Adrian Bunk pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
1b915665 by Adrian Bunk at 2020-07-27T17:34:32+03:00
Update version information for libjpeg-turbo
- CVE-2020-13790 is fixed in 2.0.5
- CVE-2019-2201 fix is now in unstable
- CVE-2018-14498 fix is now in unstable
- CVE-2018-11813 is fixed in 2.0.0
- CVE-2018-1152 fix is now in unstable
- CVE-2017-15232 fix is now in unstable
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -5440,7 +5440,7 @@ CVE-2020-13791 (hw/pci/pci.c in QEMU 4.2.0 allows guest
OS users to trigger an o
NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/1
NOTE:
https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00831.html
CVE-2020-13790 (libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based
buffer over-r ...)
- - libjpeg-turbo <unfixed> (bug #962829)
+ - libjpeg-turbo 1:2.0.5-1 (bug #962829)
[buster] - libjpeg-turbo <no-dsa> (Minor issue)
[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
[jessie] - libjpeg-turbo <ignored> (No package in Debian jessie uses
the TurboJPEG API)
@@ -92300,8 +92300,7 @@ CVE-2019-2203 (In CryptoPlugin::decrypt of
CryptoPlugin.cpp, there is a possible
CVE-2019-2202 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a
possible out ...)
NOT-FOR-US: Android media framework
CVE-2019-2201 (In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S,
there is ...)
- [experimental] - libjpeg-turbo 1:2.0.3-1~exp1
- - libjpeg-turbo <unfixed> (low)
+ - libjpeg-turbo 1:2.0.3-1~exp1 (low)
[buster] - libjpeg-turbo <no-dsa> (Minor issue)
[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
[jessie] - libjpeg-turbo <ignored> (No package in Debian jessie uses
the TurboJPEG API)
@@ -111611,8 +111610,7 @@ CVE-2018-14499 (An issue was found in HYBBS through
2016-03-08. There is an XSS
NOT-FOR-US: HYBBS
CVE-2018-14498 (get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and
MozJPEG th ...)
{DLA-1719-1}
- [experimental] - libjpeg-turbo 1:2.0.2-1~exp1
- - libjpeg-turbo <unfixed> (low; bug #924678)
+ - libjpeg-turbo 1:2.0.2-1~exp1 (low; bug #924678)
[buster] - libjpeg-turbo <no-dsa> (Minor issue)
[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
- mozjpeg <itp> (bug #741487)
@@ -118652,7 +118650,7 @@ CVE-2018-11814
RESERVED
CVE-2018-11813 (libjpeg 9c has a large loop because read_pixel in rdtarga.c
mishandles ...)
- libjpeg9 1:9d-1 (unimportant; bug #904719)
- - libjpeg-turbo <unfixed> (unimportant)
+ - libjpeg-turbo 1:2.0.2-1~exp1 (unimportant)
NOTE:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/909a8cfc7bca9b2e6707425bdb74da997e8fa499
NOTE: Infinite loop in CLI tool, no security impact
CVE-2018-11812
@@ -149337,8 +149335,7 @@ CVE-2018-1153 (Burp Suite Community Edition 1.7.32
and 1.7.33 fail to validate t
NOT-FOR-US: Burp Suite (different from src:burp)
CVE-2018-1152 (libjpeg-turbo 1.5.90 is vulnerable to a denial of service
vulnerabilit ...)
{DLA-1638-1}
- [experimental] - libjpeg-turbo 1:2.0.2-1~exp1
- - libjpeg-turbo <unfixed> (low; bug #902950)
+ - libjpeg-turbo 1:2.0.2-1~exp1 (low; bug #902950)
[buster] - libjpeg-turbo <no-dsa> (Minor issue)
[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
NOTE:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6
@@ -158565,8 +158562,7 @@ CVE-2017-15234
CVE-2017-15233
RESERVED
CVE-2017-15232 (libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in
jdpostct.c and j ...)
- [experimental] - libjpeg-turbo 1:2.0.2-1~exp1
- - libjpeg-turbo <unfixed> (unimportant; bug #878567)
+ - libjpeg-turbo 1:2.0.2-1~exp1 (unimportant; bug #878567)
- libjpeg6b <not-affected> (Vulnerable code not present)
- libjpeg8 <not-affected> (Vulnerable code not present)
- libjpeg9 <not-affected> (Vulnerable code not present)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b91566598fc7c33afb7f3b18d17310147152b80
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b91566598fc7c33afb7f3b18d17310147152b80
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
