[Git][security-tracker-team/security-tracker][master] r-base non issue

Mon Apr 30 22:57:50 BST 2018

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
de2d2132 by Moritz Muehlenhoff at 2018-04-30T23:57:27+02:00
r-base non issue
readd chromium to dsa-needed, new upstream release
add and take quassel
phpmyadmin not-affected in jessie/stretch
one mruby issue not-affected
libgit, sqlite, libraw no-dsa

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================

--- a/data/CVE/list
+++ b/data/CVE/list
@@ -146,11 +146,15 @@ CVE-2018-10531
 CVE-2018-10530
 	RESERVED
 CVE-2018-10529 (An issue was discovered in LibRaw 0.18.9. There is an out-of-bounds ...)
-	- libraw <unfixed> (bug #897186)
+	- libraw <unfixed> (low; bug #897186)
+	[stretch] - libraw <no-dsa> (Minor issue)
+	[jessie] - libraw <no-dsa> (Minor issue)
 	NOTE: https://github.com/LibRaw/LibRaw/commit/f0c505a3e5d47989a5f69be2d0d4f250af6b1a6c
 	NOTE: https://github.com/LibRaw/LibRaw/issues/144
 CVE-2018-10528 (An issue was discovered in LibRaw 0.18.9. There is a stack-based buffer ...)
-	- libraw <unfixed> (bug #897185)
+	- libraw <unfixed> (low; bug #897185)
+	[stretch] - libraw <no-dsa> (Minor issue)
+	[jessie] - libraw <no-dsa> (Minor issue)
 	NOTE: https://github.com/LibRaw/LibRaw/commit/895529fc2f2eb8bc633edd6b04b5b237eb4db564
 	NOTE: https://github.com/LibRaw/LibRaw/issues/144
 CVE-2018-10527 (EasyCMS 1.3 is prone to Stored XSS when posting an article; four fields ...)
@@ -910,6 +914,8 @@ CVE-2018-1000158 (cmsmadesimple version 2.2.7 contains a Incorrect Access Contro
 	NOT-FOR-US: CMS Made Simple
 CVE-2018-10199 (In versions of mruby up to and including 1.4.0, a use-after-free ...)
 	- mruby 1.4.0+20180418+git54905e98-1 (bug #896021)
+	[stretch] - mruby <not-affected> (Vulnerable code introduced later)
+	[jessie] - mruby <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/mruby/mruby/issues/4001
 	NOTE: https://github.com/mruby/mruby/commit/b51b21fc63c9805862322551387d9036f2b63433
 CVE-2018-10193 (LogMeIn LastPass through 4.9.1 allows remote attackers to cause a ...)
@@ -918,6 +924,8 @@ CVE-2018-10192 (IPVanish 3.0.11 for macOS suffers from a root privilege escalati
 	NOT-FOR-US: IPVanish for macOS
 CVE-2018-10191 (In versions of mruby up to and including 1.4.0, an integer overflow ...)
 	- mruby 1.4.0+20180418+git54905e98-1 (bug #896020)
+	[stretch] - mruby <no-dsa> (Minor issue)
+	[jessie] - mruby <no-dsa> (Minor issue)
 	NOTE: https://github.com/mruby/mruby/issues/3995
 	NOTE: https://github.com/mruby/mruby/commit/1905091634a6a2925c911484434448e568330626
 CVE-2018-10190 (A vulnerability in London Trust Media Private Internet Access (PIA) VPN ...)
@@ -926,6 +934,8 @@ CVE-2018-10189 (An issue was discovered in Mautic 1.x and 2.x before 2.13.0. It 
 	NOT-FOR-US: Mautic
 CVE-2018-10188 (phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to ...)
 	- phpmyadmin <unfixed> (bug #896490)
+	[stretch] - phpmyadmin <not-affected> (Vulnerable code not present)
+	[jessie] - phpmyadmin <not-affected> (Vulnerable code not present)
 	[wheezy] - phpmyadmin <not-affected> (vulnerable code not present)
 	NOTE: https://www.phpmyadmin.net/security/PMASA-2018-2/
 	NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/c6dd6b56e236a3aff953cee4135ecaa67130e641
@@ -3546,8 +3556,7 @@ CVE-2018-9062
 CVE-2018-9061
 	RESERVED
 CVE-2018-9060 (R 3.4.4 suffers from a local buffer overflow that allows code ...)
-	- r-base <unfixed>
-	[wheezy] - r-base <no-dsa> (Minor issue)
+	- r-base <not-affected> (R on Linux doesn't ship the GUI, likely non-issue for Windows as well, see #897254)
