Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 3600d8c8 by Moritz Muehlenhoff at 2018-01-28T03:34:15+01:00 icu not affected openjfx no-dsa (no specific information provided, but low CVSS score in Oracle advisory) libraw no-dsa remaining libvorbis issues postponed obs-build no-dsa libkohana2-php ignored add and take libvorbis to dsa-needed - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: ===================================== data/CVE/list ===================================== --- a/data/CVE/list +++ b/data/CVE/list @@ -9589,6 +9589,7 @@ CVE-2018-2582 (Vulnerability in the Java SE, Java SE Embedded component of Oracl - openjdk-8 <unfixed> CVE-2018-2581 (Vulnerability in the Java SE component of Oracle Java SE ...) - openjfx <unfixed> (bug #888530) + [stretch] - openjfx <no-dsa> (Minor issue) CVE-2018-2580 (Vulnerability in the Oracle Applications DBA component of Oracle ...) NOT-FOR-US: Oracle CVE-2018-2579 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of ...) @@ -12702,15 +12703,13 @@ CVE-2017-17485 (FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9. NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1528565#c0 NOTE: https://github.com/FasterXML/jackson-databind/issues/1855 CVE-2017-17484 (The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International ...) - [experimental] - icu 60.2-1 - - icu <unfixed> - [wheezy] - icu <not-affected> (Vulnerable code not present) + - icu <not-affected> (Vulnerable code not present, only experimental was ever affected and fixed in 60.2-1) NOTE: https://ssl.icu-project.org/trac/ticket/13510 NOTE: https://ssl.icu-project.org/trac/ticket/13490 NOTE: Fixed by: https://ssl.icu-project.org/trac/changeset/40714 NOTE: Testcase: https://ssl.icu-project.org/trac/changeset/40715 NOTE: POC: https://ssl.icu-project.org/trac/attachment/ticket/13490/poc.2.cpp - NOTE: Likely introduced by: https://ssl.icu-project.org/trac/changeset/40455/trunk/icu4c/source/common/ucnv_u8.cpp + NOTE: Introduced by https://ssl.icu-project.org/trac/changeset/40455/ CVE-2017-17483 RESERVED CVE-2017-17482 @@ -16712,12 +16711,16 @@ CVE-2017-16911 CVE-2017-16910 RESERVED - libraw 0.18.6-1 + [stretch] - libraw <no-dsa> (Minor issue) + [jessie] - libraw <no-dsa> (Minor issue) [wheezy] - libraw <no-dsa> (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e CVE-2017-16909 RESERVED - libraw 0.18.6-1 + [stretch] - libraw <no-dsa> (Minor issue) + [jessie] - libraw <no-dsa> (Minor issue) [wheezy] - libraw <no-dsa> (Minor issue) NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19 NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e @@ -23366,6 +23369,8 @@ CVE-2017-14805 CVE-2017-14804 [build: Exploit extractbuild to write to files in the host system] RESERVED - obs-build <unfixed> (bug #887306) + [stretch] - obs-build <no-dsa> (Minor issue) + [jessie] - obs-build <no-dsa> (Minor issue) NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1069904 CVE-2017-14803 (In NetIQ Access Manager 4.3 and 4.4, a bug exists in Identity Server ...) NOT-FOR-US: NetIQ Access Manager @@ -23855,6 +23860,7 @@ CVE-2017-14634 (In libsndfile 1.0.28, a divide-by-zero error exists in the funct NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788 CVE-2017-14633 (In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability ...) - libvorbis 1.3.5-4.1 (bug #876778) + [jessie] - libvorbis <postponed> (Minor issue, can be fixed along later) NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2329 NOTE: https://github.com/xiph/vorbis/pull/34 CVE-2017-14632 (Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing ...) @@ -23962,6 +23968,8 @@ CVE-2017-14609 (The server daemons in Kannel 1.5.0 and earlier create a PID file CVE-2017-14608 (In LibRaw through 0.18.4, an out of bounds read flaw related to ...) {DLA-1109-1} - libraw 0.18.5-1 (low) + [stretch] - libraw <no-dsa> (Minor