[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: triage nmap out of jessie and wheezy: vulnerable code introduced later

Antoine Beaupré anarcat at debian.org
Wed Apr 11 14:45:00 BST 2018


Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker


Commits:
958c1045 by Antoine Beaupré at 2018-04-11T09:42:48-04:00
triage nmap out of jessie and wheezy: vulnerable code introduced later

- - - - -
127100fa by Antoine Beaupré at 2018-04-11T09:44:34-04:00
follow jessie and no-dla for mysql (postponed) and zsh (minor)

- - - - -
69be5443 by Antoine Beaupré at 2018-04-11T09:44:47-04:00
squirrelmail should be doable in lts

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -410,7 +410,9 @@ CVE-2018-1000164 [Improper neutralization of CRLF Sequences http/wsgi.py:process
 CVE-2018-1000161 [directory traversal in the way the non-default http-fetch script sanitized URLs]
 	- nmap 7.70+dfsg1-1
 	[stretch] - nmap <no-dsa> (Minor issue)
-	[jessie] - nmap <no-dsa> (Minor issue)
+	[jessie] - nmap <not-affected> (Vulnerable code not present)
+	[wheezy] - nmap <not-affected> (Vulnerable code not present)
+	NOTE: script added in 6.49BETA6 according to https://bugzilla.novell.com/show_bug.cgi?id=CVE-2018-1000161
 CVE-2018-1000157
 	REJECTED
 CVE-2018-9838 (The caml_ba_deserialize function in byterun/bigarray.c in the standard ...)
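Review bot: the new NOTE under CVE-2018-1000161 gives "script added in 6.49BETA6" on the authority of a third-party Bugzilla entry only, and it does not say which nmap versions jessie and wheezy ship, so the two <not-affected> lines cannot be verified from the entry itself. Consider adding the suite versions to the NOTE, or stating that the http-fetch script was checked and is absent from both source packages.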
@@ -19320,6 +19322,7 @@ CVE-2018-2767 [Use of SSL/TLS not enforced in client library (Return of BACKRONY
 	- mysql-5.7 <unfixed>
 	- mysql-5.5 <removed>
 	[jessie] - mysql-5.5 <postponed> (Wait for next upstream security/bugfix release)
+	[wheezy] - mysql-5.5 <postponed> (Wait for next upstream security/bugfix release)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/04/08/2
 	NOTE: Result from an incomplete fix for CVE-2015-3152 and related CVE for
 	NOTE: Oracle products.
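Review bot: the added [wheezy] mysql-5.5 line copies the jessie reason "Wait for next upstream security/bugfix release" verbatim, and <postponed> leaves no marker for when the entry should be revisited. A short NOTE saying that wheezy will take the same upstream 5.5 release as jessie would make it clear the two lines are meant to be resolved together.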
@@ -23843,6 +23846,7 @@ CVE-2018-1100 [check bounds on buffer in mail checking]
 	- zsh 5.5-1 (bug #895225)
 	[stretch] - zsh <no-dsa> (Minor issue)
 	[jessie] - zsh <no-dsa> (Minor issue)
+	[wheezy] - zsh <no-dsa> (Minor issue)
 	NOTE: https://www.zsh.org/cgi-bin/mla/redirect?WORKERNUMBER=42607
 	NOTE: https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/
 CVE-2018-1099 (DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An ...)
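Review bot: the [wheezy] zsh line under CVE-2018-1100 inherits "(Minor issue)" with no stated rationale; the entry's NOTE lines only link to the upstream discussion and commit. A one-line NOTE explaining why the mail-checking bounds issue is considered minor would let a later reader confirm that the reasoning holds for the wheezy version as well as for jessie and stretch.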


=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -93,6 +93,8 @@ sharutils (Abhijith PA)
 --
 slurm-llnl (Thorsten Alteholz)
 --
+squirrelmail
+--
 tiff (Hugo Lefeuvre)
   NOTE: incomplete fix of CVE-2017-18013, see CVE-2018-7456.
 --
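Review bot: the new squirrelmail entry in data/dla-needed.txt has no claimant and no NOTE, so nothing in the file says which issue it was added for or why it "should be doable". Consider a NOTE line naming the CVE being tracked, in the same form as the tiff entry directly below.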



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bdd1de62c2618453a8f9dccf14f810930d5a8893...69be54436ac87ff91f3f23983ea8e23325237287
