[Git][security-tracker-team/security-tracker][master] stretch triage

Moritz Muehlenhoff jmm at debian.org
Mon Jul 9 21:10:18 BST 2018


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c3f166c6 by Moritz Muehlenhoff at 2018-07-09T22:09:54+02:00
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -689,7 +689,8 @@ CVE-2018-13442
 CVE-2018-13441
 	RESERVED
 CVE-2018-13440 (The audiofile Audio File Library 0.3.6 has a NULL pointer dereference ...)
-	- audiofile <unfixed>
+	- audiofile <unfixed> (low)
+	[stretch] - audiofile <no-dsa> (Minor issue)
 	NOTE: https://github.com/mpruett/audiofile/issues/49
 CVE-2018-13439 (WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a ...)
 	NOT-FOR-US: WeChat Pay Java SDK
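Review bot: the new `- audiofile <unfixed> (low)` line carries no `bug #` reference, unlike the fast-cpp-csv-parser, google-perftools and beep entries touched in this commit; if a Debian bug has been filed for the NULL pointer dereference, consider recording it as `(low; bug #<number>)` so the stretch `<no-dsa>` has a tracked follow-up.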
@@ -728,14 +729,16 @@ CVE-2018-13423 (admin/themes/default/items/tag-form.php in Omeka before 2.6.1 al
 CVE-2018-13422 (TCExam before 14.1.2 has XSS via an ff_ or xl_ field. ...)
 	NOT-FOR-US: TCExam
 CVE-2018-13421 (Fast C++ CSV Parser (aka fast-cpp-csv-parser) before 2018-07-06 has a ...)
-	- fast-cpp-csv-parser 0.0+git20160525~9bf299c-2 (bug #903247)
+	- fast-cpp-csv-parser 0.0+git20160525~9bf299c-2 (low; bug #903247)
+	[stretch] - fast-cpp-csv-parser <no-dsa> (Minor issue)
 	NOTE: https://github.com/ben-strasser/fast-cpp-csv-parser/issues/67
 	NOTE: https://github.com/ben-strasser/fast-cpp-csv-parser/commit/8cf591aa7397f4372778cc927e184d28ee591093
 CVE-2018-13420 (** DISPUTED ** Google gperftools 2.7 has a memory leak in ...)
-	- google-perftools <unfixed> (low; bug #903248)
+	- google-perftools <unfixed> (unimportant; bug #903248)
 	NOTE: https://github.com/gperftools/gperftools/issues/1013
 CVE-2018-13419 (An issue has been found in libsndfile 1.0.28. There is a memory leak in ...)
 	- libsndfile <unfixed> (low)
+	[stretch] - libsndfile <no-dsa> (Minor issue)
 	NOTE: https://github.com/erikd/libsndfile/issues/398
 CVE-2018-13418
 	RESERVED
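Review bot: the downgrade of CVE-2018-13420 from `(low; bug #903248)` to `(unimportant; bug #903248)` has no accompanying NOTE stating the rationale; the `** DISPUTED **` marker in the description suggests why, but a one-line NOTE would record it for later triage, in the same way the libsndfile stretch line here is consistent with its existing `(low)` severity.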
@@ -2544,7 +2547,8 @@ CVE-2018-1000534 (Joplin version prior to 1.0.90 contains a XSS evolving into co
 CVE-2018-1000533 (klaussilveira GitList version <= 0.6 contains a Passing incorrectly ...)
 	NOT-FOR-US: klaussilveira GitList
 CVE-2018-1000532 (beep version 1.3 and up contains a External Control of File Name or ...)
-	- beep <unfixed> (bug #902722)
+	- beep <unfixed> (low; bug #902722)
+	[stretch] - beep <no-dsa> (Minor issue)
 	NOTE: https://github.com/johnath/beep/issues/11#issuecomment-379514298
 CVE-2018-1000531 (inversoft prime-jwt version prior to commit ...)
 	NOT-FOR-US: prime-jwt
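Review bot: `- beep <unfixed> (low; bug #902722)` gains only a `[stretch]` annotation, while the description states the issue affects "version 1.3 and up"; if jessie also ships an affected beep, a `[jessie]` line is missing here, as the exiv2 entry carries.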
@@ -2944,6 +2948,7 @@ CVE-2018-12521
 	RESERVED
 CVE-2018-12520 (An issue was discovered in ntopng 3.4 before 3.4.180617. The PRNG ...)
 	- ntopng <unfixed> (bug #903154)
+	[stretch] - ntopng <no-dsa> (Minor issue)
 	NOTE: http://seclists.org/fulldisclosure/2018/Jul/14
 	NOTE: https://gist.github.com/Psychotropos/3e8c047cada9b1fb716e6a014a428b7f
 	NOTE: https://github.com/ntop/ntopng/commit/30610bda60cbfc058f90a1c0a17d0e8f4516221a
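Review bot: `- ntopng <unfixed> (bug #903154)` has no severity, whereas every other entry that receives a `[stretch] ... <no-dsa> (Minor issue)` annotation in this commit also gets `(low; ...)`; for consistency consider `- ntopng <unfixed> (low; bug #903154)`.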
@@ -6814,6 +6819,7 @@ CVE-2018-11038
 	RESERVED
 CVE-2018-11037 (In Exiv2 0.26, the Exiv2::PngImage::printStructure function in ...)
 	- exiv2 <unfixed>
+	[stretch] - exiv2 <postponed> (Revisit when fixed upstream)
 	[jessie] - exiv2 <postponed> (Minor issue, wait for more issues)
 	NOTE: https://github.com/Exiv2/exiv2/issues/307
 CVE-2018-11036 (Ruckus SmartZone (formerly Virtual SmartCell Gateway or vSCG) 3.5.0, ...)
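Review bot: `- exiv2 <unfixed>` still carries no severity even though the new `[stretch] - exiv2 <postponed> (Revisit when fixed upstream)` line is being added; consider adding one as done for the other entries in this commit, and note that the stretch and jessie postponed reasons are worded differently, which is fine in substance but may be worth aligning.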
@@ -7268,6 +7274,7 @@ CVE-2018-10860 (perl-archive-zip is vulnerable to a directory traversal in ...)
 CVE-2018-10859
 	RESERVED
 	- git-annex 6.20180626-1
+	[stretch] - git-annex <no-dsa> (Will be fixed via next point release)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/06/26/4
 	NOTE: https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/
 CVE-2018-10858
@@ -7275,6 +7282,7 @@ CVE-2018-10858
 CVE-2018-10857
 	RESERVED
 	- git-annex 6.20180626-1
+	[stretch] - git-annex <no-dsa> (Will be fixed via next point release)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/06/26/4
 	NOTE: https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/
 CVE-2018-10856 (It has been discovered that podman before version 0.6.1 does not drop ...)
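Review bot: CVE-2018-10857 and CVE-2018-10859 both record `git-annex 6.20180626-1` as fixed in unstable and now get `[stretch] - git-annex <no-dsa> (Will be fixed via next point release)`; once the point-release upload is accepted, the `<no-dsa>` line in both entries will need replacing with the actual stretch version, so the two should be revisited together.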


=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -22,6 +22,8 @@ enigmail
 ffmpeg
   Wait for next 3.2.x release
 --
+gitlab
+--
 glusterfs
 --
 graphicsmagick
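Review bot: `gitlab` is added to dsa-needed.txt without an explanatory line, whereas the neighbouring `ffmpeg` entry carries `Wait for next 3.2.x release`; a short note on which issue(s) the DSA is meant to cover or who is preparing it would help the next reader of the list.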



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c3f166c6a47cd66a9361078f81ae78ff663027d5
