[Git][security-tracker-team/security-tracker][master] 2 commits: NFUs
Moritz Muehlenhoff
jmm at debian.org
Sat Jul 14 19:45:16 BST 2018
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fbcc1760 by Moritz Muehlenhoff at 2018-07-14T20:41:35+02:00
NFUs
- - - - -
c4a9edfd by Moritz Muehlenhoff at 2018-07-14T20:44:48+02:00
imagemagick DSA
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -60,15 +60,15 @@ CVE-2018-1000211 (Doorkeeper version 4.2.0 and later contains a Incorrect Access
NOTE: https://github.com/doorkeeper-gem/doorkeeper/issues/891
NOTE: https://github.com/doorkeeper-gem/doorkeeper/pull/1119
CVE-2018-1000210 (YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object ...)
- TODO: check
+ NOT-FOR-US: YamlDotNet
CVE-2018-1000209 (Sensu, Inc. Sensu Core version Before version 1.4.2-3 contains a ...)
- TODO: check
+ NOT-FOR-US: Sensu
CVE-2018-1000208 (MODX Revolution version <=2.6.4 contains a Directory Traversal ...)
NOT-FOR-US: MODX Revolution
CVE-2018-1000207 (MODX Revolution version <=2.6.4 contains a Incorrect Access Control ...)
NOT-FOR-US: MODX Revolution
CVE-2018-1000206 (JFrog Artifactory version since 5.11 contains a Cross ite Request ...)
- TODO: check
+ NOT-FOR-US: JFrog Artifactory
CVE-2018-14054 (A double free exists in the MP4StringProperty class in mp4property.cpp ...)
- mp4v2 <unfixed>
NOTE: http://www.openwall.com/lists/oss-security/2018/07/13/1
@@ -8611,7 +8611,7 @@ CVE-2018-10633 (Universal Robots Robot Controllers Version CB 3.1, SW Version ..
CVE-2018-10632
RESERVED
CVE-2018-10631 (Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician ...)
- TODO: check
+ NOT-FOR-US: Medtronic
CVE-2018-10630
RESERVED
CVE-2018-10629
@@ -9976,7 +9976,7 @@ CVE-2018-10103
CVE-2018-10099
RESERVED
CVE-2018-10098 (In MicroWorld eScan Internet Security Suite (ISS) for Business ...)
- TODO: check
+ NOT-FOR-US: MicroWorld eScan
CVE-2018-10097 (XSS exists in Domain Trader 2.5.3 via the recoverlogin.php ...)
NOT-FOR-US: Domain Trader
CVE-2018-1000171
@@ -10212,7 +10212,7 @@ CVE-2018-9991 (Frog CMS 0.9.5 has XSS via the /admin/?/user/add Name or Username
CVE-2018-9990 (In Zulip Server versions before 1.7.2, there was an XSS issue with ...)
- zulip-server <itp> (bug #800052)
CVE-2018-10018 (The GDASPAMLib.AntiSpam ActiveX control ASK\GDASpam.dll in G DATA ...)
- TODO: check
+ NOT-FOR-US: GDASPAMLib.AntiSpam ActiveX control
CVE-2018-10017 (soundlib/Snd_fx.cpp in OpenMPT before 1.27.07.00 and libopenmpt before ...)
- libopenmpt 0.3.8-1 (bug #895406)
[stretch] - libopenmpt <no-dsa> (Minor issue)
@@ -12471,13 +12471,13 @@ CVE-2018-9072
CVE-2018-9071
RESERVED
CVE-2018-9070 (For the Lenovo Smart Assistant Android app versions earlier than ...)
- TODO: check
+ NOT-FOR-US: Lenovo
CVE-2018-9069
RESERVED
CVE-2018-9068
RESERVED
CVE-2018-9067 (The Lenovo Help Android app versions earlier than 6.1.2.0327 had ...)
- TODO: check
+ NOT-FOR-US: Lenovo
CVE-2018-9066
RESERVED
CVE-2018-9065
@@ -13076,7 +13076,7 @@ CVE-2018-8849 (Medtronic N'Vision Clinician Programmer 8840 N'Vision Clinician .
CVE-2018-8848
RESERVED
CVE-2018-8847 (Eaton 9000X DriveA versions 2.0.29 and prior has a stack-based buffer ...)
- TODO: check
+ NOT-FOR-US: Eaton
CVE-2018-8846
RESERVED
CVE-2018-8845 (In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess ...)
@@ -16551,7 +16551,7 @@ CVE-2018-7536 (An issue was discovered in Django 2.0 before 2.0.3, 1.11 before .
NOTE: https://www.djangoproject.com/weblog/2018/mar/06/security-releases/
NOTE: Patch https://github.com/django/django/commit/abf89d729f210c692a50e0ad3f75fb6bec6fae16
CVE-2018-7535 (An issue was discovered in TotalAV v4.1.7. An unprivileged user could ...)
- TODO: check
+ NOT-FOR-US: TotalAV
CVE-2018-7534 (In Stealth Authorization Server before 3.3.017.0 in Unisys Stealth ...)
NOT-FOR-US: Stealth Authorization Server
CVE-2018-7533 (An Incorrect Default Permissions issue was discovered in OSIsoft PI ...)
@@ -18332,7 +18332,7 @@ CVE-2018-6971
CVE-2018-6970
RESERVED
CVE-2018-6969 (VMware Tools (10.x and prior before 10.3.0) contains an out-of-bounds ...)
- TODO: check
+ NOT-FOR-US: VMware
CVE-2018-6968 (The VMware AirWatch Agent for Android prior to 8.2 and AirWatch Agent ...)
NOT-FOR-US: VMware AirWatch Agent
CVE-2018-6967 (VMware ESXi (6.7 before ESXi670-201806401-BG), Workstation (14.x ...)
@@ -34685,7 +34685,7 @@ CVE-2018-1257 (Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x p
CVE-2018-1256 (Spring Cloud SSO Connector, version 2.1.2, contains a regression which ...)
NOT-FOR-US: Spring Cloud SSO Connector
CVE-2018-1255 (RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 ...)
- TODO: check
+ NOT-FOR-US: RSA
CVE-2018-1254 (RSA Authentication Manager Security Console, versions 8.3 P1 and ...)
NOT-FOR-US: RSA Authentication Manager Security Console
CVE-2018-1253 (RSA Authentication Manager Operation Console, versions 8.3 P1 and ...)
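Review bot: the new `NOT-FOR-US: RSA` string for CVE-2018-1255 is vendor-only, while the entries directly around it name the product (`NOT-FOR-US: RSA Authentication Manager Security Console`, `NOT-FOR-US: Spring Cloud SSO Connector`); since the CVE text itself says "RSA Identity Lifecycle and Governance", consider `NOT-FOR-US: RSA Identity Lifecycle and Governance` so that a later grep for the product name hits this entry. The same applies to the equally terse `RSA`, `VMware`, `Lenovo`, `Medtronic` and `Eaton` strings elsewhere in this patch.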
@@ -34705,7 +34705,7 @@ CVE-2018-1247 (RSA Authentication Manager Security Console, version 8.3 and earl
CVE-2018-1246
RESERVED
CVE-2018-1245 (RSA Identity Lifecycle and Governance versions 7.0.1, 7.0.2 and 7.1.0 ...)
- TODO: check
+ NOT-FOR-US: RSA
CVE-2018-1244 (Dell EMC iDRAC7/iDRAC8, versions prior to 2.60.60.60, and iDRAC9 ...)
NOT-FOR-US: EMC
CVE-2018-1243 (Dell EMC iDRAC6, versions prior to 2.91, iDRAC7/iDRAC8, versions prior ...)
@@ -41805,127 +41805,127 @@ CVE-2016-10605 (dalek-browser-ie is Internet Explorer bindings for DalekJS. ...)
CVE-2016-10604 (dalek-browser-chrome is Google Chrome bindings for DalekJS. ...)
NOT-FOR-US: dalek-browser-chrome
CVE-2016-10603 (air-sdk is a NPM wrapper for the Adobe AIR SDK. air-sdk downloads ...)
- TODO: check
+ NOT-FOR-US: air-sdk
CVE-2016-10602 (haxe is a cross-platform toolkit haxe downloads zipped resources over ...)
NOT-FOR-US: Haxe node module, different from src:haxe
CVE-2016-10601 (webdrvr is a npm wrapper for Selenium Webdriver including Chromedriver ...)
- TODO: check
+ NOT-FOR-US: webdrvr
CVE-2016-10600 (webrtc-native uses WebRTC from chromium project. webrtc-native ...)
- TODO: check
+ NOT-FOR-US: webrtc-native
CVE-2016-10599 (sauce-connect is a Node.js wrapper over the SauceLabs SauceConnect.jar ...)
- TODO: check
+ NOT-FOR-US: sauce-connect
CVE-2016-10598 (arrayfire-js is a module for ArrayFire for the Node.js platform. ...)
- TODO: check
+ NOT-FOR-US: arrayfire-js
CVE-2016-10597 (cobalt-cli downloads resources over HTTP, which leaves it vulnerable ...)
- TODO: check
+ NOT-FOR-US: cobalt-cli
CVE-2016-10596 (imageoptim is a Node.js wrapper for some images compression ...)
- TODO: check
+ NOT-FOR-US: imageoptim
CVE-2016-10595 (jdf-sass is a fork from node-sass, jdf use only. jdf-sass downloads ...)
- TODO: check
+ NOT-FOR-US: jdf-sass
CVE-2016-10594 (ipip is a Node.js module to query geolocation information for an IP or ...)
- TODO: check
+ NOT-FOR-US: ibip
CVE-2016-10593 (ibapi is an Interactive Brokers API addon for NodeJS. ibapi downloads ...)
- TODO: check
+ NOT-FOR-US: ibapi
CVE-2016-10592 (jser-stat is a JSer.info stat library. jser-stat downloads data ...)
- TODO: check
+ NOT-FOR-US: jser-stat
CVE-2016-10591 (Prince is a Node API for executing XML/HTML to PDF renderer PrinceXML ...)
- TODO: check
+ NOT-FOR-US: Prince Node API
CVE-2016-10590 (cue-sdk-node is a Corsair Cue SDK wrapper for node.js. cue-sdk-node ...)
- TODO: check
+ NOT-FOR-US: cue-sdk-node
CVE-2016-10589 (selenium-binaries downloads Selenium related binaries for your OS. ...)
- TODO: check
+ NOT-FOR-US: selenium-binaries
CVE-2016-10588 (nw is an installer for nw.js. nw downloads zipped resources over HTTP, ...)
- TODO: check
+ NOT-FOR-US: nw
CVE-2016-10587 (wasdk is a toolkit for creating WebAssembly modules. wasdk downloads ...)
- TODO: check
+ NOT-FOR-US: wasdk
CVE-2016-10586 (macaca-chromedriver is a Node.js wrapper for the selenium ...)
- TODO: check
+ NOT-FOR-US: macaca-chromedriver
CVE-2016-10585 (libxl provides Node bindings for the libxl library for reading and ...)
- TODO: check
+ NOT-FOR-US: libxl node bindings
CVE-2016-10584 (dalek-browser-chrome-canary provides Google Chrome bindings for ...)
- TODO: check
+ NOT-FOR-US: dalek-browser-chrome-canary
CVE-2016-10583 (closure-utils is Utilities for Closure Library based projects. ...)
- TODO: check
+ NOT-FOR-US: closure-utils
CVE-2016-10582 (closurecompiler is a Closure Compiler for node.js. closurecompiler ...)
- TODO: check
+ NOT-FOR-US: closurecompiler
CVE-2016-10581 (Steroids is PhoneGap on Steroids, providing native UI elements, ...)
- TODO: check
+ NOT-FOR-US: PhoneGap on Steroids
CVE-2016-10580 (nodewebkit is an installer for node-webkit. nodewebkit downloads ...)
- TODO: check
+ NOT-FOR-US: nodewebkit
CVE-2016-10579 (Chromedriver is an NPM wrapper for selenium ChromeDriver. Chromedriver ...)
- TODO: check
+ NOT-FOR-US: Chromedriver
CVE-2016-10578 (unicode loads unicode data downloaded from unicode.org into nodejs. ...)
NOT-FOR-US: nodejs unicode module
CVE-2016-10577 (ibm_db is an asynchronous/synchronous interface for node.js to IBM DB2 ...)
NOT-FOR-US: ibm_db node.js module
CVE-2016-10576 (Fuseki server wrapper and management API in fuseki before 1.0.1 ...)
- TODO: check
+ NOT-FOR-US: Fuseki
CVE-2016-10575 (Kindlegen is a simple Node.js wrapper of the official kindlegen ...)
- TODO: check
+ NOT-FOR-US: Kindlegen
CVE-2016-10574 (apk-parser3 is a module to extract Android Manifest info from an APK ...)
- TODO: check
+ NOT-FOR-US: apk-parser3
CVE-2016-10573 (baryton-saxophone is a module to install and launch Selenium Server ...)
- TODO: check
+ NOT-FOR-US: baryton-saxophone
CVE-2016-10572 (mongodb-instance before 0.0.3 installs mongodb locally. ...)
- TODO: check
+ NOT-FOR-US: mongodb-instance
CVE-2016-10571 (bkjs-wand is imagemagick wand support for node.js and backendjs ...)
- TODO: check
+ NOT-FOR-US: bkjs-wand
CVE-2016-10570 (pngcrush-installer is an installer for Pngcrush. pngcrush-installer ...)
- TODO: check
+ NOT-FOR-US: pngcrush-installer
CVE-2016-10569 (embedza is a module to create HTML snippets/embeds from URLs using ...)
- TODO: check
+ NOT-FOR-US: embedza
CVE-2016-10568 (geoip-lite-country is a stripped down version of geoip-lite, ...)
- TODO: check
+ NOT-FOR-US: geoip-lite-country
CVE-2016-10567 (product-monitor is a HTML/JavaScript template for monitoring a product ...)
- TODO: check
+ NOT-FOR-US: product-monitor
CVE-2016-10566 (install-nw is a module which quickly and robustly installs and caches ...)
- TODO: check
+ NOT-FOR-US: install-nw
CVE-2016-10565 (operadriver is a Opera Driver for Selenium. operadriver versions below ...)
- TODO: check
+ NOT-FOR-US: operadriver
CVE-2016-10564 (apk-parser is a tool to extract Android Manifest info from an APK ...)
- TODO: check
+ NOT-FOR-US: apk-parser
CVE-2016-10563 (During the installation process, the go-ipfs-deps module before 0.4.4 ...)
- TODO: check
+ NOT-FOR-US: go-ipfs-deps
CVE-2016-10562 (iedriver is an NPM wrapper for Selenium IEDriver. iedriver versions ...)
- TODO: check
+ NOT-FOR-US: iedriver
CVE-2016-10561 (Bitty is a development web server tool that functions similar to ...)
- TODO: check
+ NOT-FOR-US: Bitty
CVE-2016-10560 (galenframework-cli is the node wrapper for the Galen Framework. ...)
- TODO: check
+ NOT-FOR-US: galenframework-cli
CVE-2016-10559 (selenium-download downloads the latest versions of the selenium ...)
- TODO: check
+ NOT-FOR-US: selenium-download
CVE-2016-10558 (aerospike is an Aerospike add-on module for Node.js. aerospike ...)
- TODO: check
+ NOT-FOR-US: aerospike
CVE-2016-10557 (appium-chromedriver is a Node.js wrapper around Chromedriver. Versions ...)
- TODO: check
+ NOT-FOR-US: appium-chromedriver
CVE-2016-10556 (sequelize is an Object-relational mapping, or a middleman to convert ...)
- TODO: check
+ NOT-FOR-US: sequelize
CVE-2016-10555 (Since "algorithm" isn't enforced in jwt.decode()in jwt-simple 0.3.0 ...)
NOT-FOR-US: nodejs-jwt-simple
CVE-2016-10554 (sequelize is an Object-relational mapping, or a middleman to convert ...)
- TODO: check
+ NOT-FOR-US: sequelize
CVE-2016-10553 (sequelize is an Object-relational mapping, or a middleman to convert ...)
- TODO: check
+ NOT-FOR-US: sequelize
CVE-2016-10552 (igniteui 0.0.5 and earlier downloads JavaScript and CSS resources over ...)
- TODO: check
+ NOT-FOR-US: igniteui
CVE-2016-10551 (waterline-sequel is a module that helps generate SQL statements for ...)
- TODO: check
+ NOT-FOR-US: waterline-sequel
CVE-2016-10550 (sequelize is an Object-relational mapping, or a middleman to convert ...)
- TODO: check
+ NOT-FOR-US: sequelize
CVE-2016-10549 (Sails is an MVC style framework for building realtime web ...)
- TODO: check
+ NOT-FOR-US: Sails
CVE-2016-10548 (Arbitrary code execution is possible in reduce-css-calc node module ...)
- TODO: check
+ NOT-FOR-US: reduce-css-calc
CVE-2016-10547 (Nunjucks is a full featured templating engine for JavaScript. Versions ...)
- TODO: check
+ NOT-FOR-US: Nunjucks
CVE-2016-10546 (An arbitrary code injection vector was found in PouchDB 6.0.4 and ...)
- TODO: check
+ NOT-FOR-US: PouchDB
CVE-2016-10545
REJECTED
CVE-2016-10544 (uws is a WebSocket server library. By sending a 256mb websocket ...)
- TODO: check
+ NOT-FOR-US: uws
CVE-2016-10543 (call is an HTTP router that is primarily used by the hapi framework. ...)
- TODO: check
+ NOT-FOR-US: call HTTP router
CVE-2016-10542 (ws is a "simple to use, blazing fast and thoroughly tested websocket ...)
- node-ws <unfixed> (unimportant)
NOTE: https://nodesecurity.io/advisories/120
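Review bot: the NOT-FOR-US string for CVE-2016-10594 reads `ibip`, but the entry's own description names the module `ipip` (the next entry, `ibapi`, is a different module), so this looks like a typo; change it to `NOT-FOR-US: ipip` so the entry is found when searching for the module. Also, `NOT-FOR-US: Chromedriver` for CVE-2016-10579 is ambiguous on its own, since the description says the affected component is the NPM wrapper around selenium ChromeDriver rather than ChromeDriver itself; the Haxe entry in this same hunk shows the convention for such cases (`NOT-FOR-US: Haxe node module, different from src:haxe`), and something like `NOT-FOR-US: Chromedriver npm wrapper` would follow it.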
@@ -41952,15 +41952,15 @@ CVE-2016-10537 (backbone is a module that adds in structure to a JavaScript heav
- backbone 0.5.3-1
NOTE: https://nodesecurity.io/advisories/108
CVE-2016-10536 (engine.io-client is the client for engine.io, the implementation of a ...)
- TODO: check
+ NOT-FOR-US: engine.io-client
CVE-2016-10535 (csrf-lite is a cross-site request forgery protection library for ...)
- TODO: check
+ NOT-FOR-US: csrf-lite
CVE-2016-10534 (electron-packager is a command line tool that packages Electron source ...)
- TODO: check
+ NOT-FOR-US: electron-packager
CVE-2016-10533 (express-restify-mongoose is a module to easily create a flexible REST ...)
- TODO: check
+ NOT-FOR-US: express-restify-mongoose
CVE-2016-10532 (console-io is a module that allows users to implement a web console in ...)
- TODO: check
+ NOT-FOR-US: console-io
CVE-2016-10531 (marked is an application that is meant to parse and compile markdown. ...)
- node-marked 0.3.6+dfsg-1 (unimportant)
NOTE: https://nodesecurity.io/advisories/101
=====================================
data/DSA/list
=====================================
--- a/data/DSA/list
+++ b/data/DSA/list
@@ -1,3 +1,6 @@
+[14 Jul 2018] DSA-4245-1 imagemagick - security update
+ {CVE-2018-5248 CVE-2018-11251 CVE-2018-12599 CVE-2018-12600}
+ [stretch] - imagemagick 8:6.9.7.4+dfsg-11+deb9u5
[13 Jul 2018] DSA-4244-1 thunderbird - security update
{CVE-2018-5188 CVE-2018-12359 CVE-2018-12360 CVE-2018-12362 CVE-2018-12363 CVE-2018-12364 CVE-2018-12365 CVE-2018-12366 CVE-2018-12372 CVE-2018-12373 CVE-2018-12374}
[stretch] - thunderbird 1:52.9.1-1~deb9u1
=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -32,8 +32,6 @@ graphicsmagick
intel-microcode
Updates for spectre v3a and v4 not yet released
--
-imagemagick (jmm)
---
knot-resolver
--
libidn
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bb1cdf7f4115028605341c2c1157010a8b91b737...c4a9edfd0cdcf90f5f57eae8da1f70aed90e3dee
--
You're receiving this email because of your account on salsa.debian.org.