[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] puppet modules unimportant

Tue Apr 3 21:21:55 BST 2018

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3567c990 by Moritz Muehlenhoff at 2018-04-03T22:21:29+02:00
puppet modules unimportant
add libslf4j-java to dsa-needed
libzypp ignored
radare, gpac, leptonlib no-dsa

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================

--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1029,14 +1029,20 @@ CVE-2018-8811 (Cross-site request forgery (CSRF) vulnerability in ...)
 	NOT-FOR-US: OpenCMS
 CVE-2018-8810 (In radare2 2.4.0, there is a heap-based buffer over-read in the ...)
 	- radare2 <unfixed>
+	[stretch] - radare2 <no-dsa> (Minor issue)
+	[jessie] - radare2 <no-dsa> (Minor issue)
 	[wheezy] - radare2 <not-affected> (vulnerable code not present)
 	NOTE: https://github.com/radare/radare2/issues/9727
 CVE-2018-8809 (In radare2 2.4.0, there is a heap-based buffer over-read in the ...)
-	- radare2 <unfixed>
+	- radare2 <unfixed> (low)
+	[stretch] - radare2 <no-dsa> (Minor issue)
+	[jessie] - radare2 <no-dsa> (Minor issue)
 	[wheezy] - radare2 <no-dsa> (minor issue, likely not even affected)
 	NOTE: https://github.com/radare/radare2/issues/9726
 CVE-2018-8808 (In radare2 2.4.0, there is a heap-based buffer over-read in the ...)
-	- radare2 <unfixed>
+	- radare2 <unfixed> (low)
+	[stretch] - radare2 <no-dsa> (Minor issue)
+	[jessie] - radare2 <no-dsa> (Minor issue)
 	[wheezy] - radare2 <no-dsa> (minor issue, likely not even affected)
 	NOTE: https://github.com/radare/radare2/issues/9725
 CVE-2018-8807 (In libming 0.4.8, these is a use-after-free in the function ...)
@@ -3575,6 +3581,8 @@ CVE-2018-7719 (Acrolinx Server before 5.2.5 on Windows allows Directory Traversa
 	NOT-FOR-US: Acrolinx Server
 CVE-2018-7752 (GPAC through 0.7.1 has a Buffer Overflow in the gf_media_avc_read_sps ...)
 	- gpac <unfixed> (bug #892526)
+	[stretch] - gpac <no-dsa> (Minor issue)
+	[jessie] - gpac <no-dsa> (Minor issue)
 	[wheezy] - gpac <not-affected> (vulnerable code not present)
 	NOTE: https://github.com/gpac/gpac/issues/997
 	NOTE: https://github.com/gpac/gpac/commit/90dc7f853d31b0a4e9441cba97feccf36d8b69a4
@@ -5470,7 +5478,9 @@ CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in ...)
 	NOTE: https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41 (v2.2.2)
 CVE-2018-7186 (Leptonica before 1.75.3 does not limit the number of characters in a %s ...)
 	{DLA-1302-1}
-	- leptonlib 1.75.3-2 (bug #890548)
+	- leptonlib 1.75.3-2 (low; bug #890548)
+	[stretch] - leptonlib <no-dsa> (Minor issue)
+	[jessie] - leptonlib <no-dsa> (Minor issue)
 	NOTE: https://github.com/DanBloomberg/leptonica/commit/ee301cb2029db8a6289c5295daa42bba7715e99a
 CVE-2018-7180 (SQL Injection exists in the Saxum Astro 4.0.14 component for Joomla! ...)
 	NOT-FOR-US: Saxum Astro component for Joomla!
@@ -7368,9 +7378,9 @@ CVE-2018-6510
 CVE-2018-6509
 	RESERVED
 CVE-2018-6508 (Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a ...)
-	- puppet-module-puppetlabs-apt <unfixed>
-	- puppet-module-puppetlabs-apache <unfixed>
-	- puppet-module-puppetlabs-mysql <unfixed>
+	- puppet-module-puppetlabs-apt <unfixed> (unimportant)
+	- puppet-module-puppetlabs-apache <unfixed> (unimportant)
+	- puppet-module-puppetlabs-mysql <unfixed> (unimportant)
 	NOTE: https://puppet.com/security/cve/CVE-2018-6508
 	NOTE: Issue in various puppet modules: facter_task, puppet_conf, apt, apache and mysql modules
 	NOTE: https://github.com/puppetlabs/puppetlabs-facter_task/commit/dd37c72e78c8a37e671e20becb05d6ceafdbd81c
