[Git][security-tracker-team/security-tracker][master] 2 commits: Track 4.9.107-1 fixes
Salvatore Bonaccorso
carnil at debian.org
Sat Jul 14 09:21:47 BST 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7265d8c0 by Salvatore Bonaccorso at 2018-07-14T10:21:15+02:00
Track 4.9.107-1 fixes
- - - - -
47c4f562 by Salvatore Bonaccorso at 2018-07-14T10:21:22+02:00
Add note for wayland CVE
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -5403,6 +5403,7 @@ CVE-2018-1002200 [arbitrary file write vulnerability / arbitrary code execution
CVE-2018-1000204 (** DISPUTED ** Linux Kernel version 3.18 to 4.16 incorrectly handles ...)
{DLA-1423-1 DLA-1422-1}
- linux 4.16.12-1
+ [stretch] - linux 4.9.107-1
NOTE: Fixed by: https://git.kernel.org/linus/a45b599ad808c3c982fdcdc12b0b8611c2f92824
CVE-2018-1000203 (Soar Labs Soar Coin version up to and including git commit ...)
NOT-FOR-US: Soar Labs Soar Coin
@@ -7761,6 +7762,7 @@ CVE-2018-10941
CVE-2018-10940 (The cdrom_ioctl_media_changed function in drivers/cdrom/cdrom.c in the ...)
{DLA-1423-1 DLA-1422-1 DLA-1392-1}
- linux 4.16.12-1
+ [stretch] - linux 4.9.107-1
NOTE: Fixed by: https://git.kernel.org/linus/9de4ee40547fd315d4a0ed1dd15a2fa3559ad707
CVE-2018-10939 (Zimbra Web Client (ZWC) in Zimbra Collaboration Suite 8.8 before ...)
NOT-FOR-US: Zimbra Web Client
@@ -9992,14 +9994,14 @@ CVE-2018-10088 (Buffer overflow in XiongMai uc-httpd 1.0.0 has unspecified impac
CVE-2018-10124 (The kill_something_info function in kernel/signal.c in the Linux kernel ...)
{DLA-1423-1}
- linux 4.13.4-1
- [stretch] - linux <ignored> (Minor issue)
+ [stretch] - linux 4.9.107-1
[jessie] - linux <ignored> (Minor issue)
[wheezy] - linux <ignored> (Minor issue)
NOTE: Fixed by: https://git.kernel.org/linus/4ea77014af0d6205b05503d1c7aac6eace11d473 (4.13-rc1)
CVE-2018-10087 (The kernel_wait4 function in kernel/exit.c in the Linux kernel before ...)
{DLA-1423-1}
- linux 4.13.4-1
- [stretch] - linux <ignored> (Minor issue)
+ [stretch] - linux 4.9.107-1
[jessie] - linux <ignored> (Minor issue)
[wheezy] - linux <ignored> (Minor issue)
NOTE: Fixed by: https://git.kernel.org/linus/dd83c161fbcc5d8be637ab159c0de015cbff5ba4 (4.13-rc1)
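Review bot: For CVE-2018-10124 and CVE-2018-10087 the stretch line is not a plain addition: it replaces `[stretch] - linux <ignored> (Minor issue)`, which reverses an earlier triage decision, while the jessie and wheezy lines keep `<ignored>`. The commit subject "Track 4.9.107-1 fixes" does not mention this. Consider saying in the commit message that the two ignore markers for stretch are superseded because the fix shipped in 4.9.107-1, so a later reader of the history can tell it was intentional.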
@@ -10161,6 +10163,7 @@ CVE-2018-10022
CVE-2018-10021 (** DISPUTED ** drivers/scsi/libsas/sas_scsi_host.c in the Linux kernel ...)
{DLA-1423-1}
- linux 4.15.17-1
+ [stretch] - linux 4.9.107-1
[wheezy] - linux <not-affected> (Vulnerable code introduced later)
NOTE: Fixed by: https://git.kernel.org/linus/318aaf34f1179b39fa9c30fa0f3288b645beee39 (4.16-rc7)
NOTE: Low security impact, failure can only occur for physically
@@ -11504,6 +11507,7 @@ CVE-2018-9416
CVE-2018-9415
RESERVED
- linux 4.16.12-1
+ [stretch] - linux 4.9.107-1
[jessie] - linux <not-affected> (Vulnerable code not present)
NOTE: https://source.android.com/security/bulletin/pixel/2018-07-01
NOTE: https://patchwork.kernel.org/patch/9946759/
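Review bot: The CVE-2018-9415 entry is still `RESERVED`, and the notes visible in this hunk point only to the Android bulletin and a patchwork submission. Every other linux entry touched by this patch carries a `git.kernel.org/linus/...` commit reference. Adding a `NOTE: Fixed by:` line with the upstream commit would let someone confirm that 4.9.107-1 actually contains the change recorded by the new `[stretch] - linux 4.9.107-1` line.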
@@ -12256,6 +12260,7 @@ CVE-2018-9153 (The plugin upload component in Z-BlogPHP 1.5.1 allows remote atta
CVE-2017-18255 (The perf_cpu_time_max_percent_handler function in kernel/events/core.c ...)
{DLA-1423-1}
- linux 4.11.6-1 (unimportant)
+ [stretch] - linux 4.9.107-1
NOTE: https://git.kernel.org/linus/1572e45a924f254d9570093abde46430c3172e3d
CVE-2015-9259 (In Docker Notary before 0.1, the checkRoot function in ...)
- notary 0.1~ds1-1
@@ -20107,6 +20112,8 @@ CVE-2018-6413 (There is a buffer overflow in the Hikvision Camera DS-2CD9111-S o
CVE-2018-6412 (In the function sbusfb_ioctl_helper() in drivers/video/fbdev/sbuslib.c ...)
{DLA-1423-1}
- linux 4.16.5-1 (unimportant)
+ [stretch] - linux 4.9.107-1
+ [jessie] - linux 3.16.57-1
[wheezy] - linux 3.2.102-1
NOTE: https://marc.info/?l=linux-fbdev&m=151734425901499&w=2
NOTE: The issue only affects SPARC systems.
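Review bot: In the CVE-2018-6412 entry this hunk adds `[jessie] - linux 3.16.57-1` alongside the stretch line, which is outside what the commit subject "Track 4.9.107-1 fixes" describes. Either mention the jessie version in the commit message or move it to its own commit, so that the 3.16.57-1 tracking change can be found and reverted independently of the stretch update.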
@@ -22108,6 +22115,7 @@ CVE-2018-5815
CVE-2018-5814 (In the Linux Kernel before version 4.16.11, 4.14.43, 4.9.102, and ...)
{DLA-1423-1 DLA-1422-1}
- linux 4.16.12-1
+ [stretch] - linux 4.9.107-1
NOTE: https://git.kernel.org/linus/22076557b07c12086eeb16b8ce2b0b735f7a27e7
NOTE: https://git.kernel.org/linus/c171654caa875919be3c533d3518da8be5be966e
CVE-2018-5813
@@ -27823,6 +27831,7 @@ CVE-2018-3639 (Systems with microprocessors utilizing speculative execution and
{DSA-4210-1 DLA-1423-1}
- intel-microcode 3.20180703.1
- linux 4.16.12-1
+ [stretch] - linux 4.9.107-1
[wheezy] - linux <ignored> (Too much work to backport)
- xen <unfixed>
NOTE: https://xenbits.xen.org/xsa/advisory-263.html
@@ -35129,6 +35138,7 @@ CVE-2018-1131 (Infinispan permits improper deserialization of trusted data via X
CVE-2018-1130 (Linux kernel before version 4.16-rc7 is vulnerable to a null pointer ...)
{DLA-1423-1 DLA-1422-1 DLA-1392-1}
- linux 4.15.17-1
+ [stretch] - linux 4.9.107-1
NOTE: Fixed by: https://git.kernel.org/linus/67f93df79aeefc3add4e4b31a752600f834236e2
CVE-2018-1129 (A flaw was found in the way signature calculation was handled by cephx ...)
- ceph <unfixed>
@@ -35183,6 +35193,7 @@ CVE-2018-1121 (procps-ng, procps is vulnerable to a process hiding through race
CVE-2018-1120 (A flaw was found affecting the Linux kernel before version 4.17. By ...)
{DLA-1423-1}
- linux 4.16.12-1
+ [stretch] - linux 4.9.107-1
NOTE: http://www.openwall.com/lists/oss-security/2018/05/17/1
NOTE: https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt
NOTE: Fixed by: https://git.kernel.org/linus/7f7ccc2ccc2e70c6054685f5e3522efa81556830
@@ -40071,6 +40082,8 @@ CVE-2017-16612 (libXcursor before 1.1.15 has various integer overflows that coul
NOTE: https://marc.info/?l=freedesktop-xorg-announce&m=151188036018262&w=2
NOTE: Wayland: https://bugs.freedesktop.org/show_bug.cgi?id=103961
NOTE: Wayland: https://cgit.freedesktop.org/wayland/wayland/commit/?id=5d201df72f3d4f4cb8b8f75f980169b03507da38
+ NOTE: For src:wayland originally fixed in 1.14.0-2 but the 1.15.0-1 upload
+ NOTE: did not merge in the 1.14.0-2 upload.
CVE-2017-16611 (In libXfont before 1.5.4 and libXfont2 before 2.0.3, a local attacker ...)
- libxfont 1:2.0.3-1 (low; bug #883929)
[stretch] - libxfont <no-dsa> (Minor issue)
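Review bot: The two added NOTE lines under CVE-2017-16612 say the src:wayland fix from 1.14.0-2 was not carried into the 1.15.0-1 upload, but this hunk changes no package status line. If the entry's wayland line still records 1.14.0-2 as the fixed version, version comparison will treat 1.15.0-1 as fixed as well, which contradicts the note. Please check that line and adjust it to the version that really contains the fix, and add a bug reference to the note if one has been filed.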
=====================================
data/next-point-update.txt
=====================================
--- a/data/next-point-update.txt
+++ b/data/next-point-update.txt
@@ -82,28 +82,6 @@ CVE-2018-10360
[stretch] - file 1:5.30-1+deb9u2
CVE-2018-0496
[stretch] - freedink-dfarc 3.12-1+deb9u1
-CVE-2017-18255
- [stretch] - linux 4.9.107-1
-CVE-2018-1120
- [stretch] - linux 4.9.107-1
-CVE-2018-1130
- [stretch] - linux 4.9.107-1
-CVE-2018-3639
- [stretch] - linux 4.9.107-1
-CVE-2018-10021
- [stretch] - linux 4.9.107-1
-CVE-2018-10087
- [stretch] - linux 4.9.107-1
-CVE-2018-10124
- [stretch] - linux 4.9.107-1
-CVE-2018-10940
- [stretch] - linux 4.9.107-1
-CVE-2018-1000204
- [stretch] - linux 4.9.107-1
-CVE-2018-5814
- [stretch] - linux 4.9.107-1
-CVE-2018-9415
- [stretch] - linux 4.9.107-1
CVE-2018-10853
[stretch] - linux 4.9.110-1
CVE-2018-10876
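Review bot: This hunk removes eleven `[stretch] - linux 4.9.107-1` entries from data/next-point-update.txt, while the data/CVE/list part of the patch adds twelve such lines. The one without a matching removal is CVE-2018-6412. That is fine if it was never queued in this file, but it is worth confirming so that no stale 4.9.107-1 entry is left behind further down. The remaining context (`CVE-2018-10853` with `[stretch] - linux 4.9.110-1`) is correctly left in place.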
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/7532679e2d45b88a428eac96f1b1a6b39eb0fa04...47c4f562fd5f3d9de1638c65bf2f724369b5cf29