issue) + [jessie] - libraw <no-dsa> (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/commit/d13e8f6d1e987b7491182040a188c16a395f1d21 NOTE: https://github.com/LibRaw/LibRaw/issues/101 CVE-2017-14607 (In ImageMagick 7.0.7-4 Q16, an out of bounds read flaw related to ...) @@ -24703,6 +24711,8 @@ CVE-2017-14341 (ImageMagick 7.0.6-6 has a large loop vulnerability in ReadWPGIma NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4eae304e773bad8a876c3c26fdffac24d4253ae4 CVE-2017-14348 (LibRaw before 0.18.4 has a heap-based Buffer Overflow in the ...) - libraw 0.18.5-1 + [stretch] - libraw <no-dsa> (Minor issue) + [jessie] - libraw <not-affected> (Vulnerable code not present) [wheezy] - libraw <not-affected> (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/100 NOTE: https://github.com/LibRaw/LibRaw/commit/8303e74b0567806dd5f16fc39aab70fe928de1a2 @@ -24917,6 +24927,8 @@ CVE-2017-14266 (tcprewrite in Tcpreplay 3.4.4 has a Heap-Based Buffer Overflow . NOTE: Patch enforce-maxpacket.patch addresses the issue CVE-2017-14265 (A Stack-based Buffer Overflow was discovered in xtrans_interpolate in ...) - libraw 0.18.5-1 + [stretch] - libraw <no-dsa> (Minor issue) + [jessie] - libraw <no-dsa> (Minor issue) [wheezy] - libraw <not-affected> (Vulnerable code not present) NOTE: https://github.com/LibRaw/LibRaw/issues/99 NOTE: https://github.com/LibRaw/LibRaw/commit/82616eff4c7f7437e96bdeeed238c3ef3dc12d60 @@ -25242,6 +25254,8 @@ CVE-2017-14165 (The ReadSUNImage function in coders/sun.c in GraphicsMagick 1.3. NOTE: https://sourceforge.net/p/graphicsmagick/bugs/442/ CVE-2017-14160 (The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 ...) - libvorbis <unfixed> (bug #876780) + [stretch] - libvorbis <postponed> (Minor issue, can be revisited once fixed upstream) + [jessie] - libvorbis <postponed> (Minor issue, can be revisited once fixed upstream) NOTE: http://www.openwall.com/lists/oss-security/2017/09/21/2 NOTE: http://www.openwall.com/lists/oss-security/2017/09/21/3 NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2330 @@ -25652,6 +25666,7 @@ CVE-2017-14052 CVE-2016-10510 (Cross-site scripting (XSS) vulnerability in the Security component of ...) {DLA-1241-1} - libkohana2-php <removed> + [jessie] - libkohana2-php <ignored> (Minor issue) NOTE: https://github.com/kohana/kohana/issues/107 NOTE: Fixed by https://github.com/kohana/core/pull/697 CVE-2016-10509 (SQL injection vulnerability in the updateAmazonOrderTracking function ...) @@ -33667,8 +33682,8 @@ CVE-2017-11334 (The address_space_write_continue function in exec.c in QEMU (aka NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=04bf2526ce87f21b32c9acba1c5518708c243ad0 CVE-2017-11333 (The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis ...) - libvorbis <unfixed> (low; bug #870341) - [stretch] - libvorbis <no-dsa> (Minor issue) - [jessie] - libvorbis <no-dsa> (Minor issue) + [stretch] - libvorbis <postponed> (Minor issue, can be revisited once fixed upstream) + [jessie] - libvorbis <postponed> (Minor issue, can be revisited once fixed upstream) NOTE: http://seclists.org/fulldisclosure/2017/Jul/82 NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2332 CVE-2017-11332 (The startread function in wav.c in Sound eXchange (SoX) 14.4.2 allows ...) ===================================== data/dsa-needed.txt ===================================== --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -78,6 +78,8 @@ tomcat8 -- unbound (jmm) -- +libvorbis (jmm) +-- wireshark (jmm) -- xen View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3600d8c81623b9564953dcf9f06a53e2fb9d788b --- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3600d8c81623b9564953dcf9f06a53e2fb9d788b You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ Secure-testing-commits mailing list Secure-testing-commits@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits