[Git][security-tracker-team/security-tracker][master] more stretch triage
Moritz Muehlenhoff
jmm at debian.org
Fri Jun 22 10:07:44 BST 2018
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d06ab61e by Moritz Muehlenhoff at 2018-06-22T11:06:14+02:00
more stretch triage
mark remaining jasperreports issues to undetermined, we really need to
find a solution for that one (probably excluding it from stable is
the sanest approach approach until upstream fixes their mess)
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -598,9 +598,10 @@ CVE-2018-12425
CVE-2018-12424
RESERVED
CVE-2018-12422 (** DISPUTED ** addressbook/backends/ldap/e-book-backend-ldap.c in ...)
- - evolution-data-server <unfixed> (bug #901665)
+ - evolution-data-server <unfixed> (unimportant; bug #901665)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=796174
NOTE: https://gitlab.gnome.org/GNOME/evolution-data-server/commit/34bad6173
+ NOTE: non-issue, to be rejected
CVE-2018-12421 (LTB (aka LDAP Tool Box) Self Service Password before 1.3 allows a ...)
NOT-FOR-US: LTB Self Service Password
CVE-2018-12420 (IceHrm before 23.0.1.OS has a risky usage of a hashed password in a ...)
@@ -1941,6 +1942,7 @@ CVE-2018-12066 (BIRD Internet Routing Daemon before 1.6.4 allows local users to
NOTE: Fixed by: https://gitlab.labs.nic.cz/labs/bird/commit/e8bc64e308586b6502090da2775af84cd760ed0d
CVE-2018-1002209 [arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file]
- libquazip <unfixed>
+ [stretch] - libquazip <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1593011
TODO: further checks, should be fixedin 0.7.6
CVE-2018-1002204 [nodejs-adm-zip: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file]
@@ -2190,19 +2192,24 @@ CVE-2018-11733
CVE-2018-11732
RESERVED
CVE-2018-11731 (The libfsntfs_mft_entry_read_attributes function in ...)
- - libfsntfs <unfixed>
+ - libfsntfs <unfixed> (low)
+ [stretch] - libfsntfs <no-dsa> (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2018/Jun/17
CVE-2018-11730 (The libfsntfs_security_descriptor_values_free function in ...)
- - libfsntfs <unfixed>
+ - libfsntfs <unfixed> (low)
+ [stretch] - libfsntfs <no-dsa> (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2018/Jun/17
CVE-2018-11729 (The libfsntfs_mft_entry_read_header function in libfsntfs_mft_entry.c ...)
- - libfsntfs <unfixed>
+ - libfsntfs <unfixed> (low)
+ [stretch] - libfsntfs <no-dsa> (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2018/Jun/17
CVE-2018-11728 (The libfsntfs_reparse_point_values_read_data function in ...)
- - libfsntfs <unfixed>
+ - libfsntfs <unfixed> (low)
+ [stretch] - libfsntfs <no-dsa> (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2018/Jun/17
CVE-2018-11727 (The libfsntfs_attribute_read_from_mft function in ...)
- - libfsntfs <unfixed>
+ - libfsntfs <unfixed> (low)
+ [stretch] - libfsntfs <no-dsa> (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2018/Jun/17
CVE-2018-11726 (The mobi_decode_font_resource function in util.c in Libmobi 0.3 allows ...)
NOT-FOR-US: Libmobi
@@ -2211,7 +2218,8 @@ CVE-2018-11725 (The mobi_parse_index_entry function in index.c in Libmobi 0.3 al
CVE-2018-11724 (The mobi_pk1_decrypt function in encryption.c in Libmobi 0.3 allows ...)
NOT-FOR-US: Libmobi
CVE-2018-11723 (The libpff_name_to_id_map_entry_read function in ...)
- - libpff <unfixed> (bug #901967)
+ - libpff <unfixed> (low; bug #901967)
+ [stretch] - libpff <no-dsa> (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2018/Jun/15
CVE-2018-11722 (WUZHI CMS 4.1.0 has a SQL Injection in api/uc.php via the 'code' ...)
