[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: swap links2 bug back, new elinks bug

Antoine Beaupré anarcat at debian.org
Mon Feb 26 20:08:07 UTC 2018


Antoine Beaupré pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5fa96963 by Antoine Beaupré at 2018-02-26T14:10:32-05:00
swap links2 bug back, new elinks bug

- - - - -
b7bb1215 by Antoine Beaupré at 2018-02-26T14:10:58-05:00
old php5 triage: it uses libgd, which is not vulnerable

- - - - -
2b571c9f by Antoine Beaupré at 2018-02-26T15:07:43-05:00
triage php5, tiff and elinks in dla-needed

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -156,9 +156,10 @@ CVE-2018-7423
 CVE-2017-18195
 	RESERVED
 CVE-2012-6709 (ELinks 0.12 and Twibright Links 2.3 have Missing SSL Certificate ...)
-	- elinks <unfixed> (bug #694658)
-	- links2 2.7-1+deb7u1
+	- elinks <unfixed> (bug #891575)
+	- links2 2.7-1 (bug #694658)
 	NOTE: Patch proposed upstream (when using): http://lists.linuxfromscratch.org/pipermail/elinks-dev/2015-June/002099.html
+	NOTE: tested links2 against badssl.com, no apparent issue back in wheezy
 CVE-2018-7422
 	RESERVED
 CVE-2018-7421 (In Wireshark 2.2.0 to 2.2.12 and 2.4.0 to 2.4.4, the DMP dissector ...)
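Review bot: the added NOTE under CVE-2012-6709 ("tested links2 against badssl.com, no apparent issue back in wheezy") does not say which links2 version or which badssl.com cases were exercised, yet it is the only stated support for changing the fixed version from 2.7-1+deb7u1 to 2.7-1. Suggest recording the tested package version and the certificate failure cases tried (for example expired, self-signed, wrong host) so the entry can be re-checked later. Now that elinks and links2 carry separate bugs, it would also help to say in the existing upstream-patch NOTE that the patch, posted to elinks-dev, applies to elinks.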
@@ -81487,6 +81488,7 @@ CVE-2016-6207 (Integer overflow in the _gdContributionsAlloc function in ...)
 	- php7.0 7.0.9-1 (unimportant)
 	- php5 5.6.24+dfsg-1 (unimportant)
 	[jessie] - php5 5.6.24+dfsg-0+deb8u1
+	[wheezy] - php5 <not-affected> (Vulnerable code not present)
 	NOTE: Fixed in 7.0.9, 5.6.24, 5.5.38
 	NOTE: PHP Bug: https://bugs.php.net/bug.php?id=72558
 	NOTE: Starting with 5.4.0-1 Debian uses the system copy of libgd
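Review bot: the reason on the added line "[wheezy] - php5 <not-affected> (Vulnerable code not present)" does not match the justification visible in the context, which is that php5 uses the system copy of libgd starting with 5.4.0-1. Suggest wording the reason to say so (for example "uses system libgd") and confirming in a NOTE that the wheezy php5 version is at or above 5.4.0-1, since the not-affected claim only holds from that version on and then depends on libgd's own status for this CVE.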


=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -17,6 +17,9 @@ dovecot (Thorsten Alteholz)
 --
 drupal7 (Markus Koschany)
 --
+elinks
+  NOTE: maintainer is on the security team (jmm), no notice sent
+--
 gcc-4.6 (Roberto C. Sánchez)
   NOTE: Backport the retpoline support for spectre mitigation.
   NOTE: Coordinate with jmm who started the work for gcc-4.9 in jessie.
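Review bot: the new elinks entry has no claimant and its NOTE only covers maintainer contact; it does not say which issue triggered the triage. Suggest adding a NOTE naming CVE-2012-6709 and bug #891575 from the data/CVE/list change in this same push, so whoever claims the package does not have to search for the reason.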
@@ -75,10 +78,16 @@ opencv (Thorsten Alteholz)
 --
 openjdk-7 (Emilio Pozuelo)
 --
+php5
+  NOTE: consider reviewing the backlog of "unimportant" issues fixed in jessie to see if it is worth fixing a few DOS in the backlog
+--
 ruby1.9.1 (Emilio Pozuelo)
 --
 rubygems (Emilio Pozuelo)
 --
+tiff
+  NOTE: incomplete fix of CVE-2017-18013
+--
 wireshark (Thorsten Alteholz)
 --
 wordpress
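Review bot: the php5 NOTE is open-ended ("consider reviewing the backlog of "unimportant" issues fixed in jessie") and gives no CVE ids or selection criterion, so the entry has no clear completion condition. Suggest listing the candidate CVEs or the rule for picking them, and writing "DoS" rather than "DOS". The tiff NOTE likewise says "incomplete fix of CVE-2017-18013" without naming the upload or DLA that carried the incomplete fix; a reference would help the claimant.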



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6b89bc85c90bc279181e2a3f9709f3e9b03e754d...2b571c9f801816216207e59587b692208e0b7908
