[Git][security-tracker-team/security-tracker][master] stretch triage

Fri Dec 7 18:34:26 GMT 2018

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c7983a12 by Moritz Muehlenhoff at 2018-12-07T18:33:56Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1035,7 +1035,8 @@ CVE-2018-19870 [Check for QImage allocation failure in qgifhandler]
 	TODO: check for completeness
 CVE-2018-19869 [Fix crash when parsing malformed url reference]
 	RESERVED
-	- qtsvg-opensource-src <unfixed>
+	- qtsvg-opensource-src <unfixed> (low)
+	[stretch] - qtsvg-opensource-src <no-dsa> (Minor issue)
 	NOTE: https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/
 	NOTE: https://codereview.qt-project.org/#/c/234142/
 	TODO: check for completeness, possibly as well qt4-x11
@@ -1098,11 +1099,13 @@ CVE-2018-19845
 CVE-2018-19844
 	RESERVED
 CVE-2018-19843 (opmov in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows ...)
-	- radare2 3.1.0+dfsg-1
+	- radare2 3.1.0+dfsg-1 (low)
+	[stretch] - radare2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/radare/radare2/commit/f17bfd9f1da05f30f23a4dd05e9d2363e1406948
 	NOTE: https://github.com/radare/radare2/issues/12242
 CVE-2018-19842 (getToken in libr/asm/p/asm_x86_nz.c in radare2 before 3.1.0 allows ...)
-	- radare2 3.1.0+dfsg-1
+	- radare2 3.1.0+dfsg-1 (low)
+	[stretch] - radare2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/radare/radare2/commit/66191f780863ea8c66ace4040d0d04a8842e8432
 	NOTE: https://github.com/radare/radare2/issues/12239
 CVE-2018-19841 (The function WavpackVerifySingleBlock in open_utils.c in libwavpack.a ...)
@@ -1251,6 +1254,7 @@ CVE-2018-19788 (A flaw was found in PolicyKit (aka polkit) 0.115 that allows a u
 	NOTE: https://gitlab.freedesktop.org/polkit/polkit/commit/b534a10727455409acd54018a9c91000e7626126
 CVE-2018-19787 (An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the ...)
 	- lxml 4.2.5-1
+	[stretch] - lxml <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/lxml/lxml/commit/6be1d081b49c97cfd7b3fbd934a193b668629109 (lxml-4.2.5)
 CVE-2018-19786 (HashiCorp Vault before 1.0.0 writes the master key to the server log in ...)
 	NOT-FOR-US: HashiCorp Vault
@@ -4629,18 +4633,21 @@ CVE-2018-19492 (An issue was discovered in cairo.trm in Gnuplot 5.2.5. This issu
 	NOTE: https://sourceforge.net/p/gnuplot/bugs/2089/
 	NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/d5020716834582b20a5e12cdd49f39ee4f9dd949/
 	NOTE: No security impact, neutralised by toolchain hardening
+	NOTE: No security impact, gnuplot can execute arbitrary commands and need to come from a trusted source
 CVE-2018-19491 (An issue was discovered in post.trm in Gnuplot 5.2.5. This issue allows ...)
 	{DLA-1597-1 DLA-1595-1}
-	- gnuplot <unfixed>
-	- gnuplot5 <removed>
+	- gnuplot <unfixed> (unimportant)
+	- gnuplot5 <removed> (unimportant)
 	NOTE: https://sourceforge.net/p/gnuplot/bugs/2094/
 	NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/d5020716834582b20a5e12cdd49f39ee4f9dd949/
+	NOTE: No security impact, gnuplot can execute arbitrary commands and need to come from a trusted source
 CVE-2018-19490 (An issue was discovered in datafile.c in Gnuplot 5.2.5. This issue ...)
 	{DLA-1597-1 DLA-1595-1}
-	- gnuplot <unfixed>
-	- gnuplot5 <removed>
+	- gnuplot <unfixed> (unimportant)
+	- gnuplot5 <removed> (unimportant)
 	NOTE: https://sourceforge.net/p/gnuplot/bugs/2093/
 	NOTE: https://sourceforge.net/p/gnuplot/gnuplot-main/ci/d5020716834582b20a5e12cdd49f39ee4f9dd949/
