[Git][security-tracker-team/security-tracker][master] stretch triage

Moritz Muehlenhoff jmm at debian.org
Mon Aug 20 19:44:00 BST 2018 

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5c7f646f by Moritz Muehlenhoff at 2018-08-20T18:43:34Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -168,7 +168,8 @@ CVE-2018-15503 (The unpack implementation in Swoole version 4.0.4 lacks correct 
 CVE-2018-15502
 	RESERVED
 CVE-2018-15501 (In ng_pkt in transports/smart_pkt.c in libgit2 before 0.26.6 and 0.27.x ...)
-	- libgit2 0.27.4+dfsg.1-0.1
+	- libgit2 0.27.4+dfsg.1-0.1 (low)
+	[stretch] - libgit2 <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9406
 	NOTE: https://github.com/libgit2/libgit2/commit/1f9a8510e1d2f20ed7334eeeddb92c4dd8e7c649
 CVE-2018-15500
@@ -773,6 +774,7 @@ CVE-2018-15210
 	RESERVED
 CVE-2018-15209 (ChopUpSingleUncompressedStrip in tif_dirread.c in LibTIFF 4.0.9 allows ...)
 	- tiff <unfixed> (bug #905798)
+	[stretch] - tiff <postponed> (Can be fixed along in future DSA)
 	- tiff3 <removed>
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2808
 CVE-2018-15208
@@ -3739,6 +3741,7 @@ CVE-2018-14029 (CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6.
 	NOT-FOR-US: Creatiwity wityCMS
 CVE-2018-14028 (In WordPress 4.9.7, plugins uploaded via the admin area are not ...)
 	- wordpress <unfixed> (bug #906565)
+	[stretch] - wordpress <no-dsa> (Minor issue)
 	[jessie] - wordpress <postponed> (can be fixed with a later update)
 	NOTE: https://core.trac.wordpress.org/ticket/44710
 	NOTE: https://rastating.github.io/unrestricted-file-upload-via-plugin-uploader-in-wordpress/
@@ -9284,6 +9287,7 @@ CVE-2018-11772
 	RESERVED
 CVE-2018-11771 (When reading a specially crafted ZIP archive, the read method of ...)
 	- libcommons-compress-java <unfixed> (bug #906301)
+	[stretch] - libcommons-compress-java <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/08/16/2
 CVE-2018-11770 (From version 1.3.0 onward, Apache Spark's standalone master exposes a ...)
 	NOT-FOR-US: Apache Spark
@@ -18925,9 +18929,11 @@ CVE-2018-8021
 	RESERVED
 CVE-2018-8020 (Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw ...)
 	- tomcat-native 1.2.17-1
+	[stretch] - tomcat-native <no-dsa> (Minor issue)
 	NOTE: https://svn.apache.org/r1832863
 CVE-2018-8019 (When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and ...)
 	- tomcat-native 1.2.17-1
+	[stretch] - tomcat-native <no-dsa> (Minor issue)
 	NOTE: https://svn.apache.org/r1832832
 CVE-2018-8018 (Apache Ignite 2.5 and earlier serialization mechanism does not have a ...)
 	NOT-FOR-US: Apache Ignite
@@ -31268,6 +31274,7 @@ CVE-2017-1000434 (Wordpress plugin Furikake version 0.1.0 is vulnerable to an Op
 CVE-2017-1000433 (pysaml2 version 4.4.0 and older accept any password when run with ...)
 	{DLA-1410-1}
 	- python-pysaml2 <unfixed> (bug #886423)
+	[stretch] - python-pysaml2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/rohe/pysaml2/issues/451
 	NOTE: Fixed by: https://github.com/rohe/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5
 CVE-2017-1000432 (Vanilla Forums below 2.1.5 are affected by CSRF leading to Deleting ...)


=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -65,6 +65,8 @@ openjpeg2 (luciano)
 openssh (seb)
   User enumeration vulnerability
 --
+openssh
+--
 otrs2
 --
 passenger



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c7f646f0e6c5f4f5372ce5f3f528145eb739255

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5c7f646f0e6c5f4f5372ce5f3f528145eb739255
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180820/297b77cf/attachment.html>

More information about the debian-security-tracker-commits mailing list