Moritz Muehlenhoff pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
3600d8c8 by Moritz Muehlenhoff at 2018-01-28T03:34:15+01:00
icu not affected
openjfx no-dsa (no specific information provided, but low CVSS score in Oracle
advisory)
libraw no-dsa
remaining libvorbis issues postponed
obs-build no-dsa
libkohana2-php ignored
add and take libvorbis to dsa-needed
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -9589,6 +9589,7 @@ CVE-2018-2582 (Vulnerability in the Java SE, Java SE
Embedded component of Oracl
- openjdk-8 <unfixed>
CVE-2018-2581 (Vulnerability in the Java SE component of Oracle Java SE ...)
- openjfx <unfixed> (bug #888530)
+ [stretch] - openjfx <no-dsa> (Minor issue)
CVE-2018-2580 (Vulnerability in the Oracle Applications DBA component of
Oracle ...)
NOT-FOR-US: Oracle
CVE-2018-2579 (Vulnerability in the Java SE, Java SE Embedded, JRockit
component of ...)
@@ -12702,15 +12703,13 @@ CVE-2017-17485 (FasterXML jackson-databind through
2.8.10 and 2.9.x through 2.9.
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1528565#c0
NOTE: https://github.com/FasterXML/jackson-databind/issues/1855
CVE-2017-17484 (The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International
...)
- [experimental] - icu 60.2-1
- - icu <unfixed>
- [wheezy] - icu <not-affected> (Vulnerable code not present)
+ - icu <not-affected> (Vulnerable code not present, only experimental
was ever affected and fixed in 60.2-1)
NOTE: https://ssl.icu-project.org/trac/ticket/13510
NOTE: https://ssl.icu-project.org/trac/ticket/13490
NOTE: Fixed by: https://ssl.icu-project.org/trac/changeset/40714
NOTE: Testcase: https://ssl.icu-project.org/trac/changeset/40715
NOTE: POC:
https://ssl.icu-project.org/trac/attachment/ticket/13490/poc.2.cpp
- NOTE: Likely introduced by:
https://ssl.icu-project.org/trac/changeset/40455/trunk/icu4c/source/common/ucnv_u8.cpp
+ NOTE: Introduced by https://ssl.icu-project.org/trac/changeset/40455/
CVE-2017-17483
RESERVED
CVE-2017-17482
@@ -16712,12 +16711,16 @@ CVE-2017-16911
CVE-2017-16910
RESERVED
- libraw 0.18.6-1
+ [stretch] - libraw <no-dsa> (Minor issue)
+ [jessie] - libraw <no-dsa> (Minor issue)
[wheezy] - libraw <no-dsa> (Minor issue)
NOTE:
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19
NOTE:
https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e
CVE-2017-16909
RESERVED
- libraw 0.18.6-1
+ [stretch] - libraw <no-dsa> (Minor issue)
+ [jessie] - libraw <no-dsa> (Minor issue)
[wheezy] - libraw <no-dsa> (Minor issue)
NOTE:
https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19
NOTE:
https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e
@@ -23366,6 +23369,8 @@ CVE-2017-14805
CVE-2017-14804 [build: Exploit extractbuild to write to files in the host
system]
RESERVED
- obs-build <unfixed> (bug #887306)
+ [stretch] - obs-build <no-dsa> (Minor issue)
+ [jessie] - obs-build <no-dsa> (Minor issue)
NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1069904
CVE-2017-14803 (In NetIQ Access Manager 4.3 and 4.4, a bug exists in Identity
Server ...)
NOT-FOR-US: NetIQ Access Manager
@@ -23855,6 +23860,7 @@ CVE-2017-14634 (In libsndfile 1.0.28, a divide-by-zero
error exists in the funct
NOTE: Fixed by:
https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788
CVE-2017-14633 (In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read
vulnerability ...)
- libvorbis 1.3.5-4.1 (bug #876778)
+ [jessie] - libvorbis <postponed> (Minor issue, can be fixed along later)
NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2329
NOTE: https://github.com/xiph/vorbis/pull/34
CVE-2017-14632 (Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon
freeing ...)
@@ -23962,6 +23968,8 @@ CVE-2017-14609 (The server daemons in Kannel 1.5.0 and
earlier create a PID file
CVE-2017-14608 (In LibRaw through 0.18.4, an out of bounds read flaw related
to ...)
{DLA-1109-1}
- libraw 0.18.5-1 (low)
+ [stretch] - libraw <no-dsa> (Minor issue)
+ [jessie] - libraw <no-dsa> (Minor issue)
NOTE:
https://github.com/LibRaw/LibRaw/commit/d13e8f6d1e987b7491182040a188c16a395f1d21
NOTE: https://github.com/LibRaw/LibRaw/issues/101
CVE-2017-14607 (In ImageMagick 7.0.7-4 Q16, an out of bounds read flaw related
to ...)
@@ -24703,6 +24711,8 @@ CVE-2017-14341 (ImageMagick 7.0.6-6 has a large loop
vulnerability in ReadWPGIma
NOTE: ImageMagick-6:
https://github.com/ImageMagick/ImageMagick/commit/4eae304e773bad8a876c3c26fdffac24d4253ae4
CVE-2017-14348 (LibRaw before 0.18.4 has a heap-based Buffer Overflow in the
...)
- libraw 0.18.5-1
+ [stretch] - libraw <no-dsa> (Minor issue)
+ [jessie] - libraw <not-affected> (Vulnerable code not present)
[wheezy] - libraw <not-affected> (Vulnerable code not present)
NOTE: https://github.com/LibRaw/LibRaw/issues/100
NOTE:
https://github.com/LibRaw/LibRaw/commit/8303e74b0567806dd5f16fc39aab70fe928de1a2
@@ -24917,6 +24927,8 @@ CVE-2017-14266 (tcprewrite in Tcpreplay 3.4.4 has a
Heap-Based Buffer Overflow .
NOTE: Patch enforce-maxpacket.patch addresses the issue
CVE-2017-14265 (A Stack-based Buffer Overflow was discovered in
xtrans_interpolate in ...)
- libraw 0.18.5-1
+ [stretch] - libraw <no-dsa> (Minor issue)
+ [jessie] - libraw <no-dsa> (Minor issue)
[wheezy] - libraw <not-affected> (Vulnerable code not present)
NOTE: https://github.com/LibRaw/LibRaw/issues/99
NOTE:
https://github.com/LibRaw/LibRaw/commit/82616eff4c7f7437e96bdeeed238c3ef3dc12d60
@@ -25242,6 +25254,8 @@ CVE-2017-14165 (The ReadSUNImage function in
coders/sun.c in GraphicsMagick 1.3.
NOTE: https://sourceforge.net/p/graphicsmagick/bugs/442/
CVE-2017-14160 (The bark_noise_hybridmp function in psy.c in Xiph.Org
libvorbis 1.3.5 ...)
- libvorbis <unfixed> (bug #876780)
+ [stretch] - libvorbis <postponed> (Minor issue, can be revisited once
fixed upstream)
+ [jessie] - libvorbis <postponed> (Minor issue, can be revisited once
fixed upstream)
NOTE: http://www.openwall.com/lists/oss-security/2017/09/21/2
NOTE: http://www.openwall.com/lists/oss-security/2017/09/21/3
NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2330
@@ -25652,6 +25666,7 @@ CVE-2017-14052
CVE-2016-10510 (Cross-site scripting (XSS) vulnerability in the Security
component of ...)
{DLA-1241-1}
- libkohana2-php <removed>
+ [jessie] - libkohana2-php <ignored> (Minor issue)
NOTE: https://github.com/kohana/kohana/issues/107
NOTE: Fixed by https://github.com/kohana/core/pull/697
CVE-2016-10509 (SQL injection vulnerability in the updateAmazonOrderTracking
function ...)
@@ -33667,8 +33682,8 @@ CVE-2017-11334 (The address_space_write_continue
function in exec.c in QEMU (aka
NOTE:
https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=04bf2526ce87f21b32c9acba1c5518708c243ad0
CVE-2017-11333 (The vorbis_analysis_wrote function in lib/block.c in Xiph.Org
libvorbis ...)
- libvorbis <unfixed> (low; bug #870341)
- [stretch] - libvorbis <no-dsa> (Minor issue)
- [jessie] - libvorbis <no-dsa> (Minor issue)
+ [stretch] - libvorbis <postponed> (Minor issue, can be revisited once
fixed upstream)
+ [jessie] - libvorbis <postponed> (Minor issue, can be revisited once
fixed upstream)
NOTE: http://seclists.org/fulldisclosure/2017/Jul/82
NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2332
CVE-2017-11332 (The startread function in wav.c in Sound eXchange (SoX) 14.4.2
allows ...)
=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -78,6 +78,8 @@ tomcat8
--
unbound (jmm)
--
+libvorbis (jmm)
+--
wireshark (jmm)
--
xen
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3600d8c81623b9564953dcf9f06a53e2fb9d788b
---
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/commit/3600d8c81623b9564953dcf9f06a53e2fb9d788b
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
Secure-testing-commits mailing list
Secure-testing-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-commits
