: Fix depends on: 
https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
+       NOTE: No security impact, crash in CLI tool, any server implementing 
automatic extraction needs
+       NOTE: to apply resource limits anyway
 CVE-2019-13231
        RESERVED
 CVE-2019-13230
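Review bot: the justification for "unimportant" is split mid-sentence across two NOTE lines ("... needs" / "to apply resource limits anyway"), and the first has a trailing space; keep it as one NOTE line so it reads on its own, e.g. "NOTE: No security impact, crash in CLI tool; any server implementing automatic extraction needs to apply resource limits anyway". Also worth a glance: {DLA-1846-1} is already recorded for this CVE, so the severity downgrade should be consistent with that DLA having been issued.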
@@ -9012,6 +9016,7 @@ CVE-2019-9949 (Western Digital My Cloud Cloud, Mirror 
Gen2, EX2 Ultra, EX2100, E
 CVE-2019-9948 (urllib in Python 2.x through 2.7.16 supports the local_file: 
scheme, w ...)
        {DLA-1852-1 DLA-1834-1}
        - python3.7 3.7.4~rc2-2
+       [stretch] - python3.7 <no-dsa> (Minor issue)
        - python3.6 <removed>
        - python3.5 <removed>
        - python3.4 <removed>
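Review bot: confirm python3.7 is the source package that stretch actually ships before tagging "[stretch] - python3.7 <no-dsa>" on it; the python3.6/3.5/3.4 lines below are only marked <removed> for unstable, so if stretch ships one of those, the no-dsa annotation belongs on that line instead.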
@@ -32242,6 +32247,7 @@ CVE-2018-19798
        RESERVED
 CVE-2018-19797 (In LibSass 3.5.5, a NULL Pointer Dereference in the function 
Sass::Sel ...)
        - libsass <unfixed>
+       [buster] - libsass <no-dsa> (Minor issue)
        [stretch] - libsass <no-dsa> (Minor issue)
        NOTE: https://github.com/sass/libsass/issues/2779
 CVE-2018-19796 (An open redirect in the Ninja Forms plugin before 3.3.19.1 for 
WordPre ...)
@@ -56703,10 +56709,12 @@ CVE-2018-11699
        RESERVED
 CVE-2018-11698 (An issue was discovered in LibSass through 3.5.4. An 
out-of-bounds rea ...)
        - libsass <unfixed>
+       [buster] - libsass <no-dsa> (Minor issue)
        [stretch] - libsass <no-dsa> (Minor issue)
        NOTE: https://github.com/sass/libsass/issues/2662
 CVE-2018-11697 (An issue was discovered in LibSass through 3.5.4. An 
out-of-bounds rea ...)
        - libsass <unfixed>
+       [buster] - libsass <no-dsa> (Minor issue)
        [stretch] - libsass <no-dsa> (Minor issue)
        NOTE: https://github.com/sass/libsass/issues/2656
        NOTE: 
https://github.com/sass/libsass/commit/eb15533b07773c30dc03c9d742865604f47120ef
@@ -74605,17 +74613,17 @@ CVE-2018-5433 (The TIBCO Administrator server 
component of TIBCO Software Inc.'s
 CVE-2018-5432 (The TIBCO Administrator server component of of TIBCO Software 
Inc.'s T ...)
        NOT-FOR-US: TIBCO Administrator
 CVE-2018-5431 (The domain designer component of TIBCO Software Inc.'s TIBCO 
JasperRep ...)
-       - jasperreports <removed>
+       - jasperreports <undetermined>
        [jessie] - jasperreports <end-of-life> (not supported in Jessie)
        [wheezy] - jasperreports <end-of-life> (not supported in Wheezy)
        NOTE: 
https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5431
 CVE-2018-5430 (The Spring web flows of TIBCO Software Inc.'s TIBCO 
JasperReports Serv ...)
-       - jasperreports <removed>
+       - jasperreports <undetermined>
        [jessie] - jasperreports <end-of-life> (not supported in Jessie)
        [wheezy] - jasperreports <end-of-life> (not supported in Wheezy)
        NOTE: 
https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430
 CVE-2018-5429 (A vulnerability in the report scripting component of TIBCO 
Software In ...)
-       - jasperreports <removed>
+       - jasperreports <undetermined>
        [jessie] - jasperreports <end-of-life> (not supported in Jessie)
        [wheezy] - jasperreports <end-of-life> (not supported in Wheezy)
        NOTE: 
https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429
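Review bot: the three jasperreports entries flip from <removed> to <undetermined> without a NOTE saying why (package back in the archive? status re-evaluated?); add a short NOTE on each, or at least on CVE-2018-5431, so the next triager knows what needs to be determined, since <undetermined> is a placeholder that will otherwise sit there indefinitely.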
@@ -97185,7 +97193,7 @@ CVE-2017-14943 (Trapeze TransitMaster is vulnerable to 
information disclosure (e
 CVE-2017-14942 (Intelbras WRN 150 devices allow remote attackers to read the 
configura ...)
        NOT-FOR-US: Intelbras WRN 150 devices
 CVE-2017-14941 (Jaspersoft JasperReports 4.7 suffers from a saved credential 
disclosur ...)
-       - jasperreports <removed> (bug #880467; bug #884131)
+       - jasperreports <undetermined> (bug #880467; bug #884131)
        [jessie] - jasperreports <ignored> (no detailed information available, 
only needed as build-dependency for Spring)
        [wheezy] - jasperreports <end-of-life> (cannot be supported due to lack 
of information)
        NOTE: 
https://github.com/binary1985/VulnerabilityDisclosure/blob/master/JasperSoft%20JasperReports%20-%204.7%20-%20CVE-2017-14941


=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ chromium
 faad2
   not yet fixed upstream
 --
+firefox-esr (jmm)
+--
 freeimage
 --
 glusterfs/oldstable
@@ -41,7 +43,7 @@ mercurial/oldstable
 neovim/oldstable
   Maintainer will prepare updates
 --
-nss/oldstable
+nss (jmm)
   Roberto proposed an update including fixes for CVE-2018-12404 and 
CVE-2018-18508
 --
 poppler (jmm)
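Review bot: renaming "nss/oldstable" to "nss (jmm)" drops the /oldstable qualifier, so the entry now refers to stable, but the unchanged text beneath it ("Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508") describes the oldstable update; either keep a separate nss/oldstable entry with that note, or reword the note to say what is planned for stable.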



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/0891eec1447b20c9f45d18754f733df2081bbda3



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits