[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] icu not affected

Moritz Muehlenhoff jmm at debian.org
Sun Jan 28 02:34:33 UTC 2018


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3600d8c8 by Moritz Muehlenhoff at 2018-01-28T03:34:15+01:00
icu not affected
openjfx no-dsa (no specific information provided, but low CVSS score in Oracle advisory)
libraw no-dsa
remaining libvorbis issues postponed
obs-build no-dsa
libkohana2-php ignored
add and take libvorbis to dsa-needed

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -9589,6 +9589,7 @@ CVE-2018-2582 (Vulnerability in the Java SE, Java SE Embedded component of Oracl
 	- openjdk-8 <unfixed>
 CVE-2018-2581 (Vulnerability in the Java SE component of Oracle Java SE ...)
 	- openjfx <unfixed> (bug #888530)
+	[stretch] - openjfx <no-dsa> (Minor issue)
 CVE-2018-2580 (Vulnerability in the Oracle Applications DBA component of Oracle ...)
 	NOT-FOR-US: Oracle
 CVE-2018-2579 (Vulnerability in the Java SE, Java SE Embedded, JRockit component of ...)
@@ -12702,15 +12703,13 @@ CVE-2017-17485 (FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1528565#c0
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/1855
 CVE-2017-17484 (The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International ...)
-	[experimental] - icu 60.2-1
-	- icu <unfixed>
-	[wheezy] - icu <not-affected> (Vulnerable code not present)
+	- icu <not-affected> (Vulnerable code not present, only experimental was ever affected and fixed in 60.2-1)
 	NOTE: https://ssl.icu-project.org/trac/ticket/13510
 	NOTE: https://ssl.icu-project.org/trac/ticket/13490
 	NOTE: Fixed by: https://ssl.icu-project.org/trac/changeset/40714
 	NOTE: Testcase: https://ssl.icu-project.org/trac/changeset/40715
 	NOTE: POC: https://ssl.icu-project.org/trac/attachment/ticket/13490/poc.2.cpp
-	NOTE: Likely introduced by: https://ssl.icu-project.org/trac/changeset/40455/trunk/icu4c/source/common/ucnv_u8.cpp
+	NOTE: Introduced by https://ssl.icu-project.org/trac/changeset/40455/
 CVE-2017-17483
 	RESERVED
 CVE-2017-17482
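Review bot: collapsing the three release lines into a single `- icu <not-affected>` drops the structured `[experimental] - icu 60.2-1` record, so the fixed version now survives only as free text in the parenthetical rather than as a parsed version line; if experimental exposure should remain queryable, keep that line next to the not-affected one. Separately, the NOTE changed from `Likely introduced by` to `Introduced by`, which turns a hedge into an assertion; keep the hedge unless the attribution to changeset 40455 was actually confirmed.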
@@ -16712,12 +16711,16 @@ CVE-2017-16911
 CVE-2017-16910
 	RESERVED
 	- libraw 0.18.6-1
+	[stretch] - libraw <no-dsa> (Minor issue)
+	[jessie] - libraw <no-dsa> (Minor issue)
 	[wheezy] - libraw <no-dsa> (Minor issue)
 	NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19
 	NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e
 CVE-2017-16909
 	RESERVED
 	- libraw 0.18.6-1
+	[stretch] - libraw <no-dsa> (Minor issue)
+	[jessie] - libraw <no-dsa> (Minor issue)
 	[wheezy] - libraw <no-dsa> (Minor issue)
 	NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2017-19
 	NOTE: https://github.com/LibRaw/LibRaw/commit/2f59bac59dbcbf6bbcf01a9f3eed74307e96ca7e
@@ -23366,6 +23369,8 @@ CVE-2017-14805
 CVE-2017-14804 [build: Exploit extractbuild to write to files in the host system]
 	RESERVED
 	- obs-build <unfixed> (bug #887306)
+	[stretch] - obs-build <no-dsa> (Minor issue)
+	[jessie] - obs-build <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1069904
 CVE-2017-14803 (In NetIQ Access Manager 4.3 and 4.4, a bug exists in Identity Server ...)
 	NOT-FOR-US: NetIQ Access Manager
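Review bot: the `<no-dsa> (Minor issue)` lines for stretch and jessie sit under a title describing a write to files on the host system via extractbuild, which reads as a build-sandbox boundary problem rather than a minor one; the reason string should spell out the conditions that make it minor in practice, so the next person looking at bug #887306 does not have to reconstruct the argument.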
@@ -23855,6 +23860,7 @@ CVE-2017-14634 (In libsndfile 1.0.28, a divide-by-zero error exists in the funct
 	NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788
 CVE-2017-14633 (In Xiph.Org libvorbis 1.3.5, an out-of-bounds array read vulnerability ...)
 	- libvorbis 1.3.5-4.1 (bug #876778)
+	[jessie] - libvorbis <postponed> (Minor issue, can be fixed along later)
 	NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2329
 	NOTE: https://github.com/xiph/vorbis/pull/34
 CVE-2017-14632 (Xiph.Org libvorbis 1.3.5 allows Remote Code Execution upon freeing ...)
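Review bot: the reason text `can be fixed along later` in the new jessie line is unclear; say what it is to be fixed along with, e.g. `(Minor issue, can be fixed along with a later libvorbis update)`. Also, unlike the other libvorbis entries in this commit, no `[stretch]` tag is added here; that is consistent with libvorbis being added to dsa-needed in the same commit, but worth confirming the omission is intentional.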
@@ -23962,6 +23968,8 @@ CVE-2017-14609 (The server daemons in Kannel 1.5.0 and earlier create a PID file
 CVE-2017-14608 (In LibRaw through 0.18.4, an out of bounds read flaw related to ...)
 	{DLA-1109-1}
 	- libraw 0.18.5-1 (low)
+	[stretch] - libraw <no-dsa> (Minor issue)
+	[jessie] - libraw <no-dsa> (Minor issue)
 	NOTE: https://github.com/LibRaw/LibRaw/commit/d13e8f6d1e987b7491182040a188c16a395f1d21
 	NOTE: https://github.com/LibRaw/LibRaw/issues/101
 CVE-2017-14607 (In ImageMagick 7.0.7-4 Q16, an out of bounds read flaw related to ...)
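Review bot: this entry already carries `{DLA-1109-1}`, so before adding `[jessie] - libraw <no-dsa>` confirm that the DLA covered wheezy only and not jessie; a no-dsa tag on a release that an advisory already fixed would contradict the advisory record. The `(low)` severity on the unstable line is consistent with the no-dsa decision.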
@@ -24703,6 +24711,8 @@ CVE-2017-14341 (ImageMagick 7.0.6-6 has a large loop vulnerability in ReadWPGIma
 	NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/4eae304e773bad8a876c3c26fdffac24d4253ae4
 CVE-2017-14348 (LibRaw before 0.18.4 has a heap-based Buffer Overflow in the ...)
 	- libraw 0.18.5-1
+	[stretch] - libraw <no-dsa> (Minor issue)
+	[jessie] - libraw <not-affected> (Vulnerable code not present)
 	[wheezy] - libraw <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/LibRaw/LibRaw/issues/100
 	NOTE: https://github.com/LibRaw/LibRaw/commit/8303e74b0567806dd5f16fc39aab70fe928de1a2
@@ -24917,6 +24927,8 @@ CVE-2017-14266 (tcprewrite in Tcpreplay 3.4.4 has a Heap-Based Buffer Overflow .
 	NOTE: Patch enforce-maxpacket.patch addresses the issue
 CVE-2017-14265 (A Stack-based Buffer Overflow was discovered in xtrans_interpolate in ...)
 	- libraw 0.18.5-1
+	[stretch] - libraw <no-dsa> (Minor issue)
+	[jessie] - libraw <no-dsa> (Minor issue)
 	[wheezy] - libraw <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/LibRaw/LibRaw/issues/99
 	NOTE: https://github.com/LibRaw/LibRaw/commit/82616eff4c7f7437e96bdeeed238c3ef3dc12d60
@@ -25242,6 +25254,8 @@ CVE-2017-14165 (The ReadSUNImage function in coders/sun.c in GraphicsMagick 1.3.
 	NOTE: https://sourceforge.net/p/graphicsmagick/bugs/442/
 CVE-2017-14160 (The bark_noise_hybridmp function in psy.c in Xiph.Org libvorbis 1.3.5 ...)
 	- libvorbis <unfixed> (bug #876780)
+	[stretch] - libvorbis <postponed> (Minor issue, can be revisited once fixed upstream)
+	[jessie] - libvorbis <postponed> (Minor issue, can be revisited once fixed upstream)
 	NOTE: http://www.openwall.com/lists/oss-security/2017/09/21/2
 	NOTE: http://www.openwall.com/lists/oss-security/2017/09/21/3
 	NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2330
@@ -25652,6 +25666,7 @@ CVE-2017-14052
 CVE-2016-10510 (Cross-site scripting (XSS) vulnerability in the Security component of ...)
 	{DLA-1241-1}
 	- libkohana2-php <removed>
+	[jessie] - libkohana2-php <ignored> (Minor issue)
 	NOTE: https://github.com/kohana/kohana/issues/107
 	NOTE: Fixed by https://github.com/kohana/core/pull/697
 CVE-2016-10509 (SQL injection vulnerability in the updateAmazonOrderTracking function ...)
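Review bot: `<ignored>` means the issue will not be fixed in jessie at all, yet the reason given is the same `(Minor issue)` text used for `<no-dsa>` elsewhere in this commit; state the distinguishing reason (for example that the package is `<removed>` from unstable) so the ignored decision is not later mistaken for a deferred one.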
@@ -33667,8 +33682,8 @@ CVE-2017-11334 (The address_space_write_continue function in exec.c in QEMU (aka
 	NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=04bf2526ce87f21b32c9acba1c5518708c243ad0
 CVE-2017-11333 (The vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis ...)
 	- libvorbis <unfixed> (low; bug #870341)
-	[stretch] - libvorbis <no-dsa> (Minor issue)
-	[jessie] - libvorbis <no-dsa> (Minor issue)
+	[stretch] - libvorbis <postponed> (Minor issue, can be revisited once fixed upstream)
+	[jessie] - libvorbis <postponed> (Minor issue, can be revisited once fixed upstream)
 	NOTE: http://seclists.org/fulldisclosure/2017/Jul/82
 	NOTE: https://gitlab.xiph.org/xiph/vorbis/issues/2332
 CVE-2017-11332 (The startread function in wav.c in Sound eXchange (SoX) 14.4.2 allows ...)
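Review bot: flipping stretch and jessie from `<no-dsa>` to `<postponed>` matches the treatment of CVE-2017-14160 in this commit, but `can be revisited once fixed upstream` is only meaningful while the unstable line stays `<unfixed>`; when upstream issue 2332 is resolved, the reason string and the version line need to be updated together, otherwise the postponed tag silently outlives its justification.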


=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -78,6 +78,8 @@ tomcat8
 --
 unbound (jmm)
 --
+libvorbis (jmm)
+--
 wireshark (jmm)
 --
 xen
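Review bot: consider noting which CVEs the libvorbis DSA is meant to cover: of the libvorbis entries touched in this commit only CVE-2017-14633 has a fixed unstable version (1.3.5-4.1), while CVE-2017-14160 and CVE-2017-11333 remain `<unfixed>` and were marked postponed, so the advisory scope is narrower than the bare package name suggests. Placement between unbound and wireshark keeps the file's alphabetical order.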



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3600d8c81623b9564953dcf9f06a53e2fb9d788b
