Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6b41643b by Moritz Muehlenhoff at 2020-05-20T19:46:20+02:00
buster/stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -213,6 +213,8 @@ CVE-2019-20798 (An XSS issue was discovered in 
handler_server_info.c in Cherokee
        - cherokee <removed>
 CVE-2019-20797 (An issue was discovered in e6y prboom-plus 2.5.1.5. There is a 
buffer  ...)
        - prboom-plus <unfixed>
+       [buster] - prboom-plus <no-dsa> (Minor issue)
+       [stretch] - prboom-plus <no-dsa> (Minor issue)
        [jessie] - prboom-plus <end-of-life> (games are not supported)
        NOTE: https://logicaltrust.net/blog/2019/10/prboom1.html
        NOTE: https://sourceforge.net/p/prboom-plus/bugs/252/
@@ -822,7 +824,9 @@ CVE-2020-12830
        RESERVED
 CVE-2020-12829
        RESERVED
-       - qemu <unfixed>
+       - qemu <unfixed> (low)
+       [buster] - qemu <no-dsa> (Minor issue)
+       [stretch] - qemu <no-dsa> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1808510
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1786026
 CVE-2020-12828
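Review bot: The CVE-2020-12829 entry "- qemu <unfixed> (low)" carries no Debian bug reference, while the unfixed libvirt entry elsewhere in this commit has "bug #959447". Only the two Red Hat Bugzilla NOTE lines point at upstream tracking. Consider filing a BTS bug and appending it to the unfixed line so the fix in unstable can be followed from the tracker.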
@@ -892,6 +896,8 @@ CVE-2020-12802
        RESERVED
 CVE-2020-12801 (If LibreOffice has an encrypted document open and crashes, 
that docume ...)
        - libreoffice 1:6.4.3-1 (low)
+       [buster] - libreoffice <no-dsa> (Minor issue)
+       [stretch] - libreoffice <no-dsa> (Minor issue)
        NOTE: 
https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12801
 CVE-2020-12800
        RESERVED
@@ -1756,7 +1762,8 @@ CVE-2020-12431
        RESERVED
 CVE-2020-12430 (An issue was discovered in qemuDomainGetStatsIOThread in 
qemu/qemu_dri ...)
        [experimental] - libvirt 6.2.0-1
-       - libvirt <unfixed> (bug #959447)
+       - libvirt <unfixed> (low; bug #959447)
+       [buster] - libvirt <no-dsa> (Minor issue)
        [stretch] - libvirt <not-affected> (Vulnerable code introduced later)
        [jessie] - libvirt <not-affected> (Vulnerable code introduced later)
        NOTE: Fixed by: 
https://libvirt.org/git/?p=libvirt.git;a=commit;h=9bf9e0ae6af38c806f4672ca7b12a6b38d5a9581
 (v6.1.0-rc1)
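Review bot: The new "[buster] - libvirt <no-dsa> (Minor issue)" line sits above stretch and jessie entries marked "<not-affected> (Vulnerable code introduced later)", but the entry only has a "Fixed by:" NOTE. Adding a NOTE that names the introducing commit or version would let a reader verify why buster is affected and the older releases are not.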
@@ -2202,6 +2209,8 @@ CVE-2020-12269
        RESERVED
 CVE-2020-12268 (jbig2_image_compose in jbig2_image.c in Artifex jbig2dec 
before 0.18 h ...)
        - jbig2dec 0.18-1
+       [buster] - jbig2dec <no-dsa> (Minor issue)
+       [stretch] - jbig2dec <no-dsa> (Minor issue)
        [jessie] - jbig2dec <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20332
        NOTE: 
https://github.com/ArtifexSoftware/jbig2dec/commit/0726320a4b55078e9d8deb590e477d598b3da66e
@@ -3708,12 +3717,16 @@ CVE-2020-11867
        RESERVED
 CVE-2020-11866 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows a 
use-aft ...)
        - libemf 1.0.12-1
+       [buster] - libemf <no-dsa> (Minor issue)
 CVE-2020-11865 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows 
out-of-bo ...)
        - libemf 1.0.12-1
+       [buster] - libemf <no-dsa> (Minor issue)
 CVE-2020-11864 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows 
denial of ...)
        - libemf 1.0.12-1
+       [buster] - libemf <no-dsa> (Minor issue)
 CVE-2020-11863 (libEMF (aka ECMA-234 Metafile Library) through 1.0.11 allows 
denial of ...)
        - libemf 1.0.12-1
+       [buster] - libemf <no-dsa> (Minor issue)
 CVE-2019-20785 (An issue was discovered on LG mobile devices with Android OS 
8.0 and 8 ...)
        NOT-FOR-US: LG mobile devices
 CVE-2019-20784 (An issue was discovered on LG mobile devices with Android OS 
7.0, 7.1, ...)
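Review bot: The four libemf entries (CVE-2020-11866 through CVE-2020-11863) gain only "[buster] - libemf <no-dsa> (Minor issue)", whereas most other packages triaged in this commit get both a buster and a stretch line. If stretch ships libemf, each entry needs a matching [stretch] line with its status; if it does not, no change is needed.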
@@ -8623,6 +8636,7 @@ CVE-2020-10188 (utility.c in telnetd in netkit telnet 
through 0.17 allows remote
 CVE-2019-20503 (usrsctp before 2019-12-20 has out-of-bounds reads in 
sctp_load_address ...)
        {DSA-4645-1 DSA-4642-1 DSA-4639-1 DLA-2150-1 DLA-2140-1}
        - libusrsctp 0.9.3.0+20200312-1 (bug #953270)
+       [buster] - libusrsctp <no-dsa> (Minor issue)
        - firefox 74.0-1
        - firefox-esr 68.6.0esr-1
        - thunderbird 1:68.6.0-1
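Review bot: "[buster] - libusrsctp <no-dsa> (Minor issue)" is added to CVE-2019-20503, an entry that already lists DSA-4645-1, DSA-4642-1 and DSA-4639-1 alongside the firefox, firefox-esr and thunderbird lines. The generic "Minor issue" reason does not say why the standalone library is rated differently from those packages; a more specific reason in the parentheses would make the decision auditable later.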
@@ -18246,7 +18260,9 @@ CVE-2020-6098
 CVE-2020-6097
        RESERVED
 CVE-2020-6096 (An exploitable signed comparison vulnerability exists in the 
ARMv7 mem ...)
-       - glibc <unfixed>
+       - glibc <unfixed> (low)
+       [buster] - glibc <no-dsa> (Minor issue)
+       [stretch] - glibc <no-dsa> (Minor issue)
        [jessie] - glibc <not-affected> (Vulnerable code not present)
        NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=25620
        NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2020-1019
@@ -20160,6 +20176,8 @@ CVE-2020-5250 (In PrestaShop before version 1.7.6.4, 
when a customer edits their
        NOT-FOR-US: PrestaShop
 CVE-2020-5249 (In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application 
using Pum ...)
        - puma 3.12.4-1 (bug #953122)
+       [buster] - puma <no-dsa> (Minor issue)
+       [stretch] - puma <no-dsa> (Minor issue)
        NOTE: 
https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
        NOTE: 
https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
 CVE-2020-5248 (GLPI before before version 9.4.6 has a vulnerability involving 
a defau ...)
@@ -20169,6 +20187,8 @@ CVE-2020-5248 (GLPI before before version 9.4.6 has a 
vulnerability involving a
        NOTE: 
https://github.com/glpi-project/glpi/commit/efd14468c92c4da43333aa9735e65fd20cbc7c6c
 CVE-2020-5247 (In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an 
application us ...)
        - puma 3.12.4-1 (bug #952766)
+       [buster] - puma <no-dsa> (Minor issue)
+       [stretch] - puma <no-dsa> (Minor issue)
        NOTE: 
https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
        NOTE: 
https://github.com/puma/puma/commit/1b17e85a06183cd169b41ca719928c26d44a6e03 
(3.12.3)
        NOTE: 
https://github.com/puma/puma/commit/694feafcd4fdcea786a0730701dad933f7547bea 
(4.3.2)


=====================================
data/dsa-needed.txt
=====================================
@@ -14,10 +14,14 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 chromium
 --
+dovecot/stable
+--
 jruby/oldstable
 --
 libopenmpt
 --
+knot-resolver/stable
+--
 linux (carnil)
   Wait until more issues have piled up
 --
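Review bot: "knot-resolver/stable" is inserted after "libopenmpt", which breaks the alphabetical order the visible entries otherwise follow (chromium, dovecot, jruby, libopenmpt, linux). Moving it between "jruby/oldstable" and "libopenmpt" keeps the list sorted and easier to scan.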
@@ -28,6 +32,10 @@ nss/oldstable (jmm)
 --
 pdns-recursor (jmm)
 --
+php7.0/oldstable
+--
+php7.3/stable
+--
 poppler (jmm)
 --
 squid3/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b41643bccb5c7a78c7f2fae6d8ef2888fa12597
