Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
e305958f by Salvatore Bonaccorso at 2020-07-27T17:14:49+02:00
Correct tracking of libjpeg-turbo versions which entered unstable
We want to track the version which entered unstable accordingly. The
experimental tagged versions are helpers for tracking fixes which went
trough experimental OTOH. A while back we implemented this support for
[experimental] to help those situations and later on beeing able to
track the unstable versions. The untagged entries refer always to
unstable.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -92300,7 +92300,7 @@ CVE-2019-2203 (In CryptoPlugin::decrypt of
CryptoPlugin.cpp, there is a possible
CVE-2019-2202 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a
possible out ...)
NOT-FOR-US: Android media framework
CVE-2019-2201 (In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S,
there is ...)
- - libjpeg-turbo 1:2.0.3-1~exp1 (low)
+ - libjpeg-turbo 1:2.0.5-1 (low)
[buster] - libjpeg-turbo <no-dsa> (Minor issue)
[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
[jessie] - libjpeg-turbo <ignored> (No package in Debian jessie uses
the TurboJPEG API)
@@ -111610,7 +111610,7 @@ CVE-2018-14499 (An issue was found in HYBBS through
2016-03-08. There is an XSS
NOT-FOR-US: HYBBS
CVE-2018-14498 (get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and
MozJPEG th ...)
{DLA-1719-1}
- - libjpeg-turbo 1:2.0.2-1~exp1 (low; bug #924678)
+ - libjpeg-turbo 1:2.0.5-1 (low; bug #924678)
[buster] - libjpeg-turbo <no-dsa> (Minor issue)
[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
- mozjpeg <itp> (bug #741487)
@@ -118650,7 +118650,7 @@ CVE-2018-11814
RESERVED
CVE-2018-11813 (libjpeg 9c has a large loop because read_pixel in rdtarga.c
mishandles ...)
- libjpeg9 1:9d-1 (unimportant; bug #904719)
- - libjpeg-turbo 1:2.0.2-1~exp1 (unimportant)
+ - libjpeg-turbo 1:2.0.5-1 (unimportant)
NOTE:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/909a8cfc7bca9b2e6707425bdb74da997e8fa499
NOTE: Infinite loop in CLI tool, no security impact
CVE-2018-11812
@@ -149335,7 +149335,7 @@ CVE-2018-1153 (Burp Suite Community Edition 1.7.32
and 1.7.33 fail to validate t
NOT-FOR-US: Burp Suite (different from src:burp)
CVE-2018-1152 (libjpeg-turbo 1.5.90 is vulnerable to a denial of service
vulnerabilit ...)
{DLA-1638-1}
- - libjpeg-turbo 1:2.0.2-1~exp1 (low; bug #902950)
+ - libjpeg-turbo 1:2.0.5-1 (low; bug #902950)
[buster] - libjpeg-turbo <no-dsa> (Minor issue)
[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
NOTE:
https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6
@@ -158562,7 +158562,7 @@ CVE-2017-15234
CVE-2017-15233
RESERVED
CVE-2017-15232 (libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in
jdpostct.c and j ...)
- - libjpeg-turbo 1:2.0.2-1~exp1 (unimportant; bug #878567)
+ - libjpeg-turbo 1:2.0.5-1 (unimportant; bug #878567)
- libjpeg6b <not-affected> (Vulnerable code not present)
- libjpeg8 <not-affected> (Vulnerable code not present)
- libjpeg9 <not-affected> (Vulnerable code not present)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e305958f2b72607cbf93226dbb4f2677c85dddb2
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e305958f2b72607cbf93226dbb4f2677c85dddb2
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
