Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2f06c1f1 by Moritz Muehlenhoff at 2019-12-16T19:43:23Z
buster/stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -12667,7 +12667,9 @@ CVE-2019-17546 (tif_getimage.c in LibTIFF through 
4.0.10, as used in GDAL throug
        NOTE: gdal uses system libtiff libraries since 2.0.1+dfsg-1~exp1 
(#684233)
 CVE-2019-17545 (GDAL through 3.0.1 has a poolDestroy double free in 
OGRExpatRealloc in ...)
        {DLA-1984-1}
-       - gdal 2.4.2+dfsg-2
+       - gdal 2.4.2+dfsg-2 (low)
+       [buster] - gdal <no-dsa> (Minor issue)
+       [stretch] - gdal <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16178
        NOTE: 
https://github.com/OSGeo/gdal/commit/148115fcc40f1651a5d15fa34c9a8c528e7147bb
 CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based 
buffer over- ...)
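Review bot: the new `(low)` and `<no-dsa> (Minor issue)` lines for buster and stretch carry no rationale, while the same entry already records `{DLA-1984-1}`, i.e. jessie did receive an update for this OGRExpatRealloc double free. A short reason inside the parenthesis would make the divergence from the jessie decision easier to follow when the entry is revisited.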
@@ -14400,6 +14402,8 @@ CVE-2019-16885 (In OkayCMS through 2.3.4, an 
unauthenticated attacker can achiev
        NOT-FOR-US: OkayCMS
 CVE-2019-16884 (runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce 
and other ...)
        - runc 1.0.0~rc9+dfsg1-1 (bug #942026)
+       [buster] - runc <no-dsa> (Minor issue)
+       [stretch] - runc <no-dsa> (Minor issue)
        - golang-github-opencontainers-selinux <unfixed> (bug #942027)
        NOTE: https://github.com/opencontainers/runc/issues/2128
 CVE-2019-16883
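Review bot: the `[buster]`/`[stretch]` `<no-dsa>` lines cover only runc, while the context line `- golang-github-opencontainers-selinux <unfixed> (bug #942027)` in the same entry still has no suite decision. If the triage applies to both sources, add matching lines under the selinux one; if not, a NOTE saying why it is handled separately would keep the entry from looking half-triaged.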
@@ -15762,6 +15766,8 @@ CVE-2019-16371 (LogMeIn LastPass before 4.33.0 allows 
attackers to construct a c
        NOT-FOR-US: LogMeIn LastPass
 CVE-2019-16370 (The PGP signing plugin in Gradle before 6.0 relies on the 
SHA-1 algori ...)
        - gradle <unfixed> (low; bug #941186)
+       [buster] - gradle <no-dsa> (Minor issue)
+       [stretch] - gradle <no-dsa> (Minor issue)
        [jessie] - gradle <postponed> (Minor issue, old gradle mainly used for 
building Debian packages with apt signatures)
        NOTE: 
https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2f
 CVE-2019-16369
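Review bot: the two added `<no-dsa> (Minor issue)` lines give no reason, whereas the `[jessie]` line directly below records one (old gradle mainly used for building Debian packages). If the same reasoning applies to buster and stretch, repeating it keeps the triage self-explanatory; the same holds for the CVE-2019-15052 gradle hunk further down. While here: the jessie rationale in this entry says "with apt signatures" but the CVE-2019-15052 entry says "with system libraries"; one of the two looks like a copy slip worth checking.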
@@ -19000,7 +19006,9 @@ CVE-2019-15239 (In the Linux kernel, a certain 
net/ipv4/tcp_output.c change, whi
 CVE-2019-15238 (The cforms2 plugin before 15.0.2 for WordPress has CSRF 
related to the ...)
        NOT-FOR-US: Wordpress plugin
 CVE-2019-15237 (Roundcube Webmail through 1.3.9 mishandles Punycode xn-- 
domain names, ...)
-       - roundcube <unfixed>
+       - roundcube <unfixed> (low)
+       [buster] - roundcube <no-dsa> (Minor issue)
+       [stretch] - roundcube <no-dsa> (Minor issue)
        NOTE: https://github.com/roundcube/roundcubemail/issues/6891
 CVE-2019-15236
        RESERVED
@@ -19761,6 +19769,8 @@ CVE-2019-15053 (The "HTML Include and replace macro" 
plugin before 1.5.0 for Con
        NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence 
Server
 CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication 
credentials  ...)
        - gradle <unfixed> (low; bug #941187)
+       [buster] - gradle <no-dsa> (Minor issue)
+       [stretch] - gradle <no-dsa> (Minor issue)
        [jessie] - gradle <postponed> (Minor issue, old gradle mainly used for 
building Debian packages with system libraries)
        NOTE: https://github.com/gradle/gradle/issues/10278
        NOTE: https://github.com/gradle/gradle/pull/10176
@@ -21533,6 +21543,8 @@ CVE-2019-14494 (An issue was discovered in Poppler 
through 0.78.0. There is a di
 CVE-2019-14493 (An issue was discovered in OpenCV before 4.1.1. There is a 
NULL pointe ...)
        [experimental] - opencv 4.1.1+dfsg-1
        - opencv 4.1.2+dfsg-3
+       [buster] - opencv <no-dsa> (Minor issue)
+       [stretch] - opencv <no-dsa> (Minor issue)
        [jessie] - opencv <postponed> (Minor issue, DoS, PoC not crashing)
        NOTE: https://github.com/opencv/opencv/issues/15127
        NOTE: 
https://github.com/opencv/opencv/commit/5691d998ead1d9b0542bcfced36c2dceb3a59023
@@ -26948,7 +26960,9 @@ CVE-2019-13040
 CVE-2019-13039
        RESERVED
 CVE-2019-13038 (mod_auth_mellon through 0.14.2 has an Open Redirect via the 
login?Retu ...)
-       - libapache2-mod-auth-mellon <unfixed> (bug #931265)
+       - libapache2-mod-auth-mellon <unfixed> (low; bug #931265)
+       [buster] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)
+       [stretch] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)
        [jessie] - libapache2-mod-auth-mellon <ignored> (Open Redirect 
protection not implemented yet)
        NOTE: 
https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885
 CVE-2019-13037
@@ -57760,6 +57774,7 @@ CVE-2019-2213 (In binder_free_transaction of binder.c, 
there is a possible use-a
        NOTE: https://lore.kernel.org/patchwork/patch/1087916/
 CVE-2019-2212 (In poisson_distribution of random, there is an out of bounds 
read. Thi ...)
        - libc++ <removed>
+       [stretch] - libc++ <no-dsa> (Minor issue)
        [jessie] - libc++ <no-dsa> (Minor issue, Jessie versions of software 
that uses poisson distribution have low popcon)
        - llvm-toolchain-6.0 <unfixed>
        [jessie] - llvm-toolchain-6.0 <no-dsa> (Minor issue, Jessie versions of 
software that uses poisson distribution have low popcon)
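Review bot: only `[stretch] - libc++ <no-dsa>` is added, so this entry still has no buster or stretch decision for `- llvm-toolchain-6.0 <unfixed>` two lines below, and no buster line for libc++ (which is `<removed>` in unstable). If the buster decision is that the affected code ships from a different source package there, recording that explicitly would make the triage complete.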
@@ -57794,6 +57809,7 @@ CVE-2019-2201 (In generate_jsimd_ycc_rgb_convert_neon 
of jsimd_arm64_neon.S, the
        NOTE: 
https://android.googlesource.com/platform/external/libjpeg-turbo/+/d3db2a2634c422286f75c4b38af98837f3d2f0ff
        NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
        NOTE: 
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884
+       NOTE: 
https://github.com/clearlinux-pkgs/libjpeg-turbo/commit/0a5d06c3dd4a64754d7e6ffa081fd9132714f74c
 CVE-2019-2200
        RESERVED
 CVE-2019-2199 (In createSessionInternal of PackageInstallerService.java, there 
is a p ...)
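Review bot: the added NOTE points at a clearlinux-pkgs commit without saying what it contributes beyond the upstream libjpeg-turbo commit already listed two lines above (a backport of the fix to an older release, for instance). A short tag in the NOTE, as this file does elsewhere with `OpenSSL_1_1_1-stable:` and `OpenSSL_1_0_2-stable:`, would say why a downstream reference is being kept.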
@@ -60275,6 +60291,7 @@ CVE-2019-1551 (There is an overflow bug in the x64_64 
Montgomery squaring proced
        [stretch] - openssl <postponed> (Wait until next upstream security 
release)
        [jessie] - openssl <not-affected> (Affected modules are not present in 
Jessie)
        - openssl1.0 <removed> (low)
+       [buster] - openssl1.0 <postponed> (Wait until next upstream security 
release)
        NOTE: https://www.openssl.org/news/secadv/20191206.txt
        NOTE: OpenSSL_1_1_1-stable: 
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f
        NOTE: OpenSSL_1_0_2-stable: 
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98


=====================================
data/dsa-needed.txt
=====================================
@@ -21,7 +21,7 @@ chromium
 --
 curl (ghedo)
 --
-cyrus-imapd
+cyrus-imapd (jmm)
 --
 evince/oldstable
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f06c1f12824e635bf58cd15b9cffe4aadba3a5b



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits