Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c2e9bdff by Moritz Muehlenhoff at 2020-05-27T22:36:54+02:00
buster/stretch triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -50,6 +50,8 @@ CVE-2020-13615 (lib/QoreSocket.cpp in Qore before 0.9.4.2 
lacks hostname verific
        NOT-FOR-US: Qore
 CVE-2020-13614 (An issue was discovered in ssl.c in Axel before 2.17.8. The 
TLS implem ...)
        - axel 2.17.8-1
+       [buster] - axel <no-dsa> (Minor issue)
+       [stretch] - axel <no-dsa> (Minor issue)
        NOTE: https://github.com/axel-download-accelerator/axel/issues/262
 CVE-2020-13613
        RESERVED
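Review bot: the two added no-dsa lines for axel give only "(Minor issue)" as rationale, although the description for CVE-2020-13614 points at ssl.c and the TLS implementation of a download client; a one-clause reason (e.g. what the TLS flaw does and does not allow, or that it can go into a point release) would make the buster/stretch decision auditable later, as in `[buster] - axel <no-dsa> (Minor issue; can be fixed via point release)`.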
@@ -5165,7 +5167,7 @@ CVE-2020-11763 (An issue was discovered in OpenEXR before 
2.4.1. There is an std
        - openexr <unfixed> (bug #959444)
        [jessie] - openexr <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
-       TODO: check fixing commit
+       NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/pull/643/commits/d0303d1785d2a8cb994efee9efa81f8ee4be4c17
 CVE-2020-11762 (An issue was discovered in OpenEXR before 2.4.1. There is an 
out-of-bo ...)
        [experimental] - openexr 2.5.0-1
        - openexr <unfixed> (bug #959444)
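Review bot: the new NOTE for CVE-2020-11763 references a commit inside a pull request (`pull/643/commits/d0303d17...`); if the PR was squashed or rebased on merge, that hash will not exist on the release branch, so record the merged commit as well and use the `NOTE: Fixed by:` prefix that the other entries in this file use for fixing commits.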
@@ -5198,7 +5200,7 @@ CVE-2020-11758 (An issue was discovered in OpenEXR before 
2.4.1. There is an out
        - openexr <unfixed> (bug #959444)
        [jessie] - openexr <no-dsa> (Minor issue)
        NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
-       TODO: check isolated commit to fix issue
+       NOTE: 
https://github.com/AcademySoftwareFoundation/openexr/commit/7a52d40ae23c148f27116cb1f6e897b9143b372c
 CVE-2020-11757
        RESERVED
 CVE-2020-11756
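Review bot: the TODO for CVE-2020-11758 asked whether an isolated fixing commit exists, and the replacement NOTE only gives a URL without saying so; since openexr is still `<unfixed>` in unstable and the stable update will be a backport, state that this commit is the self-contained fix (`NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/openexr/commit/7a52d40a...`) so nobody has to redo the check.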
@@ -5475,6 +5477,7 @@ CVE-2020-11654
        RESERVED
 CVE-2020-11653 (An issue was discovered in Varnish Cache before 6.0.6 LTS, 
6.1.x and 6 ...)
        - varnish 6.4.0-1 (bug #956307)
+       [buster] - varnish <postponed> (Can be fixed along in next DSA)
        [stretch] - varnish <not-affected> (Only affects 6.x)
        [jessie] - varnish <not-affected> (Only affects 6.x)
        NOTE: https://varnish-cache.org/security/VSV00005.html#vsv00005
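Review bot: wording in the new buster line for CVE-2020-11653 should read "Can be fixed along with next DSA" rather than "along in"; the postponed status itself is consistent with the description ("before 6.0.6 LTS, 6.1.x and 6 ..."), which places buster's 6.x varnish in the affected range while stretch and jessie stay not-affected.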
@@ -6076,33 +6079,45 @@ CVE-2020-11527 (In Zoho ManageEngine OpManager before 
12.4.181, an unauthenticat
        NOT-FOR-US: Zoho
 CVE-2020-11526 (libfreerdp/core/update.c in FreeRDP versions &gt; 1.1 through 
2.0.0-rc ...)
        - freerdp2 <unfixed>
+       [buster] - freerdp2 <no-dsa> (Minor issue)
        - freerdp <removed>
+       [stretch] - freerdp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-97jw-m5w5-xvf9
        NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/192856cb59974ee4d7d3e72cbeafa676aa7565cf
        NOTE: https://github.com/FreeRDP/FreeRDP/issues/6012
 CVE-2020-11525 (libfreerdp/cache/bitmap.c in FreeRDP versions &gt; 1.0 through 
2.0.0-r ...)
        - freerdp2 <unfixed>
+       [buster] - freerdp2 <no-dsa> (Minor issue)
        - freerdp <removed>
+       [stretch] - freerdp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9755-fphh-gmjg
        NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/0b6b92a25a77d533b8a92d6acc840a81e103684e
 CVE-2020-11524 (libfreerdp/codec/interleaved.c in FreeRDP versions &gt; 1.0 
through 2. ...)
        - freerdp2 <unfixed>
+       [buster] - freerdp2 <no-dsa> (Minor issue)
        - freerdp <removed>
+       [stretch] - freerdp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgw8-3mp2-p5qw
        NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/7b1d4b49391b4512402840431757703a96946820
 CVE-2020-11523 (libfreerdp/gdi/region.c in FreeRDP versions &gt; 1.0 through 
2.0.0-rc4 ...)
        - freerdp2 <unfixed>
+       [buster] - freerdp2 <no-dsa> (Minor issue)
        - freerdp <removed>
+       [stretch] - freerdp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4qrh-8cp8-4x42
        NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/ce21b9d7ecd967e0bc98ed31a6b3757848aa6c9e
 CVE-2020-11522 (libfreerdp/gdi/gdi.c in FreeRDP &gt; 1.0 through 2.0.0-rc4 has 
an Out- ...)
        - freerdp2 <unfixed>
+       [buster] - freerdp2 <no-dsa> (Minor issue)
        - freerdp <removed>
+       [stretch] - freerdp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-48wx-7vgj-fffh
        NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/907640a924fa7a9a99c80a48ac225e9d8e41548b
 CVE-2020-11521 (libfreerdp/codec/planar.c in FreeRDP version &gt; 1.0 through 
2.0.0-rc ...)
        - freerdp2 <unfixed>
+       [buster] - freerdp2 <no-dsa> (Minor issue)
        - freerdp <removed>
+       [stretch] - freerdp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5cwc-6wc9-255w
        NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/17f547ae11835bb11baa3d045245dc1694866845
 CVE-2020-11520
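Review bot: twelve identical `<no-dsa> (Minor issue)` annotations are added for CVE-2020-11521 through CVE-2020-11526 without recording why out-of-bounds accesses in the codec, cache and gdi code are considered minor; give the actual reason once (e.g. exposure only when a client connects to a malicious server) so the decision can be revisited. Also, only CVE-2020-11526 prefixes its commit URL with `NOTE: Fixed by:`; the commit URLs for the other five entries should use the same prefix so they are distinguishable from plain references.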
@@ -7095,7 +7110,9 @@ CVE-2020-11059
        RESERVED
 CVE-2020-11058 (In FreeRDP after 1.1 and before 2.0.0, a stream out-of-bounds 
seek in  ...)
        - freerdp2 <unfixed>
+       [buster] - freerdp2 <no-dsa> (Minor issue)
        - freerdp <removed>
+       [stretch] - freerdp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wjg2-2f82-466g
        NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/3627aaf7d289315b614a584afb388f04abfb5bbf
        NOTE: https://github.com/FreeRDP/FreeRDP/issues/6011
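Review bot: the commit URL for CVE-2020-11058 (3627aaf7...) lacks the `Fixed by:` prefix used by neighbouring FreeRDP entries; add it so the fixing commit is not mistaken for a plain reference when the buster/stretch status is revisited.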
@@ -7120,25 +7137,33 @@ CVE-2020-11050 (In Java-WebSocket less than or equal to 
1.4.1, there is an Impro
        NOT-FOR-US: Java-WebSocket, different from src:websocket-api
 CVE-2020-11049 (In FreeRDP after 1.1 and before 2.0.0, there is an 
out-of-bound read o ...)
        - freerdp2 <unfixed>
+       [buster] - freerdp2 <no-dsa> (Minor issue)
        - freerdp <removed>
+       [stretch] - freerdp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wwh7-r2r8-xjpr
        NOTE: Fixed with: https://github.com/FreeRDP/FreeRDP/pull/6019
        NOTE: https://github.com/FreeRDP/FreeRDP/issues/6008
 CVE-2020-11048 (In FreeRDP after 1.0 and before 2.0.0, there is an 
out-of-bounds read. ...)
        - freerdp2 <unfixed>
+       [buster] - freerdp2 <no-dsa> (Minor issue)
        - freerdp <removed>
+       [stretch] - freerdp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hv8w-f2hx-5gcv
        NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/9301bfe730c66180263248b74353daa99f5a969b
        NOTE: https://github.com/FreeRDP/FreeRDP/issues/6007
 CVE-2020-11047 (In FreeRDP after 1.1 and before 2.0.0, there is an 
out-of-bounds read  ...)
        - freerdp2 <unfixed>
+       [buster] - freerdp2 <no-dsa> (Minor issue)
        - freerdp <removed>
+       [stretch] - freerdp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9fw6-m2q8-h5pw
        NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/f5e73cc7c9cd973b516a618da877c87b80950b65
        NOTE: https://github.com/FreeRDP/FreeRDP/issues/6009
 CVE-2020-11046 (In FreeRDP after 1.0 and before 2.0.0, there is a stream 
out-of-bounds ...)
        - freerdp2 <unfixed>
+       [buster] - freerdp2 <no-dsa> (Minor issue)
        - freerdp <removed>
+       [stretch] - freerdp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hx48-wmmm-mr5q
        NOTE: Fixed  by: 
https://github.com/FreeRDP/FreeRDP/commit/ed53cd148f43cbab905eaa0f5308c2bf3c48cc37
        NOTE: https://github.com/FreeRDP/FreeRDP/issues/6006
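Review bot: for CVE-2020-11049 the fix is recorded only as a pull request (`Fixed with: https://github.com/FreeRDP/FreeRDP/pull/6019`), which is not directly cherry-pickable; record the merged commit as the other three entries in this hunk do. Minor style point: `NOTE: Fixed  by:` under CVE-2020-11046 has a double space.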
@@ -7150,6 +7175,7 @@ CVE-2020-11045 (In FreeRDP after 1.0 and before 2.0.0, 
there is an out-of-bound
        NOTE: https://github.com/FreeRDP/FreeRDP/issues/6005
 CVE-2020-11044 (In FreeRDP greater than 1.2 and before 2.0.0, a double free in 
update_ ...)
        - freerdp2 <unfixed>
+       [buster] - freerdp2 <no-dsa> (Minor issue)
        - freerdp <not-affected> (Vulnerable code introduced later)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgqh-p732-6x2w
        NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/67c2aa52b2ae0341d469071d1bc8aab91f8d2ed8
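Review bot: CVE-2020-11044 is a double free, a more serious primitive than the out-of-bounds reads in the surrounding entries, yet the buster line gets the same bare "(Minor issue)" rationale; spell out why (e.g. client-side only, attacker must control the server) so the no-dsa decision can be audited. The stretch `<not-affected>` line is consistent with the description's "greater than 1.2" lower bound.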
@@ -7158,7 +7184,9 @@ CVE-2020-11043
        RESERVED
 CVE-2020-11042 (In FreeRDP greater than 1.1 and before 2.0.0, there is an 
out-of-bound ...)
        - freerdp2 <unfixed>
+       [buster] - freerdp2 <no-dsa> (Minor issue)
        - freerdp <removed>
+       [stretch] - freerdp <no-dsa> (Minor issue)
        NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9jp6-5vf2-cx2q
        NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/6b2bc41935e53b0034fe5948aeeab4f32e80f30f
        NOTE: https://github.com/FreeRDP/FreeRDP/issues/6010
@@ -29960,9 +29988,9 @@ CVE-2020-2027
 CVE-2020-2026
        RESERVED
 CVE-2020-2025 (Kata Containers before 1.11.0 on Cloud Hypervisor persists 
guest files ...)
-       TODO: check
+       NOT-FOR-US: Kata Containers
 CVE-2020-2024 (An improper link resolution vulnerability affects Kata 
Containers vers ...)
-       TODO: check
+       NOT-FOR-US: Kata Containers
 CVE-2020-2023
        RESERVED
 CVE-2020-2022
@@ -30577,7 +30605,7 @@ CVE-2020-1899
 CVE-2020-1898
        RESERVED
 CVE-2020-1897 (A use-after-free is possible due to an error in lifetime 
management in ...)
-       TODO: check
+       NOT-FOR-US: Facebook Proxygen
 CVE-2020-1896
        RESERVED
 CVE-2020-1895 (A large heap overflow could occur in Instagram for Android when 
attemp ...)
@@ -32935,7 +32963,8 @@ CVE-2019-18862 (maidag in GNU Mailutils before 3.8 is 
installed setuid and allow
 CVE-2019-18861
        RESERVED
 CVE-2019-18860 (Squid before 4.9, when certain web browsers are used, 
mishandles HTML  ...)
-       - squid 4.9-1
+       - squid 4.9-1 (low)
+       [buster] - squid <no-dsa> (Minor issue)
        - squid3 <removed>
        NOTE: https://github.com/squid-cache/squid/pull/504
        NOTE: 
https://github.com/squid-cache/squid/commit/5cc4b155cee1a4968109737f6eba2ef29d51034d
 (SQUID_5_0_1)
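Review bot: the only fixing commit recorded for CVE-2019-18860 is tagged `(SQUID_5_0_1)`, i.e. from the 5.x branch, while buster is now marked no-dsa and would need a 4.x backport; add the corresponding 4.x branch commit (the description says fixed before 4.9) or note that the 5.x commit applies cleanly. The `(low)` tag on the unstable line and the buster no-dsa line are consistent with each other.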
@@ -47589,13 +47618,13 @@ CVE-2019-14877 (In the __mdiff function of the newlib 
libc library, all versions
        [stretch] - newlib <no-dsa> (Minor issue)
        [jessie] - newlib <ignored> (Minor issue)
        NOTE: 
https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/
-       TODO: picolibc might be affected, not yet in the archive
+       TODO: picolibc might be affected
 CVE-2019-14876 (In the __lshift function of the newlib libc library, all 
versions prio ...)
        - newlib 3.3.0-1
        [buster] - newlib <no-dsa> (Minor issue)
        [stretch] - newlib <no-dsa> (Minor issue)
        [jessie] - newlib <ignored> (Minor issue)
-       - picolibc <unfixed> (low)
+       - picolibc <unfixed> (unimportant)
        NOTE: 
https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/
 CVE-2019-14875 (In the __multiply function of the newlib libc library, all 
versions pr ...)
        - newlib 3.3.0-1
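Review bot: the picolibc severity for CVE-2019-14876 drops from `(low)` to `(unimportant)` with no reason given; tracker entries normally carry a short rationale for unimportant (e.g. NULL pointer dereference in a non-setuid context), so add one in the same commit. For CVE-2019-14877 the TODO still says "picolibc might be affected" even though the clause "not yet in the archive" was removed, so either add a picolibc line as done for 14876 or state what remains to be checked.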
@@ -47609,7 +47638,7 @@ CVE-2019-14874 (In the __i2b function of the newlib 
libc library, all versions p
        [buster] - newlib <no-dsa> (Minor issue)
        [stretch] - newlib <no-dsa> (Minor issue)
        [jessie] - newlib <ignored> (Minor issue)
-       - picolibc <unfixed> (low)
+       - picolibc <unfixed> (unimportant)
        NOTE: 
https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/
 CVE-2019-14873 (In the __multadd function of the newlib libc library, prior to 
version ...)
        - newlib 3.3.0-1
@@ -47617,21 +47646,21 @@ CVE-2019-14873 (In the __multadd function of the 
newlib libc library, prior to v
        [stretch] - newlib <no-dsa> (Minor issue)
        [jessie] - newlib <ignored> (Minor issue)
        NOTE: 
https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/
-       TODO: picolibc might be affected, not yet in the archive
+       TODO: picolibc might be affected
 CVE-2019-14872 (The _dtoa_r function of the newlib libc library, prior to 
version 3.3. ...)
        - newlib 3.3.0-1
        [buster] - newlib <no-dsa> (Minor issue)
        [stretch] - newlib <no-dsa> (Minor issue)
        [jessie] - newlib <ignored> (Minor issue)
        NOTE: 
https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/
-       TODO: picolibc might be affected, not yet in the archive
+       TODO: picolibc might be affected
 CVE-2019-14871 (The REENT_CHECK macro (see newlib/libc/include/sys/reent.h) as 
used by ...)
        - newlib 3.3.0-1
        [buster] - newlib <no-dsa> (Minor issue)
        [stretch] - newlib <no-dsa> (Minor issue)
        [jessie] - newlib <ignored> (Minor issue)
        NOTE: 
https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/
-       TODO: picolibc might be affected, not yet in the archive
+       TODO: picolibc might be affected
 CVE-2019-14870 (All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 
and 4.11 ...)
        - samba 2:4.11.3+dfsg-1
        [buster] - samba <no-dsa> (Minor issue)
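Review bot: CVE-2019-14873, CVE-2019-14872 and CVE-2019-14871 keep a `TODO: picolibc might be affected` while their siblings CVE-2019-14876 and CVE-2019-14874 already carry a `- picolibc <unfixed> (unimportant)` line; the five CVEs come from the same census-labs report, so resolve them consistently (add the picolibc line or record why these three differ) rather than leaving half the set as TODOs.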
@@ -62870,6 +62899,7 @@ CVE-2019-10065 (An issue was discovered in Open Ticket 
Request System (OTRS) 7.0
 CVE-2019-10064 (hostapd before 2.6, in EAP mode, makes calls to the rand() and 
random( ...)
        {DLA-2138-1}
        - wpa 2:2.6-7
+       [stretch] - wpa <no-dsa> (Minor issue)
        NOTE: https://www.openwall.com/lists/oss-security/2020/02/27/1
        NOTE: Comment from upstream: 
https://www.openwall.com/lists/oss-security/2020/02/27/2
        NOTE: Issue fixed in conjunction with CVE-2016-10743.
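Review bot: the new `[stretch] - wpa <no-dsa>` line for CVE-2019-10064 should stay in sync with CVE-2016-10743, since the NOTE says the issue was fixed together with that CVE; cross-reference it in the rationale (e.g. "Minor issue; fixed together with CVE-2016-10743") so a later DSA or point update for one does not leave the other marked unfixed.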
@@ -70607,6 +70637,7 @@ CVE-2019-7548 (SQLAlchemy 1.2.17 has SQL Injection when 
the group_by parameter c
        {DLA-1718-1}
        [experimental] - sqlalchemy 1.3.0~b3+ds1-1
        - sqlalchemy 1.2.18+ds1-2 (bug #922669)
+       [stretch] - sqlalchemy <no-dsa> (Minor issue)
        NOTE: https://github.com/sqlalchemy/sqlalchemy/issues/4481
        NOTE: 
https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414
 CVE-2019-7547 (An issue was discovered in SIDU 6.0. Because the database name 
is not  ...)
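Review bot: for CVE-2019-7548 jessie received DLA-1718-1 but stretch is now `<no-dsa> (Minor issue)`; the description calls it SQL injection via the group_by parameter, so record why it is minor for stretch (e.g. the parameter is developer-controlled rather than user input) to justify the different treatment between the two releases.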
@@ -71685,6 +71716,7 @@ CVE-2019-7164 (SQLAlchemy through 1.2.17 and 1.3.x 
through 1.3.0b2 allows SQL In
        {DLA-1718-1}
        [experimental] - sqlalchemy 1.3.0~b3+ds1-1
        - sqlalchemy 1.2.18+ds1-2 (bug #922669)
+       [stretch] - sqlalchemy <no-dsa> (Minor issue)
        NOTE: https://github.com/sqlalchemy/sqlalchemy/issues/4481
        NOTE: 
https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414
 CVE-2019-7163 (The web interface of Alcatel LINKZONE MW40-V-V1.0 
MW40_LU_02.00_02 dev ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2e9bdff2314441ad8dcd1c3f5c0d53ec908709a



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