NOT-FOR-US: WUZHI CMS
@@ -19486,17 +19494,17 @@ CVE-2018-5433 (The TIBCO Administrator server component of TIBCO Software Inc.'s
CVE-2018-5432 (The TIBCO Administrator server component of of TIBCO Software Inc.'s ...)
TODO: check
CVE-2018-5431 (The domain designer component of TIBCO Software Inc.'s TIBCO ...)
- - jasperreports <unfixed>
+ - jasperreports <undetermined>
[jessie] - jasperreports <end-of-life> (not supported in Jessie)
[wheezy] - jasperreports <end-of-life> (not supported in Wheezy)
NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5431
CVE-2018-5430 (The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports ...)
- - jasperreports <unfixed>
+ - jasperreports <undetermined>
[jessie] - jasperreports <end-of-life> (not supported in Jessie)
[wheezy] - jasperreports <end-of-life> (not supported in Wheezy)
NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430
CVE-2018-5429 (A vulnerability in the report scripting component of TIBCO Software ...)
- - jasperreports <unfixed>
+ - jasperreports <undetermined>
[jessie] - jasperreports <end-of-life> (not supported in Jessie)
[wheezy] - jasperreports <end-of-life> (not supported in Wheezy)
NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429
@@ -20013,11 +20021,13 @@ CVE-2018-5270 (** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver fil
CVE-2018-5269 (In OpenCV 3.3.1, an assertion failure happens in ...)
{DLA-1354-1}
- opencv <unfixed> (bug #886675)
+ [stretch] - opencv <ignored> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/10540
NOTE: 2.4 backport: https://patch-diff.githubusercontent.com/raw/opencv/opencv/pull/10901.patch
CVE-2018-5268 (In OpenCV 3.3.1, a heap-based buffer overflow happens in ...)
{DLA-1354-1}
- opencv <unfixed> (bug #886674)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/10541
NOTE: 2.4 backport: https://patch-diff.githubusercontent.com/raw/opencv/opencv/pull/10901.patch
CVE-2018-5267 (Cobham Sea Tel 121 build 222701 devices allow remote attackers to ...)
@@ -23500,6 +23510,7 @@ CVE-2017-1000451 (fs-git is a file system like api for git repository. The fs-gi
CVE-2017-1000450 (In opencv/modules/imgcodecs/src/utils.cpp, functions FillUniColor and ...)
{DLA-1235-1}
- opencv <unfixed> (bug #886282)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9723
NOTE: https://github.com/blendin/pocs/blob/master/opencv/0.OOB_Write_FillUniColor
NOTE: https://github.com/opencv/opencv/pull/9726
@@ -24970,6 +24981,7 @@ CVE-2017-17787 (In GIMP 2.8.22, there is a heap-based buffer over-read in ...)
CVE-2017-17760 (OpenCV 3.3.1 has a Buffer Overflow in the cv::PxMDecoder::readData ...)
{DLA-1235-1}
- opencv <unfixed> (bug #885843)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/10351
NOTE: https://github.com/opencv/opencv/pull/10369/commits/7bbe1a53cfc097b82b1589f7915a2120de39274c
CVE-2017-17759 (Conarc iChannel allows remote attackers to obtain sensitive ...)
@@ -47815,14 +47827,17 @@ CVE-2017-12865 (Stack-based buffer overflow in "dnsproxy.c" in connman
CVE-2017-12864 (In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function ReadNumber did ...)
{DLA-1117-1}
- opencv <unfixed> (bug #875345)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9372
CVE-2017-12863 (In opencv/modules/imgcodecs/src/grfmt_pxm.cpp, function ...)
{DLA-1117-1}
- opencv <unfixed> (bug #875344)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9371
CVE-2017-12862 (In modules/imgcodecs/src/grfmt_pxm.cpp, the length of buffer ...)
{DLA-1117-1}
- opencv <unfixed> (bug #875342)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9370
CVE-2017-12861 (The Epson "EasyMP" software is designed to remotely stream a users ...)