+	NOTE: No security impact, gnuplot can execute arbitrary commands and need to come from a trusted source
 CVE-2018-19489 [9pfs: crash due to race condition in renaming files]
 	RESERVED
 	- qemu <unfixed> (bug #914727)
@@ -5001,14 +5008,16 @@ CVE-2018-19359 [Unauthorized service template creation]
 	- gitlab 11.3.10+dfsg-2 (bug #914166)
 	NOTE: https://about.gitlab.com/2018/11/19/critical-security-release-gitlab-11-dot-4-dot-6-released/
 CVE-2018-19358 (GNOME Keyring through 3.28.2 allows local users to retrieve login ...)
-	- gnome-keyring <unfixed> (bug #914154)
-	[jessie] - gnome-keyring <no-dsa> (The current design works as expected)
+	- gnome-keyring <unfixed> (unimportant; bug #914154)
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1780365
 	NOTE: https://github.com/sungjungk/keyring_crack
 	NOTE: The default keyring is automatically unlocked upon successful login.
 	NOTE: The current behavior to access passwords via DBus is expected but
 	NOTE: cannot be compromised by another user on the system. Users can choose
 	NOTE: to use a separate keyring if they prefer to be prompted.
+	NOTE: Non issue
+	NOTE: https://wiki.gnome.org/Projects/GnomeKeyring/SecurityFAQ
+	NOTE: https://gitlab.gnome.org/GNOME/gnome-keyring/issues/5
 CVE-2018-19357
 	RESERVED
 CVE-2018-19356
@@ -9148,23 +9157,23 @@ CVE-2018-17850
 CVE-2018-17849 (Navigate CMS 2.8 has Stored XSS via a navigate_upload.php (aka File ...)
 	NOT-FOR-US: Navigate CMS
 CVE-2018-17848 (The html package (aka x/net/html) through 2018-09-25 in Go mishandles ...)
-	- golang-golang-x-net-dev <unfixed> (bug #911795)
+	- golang-golang-x-net-dev <unfixed> (low; bug #911795)
+	[stretch] - golang-golang-x-net-dev <not-affected> (Vulnerable code not present)
 	- golang-go.net-dev <removed>
 	[jessie] - golang-go.net-dev <ignored> (Minor issue)
 	NOTE: https://github.com/golang/go/issues/27846
-	TODO: check, possibly introduced in later versions
 CVE-2018-17847 (The html package (aka x/net/html) through 2018-09-25 in Go mishandles ...)
-	- golang-golang-x-net-dev <unfixed> (bug #911795)
+	- golang-golang-x-net-dev <unfixed> (low; bug #911795)
+	[stretch] - golang-golang-x-net-dev <not-affected> (Vulnerable code not present)
 	- golang-go.net-dev <removed>
 	[jessie] - golang-go.net-dev <ignored> (Minor issue)
 	NOTE: https://github.com/golang/go/issues/27846
-	TODO: check, possibly introduced in later versions
 CVE-2018-17846 (The html package (aka x/net/html) through 2018-09-25 in Go mishandles ...)
 	- golang-golang-x-net-dev <unfixed> (bug #911795)
+	[stretch] - golang-golang-x-net-dev <not-affected> (Vulnerable code not present)
 	- golang-go.net-dev <removed>
 	[jessie] - golang-go.net-dev <ignored> (Minor issue)
 	NOTE: https://github.com/golang/go/issues/27842
-	TODO: check, possibly introduced in later versions
 CVE-2018-17845
 	RESERVED
 CVE-2018-17844


=====================================
data/dsa-needed.txt
=====================================
@@ -34,10 +34,14 @@ libspring-java
 linux
   Wait until more issues have piled up
 --
+mbedtls
+--
 mercurial
 --
 openjpeg2 (luciano)
 --
+openssl1.0
+--
 passenger
 --
 php7.0



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c7983a12d54d7e8d18e335ac6c3ce19672219088

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c7983a12d54d7e8d18e335ac6c3ce19672219088
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20181207/1676b32d/attachment-0001.html>
