[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: mark golang's CVE-2018-6574 as dla-needed and add relation to CVE-2017-15041

Antoine Beaupré anarcat at debian.org
Fri Feb 16 19:37:10 UTC 2018


Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7553fe97 by Antoine Beaupré at 2018-02-16T14:02:20-05:00
mark golang's CVE-2018-6574 as dla-needed and add relation to CVE-2017-15041

- - - - -
4755a0f6 by Antoine Beaupré at 2018-02-16T14:02:22-05:00
CVE-2018-6829 gnupg n/a, libgcrypt dla-needed

as mentioned in the notes, GnuPG uses Elgamal correctly so it is not
vulnerable. libgcrypt, however, is, so it should at least be checked in wheezy and others.

- - - - -
4880f3ef by Antoine Beaupré at 2018-02-16T14:36:45-05:00
re-add leptonlib to dla-needed

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -854,11 +854,12 @@ CVE-2018-6830
 CVE-2018-6829 (cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt ...)
 	- libgcrypt20 <unfixed>
 	- libgcrypt11 <removed>
-	- gnupg1 <unfixed>
-	- gnupg <removed>
+	- gnupg1 <not-affected>
+	- gnupg <not-affected>
 	NOTE: https://github.com/weikengchen/attack-on-libgcrypt-elgamal
 	NOTE: https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki
 	NOTE: https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html
+	NOTE: GnuPG uses elgamal in hybrid mode so it is not affected
 CVE-2018-6828
 	RESERVED
 CVE-2018-6827 (VOBOT CLOCK before 0.99.30 devices do not verify X.509 certificates ...)
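Review bot: the justification for flipping gnupg1 and gnupg to <not-affected> exists only as a NOTE line, and it does not match the commit message (the commit says GnuPG "uses Elgamal correctly", the NOTE says "hybrid mode"); put the reason on the status lines themselves in the usual tracker form, e.g. `- gnupg1 <not-affected> (only uses Elgamal in hybrid mode)`, and make the NOTE say which of the three references already listed (the gcrypt-devel thread is the natural one) establishes that the hybrid use is outside the attack, so a later reader can verify the triage instead of re-deriving it.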
@@ -1607,6 +1608,7 @@ CVE-2018-6574 (Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases 
 	- golang-1.7 <unfixed>
 	- golang <removed>
 	NOTE: https://github.com/golang/go/issues/23672
+	NOTE: similar to CVE-2017-15041, which was fixed in wheezy, but no-dsa in jessie and ignored in stretch
 CVE-2018-6573
 	RESERVED
 CVE-2018-6572
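Review bot: the new NOTE records the precedent but the hunk leaves golang-1.7 and golang at <unfixed>, so the tracker still shows no decision for this CVE in jessie or stretch; if the same handling as CVE-2017-15041 is intended, add the suite-specific status lines (e.g. `[jessie] - golang <no-dsa>`) rather than only a NOTE, or state in the NOTE that the jessie/stretch decision is still pending. Also say in what way the two issues are similar (same trigger, same code path, same fix) so the cross-reference is actionable without opening both upstream issues.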


=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -25,6 +25,8 @@ gcc-4.7 (Roberto C. Sánchez)
   NOTE: Backport the retpoline support for spectre mitigation.
   NOTE: Do we want/need it on this gcc version as well?
 --
+golang
+--
 icu (Thorsten Alteholz)
   NOTE: 20171229: CVE-2017-15422 was reported via Google Code issue report in Chromium project; report is not visible to the public
 --
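Review bot: the added `golang` entry is the only one in this hunk without a NOTE line; the neighbouring entries (gcc-4.7, icu) each carry one, and a claimer cannot tell from this file which issue is meant. Add a NOTE naming CVE-2018-6574 (the issue touched in data/CVE/list by the same commit) and the point that the related CVE-2017-15041 was already fixed in wheezy, so the scope of the wheezy update is clear at the hand-off.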
@@ -43,6 +45,12 @@ libav (Hugo Lefeuvre)
   NOTE: I am currently working on CVE triage but I will not be able to process the whole backlog until May.
   NOTE: Help is welcome, feel free to mail Hugo.
 --
+leptonlib
+  NOTE: #885704 fix is incomplete and may require a CVE
+  NOTE: see also https://lists.debian.org/1518730488.2617.129.camel@decadent.org.uk
+--
+libgcrypt11
+--
 libmad (Kurt Roeckx)
 --
 libreoffice
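Review bot: `libgcrypt11` is added without a NOTE, while the commit message says libgcrypt "should at least be checked in wheezy"; record that as a NOTE naming CVE-2018-6829 and what exactly needs checking, since this list is the hand-off point for whoever claims the package. The leptonlib entry is in better shape, but "#885704 fix is incomplete and may require a CVE" should also say what the original fix was for (the issue that bug tracked), otherwise the next person has to reconstruct it from the bug and the linked list thread.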



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d3b329bad3ee4c1c346dc02ed2cfcbec406fefc0...4880f3ef311538de940214f314c7d864d339568c
