[Git][security-tracker-team/security-tracker][master] stretch triage
Moritz Muehlenhoff
jmm at debian.org
Fri Jul 20 07:08:56 BST 2018
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2906ee00 by Moritz Muehlenhoff at 2018-07-20T08:08:26+02:00
stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -307,6 +307,7 @@ CVE-2018-14338 (samples/geotag.cpp in the example code of Exiv2 0.26 misuses the
NOTE: Issue in example code of Exiv2
CVE-2018-14337 (The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 ...)
- mruby <unfixed> (bug #903985)
+ [stretch] - mruby <no-dsa> (Minor issue)
NOTE: https://github.com/mruby/mruby/issues/4062
NOTE: https://github.com/mruby/mruby/commit/695f29cd604787f43be1af16e38d13610bf8312b
NOTE: https://github.com/mruby/mruby/commit/adb1eae912659d680a9c5b7832e22cf73d36a69a
@@ -328,11 +329,9 @@ CVE-2018-14331 (An issue was discovered in XiaoCms X1 v20140305. There is a CSRF
CVE-2018-14330
RESERVED
CVE-2018-14329 (In HTSlib 1.8, a race condition in cram/cram_io.c might allow local ...)
- - htslib <unfixed>
- [jessie] - htslib <no-dsa> (Minor issue, ignored by upstream)
+ - htslib <unfixed> (unimportant)
NOTE: https://github.com/samtools/htslib/issues/736
- NOTE: Upstream closed the issue, reasoning that fixing the issue would
- NOTE: cause another set of problems.
+ NOTE: Neutralised by kernel hardening
CVE-2018-14328
RESERVED
CVE-2018-14327
@@ -4386,6 +4385,7 @@ CVE-2018-12582 (An issue was discovered in AKCMS 6.1. CSRF can add an admin acco
NOT-FOR-US: AKCMS
CVE-2018-12581 (An issue was discovered in js/designer/move.js in phpMyAdmin before ...)
- phpmyadmin <unfixed> (low)
+ [stretch] - phpmyadmin <not-affected> (Vulnerable code not present)
[jessie] - phpmyadmin <not-affected> (vulnerable code not present)
NOTE: https://www.phpmyadmin.net/security/PMASA-2018-3/
NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6943fff87324bd54c3a37a5160a5fb77498c355e
@@ -7249,11 +7249,13 @@ CVE-2018-11491
RESERVED
CVE-2018-11490 (The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly ...)
- giflib <unfixed> (bug #904114)
+ [stretch] - giflib <no-dsa> (Minor issue)
NOTE: https://github.com/pts/sam2p/issues/38
NOTE: https://sourceforge.net/p/giflib/bugs/113/
NOTE: Issue was reported against sam2p but issue is in dgif_lib.c from giflib.
CVE-2018-11489 (The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly ...)
- giflib <unfixed> (bug #904113)
+ [stretch] - giflib <no-dsa> (Minor issue)
NOTE: https://github.com/pts/sam2p/issues/37
NOTE: https://sourceforge.net/p/giflib/bugs/112/
NOTE: Issue was reported against sam2p but issue is in dgif_lib.c from giflib.
@@ -10672,6 +10674,7 @@ CVE-2018-10189 (An issue was discovered in Mautic 1.x and 2.x before 2.13.0. It
NOT-FOR-US: Mautic
CVE-2018-10188 (phpMyAdmin 4.8.0 before 4.8.0-1 has CSRF, allowing an attacker to ...)
- phpmyadmin <unfixed> (bug #896490)
+ [stretch] - phpmyadmin <not-affected> (Only affects 4.8.x)
[jessie] - phpmyadmin <not-affected> (vulnerable code not present)
[wheezy] - phpmyadmin <not-affected> (vulnerable code not present)
NOTE: https://www.phpmyadmin.net/security/PMASA-2018-2/
@@ -32090,6 +32093,7 @@ CVE-2018-2599 (Vulnerability in the Java SE, Java SE Embedded, JRockit component
[wheezy] - openjdk-6 <end-of-life>
CVE-2018-2598 (Vulnerability in the MySQL Workbench component of Oracle MySQL ...)
