Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
116f39de by Moritz Muehlenhoff at 2020-10-12T19:45:22+02:00
buster triage
reviewed the status of some old issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1769,6 +1769,7 @@ CVE-2020-26116 (http.client in Python 3.x before 3.5.10, 
3.6.x before 3.6.12, 3.
        - python3.9 3.9.0~b5-1
        - python3.8 3.8.5-1
        - python3.7 <removed>
+       [buster] - python3.7 <no-dsa> (Minor issue)
        - python3.5 <removed>
        NOTE: https://bugs.python.org/issue39603
        NOTE: 
https://python-security.readthedocs.io/vuln/http-header-injection-method.html
@@ -2606,6 +2607,7 @@ CVE-2020-25740
 CVE-2020-25739 (An issue was discovered in the gon gem before gon-6.4.0 for 
Ruby. Mult ...)
        {DLA-2380-1}
        - ruby-gon <unfixed> (bug #970938)
+       [buster] - ruby-gon <no-dsa> (Minor issue)
        NOTE: 
https://github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7
 CVE-2020-25738
        RESERVED
@@ -2825,6 +2827,7 @@ CVE-2020-25638
 CVE-2020-25637 (A double free memory issue was found to occur in the libvirt 
API, in v ...)
        {DLA-2395-1}
        - libvirt <unfixed> (bug #971555)
+       [buster] - libvirt <no-dsa> (Minor issue)
        NOTE: Introduced by: 
https://libvirt.org/git/?p=libvirt.git;a=commit;h=0977b8aa071de550e1a013d35e2c72615e65d520
 (v1.2.14-rc1)
        NOTE: Fixed by: 
https://libvirt.org/git/?p=libvirt.git;a=commit;h=955029bd0ad7ef96000f529ac38204a8f4a96401
 (v6.8.0)
        NOTE: Fixed by: 
https://libvirt.org/git/?p=libvirt.git;a=commit;h=50864dcda191eb35732dbd80fb6ca251a6bba923
 (v6.8.0)
@@ -22336,11 +22339,13 @@ CVE-2020-16122
        RESERVED
        {DLA-2399-1}
        - packagekit <unfixed>
+       [buster] - packagekit <no-dsa> (Minor issue)
        NOTE: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098
 CVE-2020-16121
        RESERVED
        {DLA-2399-1}
        - packagekit <unfixed>
+       [buster] - packagekit <no-dsa> (Minor issue)
        NOTE: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1888887
 CVE-2020-16120
        RESERVED
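Review bot: both packagekit entries in this hunk (CVE-2020-16122 and CVE-2020-16121) stay marked `RESERVED` although a DLA has already been issued for them and each has a Launchpad bug in its NOTE; this file's convention for reserved-but-known issues is a bracketed summary on the CVE line, as in `CVE-2017-8761 [Swift tempurl middleware reveals signatures in the logfiles]` further down, so adding such a summary here would make the entries searchable before the CVE text is published.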
@@ -46935,6 +46940,7 @@ CVE-2020-7070 (In PHP versions 7.2.x below 7.2.34, 
7.3.x below 7.3.23 and 7.4.x
        {DLA-2397-1}
        - php7.4 7.4.11-1
        - php7.3 <removed>
+       [buster] - php7.3 <postponed> (Minor issue, likely to introduce 
tegressions, wait for one more 7.3 upstream release)
        - php7.0 <removed>
        NOTE: Fixed in PHP 7.4.11, 7.3.23, 7.2.34
        NOTE: PHP Bug: https://bugs.php.net/79699
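Review bot: the added `[buster] - php7.3 <postponed>` line carries a typo in its free-text rationale: "tegressions" should read "regressions"; since this text is shown verbatim in the tracker's web view, it is worth correcting to "(Minor issue, likely to introduce regressions, wait for one more 7.3 upstream release)".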
@@ -46942,8 +46948,7 @@ CVE-2020-7070 (In PHP versions 7.2.x below 7.2.34, 
7.3.x below 7.3.23 and 7.4.x
 CVE-2020-7069 (In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 
7.4.x below ...)
        - php7.4 7.4.11-1
        - php7.3 <removed>
-       - php7.0 <removed>
-       [stretch] - php7.0 <not-affected> (Affected code not present)
+       - php7.0 <not-affected> (Affected code not present)
        NOTE: Fixed in PHP 7.4.11, 7.3.23, 7.2.34
        NOTE: PHP Bug: https://bugs.php.net/79601
        NOTE: 
https://git.php.net/?p=php-src.git;a=commit;h=0216630ea2815a5789a24279a1211ac398d4de79
@@ -51686,12 +51691,14 @@ CVE-2020-5218 (Affected versions of Sylius give 
attackers the ability to switch
        NOT-FOR-US: Sylius
 CVE-2020-5217 (In Secure Headers (RubyGem secure_headers), a directive 
injection vuln ...)
        - ruby-secure-headers 6.3.1-1 (bug #949999)
+       [buster] - ruby-secure-headers <no-dsa> (Minor issue)
        NOTE: 
https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
        NOTE: 
https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3
        NOTE: https://github.com/twitter/secure_headers/issues/418
        NOTE: https://github.com/twitter/secure_headers/pull/421
 CVE-2020-5216 (In Secure Headers (RubyGem secure_headers), a directive 
injection vuln ...)
        - ruby-secure-headers 6.3.1-1 (bug #949998)
+       [buster] - ruby-secure-headers <no-dsa> (Minor issue)
        NOTE: 
https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg
        NOTE: 
https://github.com/twitter/secure_headers/commit/301695706f6a70517c2a90c6ef9b32178440a2d0
 CVE-2020-5215 (In TensorFlow before 1.15.2 and 2.0.1, converting a string 
(from Pytho ...)
@@ -129333,8 +129340,9 @@ CVE-2018-16849 (A flaw was found in 
openstack-mistral. By manipulating the SSH p
        [stretch] - mistral 3.0.0-4+deb9u1
        NOTE: https://bugs.launchpad.net/mistral/+bug/1783708
 CVE-2018-16848 (A Denial of Service (DoS) condition is possible in OpenStack 
Mistral i ...)
-       - mistral <undetermined>
+       - mistral 10.0.0~rc1-2
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1645332
+       NOTE: https://bugs.launchpad.net/mistral/%2Bbug/1785657
 CVE-2018-16847 (An OOB heap buffer r/w access issue was found in the NVM 
Express Contr ...)
        - qemu 1:3.1+dfsg-1 (bug #912655)
        [stretch] - qemu <not-affected> (support for Controller Memory Buffers 
added later)
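Review bot: the new NOTE for CVE-2018-16848 uses a percent-encoded plus, `https://bugs.launchpad.net/mistral/%2Bbug/1785657`, while the other Launchpad references in this file, including the one a few lines above (`https://bugs.launchpad.net/mistral/+bug/1783708`), use the literal `+bug` form; normalising to `+bug/1785657` keeps the links consistent and easier to grep.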
@@ -139479,7 +139487,6 @@ CVE-2018-12888
 CVE-2018-12887
        RESERVED
 CVE-2018-12886 (stack_protect_prologue in cfgexpand.c and 
stack_protect_epilogue in fu ...)
-       - gcc-snapshot <unfixed>
        - gcc-8 <unfixed>
        [buster] - gcc-8 <ignored> (Too intrusive to backport)
        - gcc-7 <unfixed>
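Review bot: dropping `- gcc-snapshot <unfixed>` leaves no record in the CVE-2018-12886 entry of why gcc-snapshot is no longer tracked for this issue, while gcc-8 and gcc-7 remain `<unfixed>`; a one-line NOTE stating the reason would make the decision recoverable for the next person triaging this entry.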
@@ -150745,9 +150752,7 @@ CVE-2018-8833 (Heap-based buffer overflow 
vulnerabilities in Advantech WebAccess
 CVE-2018-8832 (enhavo 0.4.0 has XSS via a user-group that contains executable 
JavaScr ...)
        NOT-FOR-US: enhavo
 CVE-2018-8831 (A Persistent XSS vulnerability exists in Kodi (formerly XBMC) 
through  ...)
-       - kodi <unfixed> (low)
-       [buster] - kodi <ignored> (Minor issue)
-       [stretch] - kodi <ignored> (Minor issue)
+       - kodi <not-affected> (Chorus not included in Kodi as shipped in Debian)
        - xbmc <removed>
        [jessie] - xbmc <no-dsa> (Minor issue)
        [wheezy] - xbmc <no-dsa> (Minor issue)
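Review bot: kodi is changed to `<not-affected> (Chorus not included in Kodi as shipped in Debian)`, but the `xbmc <removed>` line and its jessie/wheezy `<no-dsa> (Minor issue)` entries keep the old assessment; if the Chorus rationale applies to the xbmc packages too, those lines should be aligned with it, and if it does not, a NOTE saying so would avoid the apparent contradiction.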
@@ -154067,9 +154072,8 @@ CVE-2018-7579 
(\application\admin\controller\update_urls.class.php in YzmCMS 3.6
 CVE-2018-7578
        RESERVED
 CVE-2018-7577 (Memcpy parameter overlap in Google Snappy library 1.1.4, as 
used in Go ...)
-       - snappy <undetermined>
+       - tensorflow <itp> (bug #804612)
        NOTE: 
https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-005.md
-       NOTE: There are no useful details, could just as well be a misuse of 
snappy by Tensorflow
 CVE-2018-7576 (Google TensorFlow 1.6.x and earlier is affected by: Null 
Pointer Deref ...)
        - tensorflow <itp> (bug #804612)
 CVE-2018-7575 (Google TensorFlow 1.7.x and earlier is affected by a Buffer 
Overflow v ...)
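Review bot: the removed NOTE ("There are no useful details, could just as well be a misuse of snappy by Tensorflow") was the only stated rationale in the CVE-2018-7577 entry, and the replacement line reassigns the issue from `snappy <undetermined>` to `tensorflow <itp>` without saying why snappy is now out of scope; keeping a short NOTE next to the reassignment (for instance that the issue is in TensorFlow's use of snappy rather than in snappy itself, if that is the conclusion) would preserve the reasoning.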
@@ -202334,8 +202338,7 @@ CVE-2017-8762 (GeniXCMS 1.0.2 has XSS triggered by an 
authenticated user who sub
        NOT-FOR-US: GenixCMS
 CVE-2017-8761 [Swift tempurl middleware reveals signatures in the logfiles]
        RESERVED
-       - swift <unfixed>
-       [buster] - swift <no-dsa> (Minor issue)
+       - swift 2.17.0-2
        [stretch] - swift <no-dsa> (Minor issue)
        [jessie] - swift <end-of-life> (Not supported in Jessie LTS)
        NOTE: https://bugs.launchpad.net/swift/+bug/1685798



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/116f39deb878e8f3e0f104a828b01af22df712c3



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
