[Git][security-tracker-team/security-tracker][master] stable triage

Tue Jul 17 07:02:13 BST 2018

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
617038f2 by Moritz Muehlenhoff at 2018-07-17T08:01:53+02:00
stable triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================

--- a/data/CVE/list
+++ b/data/CVE/list
@@ -168,9 +168,11 @@ CVE-2018-14241
 	RESERVED
 CVE-2018-14326 (In MP4v2 2.0.0, there is an integer overflow (with resultant memory ...)
 	- mp4v2 <unfixed>
+	[stretch] - mp4v2 <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/07/16/1
 CVE-2018-14325 (In MP4v2 2.0.0, there is an integer underflow (with resultant memory ...)
 	- mp4v2 <unfixed>
+	[stretch] - mp4v2 <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/07/16/1
 CVE-2018-14240
 	RESERVED
@@ -1207,6 +1209,7 @@ CVE-2018-1000611 (SURFnet OpenConext EngineBlock version 5.7.0 to 5.7.3 contains
 	NOT-FOR-US: SURFnet OpenConext EngineBlock
 CVE-2018-1000622 (The Rust Programming Language rustdoc version Between 0.8 and 1.27.0 ...)
 	- rustc <unfixed>
+	[stretch] - rustc <ignored> (Minor issue, can be fixed along in future rustc update for ESR69)
 	NOTE: https://groups.google.com/forum/#!topic/rustlang-security-announcements/4ybxYLTtXuM
 CVE-2018-13787 (Certain Supermicro X11S, X10, X9, X8SI, K1SP, C9X299, C7, B1, A2, and ...)
 	NOT-FOR-US: Supermicro
@@ -3818,7 +3821,8 @@ CVE-2018-1000522
 CVE-2018-1000521 (BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in ...)
 	NOT-FOR-US: BigTree-CMS
 CVE-2018-1000520 (ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite Allows ...)
-	- mbedtls <unfixed>
+	- mbedtls <unfixed> (low)
+	[stretch] - mbedtls <no-dsa> (Minor issue)
 	- polarssl <removed>
 	NOTE: https://github.com/ARMmbed/mbedtls/issues/1561
 CVE-2018-1000519 (aio-libs aiohttp-session contains a Session Fixation vulnerability in ...)
@@ -32229,6 +32233,7 @@ CVE-2017-17690
 	RESERVED
 CVE-2017-17689 (The S/MIME specification allows a Cipher Block Chaining (CBC) ...)
 	- thunderbird <unfixed> (bug #898631)
+	[stretch] - thunderbird <postponed> (Wait until fixed in upstream release)
 	- evolution <unfixed> (bug #898633)
 	- kmail <unfixed> (bug #898634)
 	- kf5-messagelib <unfixed> (bug #899127)
@@ -37468,7 +37473,8 @@ CVE-2018-0739 (Constructed ASN.1 types with a recursive definition (such as can 
 	{DSA-4158-1 DSA-4157-1 DLA-1330-1}
 	- openssl 1.1.0h-1
 	- openssl1.0 1.0.2o-1
-	- libtomcrypt 1.18.2-1
+	- libtomcrypt 1.18.2-1 (low)
+	[stretch] - libtomcrypt <no-dsa> (Minor issue)
 	NOTE: https://www.openssl.org/news/secadv/20180327.txt
 	NOTE: OpenSSL_1_1_0-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=2ac4c6f7b2b2af20c0e2b0ba05367e454cd11b33
 	NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/?p=openssl.git;a=commit;h=9310d45087ae546e27e61ddf8f6367f29848220d


=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -51,7 +51,6 @@ mailman
 mariadb-10.1/stable
 --
 mercurial
-  2018-06-07: jessie update proposed by anarcat in https://lists.debian.org/87y3fr75kk.fsf@angela.anarc.at
 --
 mosquitto (seb)
   2018-02-27: Roger Light provided a debdiff targetting stretch, needs review



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/617038f2a055c00cdd92b9384e3c9a85fe8cbb86

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/617038f2a055c00cdd92b9384e3c9a85fe8cbb86
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180717/07263c0d/attachment.html>
