[Git][security-tracker-team/security-tracker][master] libarchive DSA

Moritz Muehlenhoff jmm at debian.org
Thu Dec 27 16:29:25 GMT 2018 

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
93deac58 by Moritz Muehlenhoff at 2018-12-27T16:28:57Z
libarchive DSA

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -71225,21 +71225,18 @@ CVE-2017-14504 (ReadPNMImage in coders/pnm.c in GraphicsMagick 1.3.26 does not e
 CVE-2017-14503 (libarchive 3.3.2 suffers from an out-of-bounds read within ...)
 	{DLA-1600-1}
 	- libarchive 3.2.2-4.1 (bug #875960)
-	[stretch] - libarchive <no-dsa> (Minor issue)
 	[wheezy] - libarchive <no-dsa> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/issues/948
 	NOTE: https://github.com/libarchive/libarchive/commit/2c8c83b9731ff822fad6cc8c670ea5519c366a14
 CVE-2017-14502 (read_header in archive_read_support_format_rar.c in libarchive 3.3.2 ...)
 	{DLA-1600-1}
 	- libarchive 3.2.2-4.1 (bug #875974)
-	[stretch] - libarchive <no-dsa> (Minor issue)
 	[wheezy] - libarchive <no-dsa> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/commit/5562545b5562f6d12a4ef991fae158bf4ccf92b6
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=573
 CVE-2017-14501 (An out-of-bounds read flaw exists in parse_file_info in ...)
 	{DLA-1600-1}
 	- libarchive 3.2.2-4.2 (bug #875966)
-	[stretch] - libarchive <no-dsa> (Minor issue)
 	[wheezy] - libarchive <no-dsa> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/issues/949
 	NOTE: https://github.com/libarchive/libarchive/commit/f9569c086ff29259c73790db9cbf39fe8fb9d862
@@ -72255,7 +72252,6 @@ CVE-2017-14161
 CVE-2017-14166 (libarchive 3.3.2 allows remote attackers to cause a denial of service ...)
 	{DLA-1600-1 DLA-1092-1}
 	- libarchive 3.2.2-3.1 (bug #874539)
-	[stretch] - libarchive <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/09/06/5
 	NOTE: https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71
 	NOTE: https://github.com/libarchive/libarchive/issues/935
@@ -89794,13 +89790,11 @@ CVE-2016-10351 (Telegram Desktop 0.10.19 uses 0755 permissions for ...)
 CVE-2016-10350 (The archive_read_format_cab_read_header function in ...)
 	{DLA-1600-1 DLA-1006-1}
 	- libarchive 3.2.2-3.1 (bug #861609)
-	[stretch] - libarchive <no-dsa> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/issues/835
 	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/88eb9e1d73fef46f04677c25b1697b8e25777ed3 (v3.3.0)
 CVE-2016-10349 (The archive_le32dec function in archive_endian.h in libarchive 3.2.2 ...)
 	{DLA-1600-1 DLA-1006-1}
 	- libarchive 3.2.2-3.1 (bug #861609)
-	[stretch] - libarchive <no-dsa> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/issues/834
 	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/88eb9e1d73fef46f04677c25b1697b8e25777ed3 (v3.3.0)
 CVE-2017-8342 (Radicale before 1.1.2 and 2.x before 2.0.0rc2 is prone to timing ...)
@@ -97701,7 +97695,6 @@ CVE-2016-10210 (libyara/lexer.l in YARA 3.5.0 allows remote attackers to cause a
 CVE-2016-10209 (The archive_wstring_append_from_mbs function in archive_string.c in ...)
 	{DLA-1600-1 DLA-1006-1}
 	- libarchive 3.2.2-3.1 (low; bug #859456)
-	[stretch] - libarchive <no-dsa> (Minor issue)
 	NOTE: https://github.com/libarchive/libarchive/issues/842
 	NOTE: Fixed by: https://github.com/libarchive/libarchive/commit/42a3408ac7df1e69bea9ea12b72e14f59f7400c0 (v3.3.0)
 CVE-2017-5919 (The 21st Century Insurance app 10.0.0 for iOS does not verify X.509 ...)


=====================================
data/DSA/list
=====================================
@@ -1,3 +1,6 @@
+[27 Dec 2018] DSA-4360-1 libarchive - security update
+	{CVE-2016-10209 CVE-2016-10349 CVE-2016-10350 CVE-2017-14166 CVE-2017-14501 CVE-2017-14502 CVE-2017-14503 CVE-2018-1000877 CVE-2018-1000878 CVE-2018-1000880}
+	[stretch] - libarchive 3.2.2-2+deb9u1
 [27 Dec 2018] DSA-4359-1 wireshark - security update
 	{CVE-2018-12086 CVE-2018-18225 CVE-2018-18226 CVE-2018-18227 CVE-2018-19622 CVE-2018-19623 CVE-2018-19624 CVE-2018-19625 CVE-2018-19626 CVE-2018-19627 CVE-2018-19628}
 	[stretch] - wireshark 2.6.5-1~deb9u1


=====================================
data/dsa-needed.txt
=====================================
@@ -24,9 +24,6 @@ glusterfs
 --
 graphicsmagick
 --
-libarchive
-  Markus Koschany proposed a debdiff for covering several CVEs
---
 libidn
   santiago proposed debdiffs for jessie and stretch
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93deac58f4912c127d9eb5743298dea220cebac1

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93deac58f4912c127d9eb5743298dea220cebac1
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20181227/e10f78b5/attachment.html>

More information about the debian-security-tracker-commits mailing list