[Secure-testing-commits] [Git][security-tracker-team/security-tracker][master] Add more fixes from 9.4

Salvatore Bonaccorso carnil at debian.org
Sat Mar 10 10:03:11 UTC 2018


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2309a8eb by Salvatore Bonaccorso at 2018-03-10T11:02:24+01:00
Add more fixes from 9.4

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2152,7 +2152,7 @@ CVE-2018-1000086
 CVE-2018-1000085 [Out-of-bounds heap read in XAR parser]
 	RESERVED
 	- clamav 0.99.3~beta1+dfsg-1
-	[stretch] - clamav <no-dsa> (clamav is updated via -updates)
+	[stretch] - clamav 0.99.4+dfsg-1+deb9u1
 	[jessie] - clamav <no-dsa> (clamav is updated via -updates)
 	NOTE: https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6
 	NOTE: http://www.openwall.com/lists/oss-security/2017/09/29/4
@@ -2536,7 +2536,7 @@ CVE-2018-7181
 CVE-2017-18190 (A localhost.localdomain whitelist entry in valid_host() in ...)
 	{DLA-1288-1}
 	- cups 2.2.3-2
-	[stretch] - cups <no-dsa> (Minor issue, can be fixed via pu)
+	[stretch] - cups 2.2.1-8+deb9u1
 	[jessie] - cups <no-dsa> (Minor issue, can be fixed via pu)
 	NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1048
 	NOTE: https://github.com/apple/cups/commit/afa80cb2b457bf8d64f775bed307588610476c41 (v2.2.2)
@@ -3812,7 +3812,7 @@ CVE-2018-6658
 CVE-2018-6758 (The uwsgi_expand_path function in core/utils.c in Unbit uWSGI through ...)
 	{DLA-1275-1}
 	- uwsgi 2.0.15-10.2 (bug #889753)
-	[stretch] - uwsgi <no-dsa> (Minor issue)
+	[stretch] - uwsgi 2.0.14+20161117-3+deb9u1
 	[jessie] - uwsgi <no-dsa> (Minor issue)
 	NOTE: http://lists.unbit.it/pipermail/uwsgi/2018-February/008835.html
 	NOTE: https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe
@@ -4226,7 +4226,7 @@ CVE-2018-6561 (dijit.Editor in Dojo Toolkit 1.13 allows XSS via the onload attri
 	NOTE: https://github.com/imsebao/404team/blob/master/dijit_editor_xss.md
 CVE-2018-6560 (In dbus-proxy/flatpak-proxy.c in Flatpak before 0.8.9, and 0.9.x and ...)
 	- flatpak 0.10.3-1 (bug #888842)
-	[stretch] - flatpak <no-dsa> (Minor issue; will be fixed via point release)
+	[stretch] - flatpak 0.8.9-0+deb9u1
 	NOTE: https://github.com/flatpak/flatpak/commit/52346bf187b5a7f1c0fe9075b328b7ad6abe78f6
 CVE-2018-6559
 	RESERVED
@@ -5300,18 +5300,19 @@ CVE-2017-1000474 (Soyket Chowdhury Vehicle Sales Management System version 2017-
 	NOT-FOR-US: Soyket Chowdhury Vehicle Sales Management System
 CVE-2018-6198 (w3m through 0.5.3 does not properly handle temporary files when the ...)
 	- w3m 0.5.3-36 (bug #888097; unimportant)
+	[stretch] - w3m 0.5.3-34+deb9u1
 	NOTE: https://github.com/tats/w3m/commit/18dcbadf2771cdb0c18509b14e4e73505b242753
 	NOTE: Neutralised by kernel hardening
 CVE-2018-6197 (w3m through 0.5.3 is prone to a NULL pointer dereference flaw in ...)
 	- w3m 0.5.3-36 (low)
-	[stretch] - w3m <no-dsa> (Minor issue)
+	[stretch] - w3m 0.5.3-34+deb9u1
 	[jessie] - w3m <no-dsa> (Minor issue)
 	[wheezy] - w3m <no-dsa> (Minor issue)
 	NOTE: https://github.com/tats/w3m/issues/89
 	NOTE: https://github.com/tats/w3m/commit/7fdc83b0364005a0b5ed869230dd81752ba022e8
 CVE-2018-6196 (w3m through 0.5.3 is prone to an infinite recursion flaw in ...)
 	- w3m 0.5.3-36 (low)
-	[stretch] - w3m <no-dsa> (Minor issue)
+	[stretch] - w3m 0.5.3-34+deb9u1
 	[jessie] - w3m <no-dsa> (Minor issue)
 	[wheezy] - w3m <no-dsa> (Minor issue)
 	NOTE: https://github.com/tats/w3m/issues/88
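Review bot: the new `[stretch] - w3m 0.5.3-34+deb9u1` line under CVE-2018-6198 sits in an entry whose unstable line is still tagged `unimportant` (`- w3m 0.5.3-36 (bug #888097; unimportant)`) and which carries `NOTE: Neutralised by kernel hardening`; the tracker does not report unimportant issues as open for any release, so the added line changes nothing in the stretch view. If the 9.4 upload did fix it alongside the two `(low)` issues, consider either dropping the severity tag or leaving this entry without a per-release line, as the other unimportant entries in the file are. The header count change (18 to 19) matches the single added line.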
@@ -21574,7 +21575,7 @@ CVE-2018-0203 (A vulnerability in the SMTP relay of Cisco Unity Connection could
 CVE-2018-0202 [Out-of-bounds access in the PDF parser]
 	RESERVED
 	- clamav <unfixed>
-	[stretch] - clamav <no-dsa> (clamav is updated via -updates)
+	[stretch] - clamav 0.99.4+dfsg-1+deb9u1
 	[jessie] - clamav <no-dsa> (clamav is updated via -updates)
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11973
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11980
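Review bot: CVE-2018-0202 now records stretch as fixed in `clamav 0.99.4+dfsg-1+deb9u1` while the unstable line still reads `- clamav <unfixed>`; if 0.99.4 carries the upstream fix, the unstable entry should be updated to the matching 0.99.4 upload in the same commit, otherwise the tracker will show sid vulnerable and stretch fixed for the same upstream release. The `[jessie]` line keeps its `updated via -updates` rationale, which is consistent with jessie being handled outside the point release.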
@@ -22004,7 +22005,7 @@ CVE-2017-16928 (The arq_updater binary in Arq 5.10 and earlier for Mac allows lo
 CVE-2017-16927 (The scp_v0s_accept function in sesman/libscp/libscp_v0.c in the session ...)
 	{DLA-1203-1}
 	- xrdp 0.9.4-3 (bug #882463)
-	[stretch] - xrdp <no-dsa> (Minor issue)
+	[stretch] - xrdp 0.9.1-9+deb9u2
 	[jessie] - xrdp <no-dsa> (Minor issue)
 	NOTE: Proposed pull request: https://github.com/neutrinolabs/xrdp/pull/958
 	NOTE: https://groups.google.com/forum/#!topic/xrdp-devel/PmVfMuy_xBA
@@ -22322,7 +22323,7 @@ CVE-2017-16867 (Amazon Key through 2017-11-16 mishandles Cloud Cam 802.11 ...)
 	NOT-FOR-US: Amazon Key
 CVE-2017-1000248 (Redis-store <=v1.3.0 allows unsafe objects to be loaded from redis ...)
 	- ruby-redis-store 1.1.6-2 (bug #882034)
-	[stretch] - ruby-redis-store <no-dsa> (Minor issue)
+	[stretch] - ruby-redis-store 1.1.6-1+deb9u1
 	NOTE: https://github.com/redis-store/redis-store/commit/e0c1398d54a9661c8c70267c3a925ba6b192142e
 CVE-2017-1000247 (British Columbia Institute of Technology CodeIgniter 3.1.3 is ...)
 	NOT-FOR-US: CodeIgniter
@@ -25427,7 +25428,7 @@ CVE-2017-15917 (In Paessler PRTG Network Monitor 17.3.33.2830, it's possible to 
 	NOT-FOR-US: Paessler PRTG Network Monitor
 CVE-2017-15908 (In systemd 223 through 235, a remote DNS server can respond with a ...)
 	- systemd 235-3 (bug #880026)
-	[stretch] - systemd <no-dsa> (Minor issue; systemd-resolved not enabled by default)
+	[stretch] - systemd 232-25+deb9u2
 	[jessie] - systemd <not-affected> (Vulnerable code introduced later)
 	[wheezy] - systemd <not-affected> (Vulnerable code introduced later)
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1725351
@@ -25457,7 +25458,7 @@ CVE-2017-15907 (SQL injection vulnerability in phpCollab 2.5.1 and earlier allow
 	NOT-FOR-US: phpCollab
 CVE-2017-15906 (The process_open function in sftp-server.c in OpenSSH before 7.6 does ...)
 	- openssh 1:7.6p1-1 (low)
-	[stretch] - openssh <no-dsa> (Minor issue)
+	[stretch] - openssh 1:7.4p1-10+deb9u3
 	[jessie] - openssh <no-dsa> (Minor issue)
 	[wheezy] - openssh <no-dsa> (Minor issue)
 	NOTE: https://github.com/openbsd/src/commit/a6981567e8e215acc1ef690c8dbb30f2d9b00a19
@@ -36149,7 +36150,7 @@ CVE-2017-12381
 CVE-2017-12380 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
 	{DLA-1261-1}
 	- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
-	[stretch] - clamav <no-dsa> (clamav is updated via -updates)
+	[stretch] - clamav 0.99.2+dfsg-6+deb9u1
 	[jessie] - clamav <no-dsa> (clamav is updated via -updates)
 	NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11945
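Review bot: the stretch version recorded here, `0.99.2+dfsg-6+deb9u1`, differs from the `0.99.4+dfsg-1+deb9u1` used for the CVE-2018 ClamAV entries earlier in this patch, and the NOTE points at the upstream 0.99.3 release announcement; a 0.99.2-based version therefore implies backported patches rather than the upstream release, so it is worth confirming that the deb9u1 changelog names this CVE before the `<no-dsa>` marker is dropped. The same version is applied to CVE-2017-12374 through CVE-2017-12379 in the following hunks, so one check covers all seven.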
@@ -36157,7 +36158,7 @@ CVE-2017-12380 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ..
 CVE-2017-12379 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
 	{DLA-1261-1}
 	- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
-	[stretch] - clamav <no-dsa> (clamav is updated via -updates)
+	[stretch] - clamav 0.99.2+dfsg-6+deb9u1
 	[jessie] - clamav <no-dsa> (clamav is updated via -updates)
 	NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11944
@@ -36165,7 +36166,7 @@ CVE-2017-12379 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ..
 CVE-2017-12378 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
 	{DLA-1261-1}
 	- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
-	[stretch] - clamav <no-dsa> (clamav is updated via -updates)
+	[stretch] - clamav 0.99.2+dfsg-6+deb9u1
 	[jessie] - clamav <no-dsa> (clamav is updated via -updates)
 	NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11946
@@ -36174,7 +36175,7 @@ CVE-2017-12378 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ..
 CVE-2017-12377 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
 	{DLA-1261-1}
 	- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
-	[stretch] - clamav <no-dsa> (clamav is updated via -updates)
+	[stretch] - clamav 0.99.2+dfsg-6+deb9u1
 	[jessie] - clamav <no-dsa> (clamav is updated via -updates)
 	NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11943
@@ -36183,7 +36184,7 @@ CVE-2017-12377 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ..
 CVE-2017-12376 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
 	{DLA-1261-1}
 	- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
-	[stretch] - clamav <no-dsa> (clamav is updated via -updates)
+	[stretch] - clamav 0.99.2+dfsg-6+deb9u1
 	[jessie] - clamav <no-dsa> (clamav is updated via -updates)
 	NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11942
@@ -36191,7 +36192,7 @@ CVE-2017-12376 (ClamAV AntiVirus software versions 0.99.2 and prior contain a ..
 CVE-2017-12375 (The ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
 	{DLA-1261-1}
 	- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
-	[stretch] - clamav <no-dsa> (clamav is updated via -updates)
+	[stretch] - clamav 0.99.2+dfsg-6+deb9u1
 	[jessie] - clamav <no-dsa> (clamav is updated via -updates)
 	NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11940
@@ -36199,7 +36200,7 @@ CVE-2017-12375 (The ClamAV AntiVirus software versions 0.99.2 and prior contain 
 CVE-2017-12374 (The ClamAV AntiVirus software versions 0.99.2 and prior contain a ...)
 	{DLA-1261-1}
 	- clamav 0.99.3~beta2+dfsg-1 (bug #888484)
-	[stretch] - clamav <no-dsa> (clamav is updated via -updates)
+	[stretch] - clamav 0.99.2+dfsg-6+deb9u1
 	[jessie] - clamav <no-dsa> (clamav is updated via -updates)
 	NOTE: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11939
@@ -38842,6 +38843,7 @@ CVE-2017-11423 (The cabd_read_string function in mspack/cabd.c in libmspack 0.5a
 	{DSA-3946-1 DLA-1279-1}
 	- libmspack 0.6-1 (bug #868956)
 	- clamav 0.99.3~beta1+dfsg-1 (unimportant)
+	[stretch] - clamav 0.99.4+dfsg-1+deb9u1
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11873 (not public)
 	NOTE: https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38
 	NOTE: https://github.com/hackerlib/hackerlib-vul/tree/master/clamav-vul
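Review bot: the added `[stretch] - clamav 0.99.4+dfsg-1+deb9u1` line is attached to a clamav entry tagged `(unimportant)`, the issue itself being handled by the `libmspack 0.6-1` upload and `DSA-3946-1`; a later hunk in this patch notes that ClamAV uses the system libmspack when available, so this stretch line is informational only. Consider keeping the `(unimportant)` tag as the governing annotation so the new version line does not read as a clamav security upload for this CVE. The header count (6 to 7) matches the one added line.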
@@ -54564,7 +54566,7 @@ CVE-2017-6421 (In the touch controller function in all Qualcomm products with An
 CVE-2017-6420 (The wwunpack function in libclamav/wwunpack.c in ClamAV 0.99.2 allows ...)
 	{DLA-1261-1 DLA-1105-1}
 	- clamav 0.99.3~beta1+dfsg-1
-	[stretch] - clamav <no-dsa> (Gets updated via -updates)
+	[stretch] - clamav 0.99.2+dfsg-6+deb9u1
 	[jessie] - clamav <no-dsa> (Gets updated via -updates)
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11798
 	NOTE: https://github.com/vrtadmin/clamav-devel/commit/dfc00cd3301a42b571454b51a6102eecf58407bc
@@ -54573,6 +54575,7 @@ CVE-2017-6419 (mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, al
 	{DSA-3946-1 DLA-1279-1}
 	- libmspack 0.6-1 (bug #871263)
 	- clamav 0.99.3~beta1+dfsg-1 (unimportant)
+	[stretch] - clamav 0.99.4+dfsg-1+deb9u1
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11701
 	NOTE: https://github.com/vrtadmin/clamav-devel/commit/a83773682e856ad6529ba6db8d1792e6d515d7f1
 	NOTE: ClamAV uses the libmspack system library when available. This is the
@@ -54583,7 +54586,7 @@ CVE-2017-6419 (mspack/lzxd.c in libmspack 0.5alpha, as used in ClamAV 0.99.2, al
 CVE-2017-6418 (libclamav/message.c in ClamAV 0.99.2 allows remote attackers to cause a ...)
 	{DLA-1261-1 DLA-1105-1}
 	- clamav 0.99.3~beta1+dfsg-1
-	[stretch] - clamav <no-dsa> (Gets updated via -updates)
+	[stretch] - clamav 0.99.2+dfsg-6+deb9u1
 	[jessie] - clamav <no-dsa> (Gets updated via -updates)
 	NOTE: https://bugzilla.clamav.net/show_bug.cgi?id=11797
 	NOTE: https://github.com/vrtadmin/clamav-devel/commit/586a5180287262070637c8943f2f7efd652e4a2c
@@ -56466,7 +56469,7 @@ CVE-2017-5754 (Systems with microprocessors utilizing speculative execution and 
 	[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
 	[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-340xx 340.106-1
-	[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
+	[stretch] - nvidia-graphics-drivers-legacy-340xx 340.106-1~deb9u1
 	- nvidia-graphics-drivers-legacy-304xx <unfixed>
 	[stretch] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
 	[jessie] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
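Review bot: the stretch version `340.106-1~deb9u1` uses a tilde suffix, which sorts below the `340.106-1` recorded for unstable; that is the correct choice for a rebuild of the same upstream upload for the point release, whereas the other entries in this patch use `+deb9uN` because they patch the existing stretch version. The `-legacy-304xx` stretch line stays `<no-dsa>`, consistent with its `<unfixed>` unstable line. The same change is repeated for CVE-2017-5753 and CVE-2017-5715 in the next two hunks.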
@@ -56484,7 +56487,7 @@ CVE-2017-5753 (Systems with microprocessors utilizing speculative execution and 
 	[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
 	[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-340xx 340.106-1
-	[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
+	[stretch] - nvidia-graphics-drivers-legacy-340xx 340.106-1~deb9u1
 	- nvidia-graphics-drivers-legacy-304xx <unfixed>
 	[stretch] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
 	[jessie] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
@@ -56594,7 +56597,7 @@ CVE-2017-5715 (Systems with microprocessors utilizing speculative execution and 
 	[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
 	[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-340xx 340.106-1
-	[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
+	[stretch] - nvidia-graphics-drivers-legacy-340xx 340.106-1~deb9u1
 	- nvidia-graphics-drivers-legacy-304xx <unfixed>
 	[stretch] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
 	[jessie] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2309a8eb2de74f79cdd5eee556931c3cb74c4657