NOT-FOR-US: Epson "EasyMP"
@@ -48631,45 +48646,56 @@ CVE-2016-10404 (XSS exists in Liferay Portal before 7.0 CE GA4 via a crafted red
CVE-2017-12606 (OpenCV (Open Source Computer Vision Library) through 3.3 has an ...)
{DLA-1117-1}
- opencv <unfixed> (bug #872044)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9309
CVE-2017-12605 (OpenCV (Open Source Computer Vision Library) through 3.3 has an ...)
{DLA-1117-1}
- opencv <unfixed> (bug #872044)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9309
CVE-2017-12604 (OpenCV (Open Source Computer Vision Library) through 3.3 has an ...)
{DLA-1117-1}
- opencv <unfixed> (bug #872044)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9309
CVE-2017-12603 (OpenCV (Open Source Computer Vision Library) through 3.3 has an invalid ...)
{DLA-1117-1}
- opencv <unfixed> (bug #872044)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9309
CVE-2017-12602 (OpenCV (Open Source Computer Vision Library) through 3.3 has a denial ...)
- opencv <unfixed> (bug #872045)
+ [stretch] - opencv <ignored> (Minor issue)
[wheezy] - opencv <ignored> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9311
CVE-2017-12601 (OpenCV (Open Source Computer Vision Library) through 3.3 has a buffer ...)
{DLA-1117-1}
- opencv <unfixed> (bug #872044)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9309
CVE-2017-12600 (OpenCV (Open Source Computer Vision Library) through 3.3 has a denial ...)
- opencv <unfixed> (bug #872045)
+ [stretch] - opencv <ignored> (Minor issue)
[wheezy] - opencv <ignored> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9311
CVE-2017-12599 (OpenCV (Open Source Computer Vision Library) through 3.3 has an ...)
{DLA-1117-1}
- opencv <unfixed> (bug #872044)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9309
CVE-2017-12598 (OpenCV (Open Source Computer Vision Library) through 3.3 has an ...)
{DLA-1117-1}
- opencv <unfixed> (bug #872044)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9309
CVE-2017-12597 (OpenCV (Open Source Computer Vision Library) through 3.3 has an ...)
{DLA-1117-1}
- opencv <unfixed> (bug #872044)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://github.com/opencv/opencv/issues/9309
CVE-2017-12596 (In OpenEXR 2.2.0, a crafted image causes a heap-based buffer over-read ...)
- openexr 2.2.0-11.1 (bug #877352)
+ [stretch] - opencv <no-dsa> (Minor issue)
[wheezy] - openexr 1.6.1-6+deb7u1
NOTE: https://github.com/openexr/openexr/issues/238
NOTE: Upstream fix https://github.com/openexr/openexr/commit/f09f5f26c1924c4f7e183428ca79c9881afaf53c
@@ -111935,12 +111961,14 @@ CVE-2016-1518 (The auto-provisioning mechanism in the Grandstream Wave app 1.0.1
NOT-FOR-US: Grandstream Wave app
CVE-2016-1517 (OpenCV 3.0.0 allows remote attackers to cause a denial of service ...)
- opencv <unfixed> (bug #872043)
+ [stretch] - opencv <ignored> (Minor issue)
[wheezy] - opencv <no-dsa> (Minor issue)
NOTE: https://arxiv.org/pdf/1701.04739.pdf
NOTE: https://github.com/opencv/opencv/issues/5956
CVE-2016-1516 (OpenCV 3.0.0 has a double free issue that allows attackers to execute ...)
{DLA-1117-1}
- opencv <unfixed> (bug #872043)
+ [stretch] - opencv <no-dsa> (Minor issue)
NOTE: https://arxiv.org/pdf/1701.04739.pdf
NOTE: https://github.com/opencv/opencv/issues/5956
CVE-2016-1515
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d06ab61e98e4331106675cac8ec9a190f930cffd
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d06ab61e98e4331106675cac8ec9a190f930cffd
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180622/1a7bee4d/attachment-0001.html>
More information about the debian-security-tracker-commits
mailing list