Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits: 2841d98f by Thorsten Alteholz at 2020-10-29T16:16:41+01:00 add link for fix of CVE-2020-26870 - - - - - f237bbbc by Thorsten Alteholz at 2020-10-29T16:17:53+01:00 this CVE-2019-16728 will be fixed with next upload - - - - - c2935a5c by Thorsten Alteholz at 2020-10-29T16:21:21+01:00 consistently fix libsndfile CVEs in all suites - - - - - f5dc715a by Thorsten Alteholz at 2020-10-29T16:53:30+01:00 Reserve DLA-2418-1 for libsndfile - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: ===================================== data/CVE/list ===================================== @@ -2921,6 +2921,7 @@ CVE-2020-26871 CVE-2020-26870 (Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs becaus ...) - dompurify.js <removed> NOTE: https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/ + NOTE: https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d CVE-2020-26869 (An information exposure vulnerability exists in PcVue 12, allowing a n ...) NOT-FOR-US: PcVue CVE-2020-26868 (A Denial Of Service vulnerability exists in PcVue from version 8.10 on ...) @@ -75432,7 +75433,6 @@ CVE-2019-16730 (processCommandUpgrade() in libcommon.so in Petwant PF-103 firmwa NOT-FOR-US: Petwant PF-103 and Petalk AI CVE-2019-16728 (DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (m ...) - dompurify.js <removed> - [stretch] - dompurify.js <ignored> (Minor issue) NOTE: https://research.securitum.com/dompurify-bypass-using-mxss/ CVE-2019-16746 (An issue was discovered in net/wireless/nl80211.c in the Linux kernel ...) {DLA-2114-1 DLA-2068-1} @@ -113445,7 +113445,6 @@ CVE-2019-3833 (Openwsman, versions up to and including 2.6.9, are vulnerable to CVE-2019-3832 (It was discovered the fix for CVE-2018-19758 (libsndfile) was not comp ...) {DLA-1712-1} - libsndfile 1.0.28-6 (bug #922372) - [stretch] - libsndfile <not-affected> (Incomplete fix for CVE-2018-19758 not applied) NOTE: https://github.com/erikd/libsndfile/issues/456#issuecomment-463542436 NOTE: https://github.com/erikd/libsndfile/pull/460 NOTE: https://github.com/erikd/libsndfile/commit/6d7ce94c020cc720a6b28719d1a7879181790008 @@ -121382,7 +121381,6 @@ CVE-2018-19759 (There is a heap-based buffer over-read at stb_image_write.h (fun CVE-2018-19758 (There is a heap-based buffer over-read at wav.c in wav_write_header in ...) {DLA-1632-1} - libsndfile 1.0.28-5 (bug #917416) - [stretch] - libsndfile <ignored> (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643812 NOTE: https://github.com/erikd/libsndfile/issues/435 NOTE: https://github.com/erikd/libsndfile/commit/42132c543358cee9f7c3e9e9b15bb6c1063a608e @@ -121611,14 +121609,12 @@ CVE-2018-19663 CVE-2018-19662 (An issue was discovered in libsndfile 1.0.28. There is a buffer over-r ...) {DLA-1618-1} - libsndfile 1.0.28-5 (low) - [stretch] - libsndfile <ignored> (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/429 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f NOTE: similar to CVE-2017-17456/CVE-2017-17457 (but not duplicate) CVE-2018-19661 (An issue was discovered in libsndfile 1.0.28. There is a buffer over-r ...) {DLA-1618-1} - libsndfile 1.0.28-5 (low) - [stretch] - libsndfile <ignored> (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/429 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f NOTE: similar to CVE-2017-17456/CVE-2017-17457 (but not duplicate) @@ -187408,7 +187404,6 @@ CVE-2017-14650 (A Remote Code Execution vulnerability has been found in the Hord CVE-2017-14634 (In libsndfile 1.0.28, a divide-by-zero error exists in the function do ...) {DLA-1618-1} - libsndfile 1.0.28-5 (bug #876783) - [stretch] - libsndfile <ignored> (Minor issue) [wheezy] - libsndfile <no-dsa> (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/318 NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788 @@ -188557,14 +188552,12 @@ CVE-2017-14247 (SQL Injection exists in the EyesOfNetwork web interface (aka eon CVE-2017-14246 (An out of bounds read in the function d2ulaw_array() in ulaw.c of libs ...) {DLA-1618-1} - libsndfile 1.0.28-5 (low; bug #876682) - [stretch] - libsndfile <ignored> (Minor issue) [wheezy] - libsndfile <no-dsa> (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/317 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f CVE-2017-14245 (An out of bounds read in the function d2alaw_array() in alaw.c of libs ...) {DLA-1618-1} - libsndfile 1.0.28-5 (low; bug #876682) - [stretch] - libsndfile <ignored> (Minor issue) [wheezy] - libsndfile <no-dsa> (Minor issue) NOTE: https://github.com/erikd/libsndfile/issues/317 NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f @@ -211325,7 +211318,6 @@ CVE-2017-6893 CVE-2017-6892 (In libsndfile version 1.0.28, an error in the "aiff_read_chanmap()" fu ...) {DLA-985-1} - libsndfile 1.0.28-1 (bug #864704) - [stretch] - libsndfile <ignored> (Minor issue) [jessie] - libsndfile <no-dsa> (Minor issue) NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748 CVE-2017-6891 (Two errors in the "asn1_find_node()" function (lib/parser_aux.c) withi ...) ===================================== data/DLA/list ===================================== @@ -1,3 +1,6 @@ +[29 Oct 2020] DLA-2418-1 libsndfile - security update + {CVE-2017-6892 CVE-2017-14245 CVE-2017-14246 CVE-2017-14634 CVE-2018-19661 CVE-2018-19662 CVE-2018-19758 CVE-2019-3832} + [stretch] - libsndfile 1.0.27-3+deb9u1 [27 Oct 2020] DLA-2417-1 linux-4.19 - security update {CVE-2020-12351 CVE-2020-12352 CVE-2020-25211 CVE-2020-25643 CVE-2020-25645} [stretch] - linux-4.19 4.19.152-1~deb9u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ac158ec0242194c38ac6337d99f3af702ffe63df...f5dc715ad56733f8ca16c467ba0d870b1c393bf6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ac158ec0242194c38ac6337d99f3af702ffe63df...f5dc715ad56733f8ca16c467ba0d870b1c393bf6 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits