[Git][security-tracker-team/security-tracker][master] 4 commits: add link for fix of CVE-2020-26870

[Thorsten Alteholz]

Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2841d98f by Thorsten Alteholz at 2020-10-29T16:16:41+01:00
add link for fix of CVE-2020-26870

- - - - -
f237bbbc by Thorsten Alteholz at 2020-10-29T16:17:53+01:00
this CVE-2019-16728 will be fixed with next upload

- - - - -
c2935a5c by Thorsten Alteholz at 2020-10-29T16:21:21+01:00
consistently fix libsndfile CVEs in all suites

- - - - -
f5dc715a by Thorsten Alteholz at 2020-10-29T16:53:30+01:00
Reserve DLA-2418-1 for libsndfile

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2921,6 +2921,7 @@ CVE-2020-26871
 CVE-2020-26870 (Cure53 DOMPurify before 2.0.17 allows mutation XSS. This 
occurs becaus ...)
        - dompurify.js <removed>
        NOTE: 
https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/
+       NOTE: 
https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d
 CVE-2020-26869 (An information exposure vulnerability exists in PcVue 12, 
allowing a n ...)
        NOT-FOR-US: PcVue
 CVE-2020-26868 (A Denial Of Service vulnerability exists in PcVue from version 
8.10 on ...)
@@ -75432,7 +75433,6 @@ CVE-2019-16730 (processCommandUpgrade() in libcommon.so 
in Petwant PF-103 firmwa
        NOT-FOR-US: Petwant PF-103 and Petalk AI
 CVE-2019-16728 (DOMPurify before 2.0.1 allows XSS because of innerHTML 
mutation XSS (m ...)
        - dompurify.js <removed>
-       [stretch] - dompurify.js <ignored> (Minor issue)
        NOTE: https://research.securitum.com/dompurify-bypass-using-mxss/
 CVE-2019-16746 (An issue was discovered in net/wireless/nl80211.c in the Linux 
kernel  ...)
        {DLA-2114-1 DLA-2068-1}
@@ -113445,7 +113445,6 @@ CVE-2019-3833 (Openwsman, versions up to and 
including 2.6.9, are vulnerable to
 CVE-2019-3832 (It was discovered the fix for CVE-2018-19758 (libsndfile) was 
not comp ...)
        {DLA-1712-1}
        - libsndfile 1.0.28-6 (bug #922372)
-       [stretch] - libsndfile <not-affected> (Incomplete fix for 
CVE-2018-19758 not applied)
        NOTE: 
https://github.com/erikd/libsndfile/issues/456#issuecomment-463542436
        NOTE: https://github.com/erikd/libsndfile/pull/460
        NOTE: 
https://github.com/erikd/libsndfile/commit/6d7ce94c020cc720a6b28719d1a7879181790008
@@ -121382,7 +121381,6 @@ CVE-2018-19759 (There is a heap-based buffer 
over-read at stb_image_write.h (fun
 CVE-2018-19758 (There is a heap-based buffer over-read at wav.c in 
wav_write_header in ...)
        {DLA-1632-1}
        - libsndfile 1.0.28-5 (bug #917416)
-       [stretch] - libsndfile <ignored> (Minor issue)
        NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643812
        NOTE: https://github.com/erikd/libsndfile/issues/435
        NOTE: 
https://github.com/erikd/libsndfile/commit/42132c543358cee9f7c3e9e9b15bb6c1063a608e
@@ -121611,14 +121609,12 @@ CVE-2018-19663
 CVE-2018-19662 (An issue was discovered in libsndfile 1.0.28. There is a 
buffer over-r ...)
        {DLA-1618-1}
        - libsndfile 1.0.28-5 (low)
-       [stretch] - libsndfile <ignored> (Minor issue)
        NOTE: https://github.com/erikd/libsndfile/issues/429
        NOTE: 
https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f
        NOTE: similar to CVE-2017-17456/CVE-2017-17457 (but not duplicate)
 CVE-2018-19661 (An issue was discovered in libsndfile 1.0.28. There is a 
buffer over-r ...)
        {DLA-1618-1}
        - libsndfile 1.0.28-5 (low)
-       [stretch] - libsndfile <ignored> (Minor issue)
        NOTE: https://github.com/erikd/libsndfile/issues/429
        NOTE: 
https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f
        NOTE: similar to CVE-2017-17456/CVE-2017-17457 (but not duplicate)
@@ -187408,7 +187404,6 @@ CVE-2017-14650 (A Remote Code Execution vulnerability 
has been found in the Hord
 CVE-2017-14634 (In libsndfile 1.0.28, a divide-by-zero error exists in the 
function do ...)
        {DLA-1618-1}
        - libsndfile 1.0.28-5 (bug #876783)
-       [stretch] - libsndfile <ignored> (Minor issue)
        [wheezy] - libsndfile <no-dsa> (Minor issue)
        NOTE: https://github.com/erikd/libsndfile/issues/318
        NOTE: Fixed by: 
https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788
@@ -188557,14 +188552,12 @@ CVE-2017-14247 (SQL Injection exists in the 
EyesOfNetwork web interface (aka eon
 CVE-2017-14246 (An out of bounds read in the function d2ulaw_array() in ulaw.c 
of libs ...)
        {DLA-1618-1}
        - libsndfile 1.0.28-5 (low; bug #876682)
-       [stretch] - libsndfile <ignored> (Minor issue)
        [wheezy] - libsndfile <no-dsa> (Minor issue)
        NOTE: https://github.com/erikd/libsndfile/issues/317
        NOTE: 
https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f
 CVE-2017-14245 (An out of bounds read in the function d2alaw_array() in alaw.c 
of libs ...)
        {DLA-1618-1}
        - libsndfile 1.0.28-5 (low; bug #876682)
-       [stretch] - libsndfile <ignored> (Minor issue)
        [wheezy] - libsndfile <no-dsa> (Minor issue)
        NOTE: https://github.com/erikd/libsndfile/issues/317
        NOTE: 
https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f
@@ -211325,7 +211318,6 @@ CVE-2017-6893
 CVE-2017-6892 (In libsndfile version 1.0.28, an error in the 
"aiff_read_chanmap()" fu ...)
        {DLA-985-1}
        - libsndfile 1.0.28-1 (bug #864704)
-       [stretch] - libsndfile <ignored> (Minor issue)
        [jessie] - libsndfile <no-dsa> (Minor issue)
        NOTE: Fixed by: 
https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748
 CVE-2017-6891 (Two errors in the "asn1_find_node()" function 
(lib/parser_aux.c) withi ...)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[29 Oct 2020] DLA-2418-1 libsndfile - security update
+       {CVE-2017-6892 CVE-2017-14245 CVE-2017-14246 CVE-2017-14634 
CVE-2018-19661 CVE-2018-19662 CVE-2018-19758 CVE-2019-3832}
+       [stretch] - libsndfile 1.0.27-3+deb9u1
 [27 Oct 2020] DLA-2417-1 linux-4.19 - security update
        {CVE-2020-12351 CVE-2020-12352 CVE-2020-25211 CVE-2020-25643 
CVE-2020-25645}
        [stretch] - linux-4.19 4.19.152-1~deb9u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ac158ec0242194c38ac6337d99f3af702ffe63df...f5dc715ad56733f8ca16c467ba0d870b1c393bf6

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ac158ec0242194c38ac6337d99f3af702ffe63df...f5dc715ad56733f8ca16c467ba0d870b1c393bf6
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits