Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d55a0584 by Moritz Muehlenhoff at 2020-01-17T11:29:46+01:00
buster/stretch triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -22093,10 +22093,9 @@ CVE-2019-17402 (Exiv2 0.27.2 allows attackers to 
trigger a crash in Exiv2::getUL
        NOTE: 
https://github.com/Exiv2/exiv2/commit/50e9dd964a439da357798344ed1dd86edcadf0ec 
(0.27-branch)
        NOTE: Follow-up: https://github.com/Exiv2/exiv2/issues/1026
 CVE-2019-17401 (** DISPUTED ** libyal liblnk 20191006 has a heap-based buffer 
over-rea ...)
-       - liblnk <unfixed> (low)
-       [buster] - liblnk <no-dsa> (Minor issue)
-       [stretch] - liblnk <no-dsa> (Minor issue)
+       - liblnk <unfixed> (unimportant)
        NOTE: https://github.com/libyal/liblnk/issues/40
+       NOTE: Negligible/questionable security impact
 CVE-2019-17400 (The unoconv package before 0.9 mishandles untrusted pathnames, 
leading ...)
        - unoconv 0.7-2 (low; bug #943561)
        [buster] - unoconv <no-dsa> (Minor issue)
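Review bot: the downgrade to unimportant removes the [buster] and [stretch] no-dsa lines, which is consistent since an unimportant rating applies to every suite, but the added NOTE "Negligible/questionable security impact" restates the rating rather than the reason behind it. With the CVE marked DISPUTED and libyal/liblnk issue 40 as the only reference, a sentence saying what exactly is disputed would keep a later triager from raising this back to low.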
@@ -22167,12 +22166,10 @@ CVE-2019-17373 (Certain NETGEAR devices allow 
unauthenticated access to critical
 CVE-2019-17372 (Certain NETGEAR devices allow remote attackers to disable all 
authenti ...)
        NOT-FOR-US: NETGEAR
 CVE-2019-17371 (libpng 1.6.37 has memory leaks in png_malloc_warn and 
png_create_info_ ...)
-       - libpng1.6 <unfixed> (low)
-       [buster] - libpng1.6 <no-dsa> (Minor issue)
-       [stretch] - libpng1.6 <no-dsa> (Minor issue)
-       - libpng <removed>
-       [jessie] - libpng <no-dsa> (Minor issue)
+       - gif2png <removed> (unimportant)
        NOTE: https://github.com/glennrp/libpng/issues/307
+       NOTE: Initially filed for libpng, but the bug is actually in gif2png
+       NOTE: Memory leak in CLI tool, no security impact
 CVE-2019-17370 (OTCMS v3.85 allows arbitrary PHP Code Execution because 
admin/sysCheck ...)
        NOT-FOR-US: OTCMS
 CVE-2019-17369 (OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel 
page, le ...)
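Review bot: the libpng1.6 and libpng lines are replaced outright instead of being marked not-affected, so the entry no longer records that libpng was assessed even though the CVE description still names libpng 1.6.37. Keeping `- libpng1.6 <not-affected> (bug is in gif2png)` next to the new gif2png line would make the re-attribution self-documenting and stop matching against the CVE text from flagging libpng as untriaged. The jessie libpng no-dsa line is dropped as well; if jessie still ships gif2png, an equivalent jessie line for that package is worth considering.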
@@ -22386,20 +22383,16 @@ CVE-2019-17266 (libsoup from versions 2.65.1 until 
2.68.1 have a heap-based buff
 CVE-2019-17265
        RESERVED
 CVE-2019-17264 (** DISPUTED ** In libyal liblnk before 20191006, 
liblnk_location_infor ...)
-       - liblnk <unfixed> (low)
-       [buster] - liblnk <no-dsa> (Minor issue)
-       [stretch] - liblnk <no-dsa> (Minor issue)
+       - liblnk <unfixed> (unimportant)
        NOTE: https://github.com/libyal/liblnk/issues/38
        NOTE: 
https://github.com/libyal/liblnk/commit/c4d04de2c76f62129677c90a616d049be9c52482
+       NOTE: Negligible/questionable security impact
 CVE-2019-17263 (** DISPUTED ** In libyal libfwsi before 20191006, 
libfwsi_extension_bl ...)
-       - liblnk <unfixed> (low)
-       [buster] - liblnk <no-dsa> (Minor issue)
-       [stretch] - liblnk <no-dsa> (Minor issue)
-       - libfwsi <unfixed> (low)
-       [buster] - libfwsi <no-dsa> (Minor issue)
-       [stretch] - libfwsi <no-dsa> (Minor issue)
+       - liblnk <unfixed> (unimportant)
+       - libfwsi <unfixed> (unimportant)
        NOTE: https://github.com/libyal/libfwsi/issues/13
        NOTE: 
https://github.com/libyal/libfwsi/commit/54afa5c71d6c795a555dbcb1e160fea393b98fb3
+       NOTE: Negligible/questionable security impact
 CVE-2019-17262 (XnView Classic 2.49.1 allows a User Mode Write AV starting at 
Xwsq+0x0 ...)
        NOT-FOR-US: XnView
 CVE-2019-17261 (XnView Classic 2.49.1 allows a User Mode Write AV starting at 
Xwsq+0x0 ...)
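Review bot: for CVE-2019-17263 the entry keeps both liblnk and libfwsi, but the NOTEs reference only the libfwsi issue and commit; a NOTE explaining why liblnk is listed for a libfwsi bug (for instance, whether liblnk carries its own copy of that code) would help. The same generic "Negligible/questionable security impact" NOTE is added to both CVEs in this hunk and to CVE-2019-17401; a short per-entry reason, or a pointer to the DISPUTED discussion, would be more useful than the repeated phrase.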
@@ -37511,8 +37504,8 @@ CVE-2019-12496 (An issue was discovered in Hybrid Group 
Gobot before 1.13.0. The
        NOT-FOR-US: Hybrid Group Gobot
 CVE-2019-12495 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 
0.9.27. ...)
        - tcc <unfixed> (bug #929872)
-       [buster] - tcc <no-dsa> (Minor issue)
-       [stretch] - tcc <no-dsa> (Minor issue)
+       [buster] - tcc <ignored> (Minor issue)
+       [stretch] - tcc <ignored> (Minor issue)
        [jessie] - tcc <no-dsa> (Minor issue)
        NOTE: 
https://lists.nongnu.org/archive/html/tinycc-devel/2019-05/msg00044.html
        NOTE: 
https://repo.or.cz/tinycc.git/commit/d04ce7772c2bc2781ab2502e0b1f1964488814b5
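Review bot: the buster and stretch status moves from no-dsa to ignored while the justification stays "Minor issue", which is the no-dsa rationale; since ignored means the issue will not be fixed in that release at all, the reason should say why (for example that the upstream commit is unsuitable for backporting, if that is the case). Jessie stays at no-dsa, which is fine if that decision is left to the LTS team, but it is worth a glance for consistency.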
@@ -46232,8 +46225,8 @@ CVE-2019-9755 (An integer underflow issue exists in 
ntfs-3g 2017.3.23. A local a
        NOTE: 
https://sourceforge.net/p/ntfs-3g/ntfs-3g/ci/85c1634a26faa572d3c558d4cf8aaaca5202d4e9/
 CVE-2019-9754 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 
0.9.27. ...)
        - tcc <unfixed> (low; bug #925127)
-       [buster] - tcc <no-dsa> (Minor issue)
-       [stretch] - tcc <no-dsa> (Minor issue)
+       [buster] - tcc <ignored> (Minor issue)
+       [stretch] - tcc <ignored> (Minor issue)
        [jessie] - tcc <no-dsa> (Minor issue)
        NOTE: 
https://lists.nongnu.org/archive/html/tinycc-devel/2019-03/msg00038.html
 CVE-2019-9753 (An issue was discovered in Open Ticket Request System (OTRS) 
7.x befor ...)
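Review bot: same point as for CVE-2019-12495: the switch to ignored keeps the "Minor issue" text, so the stated reason no longer matches the decision. The two tcc CVEs are triaged identically; one NOTE on the backport decision, referenced from both entries, would keep them from drifting apart later.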
@@ -101412,8 +101405,8 @@ CVE-2018-8832 (enhavo 0.4.0 has XSS via a user-group 
that contains executable Ja
        NOT-FOR-US: enhavo
 CVE-2018-8831 (A Persistent XSS vulnerability exists in Kodi (formerly XBMC) 
through  ...)
        - kodi <unfixed> (low)
-       [buster] - kodi <no-dsa> (Minor issue)
-       [stretch] - kodi <no-dsa> (Minor issue)
+       [buster] - kodi <ignored> (Minor issue)
+       [stretch] - kodi <ignored> (Minor issue)
        - xbmc <removed>
        [jessie] - xbmc <no-dsa> (Minor issue)
        [wheezy] - xbmc <no-dsa> (Minor issue)
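Review bot: the kodi buster and stretch entries go to ignored with the unchanged "Minor issue" reason; as with the tcc entries, the reason should state why this is ignored rather than no-dsa, since the two statuses carry different commitments for point releases. The xbmc jessie and wheezy lines are untouched, which is consistent with leaving those suites to the LTS process.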
@@ -239167,8 +239160,8 @@ CVE-2014-XXXX [rsync collision attack]
 CVE-2014-8242 (librsync before 1.0.0 uses a truncated MD4 checksum to match 
blocks, w ...)
        [experimental] - librsync 1.0.0-1~exp1
        - librsync 2.0.2-1 (low; bug #776246)
-       [buster] - librsync <no-dsa> (Minor issue, too instrusive to backport)
-       [stretch] - librsync <no-dsa> (Minor issue, too instrusive to backport)
+       [buster] - librsync <ignored> (Minor issue, too instrusive to backport)
+       [stretch] - librsync <ignored> (Minor issue, too instrusive to backport)
        [jessie] - librsync <no-dsa> (Minor issue, too instrusive to backport)
        [wheezy] - librsync <no-dsa> (Minor issue, too instrusive to backport)
        [squeeze] - librsync <no-dsa> (Minor issue, too instrusive to backport)
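Review bot: the typo "instrusive" is carried over into both rewritten lines (and remains in the jessie, wheezy and squeeze lines); since the buster and stretch lines are being rewritten anyway, correct them to "too intrusive to backport". Otherwise the move to ignored matches the stated rationale: a fix judged too intrusive to backport will not land in a point release either, so no-dsa was the less accurate status.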



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/d55a0584c3d3d13b0da4a1bc0c7278ae67bdfd8d

-- 


_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
