Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2030c0cd by Thorsten Alteholz at 2019-08-04T20:44:37Z
update note

- - - - -
9cf69ffa by Thorsten Alteholz at 2019-08-04T20:44:38Z
mark vlc as EOL

- - - - -
08b03435 by Thorsten Alteholz at 2019-08-04T20:44:39Z
follow security team with no-dsa for CVE-2019-5057 in Jessie

- - - - -
b95b855c by Thorsten Alteholz at 2019-08-04T20:44:41Z
follow security team with no-dsa for CVE-2019-5058 in Jessie

- - - - -
cd70d1d8 by Thorsten Alteholz at 2019-08-04T20:44:42Z
follow security team with no-dsa for CVE-2019-5059 in Jessie

- - - - -
3da09f57 by Thorsten Alteholz at 2019-08-04T20:44:43Z
follow security team with no-dsa for CVE-2019-5060 in Jessie

- - - - -
33a30ea1 by Thorsten Alteholz at 2019-08-04T20:44:45Z
follow security team with no-dsa for CVE-2019-14494 in Jessie

- - - - -
5c14f80c by Thorsten Alteholz at 2019-08-04T20:44:45Z
add wireshark

- - - - -
0edbfd14 by Thorsten Alteholz at 2019-08-04T20:44:45Z
add dnsmasq

- - - - -
6a005287 by Thorsten Alteholz at 2019-08-04T20:44:46Z
add python3.4

- - - - -
feac19d3 by Thorsten Alteholz at 2019-08-04T20:44:46Z
add tika

- - - - -
f8dde30b by Thorsten Alteholz at 2019-08-04T20:44:46Z
add yara

- - - - -
ac16aa99 by Thorsten Alteholz at 2019-08-04T20:44:47Z
mark CVE-2018-20839 as no-dsa

- - - - -
00768d5e by Thorsten Alteholz at 2019-08-04T20:44:49Z
mark CVEs for schism as no-dsa

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -277,9 +277,11 @@ CVE-2019-14525
        RESERVED
 CVE-2019-14524 (An issue was discovered in Schism Tracker through 20190722. 
There is a ...)
        - schism <unfixed> (bug #933808)
+       [jessie] - schism <no-dsa> (Minor issue)
        NOTE: https://github.com/schismtracker/schismtracker/issues/201
 CVE-2019-14523 (An issue was discovered in Schism Tracker through 20190722. 
There is a ...)
        - schism <unfixed> (bug #933809)
+       [jessie] - schism <no-dsa> (Minor issue)
        NOTE: https://github.com/schismtracker/schismtracker/issues/202
 CVE-2019-14522
        RESERVED
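Review bot: the two added `[jessie] - schism <no-dsa> (Minor issue)` lines for CVE-2019-14524 and CVE-2019-14523 are the only release-specific entries in their stanzas, so unlike the poppler and SDL_image stanzas further down there is no buster or stretch decision by the security team to follow here; the "Minor issue" rationale is an LTS judgement of its own, and a few words on why (the linked upstream issue is the only reference in each stanza) would let later triagers revisit it without re-reading the upstream report.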
@@ -343,6 +345,7 @@ CVE-2019-14494 (An issue was discovered in Poppler through 
0.78.0. There is a di
        - poppler <unfixed> (bug #933812)
        [buster] - poppler <no-dsa> (Minor issue)
        [stretch] - poppler <no-dsa> (Minor issue)
+       [jessie] - poppler <no-dsa> (Minor issue)
        NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/802
        NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/317
 CVE-2019-14493 (An issue was discovered in OpenCV before 4.1.1. There is a 
NULL pointe ...)
@@ -411,6 +414,7 @@ CVE-2019-14466
        RESERVED
 CVE-2019-14465 (fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has 
a heap-b ...)
        - schism <unfixed> (bug #933807)
+       [jessie] - schism <no-dsa> (Minor issue)
        NOTE: https://github.com/schismtracker/schismtracker/issues/198
        NOTE: 
https://github.com/schismtracker/schismtracker/commit/b78e8d32883f8a865035436af4fa6d541b6ebb42
 CVE-2019-14464 (XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 
1.02.00 has a  ...)
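Review bot: for CVE-2019-14465 the stanza already carries an upstream fix commit in its second NOTE line, so the new `[jessie] - schism <no-dsa> (Minor issue)` line is marking a jessie fix as not urgent rather than unavailable; consider extending the rationale to say that the referenced commit can be bundled into a later DLA if another schism issue warrants one, which makes the decision easier to revisit than a bare "Minor issue".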
@@ -7781,6 +7785,7 @@ CVE-2018-20839 (systemd 242 changes the VT1 mode upon a 
logout, which allows att
        [stretch] - systemd <no-dsa> (Minor issue)
        [jessie] - systemd <no-dsa> (Not reproducible without Ubuntu-style 
persistant VT1 greeter; too invasive to fix)
        - xorg-server <unfixed>
+       [jessie] - xorg-server <no-dsa> (Minor issue)
        NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993
        NOTE: 
https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f
        NOTE: https://github.com/systemd/systemd/pull/12378
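Review bot: the added `[jessie] - xorg-server <no-dsa> (Minor issue)` line sits directly under an existing `[jessie] - systemd <no-dsa>` entry for the same CVE-2018-20839 that carries a substantive rationale (not reproducible without an Ubuntu-style persistent VT1 greeter; too invasive to fix). Since the xorg-server side of this CVE is the same issue, reuse or reference that rationale instead of the generic "Minor issue", so the two jessie entries for one CVE do not read as if they were triaged on different grounds.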
@@ -25782,10 +25787,12 @@ CVE-2019-5461 [GitHub Integration SSRF]
 CVE-2019-5460 (Double Free in VLC versions &lt;= 3.0.6 leads to a crash. ...)
        {DSA-4459-1}
        - vlc 3.0.7-1
+       [jessie] - vlc <end-of-life> 
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
        NOTE: https://hackerone.com/reports/503208
 CVE-2019-5459 (An Integer underflow in VLC Media Player versions &lt; 3.0.7 
leads to  ...)
        {DSA-4459-1}
        - vlc 3.0.7-1
+       [jessie] - vlc <end-of-life> 
(https://lists.debian.org/debian-security-announce/2018/msg00130.html)
        NOTE: https://hackerone.com/reports/502816
 CVE-2019-5458 (Cross-site scripting (XSS) vulnerability in http-file-server 
(all vers ...)
        TODO: check
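Review bot: the two added `[jessie] - vlc <end-of-life>` lines for CVE-2019-5460 and CVE-2019-5459 show a space after the tag before the parenthesised URL, which the mail client then wrapped onto its own line; check that each entry is on a single line in the file with no trailing whitespace after `<end-of-life>`. The same marker will also be needed for any other vlc stanza in this file that still lacks a jessie entry, not only the two visible in this hunk.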
@@ -26619,36 +26626,44 @@ CVE-2019-5060 (An exploitable code execution 
vulnerability exists in the XPM ima
        - libsdl2-image 2.0.5+dfsg1-1
        [buster] - libsdl2-image <no-dsa> (Minor issue)
        [stretch] - libsdl2-image <no-dsa> (Minor issue)
+       [jessie] - libsdl2-image <no-dsa> (Minor issue)
        - sdl-image1.2 <unfixed>
        [buster] - sdl-image1.2 <no-dsa> (Minor issue)
        [stretch] - sdl-image1.2 <no-dsa> (Minor issue)
+       [jessie] - sdl-image1.2 <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0844
        NOTE: https://hg.libsdl.org/SDL_image/rev/26061e601c81
 CVE-2019-5059 (An exploitable code execution vulnerability exists in the XPM 
image re ...)
        - libsdl2-image 2.0.5+dfsg1-1
        [buster] - libsdl2-image <no-dsa> (Minor issue)
        [stretch] - libsdl2-image <no-dsa> (Minor issue)
+       [jessie] - libsdl2-image <no-dsa> (Minor issue)
        - sdl-image1.2 <unfixed>
        [buster] - sdl-image1.2 <no-dsa> (Minor issue)
        [stretch] - sdl-image1.2 <no-dsa> (Minor issue)
+       [jessie] - sdl-image1.2 <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0843
        NOTE: https://hg.libsdl.org/SDL_image/rev/95fc7da55247
 CVE-2019-5058 (An exploitable code execution vulnerability exists in the XCF 
image re ...)
        - libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
        [buster] - libsdl2-image <no-dsa> (Minor issue)
        [stretch] - libsdl2-image <no-dsa> (Minor issue)
+       [jessie] - libsdl2-image <no-dsa> (Minor issue)
        - sdl-image1.2 <unfixed> (bug #932755)
        [buster] - sdl-image1.2 <no-dsa> (Minor issue)
        [stretch] - sdl-image1.2 <no-dsa> (Minor issue)
+       [jessie] - sdl-image1.2 <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0842
        NOTE: https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
 CVE-2019-5057 (An exploitable code execution vulnerability exists in the PCX 
image-re ...)
        - libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
        [buster] - libsdl2-image <no-dsa> (Minor issue)
        [stretch] - libsdl2-image <no-dsa> (Minor issue)
+       [jessie] - libsdl2-image <no-dsa> (Minor issue)
        - sdl-image1.2 <unfixed> (bug #932755)
        [buster] - sdl-image1.2 <no-dsa> (Minor issue)
        [stretch] - sdl-image1.2 <no-dsa> (Minor issue)
+       [jessie] - sdl-image1.2 <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0841
        NOTE: https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
 CVE-2019-5056
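Review bot: the sdl-image1.2 `<unfixed>` lines for CVE-2019-5059 and CVE-2019-5060 in this hunk carry no bug reference, whereas the CVE-2019-5058 and CVE-2019-5057 stanzas cite bug #932755 for the same package; if that bug also covers the two XPM issues, adding the reference there keeps the four stanzas uniform. The eight added `[jessie] ... <no-dsa> (Minor issue)` lines themselves mirror the existing buster and stretch entries for both libsdl2-image and sdl-image1.2, which is consistent with the "follow security team" commit messages.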


=====================================
data/dla-needed.txt
=====================================
@@ -9,6 +9,8 @@ To pick an issue, simply add your name behind it. To learn more 
about how
 this list is updated have a look at
 https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
+--
+dnsmasq
 --
 faad2 (Hugo Lefeuvre)
   NOTE: 20190519: I have a few patches pending for open issues. Will be PR-ed 
soon.
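Review bot: the new `dnsmasq` entry is added to dla-needed.txt without a NOTE line or a claimant, so the entry itself does not say which CVE or bug prompted it; a dated NOTE in the style of the surrounding entries (for example the faad2 entry just below it) would help whoever picks it up. The placement before faad2 keeps the list alphabetical.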
@@ -87,6 +89,9 @@ proftpd-dfsg (Markus Koschany)
   NOTE: Stable update was released today.
 --
 python2.7 (Thorsten Alteholz)
+  NOTE: 20190804: need to check fails with test suite unrelated to this patch
+--
+python3.4 (Thorsten Alteholz)
 --
 qemu
   NOTE: 20190528: An upload candidate is waiting for being tested on real 
hardware.
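Review bot: the new python2.7 NOTE "need to check fails with test suite unrelated to this patch" is hard to parse; suggest "20190804: test suite failures unrelated to this patch still need to be checked" so it is clear the failures are pre-existing rather than introduced by the pending patch. The new `python3.4 (Thorsten Alteholz)` entry is correctly placed between python2.7 and qemu.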
@@ -97,6 +102,7 @@ qemu
   NOTE: 20190529: More testing needed.
 --
 ruby-mini-magick (Thorsten Alteholz)
+  NOTE: 20190805: package does not build in Jessie
 --
 ruby-openid
   NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding 
what the issue actually *is*. (lamby)
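Review bot: the date on the new ruby-mini-magick NOTE is 20190805, while the other NOTE added in this push (python2.7) is dated 20190804 and the commits themselves are timestamped 2019-08-04 UTC; unless the entry was deliberately dated in local time, change it to 20190804 so the notes from one push agree. The note text ("package does not build in Jessie") would also be more useful with a word on whether the build or the test suite fails, since that decides whether a DLA is still feasible.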
@@ -124,12 +130,16 @@ sqlite3
 subversion
   NOTE: 20190804: For (at least) CVE-2018-11782 the svn_err_trace that is in 
the diff has not been added yet. (lamby)
 --
+tika
+--
 tomcat8
   NOTE: 20190522: FTBFS
   NOTE: Test SSL certificate expired, see 
https://bz.apache.org/bugzilla/show_bug.cgi?id=57655
   NOTE: Attempt to solve this by using certificates from latest tomcat8 
package failed (Brian).
   NOTE: 20190701: New CVE just piled up.
 --
+wireshark (Thorsten Alteholz)
+--
 wordpress
   NOTE: 20190614: No upstream fix yet. (apo)
 --
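Review bot: `tika` is added without a claimant or NOTE while `wireshark` is claimed by Thorsten Alteholz; as with the dnsmasq entry earlier in this file, a short NOTE on tika saying which issue triggered it would help the next person who picks it up. Both entries are placed alphabetically (tika before tomcat8, wireshark after tomcat8 and before wordpress).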
@@ -138,3 +148,5 @@ xen
 --
 xymon (Thorsten alteholz)
 --
+yara
+--



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/compare/d5173322a76b1d71e305198af82c38a9dd4f60f8...00768d5e7d12aa1b678b4892545b9e8bc107a42a



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits