[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] several web2py issue n/a, mark the existing no-dsa entries as <ignored>

Moritz Muehlenhoff jmm at debian.org
Mon Apr 2 12:04:54 BST 2018 

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f5361dc0 by Moritz Muehlenhoff at 2018-04-02T13:04:35+02:00
several web2py issue n/a, mark the existing no-dsa entries as <ignored>
unixodbc no-dsa
ntp postponed
podofo CVE dupe

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2774,10 +2774,9 @@ CVE-2018-8001 (In PoDoFo 0.9.5, there exists a heap-based buffer over-read ...)
 	NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/14/
 	NOTE: Upstream commit: http://sourceforge.net/p/podofo/code/1909
 CVE-2018-8000 (In PoDoFo 0.9.5, there exists a heap-based buffer overflow ...)
-	- libpodofo <unfixed> (bug #892520)
 	NOTE: PoC https://bugzilla.redhat.com/show_bug.cgi?id=1548918
 	NOTE: Upstream bug: https://sourceforge.net/p/podofo/tickets/13/
-	NOTE: Believed to be a dupe of CVE-2017-5886
+	NOTE: Upstream tracked this down as a of CVE-2017-5886
 CVE-2018-7999 (In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference ...)
 	- graphite2 1.3.11-2 (bug #892590)
 	[stretch] - graphite2 <no-dsa> (Minor issue)
@@ -4508,6 +4507,8 @@ CVE-2018-7410
 	RESERVED
 CVE-2018-7409 (In unixODBC before 2.3.5, there is a buffer overflow in the ...)
 	- unixodbc <unfixed> (bug #891596)
+	[stretch] - unixodbc <no-dsa> (Minor issue)
+	[jessie] - unixodbc <no-dsa> (Minor issue)
 	[wheezy] - unixodbc <ignored> (Minor issue)
 	NOTE: Fixed by: https://sourceforge.net/p/unixodbc/code/136/
 	NOTE: https://github.com/lurcher/unixODBC/commit/4f9f77fb4204659ec9b7be8745d9e05a539c80b9
@@ -5321,6 +5322,8 @@ CVE-2018-7183 (Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 
 	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S
 CVE-2018-7182 (The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows ...)
 	- ntp 1:4.2.8p11+dfsg-1
+	[stretch] - ntp <postponed> (Can be fixed along in a future update)
+	[jessie] - ntp <postponed> (Can be fixed along in a future update)
 	[wheezy] - ntp <not-affected> (Issue not present)
 	- ntpsec 1.0.0+dfsg1-5
 	NOTE: http://www.kb.cert.org/vuls/id/961909
@@ -91530,25 +91533,25 @@ CVE-2016-4809 (The archive_read_format_cpio_read_header function in ...)
 	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/fd7e0c02e272913a0a8b6d492c7260dfca0b1408 (v3.2.1)
 CVE-2016-10321 (web2py before 2.14.6 does not properly check if a host is denied before ...)
 	- web2py <removed> (bug #860038)
-	[jessie] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production)
+	[jessie] - web2py <ignored> (Minor issue; issue in web admin interface which has no need to be used in production)
 	[wheezy] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production)
 	NOTE: https://github.com/web2py/web2py/issues/1585#issuecomment-284317919
 	NOTE: https://github.com/web2py/web2py/commit/944d8bd8f3c5cf8ae296fc03d149056c65358426
 CVE-2016-4808 (Web2py versions 2.14.5 and below was affected by CSRF (Cross Site ...)
 	- web2py <removed> (bug #856127)
-	[jessie] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production)
+	[jessie] - web2py <ignored> (Minor issue; issue in web admin interface which has no need to be used in production)
 	[wheezy] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production)
 	NOTE: https://github.com/web2py/web2py/issues/1585
 	NOTE: https://github.com/web2py/web2py/commit/4bd002aee978813bc664cf186ef38ff4e8bbe1cd
 CVE-2016-4807 (Web2py versions 2.14.5 and below was affected by Reflected XSS ...)
 	- web2py <removed> (bug #856127)
-	[jessie] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production)
+	[jessie] - web2py <ignored> (Minor issue; issue in web admin interface which has no need to be used in production)
 	[wheezy] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production)
 	NOTE: https://github.com/web2py/web2py/issues/1585
 	NOTE: https://github.com/web2py/web2py/commit/51c3b633fe7ad647bc3013e899c1e3a910362dd1
 CVE-2016-4806 (Web2py versions 2.14.5 and below was affected by Local File Inclusion ...)
 	- web2py <removed> (bug #856127)
-	[jessie] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production)
+	[jessie] - web2py <ignored> (Minor issue; issue in web admin interface which has no need to be used in production)
 	[wheezy] - web2py <no-dsa> (Minor issue; issue in web admin interface which has no need to be used in production)
 	NOTE: https://github.com/web2py/web2py/issues/1585
 	NOTE: https://github.com/web2py/web2py/issues/1316
@@ -94053,6 +94056,8 @@ CVE-2016-3960 (Integer overflow in the x86 shadow pagetable code in Xen allows l
 	NOTE: http://xenbits.xen.org/xsa/advisory-173.html
 CVE-2016-3957 (The secure_load function in gluon/utils.py in web2py before 2.14.2 ...)
 	- web2py <removed> (bug #891220)
+	[jessie] - web2py <not-affected> (Vulnerable code not present)
+	[wheezy] - web2py <not-affected> (Vulnerable code not present)
 CVE-2016-3956 (The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js ...)
 	- npm <unfixed> (bug #850322)
 	[jessie] - npm <no-dsa> (Minor issue)
@@ -94061,10 +94066,16 @@ CVE-2016-3956 (The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Nod
 	NOTE: https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 (3.8.3)
 CVE-2016-3954 (web2py before 2.14.2 allows remote attackers to obtain the ...)
 	- web2py <removed> (bug #891220)
+	[jessie] - web2py <not-affected> (Vulnerable code not present)
+	[wheezy] - web2py <not-affected> (Vulnerable code not present)
 CVE-2016-3953 (The sample web application in web2py before 2.14.2 might allow remote ...)
 	- web2py <removed> (bug #891220)
+	[jessie] - web2py <not-affected> (Vulnerable code not present)
+	[wheezy] - web2py <not-affected> (Vulnerable code not present)
 CVE-2016-3952 (web2py before 2.14.1, when using the standalone version, allows remote ...)
 	- web2py <removed> (bug #891220)
+	[jessie] - web2py <not-affected> (Vulnerable code not present)
+	[wheezy] - web2py <not-affected> (Vulnerable code not present)
 CVE-2016-3951 (Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux ...)
 	{DSA-3607-1 DLA-516-1}
 	- linux 4.5.1-1
@@ -111343,7 +111354,7 @@ CVE-2015-7236 (Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c
 	NOTE: http://www.openwall.com/lists/oss-security/2015/09/17/1
 CVE-2015-6961 (Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows ...)
 	- web2py 2.12.3-1
-	[jessie] - web2py <no-dsa> (Minor issue)
+	[jessie] - web2py <ignored> (Minor issue)
 	[wheezy] - web2py <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/web2py/web2py/commit/e31a099cb3456fef471886339653430ae59056b0 (R-2.12.1)
 	NOTE: https://github.com/web2py/web2py/issues/731



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5361dc07cf645cf1d9ee84f7f6e307d39337601

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f5361dc07cf645cf1d9ee84f7f6e307d39337601
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20180402/9e456cad/attachment.html>

More information about the debian-security-tracker-commits mailing list