[Git][security-tracker-team/security-tracker][master] add wavpack to dsa-needed, n/a for jessie

Moritz Muehlenhoff jmm at debian.org
Mon Apr 30 21:53:00 BST 2018


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
686beee2 by Moritz Muehlenhoff at 2018-04-30T22:52:20+02:00
add wavpack to dsa-needed, n/a for jessie
lrzsz, cacti, flac, uimaj no-dsa

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -91,24 +91,34 @@ CVE-2018-10541
 	RESERVED
 CVE-2018-10540 (An issue was discovered in WavPack 5.1.0 and earlier for W64 input. ...)
 	- wavpack <unfixed>
+	[jessie] - wavpack <not-affected> (Vulnerable code not present, introduced in 5.0.0)
+	[wheezy] - wavpack <not-affected> (Vulnerable code not present, introduced in 5.0.0)
 	NOTE: https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d
 	NOTE: https://github.com/dbry/WavPack/issues/33
 CVE-2018-10539 (An issue was discovered in WavPack 5.1.0 and earlier for DSDiff input. ...)
 	- wavpack <unfixed>
+	[jessie] - wavpack <not-affected> (Vulnerable code not present, introduced in 5.0.0)
+	[wheezy] - wavpack <not-affected> (Vulnerable code not present, introduced in 5.0.0)
 	NOTE: https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d
 	NOTE: https://github.com/dbry/WavPack/issues/33
 CVE-2018-10538 (An issue was discovered in WavPack 5.1.0 and earlier for WAV input. ...)
 	- wavpack <unfixed>
+	[jessie] - wavpack <not-affected> (Vulnerable code not present, introduced in 5.0.0)
+	[wheezy] - wavpack <not-affected> (Vulnerable code not present, introduced in 5.0.0)
 	NOTE: https://github.com/dbry/WavPack/commit/6f8bb34c2993a48ab9afbe353e6d0cff7c8d821d
 	NOTE: https://github.com/dbry/WavPack/issues/33
 CVE-2018-10537 (An issue was discovered in WavPack 5.1.0 and earlier. The W64 parser ...)
 	- wavpack <unfixed>
+	[jessie] - wavpack <not-affected> (Vulnerable code not present, introduced in 5.0.0)
+	[wheezy] - wavpack <not-affected> (Vulnerable code not present, introduced in 5.0.0)
 	NOTE: https://github.com/dbry/WavPack/commit/26cb47f99d481ad9b93eeff80d26e6b63bbd7e15
 	NOTE: https://github.com/dbry/WavPack/issues/30
 	NOTE: https://github.com/dbry/WavPack/issues/31
 	NOTE: https://github.com/dbry/WavPack/issues/32
 CVE-2018-10536 (An issue was discovered in WavPack 5.1.0 and earlier. The WAV parser ...)
 	- wavpack <unfixed>
+	[jessie] - wavpack <not-affected> (Vulnerable code not present, introduced in 5.0.0)
+	[wheezy] - wavpack <not-affected> (Vulnerable code not present, introduced in 5.0.0)
 	NOTE: https://github.com/dbry/WavPack/commit/26cb47f99d481ad9b93eeff80d26e6b63bbd7e15
 	NOTE: https://github.com/dbry/WavPack/issues/30
 	NOTE: https://github.com/dbry/WavPack/issues/31
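Review bot: The ten added <not-affected> lines all rest on "introduced in 5.0.0", but none of the five entries gains a NOTE naming the upstream commit or release change that introduced the affected parsers, so the claim cannot be rechecked from the tracker alone. Consider adding one "NOTE: Introduced by: ..." line per entry, or a shared pointer to issue 33 or 30 if that is where the version analysis lives. The commit message also says "n/a for jessie" while the hunk tags [wheezy] as well; mentioning wheezy in the message would make the log match the change.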
@@ -866,7 +876,9 @@ CVE-2018-10196
 	RESERVED
 CVE-2018-10195 [rzsz: sz can leak data to receiving side]
 	RESERVED
-	- lrzsz <unfixed> (bug #897010)
+	- lrzsz <unfixed> (low; bug #897010)
+	[stretch] - lrzsz <no-dsa> (Minor issue)
+	[jessie] - lrzsz <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1090051
 	NOTE: Fedora patch: https://src.fedoraproject.org/cgit/rpms/lrzsz.git/tree/lrzsz-0.12.20.patch
 CVE-2018-10194 (The set_text_distance function in devices/vector/gdevpdts.c in the ...)
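Review bot: The two <no-dsa> lines for lrzsz give only "Minor issue" as the reason, while the bracketed description says sz can leak data to the receiving side and the entry is still RESERVED. A few words on why the leak is considered minor would let a later triager confirm the decision, for example in place of the generic text in "[stretch] - lrzsz <no-dsa> (Minor issue)".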
@@ -1232,10 +1244,14 @@ CVE-2018-10074 (The hi3660_stub_clk_probe function in ...)
 	- linux <not-affected> (Vulnerable code introduced later)
 	NOTE: Fixed by: https://git.kernel.org/linus/9903e41ae1f5d50c93f268ca3304d4d7c64b9311 (4.16-rc7)
 CVE-2018-10061 (Cacti before 1.1.37 has XSS because it makes certain htmlspecialchars ...)
-	- cacti 1.1.37+ds1-1
+	- cacti 1.1.37+ds1-1 (low)
+	[stretch] - cacti <no-dsa> (Minor issue)
+	[jessie] - cacti <no-dsa> (Minor issue)
 	NOTE: https://github.com/Cacti/cacti/issues/1457
 CVE-2018-10060 (Cacti before 1.1.37 has XSS because it does not properly reject ...)
-	- cacti 1.1.37+ds1-1
+	- cacti 1.1.37+ds1-1 (low)
+	[stretch] - cacti <no-dsa> (Minor issue)
+	[jessie] - cacti <no-dsa> (Minor issue)
 	NOTE: https://github.com/Cacti/cacti/issues/1457
 CVE-2018-10059 (Cacti before 1.1.37 has XSS because the get_current_page function in ...)
 	- cacti 1.1.37+ds1-1
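Review bot: CVE-2018-10059 in the trailing context keeps "- cacti 1.1.37+ds1-1" with no "(low)" urgency, while CVE-2018-10061 and CVE-2018-10060 directly above both get "(low)" plus stretch and jessie <no-dsa> lines. All three are described as Cacti XSS fixed in 1.1.37, so either apply the same triage to CVE-2018-10059 or record why it is being treated differently. The lines after it are not visible in this hunk, so this may already be handled there.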
@@ -33075,6 +33091,8 @@ CVE-2017-15692 (In Apache Geode before v1.4.0, the TcpServer within the Geode lo
 	NOT-FOR-US: Apache Geode
 CVE-2017-15691 (In Apache uimaj prior to 2.10.2, Apache uimaj 3.0.0-xxx prior to ...)
 	- uimaj <unfixed> (bug #897009)
+	[stretch] - uimaj <no-dsa> (Minor issue)
+	[jessie] - uimaj <no-dsa> (Minor issue)
 	NOTE: https://uima.apache.org/security_report#CVE-2017-15691
 CVE-2017-15924 (In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing ...)
 	{DSA-4009-1}
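Review bot: The uimaj entry gets <no-dsa> (Minor issue) for stretch and jessie, but its unstable line stays "- uimaj <unfixed> (bug #897009)" without an urgency, whereas the lrzsz and flac entries in this same commit are changed to "(low; bug #...)". If the issue is minor enough for no-dsa, setting "(low; bug #897009)" here would keep the three entries consistent.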
@@ -60286,7 +60304,9 @@ CVE-2017-6890 (A boundary error within the "foveon_load_camf()" functi
 CVE-2017-6889 (An integer overflow error within the "foveon_load_camf()" function ...)
 	NOT-FOR-US: libraw demosaic extension (not packaged in Debian)
 CVE-2017-6888 (An error in the "read_metadata_vorbiscomment_()" function ...)
-	- flac <unfixed> (bug #897015)
+	- flac <unfixed> (low; bug #897015)
+	[stretch] - flac <no-dsa> (Minor issue)
+	[jessie] - flac <no-dsa> (Minor issue)
 	NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-7/
 	NOTE: https://git.xiph.org/?p=flac.git;a=commit;h=4f47b63e9c971e6391590caf00a0f2a5ed612e67
 CVE-2017-6887 (A boundary error within the "parse_tiff_ifd()" function ...)


=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -92,6 +92,8 @@ undertow
 --
 vlc (jmm)
 --
+wavpack (jmm)
+--
 wordpress
   Craig Small prepared update for stretch-security
   Craig Small and Markus Koschany working on jessie-security update, needs debdiff review
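Review bot: The new "wavpack (jmm)" entry carries no indented status line, and the data/CVE/list change in this commit marks jessie and wheezy as <not-affected>, so it is not obvious from dsa-needed.txt which suite still needs the update. A short note under the entry, in the style of the wordpress lines below it, stating the affected suite would save the next reader a lookup.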



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/686beee24b1f679fc18486508e810ecca2784db8
