Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
44d451f2 by Moritz Muehlenhoff at 2020-04-28T21:35:53+02:00
buster/stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5009,6 +5009,7 @@ CVE-2020-10704
CVE-2020-10703 [Potential denial of service via active pool without target
path]
RESERVED
- libvirt 6.0.0-2
+ [buster] - libvirt <no-dsa> (Minor issue)
[stretch] - libvirt <not-affected> (Vulnerable code introduced later)
[jessie] - libvirt <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1790725
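Review bot: the new [buster] <no-dsa> line gives only "(Minor issue)" while the stretch and jessie lines justify <not-affected> with "Vulnerable code introduced later"; add a NOTE naming the upstream commit or release that introduced the code, so the split between buster being affected and stretch not being affected is verifiable by the next triager rather than implied by the absence of a reason.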
@@ -5126,6 +5127,7 @@ CVE-2020-10676
RESERVED
CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows
attacker ...)
- golang-github-buger-jsonparser 0.0~git20200322.0.f7e751e-1 (bug
#954373)
+ [buster] - golang-github-buger-jsonparser <no-dsa> (Minor issue)
NOTE: https://github.com/buger/jsonparser/issues/188
NOTE:
https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717
CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
interact ...)
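Review bot: golang-github-buger-jsonparser is a Go library, so a [buster] <no-dsa> on the source package says nothing about the buster binaries that statically link it; add a NOTE listing the buster reverse dependencies that embed the parser (or stating there are none), since those binaries are what crafted input actually reaches and what any later point-release fix would have to rebuild.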
@@ -5158,6 +5160,8 @@ CVE-2020-10666
RESERVED
CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary
OS comman ...)
- libperlspeak-perl <removed> (bug #954238)
+ [buster] - libperlspeak-perl <ignored> (Will be removed in next point
release)
+ [stretch] - libperlspeak-perl <ignored> (Will be removed in next point
release)
[jessie] - libperlspeak-perl <end-of-life> (Not supported in jessie LTS)
NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=132173
CVE-2020-10665 (Docker Desktop allows local privilege escalation to NT
AUTHORITY\SYSTE ...)
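Review bot: "<ignored> (Will be removed in next point release)" on the new [buster] and [stretch] lines is a forward-looking claim with nothing tracking it; cite the removal request bug for the stable suites next to it, the way the unstable line cites #954238, so that if the removal slips the arbitrary-OS-command issue does not stay hidden behind an <ignored> tag that reads as final.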
@@ -5170,7 +5174,9 @@ CVE-2020-10663 [Unsafe Object Creation Vulnerability in
JSON (Additional fix to
- ruby-json 2.3.0+dfsg-1
- ruby2.7 <not-affected> (Fixed before initial upload to Debian)
- ruby2.5 <unfixed>
+ [buster] - ruby2.5 <no-dsa> (Minor issue)
- ruby2.3 <removed>
+ [stretch] - ruby2.3 <no-dsa> (Minor issue)
- ruby2.1 <removed>
NOTE:
https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
NOTE: https://hackerone.com/reports/706934
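Review bot: the hunk marks the json copy bundled in ruby2.5 (buster) and ruby2.3 (stretch) as <no-dsa> but adds no [buster] or [stretch] line for the standalone ruby-json package, whose unstable fix is 2.3.0+dfsg-1; check the ruby-json versions shipped in both suites and give them the same verdict if they predate 2.3.0, or record <not-affected> if they do not, so the bundled and unbundled copies of the same code are triaged consistently. The "- ruby2.5 <unfixed>" line also still lacks a bug reference for the sid fix that the buster deferral leans on.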
@@ -5818,6 +5824,7 @@ CVE-2020-10381 (An issue was discovered in the MB CONNECT
LINE mymbCONNECT24 and
NOT-FOR-US: MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software
CVE-2020-10380 (RMySQL through 0.10.19 allows SQL Injection. ...)
- rmysql 0.10.20-1
+ [buster] - rmysql <no-dsa> (Minor issue)
[jessie] - rmysql <no-dsa> (Minor issue)
NOTE: Fixed by:
https://github.com/r-dbi/RMySQL/commit/c2467c466684b4733a7b0df4689987e1f9dcfc32
NOTE: Test:
https://github.com/r-dbi/RMySQL/commit/6137ce887c1e36b278f11656a9a9fc1cae6a5f40
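Review bot: a [buster] <no-dsa> line is added beside the existing [jessie] <no-dsa> line, which leaves stretch as the only supported suite without a verdict for CVE-2020-10380; if rmysql ships in stretch add a [stretch] line with the same rationale, and if it does not, say so in a NOTE so the gap is not re-triaged later.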
@@ -6258,11 +6265,15 @@ CVE-2020-10186
CVE-2020-10185 (The sync endpoint in YubiKey Validation Server before 2.40
allows remo ...)
{DLA-2141-1}
- yubikey-val <removed>
+ [buster] - yubikey-val <no-dsa> (Minor issue)
+ [stretch] - yubikey-val <no-dsa> (Minor issue)
NOTE: https://www.yubico.com/support/security-advisories/ysa-2020-01/
NOTE:
https://github.com/Yubico/yubikey-val/commit/d0e4db3245deb5ce0c8d7d26069c78071a140286
CVE-2020-10184 (The verify endpoint in YubiKey Validation Server before 2.40
does not ...)
{DLA-2141-1}
- yubikey-val <removed>
+ [buster] - yubikey-val <no-dsa> (Minor issue)
+ [stretch] - yubikey-val <no-dsa> (Minor issue)
NOTE: https://www.yubico.com/support/security-advisories/ysa-2020-01/
NOTE:
https://github.com/Yubico/yubikey-val/commit/d0e4db3245deb5ce0c8d7d26069c78071a140286
CVE-2020-10183
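Review bot: both CVE-2020-10185 and CVE-2020-10184 already carry {DLA-2141-1} and the same single upstream fix commit (d0e4db3245de...), yet the new [stretch] lines say <no-dsa> (Minor issue); with a backport already shipped for jessie, <postponed> describes the stretch situation more accurately than <no-dsa>, since the fix exists and can ride a point release. Whichever tag is chosen should stay identical on both sibling entries, as they share the advisory, the commit and the affected range (before 2.40).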
@@ -11395,6 +11406,7 @@ CVE-2020-7956 (HashiCorp Nomad and Nomad Enterprise up
to 0.10.2 incorrectly val
NOTE: https://github.com/hashicorp/nomad/issues/7003
CVE-2020-7955 (HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did
not uni ...)
- consul 1.7.0+dfsg1-1 (bug #950736)
+ [buster] - consul <no-dsa> (Minor issue)
NOTE: https://github.com/hashicorp/consul/issues/7160
NOTE: Fixed in 1.6.3.
CVE-2020-7954 (An issue was discovered in OpServices OpMon 9.3.2. Starting
from the a ...)
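Review bot: the [buster] <no-dsa> line assumes buster's consul sits inside the CVE-2020-7955 range of 1.4.1 through 1.6.2, but the CVE-2018-19653 entry in this same commit (affected 0.5.1 through 1.4.0, fixed in 1.4.4~dfsg1-1) also receives a [buster] line, so for both verdicts to hold buster's consul must be at least 1.4.1 and below 1.4.4; confirm the buster version against that lower bound and use <not-affected> here if it is 1.4.0 or older, otherwise "Minor issue" documents a deferral of something that was never reachable.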
@@ -13063,6 +13075,7 @@ CVE-2020-7220 (HashiCorp Vault Enterprise 0.11.0
through 1.3.1 fails, in certain
NOT-FOR-US: HashiCorp Vault
CVE-2020-7219 (HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC
services a ...)
- consul 1.7.0+dfsg1-1 (bug #950736)
+ [buster] - consul <no-dsa> (Minor issue)
NOTE: https://github.com/hashicorp/consul/issues/7159
NOTE: Fixed in 1.6.3.
CVE-2020-7218 (HashiCorp Nomad and Nomad Enterprise before 0.10.3 allow
unbounded res ...)
@@ -17822,6 +17835,8 @@ CVE-2020-5209 (In NetHack before 3.6.5, unknown options
starting with -de and -i
CVE-2020-5208 (It's been found that multiple functions in ipmitool before
1.8.19 negl ...)
{DLA-2098-1}
- ipmitool <unfixed> (bug #950761)
+ [buster] - ipmitool <no-dsa> (Minor issue)
+ [stretch] - ipmitool <no-dsa> (Minor issue)
NOTE:
https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
NOTE:
https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2
NOTE:
https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10
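Review bot: after this hunk ipmitool is <unfixed> in unstable (bug #950761) and <no-dsa> in both buster and stretch, which leaves jessie via DLA-2098-1 as the only suite with the two listed upstream commits applied; since a backport therefore already exists, <postponed> fits buster and stretch better than <no-dsa>, and the sid fix should be chased in #950761 so the stable deferrals do not outlive the unfixed unstable package.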
@@ -84240,6 +84255,7 @@ CVE-2018-19654 (An issue was discovered in Sales &
Company Management System
NOT-FOR-US: Sales & Company Management System (SCMS)
CVE-2018-19653 (HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext
agent-to-agent ...)
- consul 1.4.4~dfsg1-1
+ [buster] - consul <no-dsa> (Minor issue)
NOTE: https://github.com/hashicorp/consul/pull/5069
CVE-2018-19652
RESERVED
=====================================
data/dsa-needed.txt
=====================================
@@ -37,6 +37,8 @@ squid/stable
--
squid3/oldstable
--
+teeworlds/stable
+--
tiff/oldstable (carnil)
Maintainer prepared an update
--
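Review bot: the new teeworlds/stable entry has no owner and no comment, unlike tiff/oldstable (carnil) with its "Maintainer prepared an update" line, and nothing else in this commit touches teeworlds; put the CVE id(s) this DSA is meant to cover in the comment slot so the queue entry can be matched back to data/CVE/list without searching.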
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44d451f2bac8802f930da2c2f602b0cafae52a01
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits