[Git][security-tracker-team/security-tracker][master] Merge fixes included in Stretch 9.5 point release
Salvatore Bonaccorso
carnil at debian.org
Sat Jul 14 10:13:22 BST 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d3a79cc0 by Salvatore Bonaccorso at 2018-07-14T11:12:52+02:00
Merge fixes included in Stretch 9.5 point release
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -4789,7 +4789,7 @@ CVE-2018-12086
RESERVED
CVE-2018-12085 (Liblouis 3.6.0 has a stack-based Buffer Overflow in the function ...)
- liblouis 3.5.0-4 (bug #901202)
- [stretch] - liblouis <no-dsa> (Minor issue)
+ [stretch] - liblouis 3.0.0-3+deb9u4
[jessie] - liblouis <no-dsa> (Minor issue)
NOTE: https://github.com/liblouis/liblouis/issues/595
NOTE: https://github.com/liblouis/liblouis/commit/dbfa58bb128cae86729578ac596056b3385817ef
@@ -5807,19 +5807,19 @@ CVE-2018-11686
RESERVED
CVE-2018-11685 (Liblouis 3.5.0 has a stack-based Buffer Overflow in the function ...)
- liblouis 3.5.0-3
- [stretch] - liblouis <no-dsa> (Minor issue)
+ [stretch] - liblouis 3.0.0-3+deb9u4
[jessie] - liblouis <no-dsa> (Minor issue)
NOTE: https://github.com/liblouis/liblouis/issues/593
NOTE: https://github.com/liblouis/liblouis/commit/b5049cb17ae3d15b2b26890de0e24d0fecc080f5
CVE-2018-11684 (Liblouis 3.5.0 has a stack-based Buffer Overflow in the function ...)
- liblouis 3.5.0-3
- [stretch] - liblouis <no-dsa> (Minor issue)
+ [stretch] - liblouis 3.0.0-3+deb9u4
[jessie] - liblouis <no-dsa> (Minor issue)
NOTE: https://github.com/liblouis/liblouis/issues/592
NOTE: https://github.com/liblouis/liblouis/commit/fb2bfce4ed49ac4656a8f7e5b5526e4838da1dde
CVE-2018-11683 (Liblouis 3.5.0 has a stack-based Buffer Overflow in the function ...)
- liblouis 3.5.0-3
- [stretch] - liblouis <no-dsa> (Minor issue)
+ [stretch] - liblouis 3.0.0-3+deb9u4
[jessie] - liblouis <no-dsa> (Minor issue)
NOTE: https://github.com/liblouis/liblouis/issues/591
NOTE: https://github.com/liblouis/liblouis/commit/e7eee2b7926668360a0d8e2abee6c35a00ebce3c
@@ -6071,7 +6071,7 @@ CVE-2018-11578 (GifIndexToTrueColor in ngiflib.c in MiniUPnP ngiflib 0.4 has a .
NOT-FOR-US: ngiflib
CVE-2018-11577 (Liblouis 3.5.0 has a Segmentation fault in lou_logPrint in logging.c. ...)
- liblouis 3.5.0-3 (bug #900607)
- [stretch] - liblouis <no-dsa> (Minor issue)
+ [stretch] - liblouis 3.0.0-3+deb9u4
[jessie] - liblouis <no-dsa> (Minor issue)
NOTE: https://github.com/liblouis/liblouis/issues/582
CVE-2018-11576 (ngiflib.c in MiniUPnP ngiflib 0.4 has a heap-based buffer over-read in ...)
@@ -6429,7 +6429,7 @@ CVE-2018-11441
RESERVED
CVE-2018-11440 (Liblouis 3.5.0 has a stack-based Buffer Overflow in the function ...)
- liblouis 3.5.0-3 (bug #900085)
- [stretch] - liblouis <no-dsa> (Minor issue)
+ [stretch] - liblouis 3.0.0-3+deb9u4
[jessie] - liblouis <no-dsa> (Minor issue)
NOTE: https://github.com/liblouis/liblouis/issues/575
NOTE: https://github.com/liblouis/liblouis/commit/4417bad83df4481ed58419b28c5c91b9649e2a86
@@ -6501,7 +6501,7 @@ CVE-2018-11411 (The transferFrom function of a smart contract implementation for
NOT-FOR-US: DimonCoin
CVE-2018-11410 (An issue was discovered in Liblouis 3.5.0. A invalid free in the ...)
- liblouis 3.5.0-2 (bug #899999)
- [stretch] - liblouis <no-dsa> (Minor issue; can be fixed via point release)
+ [stretch] - liblouis 3.0.0-3+deb9u2
[jessie] - liblouis <not-affected> (Code did not even exist at the time)
[wheezy] - liblouis <not-affected> (Code did not even exist at the time)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1582024
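Review bot: the stretch fix version for CVE-2018-11410 is recorded as liblouis 3.0.0-3+deb9u2, whereas every other liblouis CVE touched in this commit (CVE-2018-11440, -11577, -11683, -11684, -11685, -12085) resolves to 3.0.0-3+deb9u4. This matches the version listed for CVE-2018-11410 in the next-point-update.txt entry being removed, so it is internally consistent; it is only worth a second look that deb9u2 is indeed the upload that carried this particular fix rather than deb9u4.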
@@ -8002,7 +8002,7 @@ CVE-2018-10860 (perl-archive-zip is vulnerable to a directory traversal in ...)
CVE-2018-10859
RESERVED
- git-annex 6.20180626-1
- [stretch] - git-annex <no-dsa> (Will be fixed via next point release)
+ [stretch] - git-annex 6.20170101-1+deb9u2
NOTE: http://www.openwall.com/lists/oss-security/2018/06/26/4
NOTE: https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/
CVE-2018-10858
@@ -8010,7 +8010,7 @@ CVE-2018-10858
CVE-2018-10857
RESERVED
- git-annex 6.20180626-1
- [stretch] - git-annex <no-dsa> (Will be fixed via next point release)
+ [stretch] - git-annex 6.20170101-1+deb9u2
NOTE: http://www.openwall.com/lists/oss-security/2018/06/26/4
NOTE: https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/
CVE-2018-10856 (It has been discovered that podman before version 0.6.1 does not drop ...)
@@ -8462,7 +8462,7 @@ CVE-2018-10690
RESERVED
CVE-2018-10689 (blktrace (aka Block IO Tracing) 1.2.0, as used with the Linux kernel ...)
- blktrace 1.2.0-1 (low; bug #897695)
- [stretch] - blktrace <no-dsa> (Minor issue)
+ [stretch] - blktrace 1.1.0-2+deb9u1
[jessie] - blktrace 1.0.5-1+deb8u1
[wheezy] - blktrace <no-dsa> (Minor issue)
NOTE: https://git.kernel.org/pub/scm/linux/kernel/git/axboe/blktrace.git/commit/?id=d61ff409cb4dda31386373d706ea0cfb1aaac5b7
@@ -9295,7 +9295,7 @@ CVE-2018-10363 (An issue was discovered in the WpDevArt "Booking calendar,
NOT-FOR-US: WpDevArt "Booking calendar, Appointment Booking System" plugin for WordPress
CVE-2018-10360 (The do_core_note function in readelf.c in libmagic.a in file 5.33 ...)
- file 1:5.33-3 (bug #901351)
- [stretch] - file <no-dsa> (Minor issue; will be fixed via pu)
+ [stretch] - file 1:5.30-1+deb9u2
[jessie] - file 1:5.22+15-2+deb8u4
NOTE: https://github.com/file/file/commit/a642587a9c9e2dd7feacdf513c3643ce26ad3c22
CVE-2018-10359 (A pool corruption privilege escalation vulnerability in Trend Micro ...)
@@ -9683,7 +9683,7 @@ CVE-2018-10195 [rzsz: sz can leak data to receiving side]
CVE-2018-10194 (The set_text_distance function in devices/vector/gdevpdts.c in the ...)
{DLA-1363-1}
- ghostscript 9.22~dfsg-2.1 (bug #896069)
- [stretch] - ghostscript <no-dsa> (Minor issue)
+ [stretch] - ghostscript 9.20~dfsg-3.2+deb9u2
[jessie] - ghostscript 9.06~dfsg-2+deb8u7
NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=39b1e54b2968620723bf32e96764c88797714879
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=699255 (not yet public)
@@ -10618,7 +10618,7 @@ CVE-2018-1000161 (nmap version 6.49BETA6 through 7.60, up to and including SVN r
NOTE: Script added in 6.49BETA6 (cf. https://bugzilla.novell.com/show_bug.cgi?id=1088608#c1)
CVE-2018-1000159 (tlslite-ng version 0.7.3 and earlier, since commit ...)
- tlslite-ng 0.7.4-1 (low; bug #895728)
- [stretch] - tlslite-ng <no-dsa> (Minor issue, code describes itself as beta quality and use with caution)
+ [stretch] - tlslite-ng 0.6.0-1+deb9u1
NOTE: https://github.com/tomato42/tlslite-ng/pull/234
NOTE: https://github.com/tomato42/tlslite-ng/pull/234/commits/3674815d1b0f7484454995e2737a352e0a6a93d8 (v0.8.0-alpha3)
NOTE: https://github.com/tomato42/tlslite-ng/pull/235
@@ -16016,7 +16016,7 @@ CVE-2018-7668 (TestLink through 1.9.16 allows remote attackers to read arbitrary
CVE-2018-7667 (Adminer through 4.3.1 has SSRF via the server parameter. ...)
{DLA-1311-1}
- adminer 4.5.0-1 (bug #893668)
- [stretch] - adminer <no-dsa> (Minor issue, issue can be mitigated by upfront application firewalling)
+ [stretch] - adminer 4.2.5-3+deb9u1
[jessie] - adminer 3.3.3-1+deb8u1
NOTE: http://hyp3rlinx.altervista.org/advisories/ADMINER-UNAUTHENTICATED-SERVER-SIDE-REQUEST-FORGERY.txt
NOTE: https://github.com/vrana/adminer/commit/0fae40fb611b5c8167fa2b8d40bf576a8935a380
@@ -20604,7 +20604,7 @@ CVE-2018-6254 (In Android before the 2018-05-05 security patch level, NVIDIA Med
NOT-FOR-US: NVIDIA components for Android
CVE-2018-6253 (NVIDIA GPU Display Driver contains a vulnerability in the DirectX and ...)
- nvidia-graphics-drivers 390.48-1 (bug #894338)
- [stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [stretch] - nvidia-graphics-drivers 384.130-1
[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx <unfixed>
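Review bot: the new stretch version for CVE-2018-6253, nvidia-graphics-drivers 384.130-1, carries no +deb9uN or ~deb9uN suffix, unlike every other fixed version in this commit and unlike the nvidia entries elsewhere in the same file (384.111-4~deb9u1). It also has no counterpart in the next-point-update.txt hunk, which only tracks the 384.111-4~deb9u1 updates for the Spectre/Meltdown CVEs. Both points apply equally to the CVE-2018-6249 hunk that follows; worth confirming that 384.130-1 is the version that actually entered stretch with the 9.5 point release and that the two entries were not meant to be tracked there too.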
@@ -20621,7 +20621,7 @@ CVE-2018-6250 (NVIDIA Windows GPU Display Driver contains a vulnerability in the
NOT-FOR-US: NVIDIA Windows driver
CVE-2018-6249 (NVIDIA GPU Display Driver contains a vulnerability in kernel mode ...)
- nvidia-graphics-drivers 390.48-1 (bug #894338)
- [stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [stretch] - nvidia-graphics-drivers 384.130-1
[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx <unfixed>
@@ -24839,7 +24839,7 @@ CVE-2017-1000495 (QuickApps CMS version 2.0.0 is vulnerable to Stored Cross-site
NOT-FOR-US: QuickApps CMS
CVE-2017-1000494 (Uninitialized stack variable vulnerability in NameValueParserEndElt ...)
- miniupnpd 2.0.20171212-1 (bug #887129)
- [stretch] - miniupnpd <no-dsa> (Minor issue)
+ [stretch] - miniupnpd 1.8.20140523-4.1+deb9u1
[jessie] - miniupnpd <no-dsa> (Minor issue)
- miniupnpc 2.0.20171212-3 (unimportant)
NOTE: https://github.com/miniupnp/miniupnp/issues/268
@@ -34495,7 +34495,7 @@ CVE-2018-1303 (A specially crafted HTTP request header could have crashed the Ap
NOTE: http://www.openwall.com/lists/oss-security/2018/03/24/3
CVE-2018-1302 (When an HTTP/2 stream was destroyed after being handled, the Apache ...)
- apache2 2.4.33-1
- [stretch] - apache2 <postponed> (Will be fixed via stretch-pu and upating to 2.4.33's mod_http2)
+ [stretch] - apache2 2.4.25-3+deb9u5
[jessie] - apache2 <not-affected> (Vulnerable code not present)
[wheezy] - apache2 <not-affected> (Vulnerable code not present)
NOTE: HTTP/2 support introduced in 2.4.17
@@ -34855,7 +34855,7 @@ CVE-2017-17446 (The Mem_File_Reader::read_avail function in Data_Reader.cpp in t
NOTE: Additional hardening: https://bitbucket.org/mpyne/game-music-emu/commits/4a441e94cba14268bc4e983d4dfd6ed112084d00
CVE-2017-17440 (GNU Libextractor 1.6 allows remote attackers to cause a denial of ...)
- libextractor 1:1.6-2 (bug #883528)
- [stretch] - libextractor <no-dsa> (Minor issue)
+ [stretch] - libextractor 1:1.3-4+deb9u1
[jessie] - libextractor 1:1.3-2+deb8u1
[wheezy] - libextractor <no-dsa> (Minor issue)
NOTE: Fixed by: https://gnunet.org/git/libextractor.git/commit/?id=7cc63b001ceaf81143795321379c835486d0c92e
@@ -35504,7 +35504,7 @@ CVE-2018-1060 (python before versions 2.7.15, 3.4.9, 3.5.6 and 3.7.0 is vulnerab
NOTE: https://github.com/python/cpython/commit/e052d40cea15f582b50947f7d906b39744dc62a2 (2.7)
CVE-2018-1059 (The DPDK vhost-user interface does not check to verify that all the ...)
- dpdk 17.11.2-1 (bug #896688)
- [stretch] - dpdk <no-dsa> (Minor issue; can be fixed via point release)
+ [stretch] - dpdk 16.11.6-1+deb9u1
CVE-2018-1058 (A flaw was found in the way Postgresql allowed a user to modify the ...)
- postgresql-10 10.3-1
- postgresql-9.6 <removed>
@@ -37548,7 +37548,7 @@ CVE-2018-0500 (Curl_smtp_escape_eob in lib/smtp.c in curl before 7.61.0 has a ..
NOTE: https://curl.haxx.se/docs/adv_2018-70a2.html
CVE-2018-0499 (A cross-site scripting vulnerability in ...)
- xapian-core 1.4.6-1 (bug #902886)
- [stretch] - xapian-core <no-dsa> (Will be fixed in point release)
+ [stretch] - xapian-core 1.4.3-2+deb9u1
NOTE: https://lists.xapian.org/pipermail/xapian-discuss/2018-July/009652.html
CVE-2018-0498
RESERVED
@@ -37556,7 +37556,7 @@ CVE-2018-0497
RESERVED
CVE-2018-0496 (Directory traversal issues in the D-Mod extractor in DFArc and DFArc2 ...)
- freedink-dfarc 3.14-1
- [stretch] - freedink-dfarc <no-dsa> (Minor issue)
+ [stretch] - freedink-dfarc 3.12-1+deb9u1
[jessie] - freedink-dfarc <no-dsa> (Minor issue)
NOTE: https://savannah.gnu.org/forum/forum.php?forum_id=9169
NOTE: https://git.savannah.gnu.org/cgit/freedink/dfarc.git/commit/?id=40cc957f52e772f45125126439ba9333cf2d2998
@@ -42209,7 +42209,7 @@ CVE-2017-15923 (Konversation 1.4.x, 1.5.x, 1.6.x, and 1.7.x before 1.7.3 allow r
CVE-2017-15922 (In GNU Libextractor 1.4, there is an out-of-bounds read in the ...)
{DLA-1198-1}
- libextractor 1:1.6-2 (low; bug #880016)
- [stretch] - libextractor <no-dsa> (Minor issue)
+ [stretch] - libextractor 1:1.3-4+deb9u1
[jessie] - libextractor 1:1.3-2+deb8u1
NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00008.html
NOTE: Fixed by: https://gnunet.org/git/libextractor.git/commit/?id=d4d488b0e5ab13dda241d688d87a07816368f117
@@ -42997,21 +42997,21 @@ CVE-2017-15603
CVE-2017-15602 (In GNU Libextractor 1.4, there is an integer signedness error for the ...)
{DLA-1198-1}
- libextractor 1:1.6-1 (low)
- [stretch] - libextractor <no-dsa> (Minor issue)
+ [stretch] - libextractor 1:1.3-4+deb9u1
[jessie] - libextractor 1:1.3-2+deb8u1
NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
NOTE: Fixed by https://gnunet.org/git/libextractor.git/commit/?id=ffab889c1710c7646af9ed360c796a2a0a619efc
CVE-2017-15601 (In GNU Libextractor 1.4, there is a heap-based buffer overflow in the ...)
{DLA-1198-1}
- libextractor 1:1.6-1 (low)
- [stretch] - libextractor <no-dsa> (Minor issue)
+ [stretch] - libextractor 1:1.3-4+deb9u1
[jessie] - libextractor 1:1.3-2+deb8u1
NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00006.html
NOTE: Fixed by https://gnunet.org/git/libextractor.git/commit/?id=f813535dad4ad860b989952a46266a1469801091
CVE-2017-15600 (In GNU Libextractor 1.4, there is a NULL Pointer Dereference in the ...)
{DLA-1198-1}
- libextractor 1:1.6-1 (low)
- [stretch] - libextractor <no-dsa> (Minor issue)
+ [stretch] - libextractor 1:1.3-4+deb9u1
[jessie] - libextractor 1:1.3-2+deb8u1
NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1501695
@@ -44030,7 +44030,7 @@ CVE-2017-15268 (Qemu through 2.10.0 allows remote attackers to cause a memory le
CVE-2017-15267 (In GNU Libextractor 1.4, there is a NULL Pointer Dereference in ...)
{DLA-1198-1}
- libextractor 1:1.6-1 (bug #878314)
- [stretch] - libextractor <no-dsa> (Minor issue)
+ [stretch] - libextractor 1:1.3-4+deb9u1
[jessie] - libextractor 1:1.3-2+deb8u1
NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00003.html
NOTE: http://openwall.com/lists/oss-security/2017/10/11/1
@@ -44039,7 +44039,7 @@ CVE-2017-15267 (In GNU Libextractor 1.4, there is a NULL Pointer Dereference in
CVE-2017-15266 (In GNU Libextractor 1.4, there is a Divide-By-Zero in ...)
{DLA-1198-1}
- libextractor 1:1.6-1 (bug #878314)
- [stretch] - libextractor <no-dsa> (Minor issue)
+ [stretch] - libextractor 1:1.3-4+deb9u1
[jessie] - libextractor 1:1.3-2+deb8u1
NOTE: http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00002.html
NOTE: http://openwall.com/lists/oss-security/2017/10/11/1
@@ -52287,7 +52287,7 @@ CVE-2017-12628 (The JMX server embedded in Apache James, also used by the comman
CVE-2017-12627 (In Apache Xerces-C XML Parser library before 3.2.1, processing of ...)
{DLA-1328-1}
- xerces-c 3.2.1+debian-1 (bug #894050)
- [stretch] - xerces-c <no-dsa> (Minor issue; can be fixed via point release)
+ [stretch] - xerces-c 3.1.4+debian-2+deb9u1
[jessie] - xerces-c 3.1.1-5.1+deb8u4
NOTE: https://svn.apache.org/viewvc?view=revision&revision=1819998
NOTE: https://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
@@ -62297,27 +62297,27 @@ CVE-2017-9258 (The TDStretch::processSamples function in ...)
CVE-2017-9257 (The mp4ff_read_ctts function in common/mp4ff/mp4atom.c in Freeware ...)
{DLA-1077-1}
- faad2 2.8.1-1 (low; bug #867724)
- [stretch] - faad2 <no-dsa> (Minor issue)
+ [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
[jessie] - faad2 2.7-8+deb8u1
CVE-2017-9256 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware ...)
{DLA-1077-1}
- faad2 2.8.1-1 (low; bug #867724)
- [stretch] - faad2 <no-dsa> (Minor issue)
+ [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
[jessie] - faad2 2.7-8+deb8u1
CVE-2017-9255 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware ...)
{DLA-1077-1}
- faad2 2.8.1-1 (low; bug #867724)
- [stretch] - faad2 <no-dsa> (Minor issue)
+ [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
[jessie] - faad2 2.7-8+deb8u1
CVE-2017-9254 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware ...)
{DLA-1077-1}
- faad2 2.8.1-1 (low; bug #867724)
- [stretch] - faad2 <no-dsa> (Minor issue)
+ [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
[jessie] - faad2 2.7-8+deb8u1
CVE-2017-9253 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware ...)
{DLA-1077-1}
- faad2 2.8.1-1 (low; bug #867724)
- [stretch] - faad2 <no-dsa> (Minor issue)
+ [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
[jessie] - faad2 2.7-8+deb8u1
CVE-2016-10377 (In Open vSwitch (OvS) 2.5.0, a malformed IP packet can cause the switch ...)
- openvswitch 2.6.1+git20161123-1
@@ -62440,32 +62440,32 @@ CVE-2017-9224 (An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-
CVE-2017-9223 (The mp4ff_read_stts function in common/mp4ff/mp4atom.c in Freeware ...)
{DLA-1077-1}
- faad2 2.8.1-1 (low; bug #867724)
- [stretch] - faad2 <no-dsa> (Minor issue)
+ [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
[jessie] - faad2 2.7-8+deb8u1
CVE-2017-9222 (The mp4ff_parse_tag function in common/mp4ff/mp4meta.c in Freeware ...)
{DLA-1077-1}
- faad2 2.8.1-1 (low; bug #867724)
- [stretch] - faad2 <no-dsa> (Minor issue)
+ [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
[jessie] - faad2 2.7-8+deb8u1
CVE-2017-9221 (The mp4ff_read_mdhd function in common/mp4ff/mp4atom.c in Freeware ...)
{DLA-1077-1}
- faad2 2.8.1-1 (low; bug #867724)
- [stretch] - faad2 <no-dsa> (Minor issue)
+ [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
[jessie] - faad2 2.7-8+deb8u1
CVE-2017-9220 (The mp4ff_read_stco function in common/mp4ff/mp4atom.c in Freeware ...)
{DLA-1077-1}
- faad2 2.8.1-1 (low; bug #867724)
- [stretch] - faad2 <no-dsa> (Minor issue)
+ [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
[jessie] - faad2 2.7-8+deb8u1
CVE-2017-9219 (The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware ...)
{DLA-1077-1}
- faad2 2.8.1-1 (low; bug #867724)
- [stretch] - faad2 <no-dsa> (Minor issue)
+ [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
[jessie] - faad2 2.7-8+deb8u1
CVE-2017-9218 (The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware ...)
{DLA-1077-1}
- faad2 2.8.1-1 (low; bug #867724)
- [stretch] - faad2 <no-dsa> (Minor issue)
+ [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
[jessie] - faad2 2.7-8+deb8u1
CVE-2017-9217 (systemd-resolved through 233 allows remote attackers to cause a denial ...)
[experimental] - systemd 233-8
@@ -65542,7 +65542,7 @@ CVE-2017-8110 (www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev
NOT-FOR-US: modified eCommerce Shopsoftware
CVE-2017-8109 (The salt-ssh minion code in SaltStack Salt 2016.11 before 2016.11.4 ...)
- salt 2016.11.5+ds-1 (bug #861219)
- [stretch] - salt <no-dsa> (Minor issue)
+ [stretch] - salt 2016.11.2+ds-1+deb9u2
[jessie] - salt <not-affected> (Vulnerable code not present)
NOTE: https://github.com/saltstack/salt/issues/40075
NOTE: https://github.com/saltstack/salt/pull/40609
@@ -68256,7 +68256,7 @@ CVE-2017-7400 (OpenStack Horizon 9.x through 9.1.1, 10.x through 10.0.2, and 11.
NOTE: https://launchpad.net/bugs/1667086
CVE-2016-10317 (The fill_threshhold_buffer function in base/gxht_thresh.c in Artifex ...)
- ghostscript 9.22~dfsg-2.1 (bug #860869)
- [stretch] - ghostscript <no-dsa> (Minor issue)
+ [stretch] - ghostscript 9.20~dfsg-3.2+deb9u2
[jessie] - ghostscript 9.06~dfsg-2+deb8u7
[wheezy] - ghostscript <no-dsa> (Not directly reproducible, to re-evaluate once the upstream fix is known)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=697459
@@ -73317,7 +73317,7 @@ CVE-2017-5754 (Systems with microprocessors utilizing speculative execution and
{DSA-4120-1 DSA-4082-1 DSA-4078-1 DLA-1232-1}
- linux 4.14.12-1
- nvidia-graphics-drivers 384.111-1 (bug #886852)
- [stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [stretch] - nvidia-graphics-drivers 384.111-4~deb9u1
[jessie] - nvidia-graphics-drivers 340.106-1
[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx 340.106-1
@@ -73336,7 +73336,7 @@ CVE-2017-5753 (Systems with microprocessors utilizing speculative execution and
{DSA-4188-1 DSA-4187-1 DLA-1423-1 DLA-1422-1}
- linux 4.15.11-1
- nvidia-graphics-drivers 384.111-1 (bug #886852)
- [stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [stretch] - nvidia-graphics-drivers 384.111-4~deb9u1
[jessie] - nvidia-graphics-drivers 340.106-1
[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx 340.106-1
@@ -73428,6 +73428,7 @@ CVE-2017-5715 (Systems with microprocessors utilizing speculative execution and
{DSA-4213-1 DSA-4188-1 DSA-4187-1 DLA-1422-1 DLA-1369-1}
- linux 4.15.11-1
- intel-microcode 3.20180425.1
+ [stretch] - intel-microcode 3.20180425.1~deb9u1
[jessie] - intel-microcode 3.20180425.1~deb8u1
NOTE: https://spectreattack.com/
NOTE: https://xenbits.xen.org/xsa/advisory-254.html
@@ -73451,7 +73452,7 @@ CVE-2017-5715 (Systems with microprocessors utilizing speculative execution and
[jessie] - virtualbox <end-of-life> (DSA-3699-1)
[wheezy] - virtualbox <end-of-life> (DSA 3454)
- nvidia-graphics-drivers 384.111-1 (bug #886852)
- [stretch] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [stretch] - nvidia-graphics-drivers 384.111-4~deb9u1
[jessie] - nvidia-graphics-drivers 340.106-1
[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
- nvidia-graphics-drivers-legacy-340xx 340.106-1
@@ -141270,7 +141271,7 @@ CVE-2015-1418 (The do_ed_script function in pch.c in GNU patch through 2.7.6, an
CVE-2018-1000156 (GNU Patch version 2.7.6 contains an input validation vulnerability ...)
{DLA-1348-1}
- patch 2.7.6-2 (bug #894993)
- [stretch] - patch <no-dsa> (Can be fixed via point release)
+ [stretch] - patch 2.7.5-1+deb9u1
[jessie] - patch 2.7.5-1+deb8u1
NOTE: Upstream bug: https://savannah.gnu.org/bugs/?53566
NOTE: https://rachelbythebay.com/w/2018/04/05/bangpatch/
=====================================
data/next-point-update.txt
=====================================
--- a/data/next-point-update.txt
+++ b/data/next-point-update.txt
@@ -1,93 +1,3 @@
-CVE-2017-5753
- [stretch] - nvidia-graphics-drivers 384.111-4~deb9u1
-CVE-2017-5754
- [stretch] - nvidia-graphics-drivers 384.111-4~deb9u1
-CVE-2017-5715
- [stretch] - nvidia-graphics-drivers 384.111-4~deb9u1
-CVE-2017-17440
- [stretch] - libextractor 1:1.3-4+deb9u1
-CVE-2017-15266
- [stretch] - libextractor 1:1.3-4+deb9u1
-CVE-2017-15267
- [stretch] - libextractor 1:1.3-4+deb9u1
-CVE-2017-15600
- [stretch] - libextractor 1:1.3-4+deb9u1
-CVE-2017-15601
- [stretch] - libextractor 1:1.3-4+deb9u1
-CVE-2017-15602
- [stretch] - libextractor 1:1.3-4+deb9u1
-CVE-2017-15922
- [stretch] - libextractor 1:1.3-4+deb9u1
-CVE-2017-1000494
- [stretch] - miniupnpd 1.8.20140523-4.1+deb9u1
-CVE-2018-7667
- [stretch] - adminer 4.2.5-3+deb9u1
-CVE-2018-1000159
- [stretch] - tlslite-ng 0.6.0-1+deb9u1
-CVE-2018-1000156
- [stretch] - patch 2.7.5-1+deb9u1
-CVE-2017-8109
- [stretch] - salt 2016.11.2+ds-1+deb9u2
-CVE-2018-1059
- [stretch] - dpdk 16.11.6-1+deb9u1
-CVE-2017-12627
- [stretch] - xerces-c 3.1.4+debian-2+deb9u1
-CVE-2016-10317
- [stretch] - ghostscript 9.20~dfsg-3.2+deb9u2
-CVE-2018-10194
- [stretch] - ghostscript 9.20~dfsg-3.2+deb9u2
-CVE-2017-9218
- [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
-CVE-2017-9219
- [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
-CVE-2017-9220
- [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
-CVE-2017-9221
- [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
-CVE-2017-9222
- [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
-CVE-2017-9223
- [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
-CVE-2017-9253
- [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
-CVE-2017-9254
- [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
-CVE-2017-9255
- [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
-CVE-2017-9256
- [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
-CVE-2017-9257
- [stretch] - faad2 2.8.0~cvs20161113-1+deb9u1
-CVE-2018-1302
- [stretch] - apache2 2.4.25-3+deb9u5
-CVE-2018-10689
- [stretch] - blktrace 1.1.0-2+deb9u1
-CVE-2018-11410
- [stretch] - liblouis 3.0.0-3+deb9u2
-CVE-2018-11440
- [stretch] - liblouis 3.0.0-3+deb9u4
-CVE-2018-11577
- [stretch] - liblouis 3.0.0-3+deb9u4
-CVE-2018-11683
- [stretch] - liblouis 3.0.0-3+deb9u4
-CVE-2018-11684
- [stretch] - liblouis 3.0.0-3+deb9u4
-CVE-2018-11685
- [stretch] - liblouis 3.0.0-3+deb9u4
-CVE-2018-12085
- [stretch] - liblouis 3.0.0-3+deb9u4
-CVE-2017-5715
- [stretch] - intel-microcode 3.20180425.1~deb9u1
-CVE-2018-10360
- [stretch] - file 1:5.30-1+deb9u2
-CVE-2018-0496
- [stretch] - freedink-dfarc 3.12-1+deb9u1
-CVE-2018-10857
- [stretch] - git-annex 6.20170101-1+deb9u2
-CVE-2018-10859
- [stretch] - git-annex 6.20170101-1+deb9u2
-CVE-2018-0499
- [stretch] - xapian-core 1.4.3-2+deb9u1
CVE-2017-12424
[stretch] - shadow 1:4.4-4.1+deb9u1
CVE-2015-XXXX [busybox: pointer misuse unziping files]
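Review bot: cross-checking the 45 entries removed here against data/CVE/list, each one has a matching hunk in this commit that replaces the stretch <no-dsa>/<postponed> annotation with the same package version, so the two files stay consistent (CVE-2017-5715 appears twice, once for nvidia-graphics-drivers and once for intel-microcode, and both are reflected in the list). The hunk header @@ -1,93 +1,3 @@ also agrees with the 90 removed lines plus the three kept for CVE-2017-12424 and CVE-2015-XXXX. The only stretch versions changed in data/CVE/list that were never tracked in this file are the nvidia-graphics-drivers 384.130-1 entries for CVE-2018-6253 and CVE-2018-6249.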
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d3a79cc0ce1d31172ee1aa57f0bfccf241b9ae34