[Git][security-tracker-team/security-tracker][master] 9 commits: CVE-2018-5766,libav: Remove ignored tag.
Markus Koschany
apo at debian.org
Tue Dec 11 14:15:31 GMT 2018
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
6dcb422f by Markus Koschany at 2018-12-11T14:15:00Z
CVE-2018-5766,libav: Remove ignored tag.
- - - - -
f6fb5473 by Markus Koschany at 2018-12-11T14:15:00Z
CVE-2018-5684,libav: Jessie is not affected
The vulnerable code in function ff_mov_read_stsd_entries is not present.
- - - - -
a0677736 by Markus Koschany at 2018-12-11T14:15:01Z
CVE-2018-20001,libav: no-dsa for Jessie
The floating point exception cannot be observed on Jessie, with or without
ASAN. The possibly vulnerable function is present hence mark the issue as
no-dsa (low priority) for now. The POC triggers the following message:
Could not find codec parameters (Audio: ape, mono, u8p)
This might indicate that some code to exploit this issue is missing.
- - - - -
ee4c4566 by Markus Koschany at 2018-12-11T14:15:02Z
CVE-2018-1999015,libav: Jessie is not affected.
- - - - -
bbc1fc68 by Markus Koschany at 2018-12-11T14:15:02Z
CVE-2018-1999014,libav: Jessie is not affected
- - - - -
eb267739 by Markus Koschany at 2018-12-11T14:15:03Z
CVE-2018-1999013,libav: Jessie is not affected
- - - - -
c29b1ffe by Markus Koschany at 2018-12-11T14:15:04Z
CVE-2018-1999012,libav: Jessie is affected.
- - - - -
ac1e3198 by Markus Koschany at 2018-12-11T14:15:04Z
CVE-2018-1999011,libav: Jessie is not affected.
- - - - -
b66dfc5b by Markus Koschany at 2018-12-11T14:15:05Z
CVE-2018-1999010,libav: Jessie is affected.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -938,6 +938,7 @@ CVE-2018-20002 (The _bfd_generic_read_minisymbols function in syms.c in the Bina
NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=c2f5dc30afa34696f2da0081c4ac50b958ecb0e9
CVE-2018-20001 (In Libav 12.3, there is a floating point exception in the ...)
- libav <removed>
+ [jessie] - libav <no-dsa> (floating point exception cannot be observed on Jessie)
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1141
CVE-2018-20000 (Apereo Bedework bw-webdav before 4.0.3 allows XXE attacks, as ...)
TODO: check
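Review bot: The `<no-dsa>` reason on the added `[jessie]` line for CVE-2018-20001 records only that the floating point exception was not observed, while the commit message says the possibly vulnerable function is present and that the POC stopped at "Could not find codec parameters (Audio: ape, mono, u8p)". Consider adding a NOTE line under the entry with those two facts, so a later triager can see that the reproduction attempt was inconclusive rather than a confirmed non-issue.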
@@ -18483,32 +18484,36 @@ CVE-2018-1999016 (Pydio version 8.2.0 and earlier contains a Cross Site Scriptin
CVE-2018-1999015 (FFmpeg before commit 5aba5b89d0b1d73164d3b81764828bb8b20ff32a contains ...)
- ffmpeg 7:4.0.2-1
[stretch] - ffmpeg <not-affected> (Vulnerable code not present)
- - libav <undetermined>
+ - libav <removed>
+ [jessie] - libav <not-affected> (Vulnerable code not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/5aba5b89d0b1d73164d3b81764828bb8b20ff32
CVE-2018-1999014 (FFmpeg before commit bab0716c7f4793ec42e05a5aa7e80d82a0dd4e75 contains ...)
- ffmpeg 7:4.0.2-1
[stretch] - ffmpeg <not-affected> (Vulnerable code not present)
- - libav <undetermined>
+ - libav <removed>
+ [jessie] - libav <not-affected> (Vulnerable code not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/bab0716c7f4793ec42e05a5aa7e80d82a0dd4e7
CVE-2018-1999013 (FFmpeg before commit a7e032a277452366771951e29fd0bf2bd5c029f0 contains ...)
{DSA-4249-1}
- ffmpeg 7:4.0.2-1
- - libav <undetermined>
+ - libav <removed>
+ [jessie] - libav <not-affected> (Vulnerable code not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/a7e032a277452366771951e29fd0bf2bd5c029f
CVE-2018-1999012 (FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains ...)
{DSA-4249-1}
- ffmpeg 7:4.0.2-1
- - libav <undetermined>
+ - libav <removed>
NOTE: https://github.com/FFmpeg/FFmpeg/commit/9807d3976be0e92e4ece3b4b1701be894cd7c2e
CVE-2018-1999011 (FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains ...)
- ffmpeg 7:4.0.2-1
[stretch] - ffmpeg <postponed> (Minor issue, wait for next 3.2 release)
- - libav <undetermined>
+ - libav <removed>
+ [jessie] - libav <not-affected> (Vulnerable code not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/2b46ebdbff1d8dec7a3d8ea280a612b91a58286
CVE-2018-1999010 (FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains ...)
{DSA-4249-1}
- ffmpeg 7:4.0.2-1
- - libav <undetermined>
+ - libav <removed>
NOTE: https://github.com/FFmpeg/FFmpeg/commit/cced03dd667a5df6df8fd40d8de0bff477ee02e
CVE-2018-1999009 (October CMS version prior to Build 437 contains a Local File Inclusion ...)
NOT-FOR-US: October CMS
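Review bot: For CVE-2018-1999012 and CVE-2018-1999010 the only change is `<undetermined>` to `<removed>`, so the "Jessie is affected" conclusion from the commit subjects is not recorded in the entry itself, unlike the four neighbouring entries that gain an explicit `[jessie] - libav <not-affected> (Vulnerable code not present)` line. A short NOTE on each of the two entries stating that the jessie libav source was checked and found to contain the vulnerable code would keep that triage result visible in data/CVE/list.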
@@ -42912,7 +42917,6 @@ CVE-2018-5767 (An issue was discovered on Tenda AC15 V15.03.1.16_multi devices.
NOT-FOR-US: Tenda AC15 V15.03.1.16_multi devices
CVE-2018-5766 (In Libav through 12.2, there is an invalid memcpy in the av_packet_ref ...)
- libav <removed>
- [jessie] - libav <ignored> (Minor issue)
[wheezy] - libav <ignored> (Minor issue)
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1112
CVE-2018-5765
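Review bot: Dropping `[jessie] - libav <ignored> (Minor issue)` for CVE-2018-5766 leaves jessie with no release-specific entry while the identical `[wheezy]` line stays, and the commit message gives no reason for the change. Please state in the commit message or in a NOTE why the assessment changed for jessie, and whether the wheezy line should still read "Minor issue".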
@@ -43241,7 +43245,7 @@ CVE-2018-5685 (In GraphicsMagick 1.3.27, there is an infinite loop and applicati
NOTE: expanded to 64-bit architectures with upstream commit be5e89e6032d
CVE-2018-5684 (In Libav through 12.2, there is an invalid memcpy call in the ...)
- libav <removed>
- [jessie] - libav <ignored> (Minor issue)
+ [jessie] - libav <not-affected> (vulnerable code is not present)
NOTE: https://bugzilla.libav.org/show_bug.cgi?id=1110
CVE-2018-5683 (The vga_draw_text function in Qemu allows local OS guest privileged ...)
{DSA-4213-1 DLA-1497-1}
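Review bot: The reason text on the new `[jessie]` line for CVE-2018-5684, "(vulnerable code is not present)", differs in wording and capitalisation from the "(Vulnerable code not present)" used for the CVE-2018-1999015 to CVE-2018-1999011 entries in the same push; pick one form so the entries can be searched consistently. The commit message names the function that was checked, ff_mov_read_stsd_entries; putting that name in the reason or in a NOTE would make the claim verifiable from the entry alone.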
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/0927dab5ed33774b6ade6c6a022c2ce1166bead5...b66dfc5b745e30972a4c2fe606835ec7d6c94872