[Git][security-tracker-team/security-tracker][master] stretch triage
Moritz Muehlenhoff
jmm at debian.org
Fri Dec 28 23:11:44 GMT 2018
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b7e957b2 by Moritz Muehlenhoff at 2018-12-28T23:10:59Z
stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -543,22 +543,28 @@ CVE-2018-20363 (LibRaw::raw2image in libraw_cxx.cpp in LibRaw 0.19.1 has a NULL
NOTE: https://github.com/LibRaw/LibRaw/commit/7e29b9f29449fde30cc878fbb137d61c14bba3a4
NOTE: CVE-2018-20363, CVE-2018-20364 and CVE-2018-20365 have same root cause
CVE-2018-20362 (A NULL pointer dereference was discovered in ifilter_bank of ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
NOTE: https://github.com/knik0/faad2/issues/26
CVE-2018-20361 (An invalid memory address dereference was discovered in the hf_assembly ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
NOTE: https://github.com/knik0/faad2/issues/30
CVE-2018-20360 (An invalid memory address dereference was discovered in the ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
NOTE: https://github.com/knik0/faad2/issues/32
CVE-2018-20359 (An invalid memory address dereference was discovered in the ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
NOTE: https://github.com/knik0/faad2/issues/29
CVE-2018-20358 (An invalid memory address dereference was discovered in the ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
NOTE: https://github.com/knik0/faad2/issues/31
CVE-2018-20357 (A NULL pointer dereference was discovered in sbr_process_channel of ...)
- - faad2 <unfixed>
+ - faad2 <unfixed> (low)
+ [stretch] - faad2 <no-dsa> (Minor issue)
NOTE: https://github.com/knik0/faad2/issues/28
CVE-2018-20356
RESERVED
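Review bot: The six added `[stretch] - faad2 <no-dsa> (Minor issue)` lines for CVE-2018-20357 through CVE-2018-20362 all carry the same generic reason, so the entries do not record why no DSA is warranted. The descriptions are NULL pointer or invalid memory address dereferences. If the triage concluded that these are crash-only in the decoder, saying so in the parenthesised reason would let a later reader confirm the `(low)` urgency without reopening each upstream issue.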
@@ -9290,7 +9296,8 @@ CVE-2018-19506 (Zurmo 3.2.4 has XSS via an admin's use of the name parameter in
CVE-2018-19505
RESERVED
CVE-2018-19504 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) ...)
- - faad2 <unfixed> (bug #914641)
+ - faad2 <unfixed> (low; bug #914641)
+ [stretch] - faad2 <no-dsa> (Minor issue)
[jessie] - faad2 <postponed> (Minor issue)
NOTE: https://sourceforge.net/p/faac/bugs/240/
CVE-2018-19503 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) ...)
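Review bot: For CVE-2018-19504 the added stretch line uses `<no-dsa>` while the existing jessie line directly below it uses `<postponed>`, both with the reason "Minor issue". If the fix is meant to be picked up in a later faad2 update for stretch, `<postponed>` would say that. Otherwise it is worth confirming that the two suites are intended to carry different states for the same issue.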
@@ -20678,8 +20685,7 @@ CVE-2018-15127 (LibVNC before commit 502821828ed00b4a2c4bef90683d0fd88ce495de co
NOTE: https://github.com/LibVNC/libvncserver/commit/502821828ed00b4a2c4bef90683d0fd88ce495de
NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-028-libvnc-heap-out-of-bound-write/
CVE-2018-15126 (LibVNC before commit 73cb96fec028a576a5a24417b57723b55854ad7b contains ...)
- - libvncserver <unfixed> (bug #916941)
- [jessie] - libvncserver <not-affected> (Vulnerable code not present)
+ - libvncserver <not-affected> (Vulnerable code introduced after 0.9.11 release)
NOTE: https://github.com/LibVNC/libvncserver/issues/242
NOTE: https://github.com/LibVNC/libvncserver/commit/73cb96fec028a576a5a24417b57723b55854ad7b
NOTE: https://ics-cert.kaspersky.com/advisories/klcert-advisories/2018/12/19/klcert-18-027-libvnc-heap-use-after-free/
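Review bot: The new reason on CVE-2018-15126, "Vulnerable code introduced after 0.9.11 release", is not backed by any NOTE. The remaining NOTE lines reference only the upstream issue, the fixing commit and the advisory. Adding a NOTE that names the commit which introduced the vulnerable code would make the blanket `<not-affected>` verifiable, and would flag the entry for re-triage when a newer upstream version is packaged. The change also drops the reference to bug #916941 from the package line; if that bug was filed for this CVE alone it should be closed or updated to match.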
=====================================
data/dsa-needed.txt
=====================================
@@ -19,6 +19,7 @@ ansible
Maintainer is preparing updates
--
faad2
+ not yet fixed upstream
--
glusterfs
--
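Review bot: The added status "not yet fixed upstream" keeps faad2 in dsa-needed.txt, yet every faad2 entry touched in data/CVE/list by this commit is marked `[stretch] - faad2 <no-dsa>`. Confirm that at least one faad2 issue remains open for stretch without a no-dsa tag. If none does, the entry should be removed from this file rather than annotated.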
@@ -30,6 +31,8 @@ libidn
--
libspring-java
--
+libvncserver (jmm)
+--
linux
Wait until more issues have piled up
--
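Review bot: `libvncserver (jmm)` is added without a status line, in the same commit that marks CVE-2018-15126 as not affected. A short line under the entry saying which libvncserver issues the update is meant to cover would keep that CVE from being assumed in scope.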
@@ -48,6 +51,8 @@ smarty3
sssd
Maintainer prepared an update and proposed debdiff, acked for upload, but update needs further testing before release.
--
+thunderbird (jmm)
+--
vlc (jmm)
Maintainer proposed to wait for 3.0.5 and release a DSA based on 3.0.5
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b7e957b2a9683e5dad951168524f7b2bfe5e2dde