Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e1ed8c71 by Moritz Muehlenhoff at 2020-03-10T20:50:08+01:00
buster/stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1022,6 +1022,7 @@ CVE-2020-10019
        RESERVED
 CVE-2020-10018 (accessibility/AXObjectCache.cpp in WebKit, as used in 
WebKitGTK throug ...)
        - webkit2gtk <unfixed>
+       [buster] - webkit2gtk <postponed> (Hold back until next update round)
        [stretch] - webkit2gtk <ignored> (Not covered by security support in 
stretch)
        [jessie] - webkit2gtk <ignored> (Not covered by security support in 
jessie)
 CVE-2020-10017
@@ -1662,7 +1663,9 @@ CVE-2020-9479
 CVE-2019-20485 [potential DoS by holding a monitor job while querying QEMU 
guest-agent]
        RESERVED
        [experimental] - libvirt 6.0.0-1
-       - libvirt <unfixed> (bug #953078)
+       - libvirt <unfixed> (low; bug #953078)
+       [buster] - libvirt <no-dsa> (Minor issue)
+       [stretch] - libvirt <no-dsa> (Minor issue)
        [jessie] - libvirt <not-affected> (Vulnerable code not present)
        NOTE: 
https://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=a663a860819287e041c3de672aad1d8543098ecc
 (v6.0.0-rc1)
 CVE-2013-7487
@@ -1938,7 +1941,8 @@ CVE-2020-9371 (Stored XSS exists in the Appointment 
Booking Calendar plugin befo
 CVE-2020-9370 (HUMAX HGA12R-02 BRGCAA 1.1.53 devices allow Session Hijacking. 
...)
        NOT-FOR-US: HUMAX HGA12R-02 BRGCAA devices
 CVE-2020-9369 (Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a 
denial  ...)
-       - sympa 6.2.40~dfsg-4 (bug #952428)
+       - sympa 6.2.40~dfsg-4 (low; bug #952428)
+       [buster] - sympa <no-dsa> (Minor issue)
        [stretch] - sympa <not-affected> (Vulnerability introduced later in 
6.2.38)
        [jessie] - sympa <not-affected> (Vulnerability introduced later in 
6.2.38)
        NOTE: https://github.com/sympa-community/sympa/issues/886
@@ -2176,6 +2180,8 @@ CVE-2020-9275
 CVE-2020-9274 (An issue was discovered in Pure-FTPd 1.0.49. An uninitialized 
pointer  ...)
        {DLA-2123-1}
        - pure-ftpd 1.0.49-4 (bug #952666)
+       [buster] - pure-ftpd <no-dsa> (Minor issue)
+       [stretch] - pure-ftpd <no-dsa> (Minor issue)
        NOTE: 
https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa
        NOTE: though the CVE description does not specifically say, the issue 
seems to be an
        NOTE: out-of-bounds memory read which may result in information 
disclosure;
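Review bot: the unstable line `- pure-ftpd 1.0.49-4 (bug #952666)` is left without a severity tag, while the libvirt and sympa entries in this same commit gain `(low; bug #...)` next to their new `<no-dsa>` lines; adding `(low; bug #952666)` here would keep the triage consistent and matches the existing NOTE that this is an out-of-bounds read leading at most to information disclosure.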
@@ -3229,7 +3235,8 @@ CVE-2018-21034
        RESERVED
 CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext 
HTTP, a ...)
        - lxc-templates <unfixed>
-       - lxc 1:3.0.3-1
+       - lxc 1:3.0.3-1 (low)
+       [stretch] - lxc <no-dsa> (Minor issue)
        [jessie] - lxc <ignored> 
(https://lists.debian.org/debian-lts/2020/02/msg00102.html)
        NOTE: LXC 3.0.2 split the templates out to separate lxc-templates.
        NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447
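Review bot: only a `[stretch]` line is added for lxc, so after this change neither `lxc-templates <unfixed>` nor lxc carries a `[buster]` annotation; given the NOTE that LXC 3.0.2 moved the template scripts into lxc-templates, the buster status (no-dsa, not-affected or postponed) should be recorded for whichever of the two packages ships the affected templates there, otherwise the entry reads as still awaiting triage for buster.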
@@ -5002,7 +5009,7 @@ CVE-2020-8015
 CVE-2020-8014
        RESERVED
 CVE-2020-8013 (A UNIX Symbolic Link (Symlink) Following vulnerability in 
chkstat of S ...)
-       TODO: check
+       NOT-FOR-US: chkstat
 CVE-2020-8012 (CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and 
below cont ...)
        NOT-FOR-US: CA Unified Infrastructure Management (Nimsoft/UIM)
 CVE-2020-8011 (CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and 
below cont ...)
@@ -6774,6 +6781,8 @@ CVE-2019-20383
        RESERVED
 CVE-2019-20382 (QEMU 4.1.0 has a memory leak in zrle_compress_data in 
ui/vnc-enc-zrle. ...)
        - qemu 1:4.2-1
+       [buster] - qemu <postponed> (Minor, can be fixed along in future DSA)
+       [stretch] - qemu <postponed> (Minor, can be fixed along in future DSA)
        - qemu-kvm <removed>
        NOTE: https://www.openwall.com/lists/oss-security/2020/03/05/1
        NOTE: 
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0
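Review bot: the postponed reason `(Minor, can be fixed along in future DSA)` uses different wording from the php7.x entries later in this commit (`Minor issue, can be fixed along in a future DSA`); settling on one form keeps the annotation text uniform and easier to grep or report on across the list.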
@@ -7169,14 +7178,18 @@ CVE-2020-7064
 CVE-2020-7063 (In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 
7.4.x below ...)
        - php7.4 7.4.3-1
        - php7.3 7.3.15-1
+       [buster] - php7.3 <postponed> (Minor issue, can be fixed along in a 
future DSA)
        - php7.0 <removed>
+       [stretch] - php7.0 <postponed> (Minor issue, can be fixed along in a 
future DSA)
        - php5 <removed>
        NOTE: Fixed in PHP 7.4.3, 7.3.15, 7.2.28
        NOTE: PHP Bug: http://bugs.php.net/79082
 CVE-2020-7062 (In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 
7.4.x below ...)
        - php7.4 7.4.3-1
        - php7.3 7.3.15-1
+       [buster] - php7.3 <postponed> (Minor issue, can be fixed along in a 
future DSA)
        - php7.0 <removed>
+       [stretch] - php7.0 <postponed> (Minor issue, can be fixed along in a 
future DSA)
        - php5 <removed>
        NOTE: Fixed in PHP 7.4.3, 7.3.15, 7.2.28
        NOTE: PHP Bug: http://bugs.php.net/79221
@@ -7253,15 +7266,18 @@ CVE-2020-7044 (In Wireshark 3.2.x before 3.2.1, the 
WASSP dissector could crash.
        NOTE: 
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f90a3720b73ca140403315126e2a478c4f70ca03
        NOTE: https://www.wireshark.org/security/wnpa-sec-2020-01.html
 CVE-2020-7043 (An issue was discovered in openfortivpn 1.11.0 when used with 
OpenSSL  ...)
-       - openfortivpn 1.12.0-1
+       - openfortivpn 1.12.0-1 (unimportant)
        NOTE: https://github.com/adrienverge/openfortivpn/issues/536
        NOTE: 
https://github.com/adrienverge/openfortivpn/commit/6328a070ddaab16faaf008cb9a8a62439c30f2a8
+       NOTE: No version of openfortivpn was shipped with OpenSSL < 1.0.2, 
marking as unimportant
 CVE-2020-7042 (An issue was discovered in openfortivpn 1.11.0 when used with 
OpenSSL  ...)
        - openfortivpn 1.12.0-1
+       [buster] - openfortivpn <no-dsa> (Minor issue)
        NOTE: https://github.com/adrienverge/openfortivpn/issues/536
        NOTE: 
https://github.com/adrienverge/openfortivpn/commit/9eee997d599a89492281fc7ffdd79d88cd61afc3
 CVE-2020-7041 (An issue was discovered in openfortivpn 1.11.0 when used with 
OpenSSL  ...)
        - openfortivpn 1.12.0-1
+       [buster] - openfortivpn <no-dsa> (Minor issue)
        NOTE: https://github.com/adrienverge/openfortivpn/issues/536
        NOTE: 
https://github.com/adrienverge/openfortivpn/commit/60660e00b80bad0fadcf39aee86f6f8756c94f91
 CVE-2020-7040 (storeBackup.pl in storeBackup through 3.5 relies on the 
/tmp/storeBack ...)
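Review bot: CVE-2020-7042 and CVE-2020-7041 each get a `[buster] - openfortivpn <no-dsa> (Minor issue)` line but no `[stretch]` line, unlike the other no-dsa triage in this commit; if openfortivpn is shipped in stretch its status should be recorded as well, and if it is not, a short NOTE saying so would stop the gap from being read as pending work. The added NOTE justifying `unimportant` for CVE-2020-7043 (no shipped version built against OpenSSL < 1.0.2) is the right pattern, since it records why the severity was lowered instead of leaving later readers to reconstruct it.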
@@ -9652,7 +9668,7 @@ CVE-2020-5959
 CVE-2020-5958
        RESERVED
 CVE-2020-5957 (NVIDIA Windows GPU Display Driver, all versions, contains a 
vulnerabil ...)
-       TODO: check
+       NOT-FOR-US: Nvidia driver for Windows
 CVE-2019-20358 (Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 
and below  ...)
        NOT-FOR-US: Trend Micro
 CVE-2019-20357 (A Persistent Arbitrary Code Execution vulnerability exists in 
the Tren ...)
@@ -11193,6 +11209,7 @@ CVE-2020-5244 (In BuddyPress before 5.1.2, requests to 
a certain REST API endpoi
        NOT-FOR-US: BuddyPress
 CVE-2020-5243 (uap-core before 0.7.3 is vulnerable to a denial of service 
attack when ...)
        - uap-core <unfixed> (bug #952649)
+       [buster] - uap-core <no-dsa> (Minor issue)
        NOTE: 
https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p
        NOTE: 
https://github.com/ua-parser/uap-core/commit/a679b131697e7371f0441f4799940779efa2f27e
        NOTE: 
https://github.com/ua-parser/uap-core/commit/dd279cff09546dbd4174bd05d29c0e90c2cffa7c
@@ -11245,7 +11262,9 @@ CVE-2020-5226 (Cross-site scripting in SimpleSAMLphp 
before version 1.18.4. The
        NOTE: 
https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-mj9p-v2r8-wf8w
        NOTE: https://simplesamlphp.org/security/202001-01
 CVE-2020-5225 (Log injection in SimpleSAMLphp before version 1.18.4. The 
www/errorepo ...)
-       - simplesamlphp 1.18.4-1
+       - simplesamlphp 1.18.4-1 (low)
+       [buster] - simplesamlphp <no-dsa> (Minor issue)
+       [stretch] - simplesamlphp <no-dsa> (Minor issue)
        [jessie] - simplesamlphp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-6gc6-m364-85ww
        NOTE: https://simplesamlphp.org/security/202001-02
@@ -22402,12 +22421,12 @@ CVE-2019-18934 (Unbound 1.6.4 through 1.9.4 contain a 
vulnerability in the ipsec
 CVE-2019-18933 (In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in 
the new  ...)
        NOT-FOR-US: Zulip
 CVE-2019-18932 (log.c in Squid Analysis Report Generator (sarg) through 2.3.11 
allows  ...)
-       - sarg 2.4.0-1 (bug #951390)
-       [jessie] - sarg <no-dsa> (Minor issue)
+       - sarg 2.4.0-1 (unimportant; bug #951390)
        NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/6
        NOTE: The sarg-reports as shipped in Debian has already safe use of 
mktemp for
        NOTE: use of temporary files and directories.
        NOTE: Fixed by: 
https://sourceforge.net/p/sarg/code/ci/8ec6d20be8c0da3c885aba78e63251f2e5080748
+       NOTE: Neutralised by kernel hardening
 CVE-2019-18931 (Western Digital My Cloud EX2 Ultra firmware 2.31.195 allows a 
Buffer O ...)
        NOT-FOR-US: Western Digital My Cloud EX2 Ultra firmware
 CVE-2019-18930 (Western Digital My Cloud EX2 Ultra firmware 2.31.183 allows 
web users  ...)
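Review bot: the new `NOTE: Neutralised by kernel hardening` should name the mechanism it relies on, because the `unimportant` rating and the removal of the `[jessie] - sarg <no-dsa>` line now rest on it; the preceding NOTE only covers the safe mktemp use in Debian's sarg-reports, so state whether the remaining risk is the temporary-file handling in log.c named in the CVE text and which kernel protection (for example the protected-symlinks sysctl, if that is what is meant) makes it unexploitable on Debian.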
@@ -41461,6 +41480,7 @@ CVE-2019-13612 (MDaemon Email Server 19 skips 
SpamAssassin checks by default for
        NOT-FOR-US: MDaemon Email Server
 CVE-2019-13611 (An issue was discovered in python-engineio through 3.8.2. 
There is a C ...)
        - python-engineio 3.11.1-1 (bug #932538)
+       [buster] - python-engineio <no-dsa> (Minor issue)
        NOTE: https://github.com/miguelgrinberg/python-engineio/issues/128
        NOTE: 
https://github.com/miguelgrinberg/python-engineio/security/advisories/GHSA-j3jp-gvr5-7hwq
 CVE-2019-13610
@@ -48900,6 +48920,8 @@ CVE-2019-11323 (HAProxy before 1.9.7 mishandles a 
reload with rotated keys, whic
        NOTE: Fixed by: 
https://git.haproxy.org/?p=haproxy.git;a=commit;h=8ef706502aa2000531d36e4ac56dbdc7c30f718d
 CVE-2019-11324 (The urllib3 library before 1.24.2 for Python mishandles 
certain cases  ...)
        - python-urllib3 <unfixed> (bug #927412)
+       [buster] - python-urllib3 <no-dsa> (Minor issue)
+       [stretch] - python-urllib3 <no-dsa> (Minor issue)
        [jessie] - python-urllib3 <not-affected> (Vulnerable code introduced 
later)
        NOTE: https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4
        NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/3
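Review bot: the two added `<no-dsa> (Minor issue)` lines for CVE-2019-11324 come without a NOTE explaining the rating, although the description concerns urllib3 mishandling the CA certificate set used for verification; a one-line NOTE stating why this is minor for buster and stretch (for instance, which configuration has to be in use for it to matter) would make the decision reviewable later, as was done for the sarg and openfortivpn entries in this commit.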
@@ -49125,6 +49147,8 @@ CVE-2019-11236 (In the urllib3 library through 1.24.1 
for Python, CRLF injection
        {DLA-1828-1}
        [experimental] - python-urllib3 1.25.6-1
        - python-urllib3 <unfixed> (bug #927172)
+       [buster] - python-urllib3 <no-dsa> (Minor issue)
+       [stretch] - python-urllib3 <no-dsa> (Minor issue)
        NOTE: https://github.com/urllib3/urllib3/issues/1553
        NOTE: 
https://github.com/urllib3/urllib3/commit/9b76785331243689a9d52cef3db05ef7462cb02d
        NOTE: 
https://github.com/urllib3/urllib3/commit/efddd7e7bad26188c3b692d1090cba768afa9162
@@ -50374,6 +50398,8 @@ CVE-2019-10785 (dojox is vulnerable to Cross-site 
Scripting in all versions befo
        NOTE: https://github.com/dojo/dojox/pull/315
 CVE-2019-10784 (phppgadmin through 7.12.1 allows sensitive actions to be 
performed wit ...)
        - phppgadmin <unfixed>
+       [buster] - phppgadmin <no-dsa> (Minor issue)
+       [stretch] - phppgadmin <no-dsa> (Minor issue)
        NOTE: https://snyk.io/vuln/SNYK-PHP-PHPPGADMINPHPPGADMIN-543885
        NOTE: https://github.com/phppgadmin/phppgadmin/issues/94
 CVE-2019-10783 (All versions including 0.0.4 of lsof npm module are vulnerable 
to Comm ...)
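Review bot: `- phppgadmin <unfixed>` carries no `(bug #...)` reference, while the other `<unfixed>` entries touched in this commit (libvirt, uap-core, python-urllib3) do; if a Debian bug exists for this CVE it should be referenced here so the buster and stretch no-dsa decisions are linked to the tracking bug, and if none exists one should be filed alongside this triage.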
@@ -66210,12 +66236,16 @@ CVE-2019-5165 (An exploitable authentication bypass 
vulnerability exists in the
        NOT-FOR-US: Moxa
 CVE-2019-5164 (An exploitable code execution vulnerability exists in the 
ss-manager b ...)
        - shadowsocks-libev 3.3.3+ds-2
+       [buster] - shadowsocks-libev <no-dsa> (Minor issue)
+       [stretch] - shadowsocks-libev <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0958
        NOTE: https://github.com/shadowsocks/shadowsocks-libev/issues/2537
        NOTE: Mitigation: Using a unix socket with ss-manager via 
--manager-socket.
        NOTE: Exposing ss-manager to pubic is always dangerous.
 CVE-2019-5163 (An exploitable denial-of-service vulnerability exists in the 
UDPRelay  ...)
        - shadowsocks-libev 3.3.3+ds-2
+       [buster] - shadowsocks-libev <no-dsa> (Minor issue)
+       [stretch] - shadowsocks-libev <no-dsa> (Minor issue)
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0956
        NOTE: https://github.com/shadowsocks/shadowsocks-libev/issues/2536
 CVE-2019-5162 (An exploitable improper access control vulnerability exists in 
the iw_ ...)
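Review bot: the `(Minor issue)` reason on the CVE-2019-5164 no-dsa lines would be clearer if it referred to the existing mitigation NOTE (ss-manager reachable only over a unix socket via --manager-socket), since a code-execution issue rated minor needs its rationale visible in the annotation itself; separately, the context line `Exposing ss-manager to pubic is always dangerous.` has a typo (`public`) that a follow-up commit could fix.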


=====================================
data/dsa-needed.txt
=====================================
@@ -31,6 +31,10 @@ linux (carnil)
 --
 mercurial/oldstable
 --
+netkit-telnet
+--
+netkit-telnet-ssl
+--
 nodejs
 --
 nss/oldstable (jmm)
@@ -40,6 +44,8 @@ poppler (jmm)
 --
 python-reportlab (hle)
 --
+qbittorrent
+--
 smarty3/oldstable
 --
 squid/stable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1ed8c71230b58e2a454a53ffc45c5115d8a2c19



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
