Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
66258cf5 by Moritz Muehlenhoff at 2019-09-20T15:32:21Z
buster/stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1026,11 +1026,13 @@ CVE-2019-16167 (sysstat before 12.1.6 has memory 
corruption due to an Integer Ov
        NOTE: Introduced after: 
https://github.com/sysstat/sysstat/commit/65ac30359e49ee717397e39950d7c24a6610d57c
 (v11.7.1)
        NOTE: Fixed by: 
https://github.com/sysstat/sysstat/commit/edbf507678bf10914e9804ff8a06737fdcb2e781
 CVE-2019-16166 (GNU cflow through 1.6 has a heap-based buffer over-read in the 
nexttok ...)
-       - cflow <unfixed> (bug #939916)
+       - cflow <unfixed> (unimportant; bug #939916)
        NOTE: https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00000.html
+       NOTE: Crash in CLI tool, no security impact
 CVE-2019-16165 (GNU cflow through 1.6 has a use-after-free in the reference 
function i ...)
-       - cflow <unfixed> (bug #939915)
+       - cflow <unfixed> (unimportant; bug #939915)
        NOTE: https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00001.html
+       NOTE: Crash in CLI tool, no security impact
 CVE-2019-16164 (MyHTML through 4.0.5 has a NULL pointer dereference in 
myhtml_tree_nod ...)
        NOT-FOR-US: MyHTML
 CVE-2019-16163 (Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c 
because of ...)
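Review bot: the two cflow entries downgraded to unimportant rest on the NOTE "Crash in CLI tool, no security impact", but a heap-based buffer over-read and a use-after-free are memory-safety defects, so the rating hinges on cflow only ever seeing trusted source files; stating that assumption explicitly, for example `NOTE: cflow only processes source files chosen by the invoking user; no exposure to untrusted input`, makes the downgrade checkable later if the tool turns up in an automated pipeline.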
@@ -1109,6 +1111,7 @@ CVE-2019-16138 (An issue was discovered in the image 
crate before 0.21.3 for Rus
        NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0014.html
 CVE-2019-16137 (An issue was discovered in the spin crate before 0.5.2 for 
Rust, when  ...)
        - rust-spin 0.5.2-1
+       [buster] - rust-spin <no-dsa> (Minor issue)
        NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0013.html
 CVE-2019-16136
        RESERVED
@@ -1292,6 +1295,8 @@ CVE-2019-16059 (Sentrifugo 3.2 lacks CSRF protection. 
This could lead to an atta
        NOT-FOR-US: Sentrifugo
 CVE-2019-16058 (An issue was discovered in the pam_p11 component 0.2.0 and 
0.3.0 for O ...)
        - pam-p11 <unfixed> (bug #939664)
+       [buster] - pam-p11 <no-dsa> (Minor issue)
+       [stretch] - pam-p11 <no-dsa> (Minor issue)
        NOTE: 
https://github.com/OpenSC/pam_p11/commit/d150b60e1e14c261b113f55681419ad1dfa8a76c
 CVE-2019-16057 (The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is 
vulnera ...)
        NOT-FOR-US: D-Link
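Review bot: both new pam-p11 <no-dsa> lines give only the generic "Minor issue" as justification; for a PAM authentication module a one-line NOTE with the actual reason (which code path is affected or why impact is limited) would keep the entry consistent with the cflow and sphinxsearch entries in this same commit, which do explain their downgrade.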
@@ -2617,6 +2622,7 @@ CVE-2019-15553 (An issue was discovered in the memoffset 
crate before 0.5.0 for
        NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0011.html
 CVE-2019-15552 (An issue was discovered in the libflate crate before 0.1.25 
for Rust.  ...)
        - rust-libflate 0.1.25-1
+       [buster] - rust-libflate <no-dsa> (Minor issue)
        NOTE: https://github.com/sile/libflate/issues/35
        NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0010.html
 CVE-2019-15551 (An issue was discovered in the smallvec crate before 0.6.10 
for Rust.  ...)
@@ -3342,8 +3348,9 @@ CVE-2019-15299
 CVE-2019-15298
        RESERVED
 CVE-2019-15297 (res_pjsip_t38 in Sangoma Asterisk 13.21-cert4, 15.7.3, and 
16.5.0 allo ...)
-       - asterisk <unfixed> (bug #940060)
-       [jessie] - asterisk <not-affected> (The vulnerable code is not present)
+       - asterisk <unfixed> (low; bug #940060)
+       [buster] - asterisk <no-dsa> (Minor issue)
+       [stretch] - asterisk <no-dsa> (Minor issue)
        NOTE: https://downloads.asterisk.org/pub/security/AST-2019-004.html
        NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28495
 CVE-2019-15296 (An issue was discovered in Freeware Advanced Audio Decoder 2 
(FAAD2) 2 ...)
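Review bot: the `[jessie] - asterisk <not-affected> (The vulnerable code is not present)` line is removed without replacement, while the tika and suricata hunks later in this commit keep their [jessie] entries; if jessie is still tracked the line should stay, and if the removal is deliberate the reason belongs in the commit message, which currently only says "buster/stretch triage".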
@@ -5706,13 +5713,14 @@ CVE-2019-14513 (Improper bounds checking in Dnsmasq 
before 2.76 allows an attack
 CVE-2019-14512
        RESERVED
 CVE-2019-14511 (Sphinx Technologies Sphinx 3.1.1 by default has no 
authentication and  ...)
-       - sphinxsearch <unfixed> (bug #939762)
+       - sphinxsearch <unfixed> (unimportant; bug #939762)
        NOTE: Issue is just with the default configuration, but can be easily 
reconfigured
        NOTE: to listen on localhost only. sphinxsearch will not be started 
automatically
        NOTE: and an admin needs first to create anyway a 
/etc/sphinxsearch/sphinx.conf
        NOTE: starting from a sample.
        NOTE: sphinxsearch should ideally update the defaults in sample configs 
to bind
        NOTE: listeners to localhost.
+       NOTE: This is not treated as a vulnerability, subject to design choices 
for deployment
 CVE-2019-14510
        RESERVED
 CVE-2019-14509
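Review bot: the added NOTE "This is not treated as a vulnerability, subject to design choices for deployment" largely repeats the existing NOTE block above it (default configuration only, localhost binding, admin must create sphinx.conf first); consider folding it into the opening NOTE line, e.g. `NOTE: Not treated as a vulnerability: issue is just with the default configuration, but can be easily`, so the rationale reads as one statement rather than a trailing restatement.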
@@ -6666,6 +6674,7 @@ CVE-2018-20862 (cPanel before 76.0.8 unsafely performs 
PostgreSQL password chang
        NOT-FOR-US: cPanel
 CVE-2018-20861 (libopenmpt before 0.3.11 allows a crash with certain malformed 
custom  ...)
        - libopenmpt 0.3.11-1
+       [stretch] - libopenmpt <no-dsa> (Minor issue)
        NOTE: 
https://lib.openmpt.org/libopenmpt/2018/07/28/security-updates-0.3.11-0.2.10635-beta34-0.2.7561-beta20.5-p10-0.2.7386-beta20.3-p13/
        NOTE: 
https://source.openmpt.org/browse/openmpt/trunk/?op=revision&rev=10615 (0.3.11)
        NOTE: 
https://source.openmpt.org/browse/openmpt/trunk/?op=revision&rev=10616 
(0.2.10635-beta34)
@@ -6807,6 +6816,8 @@ CVE-2019-14319 (The TikTok (formerly Musical.ly) 
application 12.2.0 for Android
 CVE-2019-14318 (Crypto++ 8.3.0 and earlier contains a timing side channel in 
ECDSA sig ...)
        [experimental] - libcrypto++ 8.2.0-2
        - libcrypto++ 5.6.4-9 (low; bug #934326)
+       [buster] - libcrypto++ <no-dsa> (Minor issue)
+       [stretch] - libcrypto++ <no-dsa> (Minor issue)
        NOTE: https://github.com/weidai11/cryptopp/issues/869
 CVE-2019-14317
        RESERVED
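Review bot: the libcrypto++ entry describes a timing side channel in ECDSA signing, a class of bug that can leak private key material, yet the new buster/stretch lines give only "Minor issue" as the no-dsa reason; a NOTE naming the constraint that makes it minor in Debian's packaging (local-only measurement, affected curve or code path, whichever applies) would make the rating defensible alongside the "low" already set on the unstable line.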
@@ -13361,7 +13372,9 @@ CVE-2019-12177 (Privilege escalation due to insecure 
directory permissions affec
 CVE-2019-12176 (Privilege escalation in the "HTC Account Service" and 
"ViveportDesktop ...)
        NOT-FOR-US: HTC VIVEPORT
 CVE-2019-12175 (In Zeek Network Security Monitor (formerly known as Bro) 
before 2.6.2, ...)
-       - bro 2.6.4+ds1-1
+       - bro 2.6.4+ds1-1 (low)
+       [buster] - bro <no-dsa> (Minor issue)
+       [stretch] - bro <no-dsa> (Minor issue)
 CVE-2019-12174 (hide.me before 2.4.4 on macOS suffers from a privilege 
escalation vuln ...)
        NOT-FOR-US: hide.me
 CVE-2019-12173 (MacDown 0.7.1 (870) allows remote code execution via a 
file:\\\ URI, w ...)
@@ -19013,6 +19026,7 @@ CVE-2019-10094 (A carefully crafted package/compressed 
file that, when unzipped/
        NOTE: 
https://github.com/apache/tika/commit/c4e63c9be8665cccea8b680c59a6f5cfbc03e0fc
 CVE-2019-10093 (In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 
2006ml file ...)
        - tika 1.22-1 (bug #933745)
+       [buster] - tika <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2019/08/02/3
        NOTE: 
https://github.com/apache/tika/commit/81c21ab0aac6b3e4102a1a8906c8c7eab6f96dae
 CVE-2019-10092 [Limited cross-site scripting in mod_proxy]
@@ -19033,6 +19047,7 @@ CVE-2019-10089
        - jspwiki <removed>
 CVE-2019-10088 (A carefully crafted or corrupt zip file can cause an OOM in 
Apache Tik ...)
        - tika 1.22-1 (bug #933744)
+       [buster] - tika <no-dsa> (Minor issue)
        [jessie] - tika <not-affected> (Vulnerable feature introduced in 1.7)
        NOTE: https://www.openwall.com/lists/oss-security/2019/08/02/2
        NOTE: 
https://github.com/apache/tika/commit/426be73b9e7500fa3d441231fa4e473de34743f6
@@ -19161,11 +19176,15 @@ CVE-2019-10053 (An issue was discovered in Suricata 
4.1.x before 4.1.4. If the i
        NOTE: 
https://github.com/OISF/suricata/commit/51790d3824bc381e24aaeef20338dd6b8bd4e453
 CVE-2019-10052 (An issue was discovered in Suricata 4.1.3. If the network 
packet does  ...)
        - suricata 1:4.1.4-1
+       [buster] - suricata <no-dsa> (Minor issue)
+       [stretch] - suricata <no-dsa> (Minor issue)
        [jessie] - suricata <not-affected> (Vulnerable code not present)
        NOTE: https://redmine.openinfosecfoundation.org/issues/2902
        NOTE: https://redmine.openinfosecfoundation.org/issues/2947
 CVE-2019-10051 (An issue was discovered in Suricata 4.1.3. If the function 
filetracker ...)
        - suricata 1:4.1.4-1
+       [buster] - suricata <no-dsa> (Minor issue)
+       [stretch] - suricata <no-dsa> (Minor issue)
        [jessie] - suricata <not-affected> (Vulnerable code not present)
        NOTE: https://github.com/OISF/suricata/pull/3734
        NOTE: https://redmine.openinfosecfoundation.org/issues/2896


=====================================
data/dsa-needed.txt
=====================================
@@ -50,10 +50,14 @@ nodejs
 nss/oldstable (jmm)
   Roberto proposed an update including fixes for CVE-2018-12404 and 
CVE-2018-18508
 --
+openjpeg2
+--
 openssl1.0/oldstable
 --
 openssl
 --
+php7.0/oldstable (jmm)
+--
 poppler (jmm)
 --
 python2.7 (jmm)
@@ -62,6 +66,8 @@ python3.5 (jmm)
 --
 simplesamlphp/oldstable
 --
+slurm-llnl (jmm)
+--
 smarty3/oldstable
 --
 spip



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/66258cf5d79509f6524df632fb9d4a2213c0be3c



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits