[Git][security-tracker-team/security-tracker][master] 5 commits: Mark CVE-2018-19857/vlc as end-of-life for jessie LTS.
Chris Lamb
lamby at debian.org
Fri Dec 7 07:54:40 GMT 2018
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker
Commits:
eb009601 by Chris Lamb at 2018-12-07T07:54:22Z
Mark CVE-2018-19857/vlc as end-of-life for jessie LTS.
- - - - -
d262e97f by Chris Lamb at 2018-12-07T07:54:23Z
Mark CVE-2018-198{86,87,88,89,90,91} (faac) as no-dsa in jessie LTS.
- - - - -
1e96bd3b by Chris Lamb at 2018-12-07T07:54:23Z
data/dla-needed.txt: Triage ghostscript for jessie.
- - - - -
d7833878 by Chris Lamb at 2018-12-07T07:54:23Z
data/dla-needed.txt: Triage polarssl for jessie.
- - - - -
42474c31 by Chris Lamb at 2018-12-07T07:54:23Z
data/dla-needed.txt: Add comment for polarssl re. CVE-2018-19608.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -97,26 +97,32 @@ CVE-2018-19892 (DomainMOD through 4.11.01 has XSS via the admin/dw/add-server.ph
CVE-2018-19891 (An invalid memory address dereference was discovered in the huffcode ...)
- faac <unfixed> (bug #915763)
[stretch] - faac <no-dsa> (Non-free not supported)
+ [jessie] - faac <no-dsa> (Non-free not supported)
NOTE: https://github.com/knik0/faac/issues/24
CVE-2018-19890 (An invalid memory address dereference was discovered in the huffcode ...)
- faac <unfixed> (bug #915763)
[stretch] - faac <no-dsa> (Non-free not supported)
+ [jessie] - faac <no-dsa> (Non-free not supported)
NOTE: https://github.com/knik0/faac/issues/20
CVE-2018-19889 (An invalid memory address dereference was discovered in the huffcode ...)
- faac <unfixed> (bug #915763)
[stretch] - faac <no-dsa> (Non-free not supported)
+ [jessie] - faac <no-dsa> (Non-free not supported)
NOTE: https://github.com/knik0/faac/issues/22
CVE-2018-19888 (An invalid memory address dereference was discovered in the huffcode ...)
- faac <unfixed> (bug #915763)
[stretch] - faac <no-dsa> (Non-free not supported)
+ [jessie] - faac <no-dsa> (Non-free not supported)
NOTE: https://github.com/knik0/faac/issues/25
CVE-2018-19887 (An invalid memory address dereference was discovered in the huffcode ...)
- faac <unfixed> (bug #915763)
[stretch] - faac <no-dsa> (Non-free not supported)
+ [jessie] - faac <no-dsa> (Non-free not supported)
NOTE: https://github.com/knik0/faac/issues/21
CVE-2018-19886 (An invalid memory address dereference was discovered in the huffcode ...)
- faac <unfixed> (bug #915763)
[stretch] - faac <no-dsa> (Non-free not supported)
+ [jessie] - faac <no-dsa> (Non-free not supported)
NOTE: https://github.com/knik0/faac/issues/23
CVE-2018-19885
RESERVED
@@ -191,6 +197,7 @@ CVE-2018-19858
RESERVED
CVE-2018-19857 (The CAF demuxer in modules/demux/caf.c in VideoLAN VLC media player ...)
- vlc <unfixed> (bug #915760)
+ [jessie] - vlc <end-of-life> (See https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: https://dyntopia.com/advisories/013-vlc
NOTE: https://git.videolan.org/?p=vlc.git;a=commit;h=0cc5ea748ee5ff7705dde61ab15dff8f58be39d0
CVE-2018-19856
=====================================
data/dla-needed.txt
=====================================
@@ -32,6 +32,8 @@ freerdp (Mike Gabriel)
NOTE: 20181205: patches needed for producing a secured and functional stretch-security and jessie-security
NOTE: 20181205: upload package.
--
+ghostscript
+--
jasper
--
libapache-mod-jk (Roberto C. Sánchez)
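Review bot: The added `ghostscript` entry has no NOTE line, so the file does not record which issue prompted the triage. Consider adding a dated NOTE naming the CVE id(s) concerned, in the same style as the freerdp notes just above, so whoever claims the package does not have to repeat the lookup.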
@@ -94,6 +96,9 @@ pdns-recursor (Abhijith PA)
--
php5 (Roberto C. Sánchez)
--
+polarssl
+ NOTE: 20121207: Not 100% sure if vulnerable. Upstream would prefer us to move to latest version, etc. (!). (lamby)
+--
policykit-1 (Santiago)
NOTE: 20181202: probably maintainer wants to upload this (Thorsten)
NOTE: 20181207: fixed in stretch by secteam
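Review bot: The date stamp on the added polarssl NOTE reads `20121207`, while the neighbouring notes in this hunk are stamped `20181202` and `20181207`; this looks like a typo for `20181207`. The note also says "Not 100% sure if vulnerable" without naming the issue. The commit subject refers to CVE-2018-19608, so putting that id in the NOTE itself would keep the entry self-explanatory once it is read outside the commit log.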
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/5e6f05dd43d6d780ce47b7a8b66624f057bfd2d9...42474c31218a5c7878e5933b6f0ad59e5c7d2005