[Git][security-tracker-team/security-tracker][master] CVE-2017-5854/libpodofo was not correctly fixed for stretch and wheezy
Mattia Rizzolo
mattia at debian.org
Fri Jun 15 09:23:45 BST 2018
Mattia Rizzolo pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3cd07432 by Mattia Rizzolo at 2018-06-15T10:23:12+02:00
CVE-2017-5854/libpodofo was not correctly fixed for stretch and wheezy
Signed-off-by: Mattia Rizzolo <mattia at debian.org>
- - - - -
2 changed files:
- data/CVE/list
- data/DLA/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -19235,6 +19235,7 @@ CVE-2018-5308 (PoDoFo 0.9.5 does not properly validate memcpy arguments in the .
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1532390
NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1870
NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1876
+ NOTE: duplicate CVE: CVE-2017-5854
CVE-2018-5307 (Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus ...)
NOT-FOR-US: Sonatype Nexus Repository Manager
CVE-2018-5306 (Multiple cross-site scripting (XSS) vulnerabilities in Sonatype Nexus ...)
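Review bot: the new `NOTE: duplicate CVE: CVE-2017-5854` line makes the cross-reference symmetric with the one added to the CVE-2017-5854 entry, but the status lines of CVE-2018-5308 (its fixed version and any `[stretch]`/`[jessie]`/`[wheezy]` entries) fall outside the visible context, so this hunk alone cannot show that the two entries now carry the same fixed version (0.9.5-9) and the same per-suite `<no-dsa>` status. Since both entries point at the same upstream commits (1870 and 1876), their status lines should agree; please confirm that before merging.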
@@ -69239,12 +69240,15 @@ CVE-2017-5855 (The PoDoFo::PdfParser::ReadXRefSubsection function in PdfParser.c
NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
NOTE: upstream commit: http://sourceforge.net/p/podofo/code/1843
CVE-2017-5854 (base/PdfOutputStream.cpp in PoDoFo 0.9.4 allows remote attackers to ...)
- {DLA-929-1}
- - libpodofo 0.9.4-5 (bug #854602)
+ - libpodofo 0.9.5-9 (bug #854602)
+ [stretch] - libpodofo <no-dsa> (Minor issue)
[jessie] - libpodofo <no-dsa> (Minor issue)
+ [wheezy] - libpodofo <no-dsa> (Minor issue)
NOTE: https://blogs.gentoo.org/ago/2017/02/01/podofo-null-pointer-dereference-in-pdfoutputstream-cpp
NOTE: https://sourceforge.net/p/podofo/mailman/podofo-users/thread/12497325.VLNgGImML2%40blackgate/#msg35640936
- NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1836
+ NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1870
+ NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1876
+ NOTE: duplicate CVE: CVE-2018-5308
CVE-2017-5853 (Integer overflow in base/PdfParser.cpp in PoDoFo 0.9.4 allows remote ...)
{DLA-929-1}
- libpodofo 0.9.4-5 (bug #854601)
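Review bot: the reference to upstream commit 1836 is deleted outright rather than kept as a record of the earlier, insufficient fix, so a reader of the entry can no longer see why 0.9.4-5 (bug #854602) was once listed as the fixed version. Consider retaining the line annotated as the incomplete fix, e.g. `NOTE: upstream commit: https://sourceforge.net/p/podofo/code/1836 (incomplete fix, shipped in 0.9.4-5)`, and adding a short NOTE stating that 1870/1876 are the actual fix; the commit message says the issue "was not correctly fixed for stretch and wheezy" but nothing in the entry itself records that. Otherwise the change is internally consistent: dropping `{DLA-929-1}` matches the DLA/list hunk, and the new `[stretch]`/`[wheezy] <no-dsa> (Minor issue)` lines mirror the existing `[jessie]` line.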
=====================================
data/DLA/list
=====================================
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1396,7 +1396,7 @@
{CVE-2017-7957}
[wheezy] - libxstream-java 1.4.2-1+deb7u2
[29 Apr 2017] DLA-929-1 libpodofo - security update
- {CVE-2015-8981 CVE-2017-5852 CVE-2017-5853 CVE-2017-5854 CVE-2017-5886 CVE-2017-6844 CVE-2017-7379}
+ {CVE-2015-8981 CVE-2017-5852 CVE-2017-5853 CVE-2017-5886 CVE-2017-6844 CVE-2017-7379}
[wheezy] - libpodofo 0.9.0-1.1+deb7u1
[29 Apr 2017] DLA-928-1 libsndfile - security update
{CVE-2014-9496 CVE-2014-9756 CVE-2015-7805 CVE-2017-7585 CVE-2017-7586 CVE-2017-7741 CVE-2017-7742}
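Review bot: removing CVE-2017-5854 from the CVE set of DLA-929-1 retroactively changes the tracker's record of an advisory published on 29 Apr 2017, whose announcement text still names that CVE; this is consistent with dropping `{DLA-929-1}` from the CVE-2017-5854 entry in CVE/list, but the correction itself is only implied by the diff. Since DLA/list carries no explanatory notes, suggest documenting in the CVE-2017-5854 entry in CVE/list that DLA-929-1 did not actually fix this issue (the 0.9.0-1.1+deb7u1 upload carried the insufficient commit), so that anyone checking wheezy's status later understands why the advisory and the tracker disagree.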
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/3cd074320b724844e268a5c02734c7cb9931eae0