- mysql-workbench <unfixed> (bug #904112)
+ [stretch] - mysql-workbench <no-dsa> (Exact details undisclosed, but marginal CVSS score)
CVE-2018-2597 (Vulnerability in the Oracle Hospitality Cruise Dining Room Management ...)
NOT-FOR-US: Oracle
CVE-2018-2596 (Vulnerability in the Oracle WebCenter Content component of Oracle ...)
@@ -46081,6 +46085,7 @@ CVE-2017-14989 (A use-after-free in RenderFreetype in MagickCore/annotate.c in .
NOTE: ImageMagick-6: https://github.com/ImageMagick/ImageMagick/commit/28bad01242898d7f863deedbfa8502c348293093
CVE-2017-14988 (Header::readfrom in IlmImf/ImfHeader.cpp in OpenEXR 2.2.0 allows remote ...)
- openexr <unfixed> (bug #878551)
+ [stretch] - openexr <no-dsa> (Minor issue)
[wheezy] - openexr <postponed> (Should be fixed along in future update)
NOTE: https://github.com/openexr/openexr/issues/248
CVE-2017-14987
@@ -53432,7 +53437,7 @@ CVE-2017-12597 (OpenCV (Open Source Computer Vision Library) through 3.3 has an
NOTE: https://github.com/opencv/opencv/issues/9309
CVE-2017-12596 (In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read ...)
- openexr 2.2.0-11.1 (bug #877352)
- [stretch] - opencv <no-dsa> (Minor issue)
+ [stretch] - openexr <no-dsa> (Minor issue)
[wheezy] - openexr 1.6.1-6+deb7u1
NOTE: https://github.com/openexr/openexr/issues/238
NOTE: Upstream fix https://github.com/openexr/openexr/commit/f09f5f26c1924c4f7e183428ca79c9881afaf53c
@@ -63833,36 +63838,43 @@ CVE-2017-9117 (In LibTIFF 4.0.7, the program processes BMP images without verify
CVE-2017-9116 (In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress function ...)
{DLA-1083-1}
- openexr 2.2.0-11.1 (bug #864078)
+ [stretch] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9115 (In OpenEXR 2.2.0, an invalid write of size 2 in the = operator function ...)
- openexr <unfixed> (bug #873885)
+ [stretch] - openexr <no-dsa> (Minor issue)
[wheezy] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9114 (In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in ...)
- openexr <unfixed> (bug #873885)
+ [stretch] - openexr <no-dsa> (Minor issue)
[wheezy] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9113 (In OpenEXR 2.2.0, an invalid write of size 1 in the bufferedReadPixels ...)
- openexr <unfixed> (bug #873885)
+ [stretch] - openexr <no-dsa> (Minor issue)
[wheezy] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9112 (In OpenEXR 2.2.0, an invalid read of size 1 in the getBits function in ...)
{DLA-1083-1}
- openexr 2.2.0-11.1 (bug #864078)
+ [stretch] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9111 (In OpenEXR 2.2.0, an invalid write of size 8 in the storeSSE function ...)
- openexr <unfixed> (bug #873885)
+ [stretch] - openexr <no-dsa> (Minor issue)
[wheezy] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9110 (In OpenEXR 2.2.0, an invalid read of size 2 in the hufDecode function ...)
{DLA-1083-1}
- openexr 2.2.0-11.1 (bug #864078)
+ [stretch] - openexr <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2017/05/12/5
NOTE: https://github.com/openexr/openexr/issues/232
CVE-2017-9109
=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -31,6 +31,8 @@ graphicsmagick
intel-microcode
wait for regressions in unstable before releasing to stretch
--
+jetty9 (jmm)
+--
knot-resolver
--
libidn
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2906ee00712bb63ed15949f4bbc8b252ea453699
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2906ee00712bb63ed15949f4bbc8b252ea453699
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180720/299f15b9/attachment-0001.html>
More information about the debian-security-tracker-commits
mailing list