 	NOTE: https://github.com/bzyo/CVE-PoCs/tree/master/CVE-2018-9060
 CVE-2018-9059 (Stack-based buffer overflow in Easy File Sharing (EFS) Web Server 7.2 ...)
 	NOT-FOR-US: Easy File Sharing (EFS)
@@ -5831,10 +5840,14 @@ CVE-2018-8100 (The JPXStream::readTilePart function in JPXStream.cc in xpdf 4.00
 	NOTE: src:xpdf switched to use system poppler libary in 3.02-3
 	NOTE: Reproducer correctly detected as broken with jessie's poppler build
 CVE-2018-8099 (Incorrect returning of an error code in the index.c:read_entry() ...)
-	- libgit2 <unfixed> (bug #892962)
+	- libgit2 <unfixed> (low; bug #892962)
+	[stretch] - libgit2 <no-dsa> (Minor issue)
+	[jessie] - libgit2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/libgit2/libgit2/commit/58a6fe94cb851f71214dbefac3f9bffee437d6fe
 CVE-2018-8098 (Integer overflow in the index.c:read_entry() function while ...)
-	- libgit2 <unfixed> (bug #892961)
+	- libgit2 <unfixed> (low; bug #892961)
+	[stretch] - libgit2 <no-dsa> (Minor issue)
+	[jessie] - libgit2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/libgit2/libgit2/commit/3207ddb0103543da8ad2139ec6539f590f9900c1
 	NOTE: https://github.com/libgit2/libgit2/commit/3db1af1f370295ad5355b8f64b865a2a357bcac0
 CVE-2018-8097 (io/mongo/parser.py in Eve (aka pyeve) before 0.7.5 allows remote ...)
@@ -73799,18 +73812,21 @@ CVE-2017-2521 (An issue was discovered in certain Apple products. iOS before 10.
 	NOTE: Not covered by security support
 CVE-2017-2520 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...)
 	- sqlite3 3.16.2-1
+	[jessie] - sqlite3 <no-dsa> (Minor issue)
 	[wheezy] - sqlite3 <not-affected> (Vulnerable code not present)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=384
 	NOTE: https://clusterfuzz-external.appspot.com/testcase?key=5694101458518016
 	NOTE: Fixed by: https://www.sqlite.org/src/info/2dc7eeb5b4d2eaf1
 CVE-2017-2519 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...)
 	- sqlite3 3.16.0-1
+	[jessie] - sqlite3 <no-dsa> (Minor issue)
 	[wheezy] - sqlite3 <not-affected> (Vulnerable code not present)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=288
 	NOTE: https://clusterfuzz-external.appspot.com/testcase?key=6739028850245632
 	NOTE: Fixed by: https://www.sqlite.org/src/info/d08b72c38ff6fae6
 CVE-2017-2518 (An issue was discovered in certain Apple products. iOS before 10.3.2 ...)
 	- sqlite3 3.15.2-1
+	[jessie] - sqlite3 <no-dsa> (Minor issue)
 	[wheezy] - sqlite3 <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=199
 	NOTE: https://clusterfuzz-external.appspot.com/testcase?key=4603622180519936


=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -17,6 +17,8 @@ If needed, specify the release by adding a slash after the name of the source pa
 asterisk/stable
   berni working on updates
 --
+chromium-browser
+--
 dokuwiki/oldstable
 --
 ffmpeg/stable
@@ -67,6 +69,8 @@ php-horde-image
 phpmyadmin/oldstable (abhijith)
   https://mentors.debian.net/debian/pool/main/p/phpmyadmin/phpmyadmin_4.2.12-2+deb8u3.dsc
 --
+quassel (jmm)
+--
 qemu/oldstable
 --
 redmine (seb)
@@ -98,7 +102,7 @@ wordpress
   Craig Small prepared update for stretch-security
   Craig Small and Markus Koschany working on jessie-security update, needs debdiff review
 --
-xen/oldstable
+xen
 --
 zendframework/oldstable
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/de2d2132752e67d8b3ec9a4d39c4c504d34da0be

---
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/de2d2132752e67d8b3ec9a4d39c4c504d34da0be
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180430/f2ecd5f0/attachment-0001.html>
