[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] 3 commits: add and take wireshark

Moritz Muehlenhoff jmm at debian.org
Fri Jan 26 14:24:03 UTC 2018


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
041c7f13 by Moritz Muehlenhoff at 2018-01-26T15:22:14+01:00
add and take wireshark

- - - - -
b9b1402a by Moritz Muehlenhoff at 2018-01-26T15:22:38+01:00
additional CVE ID fixed in php5

- - - - -
bfd50d61 by Moritz Muehlenhoff at 2018-01-26T15:23:41+01:00
qemu postponed
rsync no-dsa
syncthing no-dsa
wordpress postponed
one imagemagick issue n/a
xbmc no-dsa

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -1343,6 +1343,8 @@ CVE-2018-5773 (An issue was discovered in markdown2 (aka python-markdown2) throu
 CVE-2017-18043 [integer overflow in ROUND_UP macro could result in DoS]
 	RESERVED
 	- qemu 1:2.10.0+dfsg-2
+	[stretch] - qemu <postponed> (Can be fixed along in a future DSA)
+	[jessie] - qemu <postponed> (Can be fixed along in a future DSA)
 	[wheezy] - qemu <not-affected> (vulnerable code not present)
 	- qemu-kvm <removed>
 	[wheezy] - qemu-kvm <not-affected> (vulnerable code not present)
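Review bot: the free-text reason "Can be fixed along in a future DSA" on both added qemu lines (stretch and jessie) reads as if a word is missing. Something like "Can be fixed along with other issues in a future DSA" would make the postponement reason unambiguous for whoever picks up the next qemu update.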
@@ -1401,6 +1403,8 @@ CVE-2018-5765
 CVE-2018-5764 (The parse_arguments function in options.c in rsyncd in rsync before ...)
 	{DLA-1247-1}
 	- rsync <unfixed> (bug #887588)
+	[stretch] - rsync <no-dsa> (Minor issue)
+	[jessie] - rsync <no-dsa> (Minor issue)
 	NOTE: https://git.samba.org/rsync.git/?p=rsync.git;a=commit;h=7706303828fcde524222babb2833864a4bd09e07
 CVE-2018-5763
 	RESERVED
@@ -5899,6 +5903,7 @@ CVE-2017-1000421 (Gifsicle gifview 1.89 and older is vulnerable to a use-after-f
 	NOTE: https://github.com/kohler/gifsicle/commit/81fd7823f6d9c85ab598bc850e40382068361185
 CVE-2017-1000420 (Syncthing version 0.14.33 and older is vulnerable to symlink traversal ...)
 	- syncthing 0.14.36+ds1-1
+	[stretch] - syncthing <no-dsa> (Minor issue)
 	NOTE: https://github.com/syncthing/syncthing/commit/1f09488a0f1fdca07076b007b9789f23a6df1060 (v0.14.34)
 	NOTE: https://github.com/syncthing/syncthing/commit/a0f771c221f6ef18fcc496e736670d85f36b8dec
 	NOTE: https://github.com/syncthing/syncthing/issues/4286
@@ -20605,6 +20610,8 @@ CVE-2017-15638 (The SuSEfirewall2 package before 3.6.312-2.13.1 in SUSE Linux ..
 	NOT-FOR-US: SuSEfirewall2 in SUSE
 CVE-2012-6707 (WordPress through 4.8.2 uses a weak MD5-based password hashing ...)
 	- wordpress <unfixed> (bug #880868)
+	[stretch] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
+	[jessie] - wordpress <postponed> (Minor issue, can be revisited with upstream has picked a new hashing solution)
 	NOTE: https://core.trac.wordpress.org/ticket/21022
 	NOTE: Proposed patch (but not merged): https://core.trac.wordpress.org/attachment/ticket/21022/21022.3.diff
 	NOTE: Cf. https://core.trac.wordpress.org/ticket/21022#comment:80 and following.
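Review bot: typo in the reason on both added wordpress lines: "can be revisited with upstream has picked a new hashing solution" should read "when upstream has picked" (or "once upstream has picked"). Since a <postponed> entry is meant to be revisited, it is worth getting the trigger condition worded clearly; the existing NOTE lines for ticket 21022 already give the place to watch.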
@@ -24051,6 +24058,7 @@ CVE-2017-14529 (The pe_print_idata function in peXXigen.c in the Binary File Des
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dcaaca89e8618eba35193c27afcb1cfa54f74582
 CVE-2017-14528 (The TIFFSetProfiles function in coders/tiff.c in ImageMagick 7.0.6 has ...)
 	- imagemagick <unfixed> (bug #878544)
+	[jessie] - imagemagick <not-affected> (Vulnerable code not present)
 	[wheezy] - imagemagick <not-affected> (Can't reproduce crash with file)
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2730
 	NOTE: https://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=32560
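Review bot: the jessie line gives "Vulnerable code not present" with a capital V, while the wheezy qemu and qemu-kvm lines earlier in this same file use lowercase "vulnerable code not present"; use the lowercase form for consistency. The wheezy line just below also gives a different kind of reason ("Can't reproduce crash with file"), so a short NOTE saying what was checked in coders/tiff.c for jessie would help the next triager see why the two suites are justified differently.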
@@ -42487,6 +42495,7 @@ CVE-2017-8314 (Directory Traversal in Zip Extraction built-in function in Kodi 1
 	{DLA-1243-1}
 	- kodi 2:17.1+dfsg1-3 (bug #863230)
 	- xbmc <removed>
+	[jessie] - xbmc <no-dsa> (Minor issue)
 	NOTE: http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
 	NOTE: https://kodi.tv/article/kodi-v172-minor-bug-fix-and-security-release
 	NOTE: Fixed by https://github.com/xbmc/xbmc/commit/35cfe35608b15335ef21d798947fceab3f47c8d7


=====================================
data/DSA/list
=====================================
--- a/data/DSA/list
+++ b/data/DSA/list
@@ -1104,7 +1104,7 @@
 	{CVE-2017-5938}
 	[jessie] - viewvc 1.1.22-1+deb8u1
 [08 Feb 2017] DSA-3783-1 php5 - security update
-	{CVE-2016-10158 CVE-2016-10159 CVE-2016-10160 CVE-2016-10161}
+	{CVE-2016-10158 CVE-2016-10159 CVE-2016-10160 CVE-2016-10161 CVE-2016-7479}
 	[jessie] - php5 5.6.30+dfsg-0+deb8u1
 [08 Feb 2017] DSA-3782-1 openjdk-7 - security update
 	{CVE-2016-5546 CVE-2016-5547 CVE-2016-5548 CVE-2016-5552 CVE-2017-3231 CVE-2017-3241 CVE-2017-3252 CVE-2017-3253 CVE-2017-3260 CVE-2017-3261 CVE-2017-3272 CVE-2017-3289}
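Review bot: the added CVE-2016-7479 on the DSA-3783-1 line comes with no pointer to where the fix in 5.6.30+dfsg-0+deb8u1 was confirmed. Because this retroactively extends an advisory dated 08 Feb 2017, a NOTE on the CVE-2016-7479 entry in data/CVE/list naming the changelog entry or upstream commit would make the addition verifiable; nothing in this push touches that entry.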


=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -18,7 +18,8 @@ chromium-browser/stable
 --
 graphicsmagick
 --
-imagemagick/oldstable (jmm)
+imagemagick
+  Wait until more issues have piled up
 --
 jackson-databind
 --
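Review bot: replacing "imagemagick/oldstable (jmm)" with plain "imagemagick" drops both the suite qualifier and the owner, and the new note "Wait until more issues have piled up" does not say which suites are waiting. If only oldstable is still pending, keep the "/oldstable" qualifier; if the entry is now meant to cover both suites, say so in the note so the unclaimed entry is not misread.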
@@ -76,6 +77,8 @@ tomcat8
 --
 unbound (jmm)
 --
+wireshark (jmm)
+--
 xen
 --
 zendframework/oldstable
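Review bot: the new "wireshark (jmm)" entry has no suite qualifier and no note, and this push contains no wireshark change in data/CVE/list, so the diff does not show which issues the planned DSA is meant to cover. An indented note line under the entry listing the CVE IDs (or the affected suite, as done for "zendframework/oldstable") would make the claim easier to follow.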



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/3148e04cc36121ad03a372705dcd6121324d2670...bfd50d61ef2eac692a02c2ec447a3ce1f421dd72
