[Git][security-tracker-team/security-tracker][master] stretch triage

Moritz Muehlenhoff jmm at debian.org
Thu Jun 21 23:26:13 BST 2018 

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
918cff8e by Moritz Muehlenhoff at 2018-06-22T00:25:51+02:00
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -540,7 +540,8 @@ CVE-2018-12439 (MatrixSSL through 3.9.5 Open allows a memory-cache side-channel 
 CVE-2018-12438 (The Elliptic Curve Cryptography library (aka sunec or libsunec) allows ...)
 	TODO: check
 CVE-2018-12437 (LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ...)
-	- libtomcrypt <unfixed> (bug #901626)
+	- libtomcrypt <unfixed> (low; bug #901626)
+	[stretch] - libtomcrypt <no-dsa> (Minor issue)
 	NOTE: https://github.com/libtom/libtomcrypt/issues/407
 CVE-2018-12436 (wolfcrypt/src/ecc.c in wolfSSL before 3.15.1.patch allows a ...)
 	- wolfssl <unfixed> (bug #901627)
@@ -1444,10 +1445,12 @@ CVE-2018-12037
 CVE-2018-12036 (OWASP Dependency-Check before 3.2.0 allows attackers to write to ...)
 	NOT-FOR-US: OWASP Dependency-Check
 CVE-2018-12035 (In YARA 3.7.1 and prior, parsing a specially crafted compiled rule ...)
-	- yara 3.7.1-3
+	- yara 3.7.1-3 (low)
+	[stretch] - yara <no-dsa> (Minor issue)
 	NOTE: https://github.com/VirusTotal/yara/issues/891
 CVE-2018-12034 (In YARA 3.7.1 and prior, parsing a specially crafted compiled rule ...)
-	- yara 3.7.1-3
+	- yara 3.7.1-3 (low)
+	[stretch] - yara <no-dsa> (Minor issue)
 	NOTE: https://github.com/VirusTotal/yara/issues/891
 CVE-2018-12033
 	RESERVED
@@ -12285,11 +12288,13 @@ CVE-2018-7691
 CVE-2018-7690
 	RESERVED
 CVE-2018-7689 (Lack of permission checks in the InitializeDevelPackage function in ...)
-	- open-build-service <unfixed>
+	- open-build-service <unfixed> (low)
+	[stretch] - open-build-service <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1094819
 	NOTE: https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b
 CVE-2018-7688 (A missing permission check in the review handling of openSUSE Open ...)
-	- open-build-service <unfixed>
+	- open-build-service <unfixed> (low)
+	[stretch] - open-build-service <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1094820
 	NOTE: https://github.com/openSUSE/open-build-service/commit/b15cf19e9e01115f653c76ffdc8f54cd97566553
 CVE-2018-7687 (The Micro Focus Client for OES before version 2 SP4 IR8a has a ...)
@@ -18429,15 +18434,18 @@ CVE-2018-5807
 	RESERVED
 CVE-2018-5806 [NULL pointer dereference in leaf_hdr_load_raw() function in internal/dcraw_common.cpp]
 	RESERVED
-	- libraw 0.18.8-1
+	- libraw 0.18.8-1 (low)
+	[stretch] - libraw <no-dsa> (Minor issue)
 	NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03
 CVE-2018-5805 [Stack-based buffer overflow in quicktake_100_load_raw() function in internal/dcraw_common.cpp]
 	RESERVED
-	- libraw 0.18.8-1
+	- libraw 0.18.8-1 (low)
+	[stretch] - libraw <no-dsa> (Minor issue)
 	NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03
 CVE-2018-5804 [type confusion error in identify() function in internal/dcraw_common.cpp]
 	RESERVED
-	- libraw 0.18.8-1
+	- libraw 0.18.8-1 (low)
+	[stretch] - libraw <no-dsa> (Minor issue)
 	NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-03
 CVE-2018-5803 (In the Linux Kernel before version 4.15.8, 4.14.25, 4.9.87, 4.4.121, ...)
 	{DSA-4188-1 DSA-4187-1 DLA-1369-1}


=====================================
data/dsa-needed.txt
=====================================
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -44,6 +44,8 @@ lava-server
 libidn
   santiago proposed debdiffs for jessie and stretch
 --
+libspring-java
+--
 linux
   Wait until more issues have piled up
 --
@@ -55,6 +57,9 @@ mercurial
 mosquitto (seb)
   2018-02-27: Roger Light provided a debdiff targetting stretch, needs review
 --
+mupdf
+  leaf package, might be a candidate for simply moving to 1.13 in stretch
+--
 openjpeg2 (luciano)
 --
 passenger
@@ -67,6 +72,10 @@ ruby2.3
   Santiago will prepare an update
   work-in-progress: https://salsa.debian.org/ruby-team/ruby/tree/stretch-security-wip
 --
+ruby-rack-protection (jmm)
+-
+ruby-sprockets
+--
 sssd
   Maintainer prepared an update and proposed debdiff, acked for upload, but update needs further testing before release.
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/918cff8e407e264a4dd7edbc191da68e20f08539

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/918cff8e407e264a4dd7edbc191da68e20f08539
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180621/20f11c0b/attachment-0001.html>

More information about the debian-security-tracker-commits mailing list