@@ -7378,6 +7388,7 @@ CVE-2018-6508 (Puppet Enterprise 2017.3.x prior to 2017.3.3 are vulnerable to a 
 	NOTE: https://github.com/puppetlabs/puppetlabs-apt/commit/81879be960d5723016e3d0b4ff155ee704261bbc
 	NOTE: https://github.com/puppetlabs/puppetlabs-apache/commit/81bc5119ceced1faa4bf261efa4b7cd3731ef3ef
 	NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/da3684c79d5fe6ece826e087e8693c75ac40414c
+	NOTE: This is only exploitable with Puppet Tasks, which aren't packaged/available in Debian
 CVE-2018-6507
 	RESERVED
 CVE-2018-6506 (Cross-Site Scripting (XSS) exists in the Add Forum feature in the ...)
@@ -14096,12 +14107,16 @@ CVE-2018-3837
 	RESERVED
 CVE-2018-7442 (An issue was discovered in Leptonica through 1.75.3. The ...)
 	- leptonlib <unfixed>
+	[stretch] - leptonlib <no-dsa> (Minor issue)
+	[jessie] - leptonlib <no-dsa> (Minor issue)
 	NOTE: https://lists.debian.org/debian-lts/2018/02/msg00086.html
 CVE-2018-7441 (Leptonica through 1.75.3 uses hardcoded /tmp pathnames, which might ...)
-	- leptonlib <unfixed>
+	- leptonlib <unfixed> (unimportant)
 	NOTE: https://lists.debian.org/debian-lts/2018/02/msg00054.html
+	NOTE: Neutralised by kernel hardening
 CVE-2017-18196 (Leptonica 1.74.4 constructs unintended pathnames (containing duplicated ...)
-	- leptonlib 1.74.4-2 (bug #885704)
+	- leptonlib 1.74.4-2 (low; bug #885704)
+	[stretch] - leptonlib <no-dsa> (Minor issue)
 	[jessie] - leptonlib <not-affected> (Vulnerable code not present)
 	[wheezy] - leptonlib <not-affected> (Vulnerable code not present)
 CVE-2018-7440 (An issue was discovered in Leptonica through 1.75.3. The ...)
@@ -14115,6 +14130,8 @@ CVE-2018-3836 [gplotMakeOutput Command Injection Vulnerability]
 	RESERVED
 	{DLA-1284-1}
 	- leptonlib 1.75.3-1 (bug #889759)
+	[stretch] - leptonlib <no-dsa> (Minor issue)
+	[jessie] - leptonlib <no-dsa> (Minor issue)
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0516
 	NOTE: https://github.com/DanBloomberg/leptonica/issues/303
 	NOTE: When fixing this issue make sure the fix is complete and includes as well
@@ -48538,6 +48555,7 @@ CVE-2017-9270 (In cryptctl before version 2.0 a malicious server could send RPC 
 	NOT-FOR-US: SuSE cryptctl
 CVE-2017-9269 (In libzypp before August 2018 GPG keys attached to YUM repositories ...)
 	- libzypp <unfixed>
+	[jessie] - libzypp <ignored> (Minor issue)
 CVE-2017-9268 (In the open build service before 201707022 the wipetrigger and rebuild ...)
 	- open-build-service <unfixed> (low)
 	[stretch] - open-build-service <no-dsa> (Minor issue)
@@ -54539,8 +54557,10 @@ CVE-2017-7437 (NetIQ Privileged Account Manager before 3.1 Patch Update 3 allowe
 	NOT-FOR-US: NetIQ Privileged Account Manager
 CVE-2017-7436 (In libzypp before 20170803 it was possible to retrieve unsigned ...)
 	- libzypp <unfixed>
+	[jessie] - libzypp <ignored> (Minor issue)
 CVE-2017-7435 (In libzypp before 20170803 it was possible to add unsigned YUM ...)
 	- libzypp <unfixed>
+	[jessie] - libzypp <ignored> (Minor issue)
 CVE-2017-7434 (In the JDBC driver of NetIQ Identity Manager before 4.6 sending out ...)
 	NOT-FOR-US: NetIQ Identity Manager
 CVE-2017-7433 (An absolute path traversal vulnerability (CWE-36) in Micro Focus Vibe ...)


=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -41,6 +41,8 @@ libav/oldstable
 --
 libidn
 --
+libslf4j-java
+--
 libmad
 --
 linux



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3567c990ffdf55a77d5f27b01ab1dee266ece832

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3567c990ffdf55a77d5f27b01ab1dee266ece832
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-commits/attachments/20180403/2aa6416f/attachment.html>
