[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 5 commits: Triage zziplib for LTS
Chris Lamb
lamby at debian.org
Mon Feb 19 10:53:00 UTC 2018
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f213d3ef by Chris Lamb at 2018-02-19T10:51:25+00:00
Triage zziplib for LTS
- - - - -
617b31db by Chris Lamb at 2018-02-19T10:51:41+00:00
data/dla-needed.txt: Correct ordering.
- - - - -
a489c643 by Chris Lamb at 2018-02-19T10:51:42+00:00
Claim zziplib in data/dla-needed.txt
- - - - -
c69ee5d0 by Chris Lamb at 2018-02-19T10:51:43+00:00
Mark CVE-2018-7208 in binutils as no-dsa in wheezy.
- - - - -
9701f624 by Chris Lamb at 2018-02-19T10:51:43+00:00
Mark CVE-2017-18186, CVE-2017-18185, CVE-2017-18184, CVE-2017-18183 & CVE-2015-9252 for qpdf as no-dsa in wheezy.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -34,6 +34,7 @@ CVE-2018-7208 (In the coff_pointerize_aux function in coffgen.c in the Binary Fi
- binutils <unfixed>
[stretch] - binutils <ignored> (Minor issue)
[jessie] - binutils <ignored> (Minor issue)
+ [wheezy] - binutils <ignored> (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=22741
NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=eb77f6a4621795367a39cdd30957903af9dbb815
CVE-2018-7207 (National Payments Corporation of India (NPCI) Bharat Interface for ...)
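Review bot: The added `[wheezy] - binutils <ignored> (Minor issue)` line uses the `<ignored>` state, while the message of commit c69ee5d0 says CVE-2018-7208 is being marked no-dsa in wheezy. Either change the entry to `<no-dsa>` or reword the commit message so the history matches the data; if `<ignored>` is deliberate, to mirror the stretch and jessie lines above it, the message should say so.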
@@ -689,24 +690,28 @@ CVE-2017-18186 (An issue was discovered in QPDF before 7.0.0. There is an infini
- qpdf 7.0.0-1
[stretch] - qpdf <no-dsa> (Minor issue)
[jessie] - qpdf <no-dsa> (Minor issue)
+ [wheezy] - qpdf <no-dsa> (Minor issue)
NOTE: https://github.com/qpdf/qpdf/commit/85f05cc57ffa0a863d9d9b23e73acea9410b2937
NOTE: https://github.com/qpdf/qpdf/issues/149
CVE-2017-18185 (An issue was discovered in QPDF before 7.0.0. There is a large ...)
- qpdf 7.0.0-1
[stretch] - qpdf <no-dsa> (Minor issue)
[jessie] - qpdf <no-dsa> (Minor issue)
+ [wheezy] - qpdf <no-dsa> (Minor issue)
NOTE: https://github.com/qpdf/qpdf/commit/ec7d74a386c0b2f38990079c3b0d2a2b30be0e71
NOTE: https://github.com/qpdf/qpdf/issues/150
CVE-2017-18184 (An issue was discovered in QPDF before 7.0.0. There is a stack-based ...)
- qpdf 7.0.0-1
[stretch] - qpdf <no-dsa> (Minor issue)
[jessie] - qpdf <no-dsa> (Minor issue)
+ [wheezy] - qpdf <no-dsa> (Minor issue)
NOTE: https://github.com/qpdf/qpdf/commit/dea704f0ab7f625e1e7b3f9a1110b45b63157317
NOTE: https://github.com/qpdf/qpdf/issues/147
CVE-2017-18183 (An issue was discovered in QPDF before 7.0.0. There is an infinite loop ...)
- qpdf 7.0.0-1
[stretch] - qpdf <no-dsa> (Minor issue)
[jessie] - qpdf <no-dsa> (Minor issue)
+ [wheezy] - qpdf <no-dsa> (Minor issue)
NOTE: https://github.com/qpdf/qpdf/commit/8249a26d69f72b9cda584c14cc3f12769985e481
NOTE: https://github.com/qpdf/qpdf/issues/143
CVE-2017-18182
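Review bot: The wheezy line added under CVE-2017-18184 reuses the generic "(Minor issue)" reason even though that entry's description begins "There is a stack-based ...", unlike the infinite-loop entries next to it. Copying the stretch and jessie reason keeps the entries consistent, but a more specific reason on this one line, or a NOTE recording what was checked for wheezy, would make the no-dsa decision easier to audit later.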
@@ -723,6 +728,7 @@ CVE-2015-9252 (An issue was discovered in QPDF before 7.0.0. Endless recursion c
- qpdf 7.0.0-1
[stretch] - qpdf <no-dsa> (Minor issue)
[jessie] - qpdf <no-dsa> (Minor issue)
+ [wheezy] - qpdf <no-dsa> (Minor issue)
NOTE: https://github.com/qpdf/qpdf/commit/701b518d5c56a1449825a3a37a716c58e05e1c3e
NOTE: https://github.com/qpdf/qpdf/issues/51
CVE-2018-6927 (The futex_requeue function in kernel/futex.c in the Linux kernel before ...)
=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -42,16 +42,16 @@ lame (Hugo Lefeuvre)
NOTE: 20180125: Fabian showed interest in porting lame to libsndfile and submitted a patch draft for Jessie.
NOTE: I'll test it, submit the update for Jessie and backport the result to Wheezy on time.
--
+leptonlib
+ NOTE: #885704 fix is incomplete and may require a CVE
+ NOTE: see also https://lists.debian.org/1518730488.2617.129.camel@decadent.org.uk
+--
libav (Hugo Lefeuvre)
NOTE: 20180118: Diego Biurrun (from the libav team) was working on patches, but encountered personal issues and had to stop.
NOTE: It is unlikely that he will start again in the next weeks.
NOTE: I am currently working on CVE triage but I will not be able to process the whole backlog until May.
NOTE: Help is welcome, feel free to mail Hugo.
--
-leptonlib
- NOTE: #885704 fix is incomplete and may require a CVE
- NOTE: see also https://lists.debian.org/1518730488.2617.129.camel@decadent.org.uk
---
libgcrypt11
--
libmad (Kurt Roeckx)
@@ -86,3 +86,6 @@ suricata (Santiago R.R.)
--
wordpress
NOTE: 20180217: Upstream unsure how to fix at the moment (lamby)
+--
+zziplib (Chris Lamb)
+--
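Review bot: The new `zziplib (Chris Lamb)` entry has no NOTE saying which CVEs or bug reports prompted the triage, so a reader of data/dla-needed.txt cannot tell what the claim covers without searching data/CVE/list. A one-line NOTE naming the issues would help, in the same way the wordpress entry directly above records its status.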
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/486bb3ecb08903cf5488a82359d8e57d99ce085b...9701f624773c56bbe0580beeeeef2d524b2093b6