[Git][security-tracker-team/security-tracker][master] 2 commits: Spice in wheezy is affected. The question is whether it is worth fixing in wheezy or not.
Ola Lundqvist
opal at debian.org
Sat May 12 19:28:19 BST 2018
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker
Commits:
75cccfc3 by Ola Lundqvist at 2018-05-12T20:16:39+02:00
Spice in wheezy is affected. The question is whether it is worth fixing in wheezy or not.
- - - - -
d5f58df1 by Ola Lundqvist at 2018-05-12T20:27:50+02:00
Decided to ignore blender vulnerability as the advice is that not even oldstable will be fixed.
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -45034,8 +45034,8 @@ CVE-2017-12195
RESERVED
NOT-FOR-US: OpenShift
CVE-2017-12194 (A flaw was found in the way spice-client processed certain messages ...)
- - spice-gtk <undetermined>
- - spice <undetermined>
+ - spice-gtk 0.12
+ - spice 0.11
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1240165
TODO: check for details
CVE-2017-12193 (The assoc_array_insert_into_terminal_node function in lib/assoc_array.c ...)
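Review bot: The added lines "- spice-gtk 0.12" and "- spice 0.11" use the same form as "- blender 2.79.a+dfsg0-1" further down, which records the version carrying the fix, yet the commit message says spice in wheezy is affected and the entry keeps "TODO: check for details". If 0.12 and 0.11 are not confirmed fixed versions, keep the unstable lines as <undetermined> or <unfixed> and record the wheezy finding on a separate "[wheezy] - spice ..." line, with a NOTE saying where the version numbers come from.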
@@ -45387,30 +45387,37 @@ CVE-2017-12106 (A memory corruption vulnerability exists in the .TGA parsing ...
NOT-FOR-US: Computerinsel Photoline
CVE-2017-12105 (An exploitable integer overflow exists in the way that the Blender ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0457
CVE-2017-12104 (An exploitable integer overflow exists in the way that the Blender ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e6df02861e17f75d4dd243776f35208681b78465
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0456
CVE-2017-12103 (An exploitable integer overflow exists in the way that the Blender ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e6df02861e17f75d4dd243776f35208681b78465
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0455
CVE-2017-12102 (An exploitable integer overflow exists in the way that the Blender ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e6df02861e17f75d4dd243776f35208681b78465
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0454
CVE-2017-12101 (An exploitable integer overflow exists in the ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0453
CVE-2017-12100 (An exploitable integer overflow exists in the 'multires_load_old_dm' ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0452
CVE-2017-12099 (An exploitable integer overflow exists in the upgrade of the legacy ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0451
CVE-2017-12098 (An exploitable cross site scripting (XSS) vulnerability exists in the ...)
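Review bot: The parenthetical on each added line, "(Vulnerable but not ignored)", contradicts the <ignored> state it annotates. It looks like a slip for "Vulnerable but ignored" or similar. Reword it once and apply the same text to all seven entries in this hunk and to the identical lines in the later hunks.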
@@ -45443,6 +45450,7 @@ CVE-2017-12087 (An exploitable heap overflow vulnerability exists in the tinysvc
NOTE: https://bugs.launchpad.net/ubuntu/+source/shairport-sync/+bug/1729668
CVE-2017-12086 (An exploitable integer overflow exists in the ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0438
CVE-2017-12085 (An exploitable routing vulnerability exists in the Circle with Disney ...)
@@ -45453,10 +45461,12 @@ CVE-2017-12083 (An exploitable information disclosure vulnerability exists in th
NOT-FOR-US: Circle with Disney
CVE-2017-12082 (An exploitable integer overflow exists in the 'CustomData' Mesh ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0434
CVE-2017-12081 (An exploitable integer overflow exists in the upgrade of a legacy Mesh ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/e04d7c49dca9dc7bbf1cbe446b612aaa5ba12581
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0433
CVE-2017-12080 (An information exposure vulnerability in default HTTP configuration ...)
@@ -73984,6 +73994,7 @@ CVE-2017-2919 (An exploitable stack based buffer overflow vulnerability exists i
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0426
CVE-2017-2918 (An exploitable integer overflow exists in the Image loading ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
NOTE: :https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0425
CVE-2017-2917 (An exploitable vulnerability exists in the notifications functionality ...)
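Review bot: The context line under CVE-2017-2918 reads "NOTE: :https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0425", with a stray colon before the URL. It predates this change, but since the entry is being edited anyway, drop the extra colon so the reference matches the other TALOS notes.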
@@ -74009,43 +74020,53 @@ CVE-2017-2909 (An infinite loop programming error exists in the DNS server ...)
[wheezy] - smplayer <not-affected> (Vulnerable code not present)
CVE-2017-2908 (An exploitable integer overflow exists in the thumbnail functionality ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/07aed404cfb2759f97c60b9f64d8a9392dabaf1a
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0415
CVE-2017-2907 (An exploitable integer overflow exists in the animation playing ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0414
CVE-2017-2906 (An exploitable integer overflow exists in the animation playing ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0413
CVE-2017-2905 (An exploitable integer overflow exists in the bmp loading ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0412
CVE-2017-2904 (An exploitable integer overflow exists in the RADIANCE loading ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0411
CVE-2017-2903 (An exploitable integer overflow exists in the DPX loading ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0410
CVE-2017-2902 (An exploitable integer overflow exists in the DPX loading ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0409
CVE-2017-2901 (An exploitable integer overflow exists in the IRIS loading ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/829916f4e57a2d1580ff3b625f6bb909b9144a20
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0408
CVE-2017-2900 (An exploitable integer overflow exists in the PNG loading ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0407
CVE-2017-2899 (An exploitable integer overflow exists in the TIFF loading ...)
- blender 2.79.a+dfsg0-1
+ [wheezy] - blender <ignored> (Vulnerable but not ignored)
NOTE: https://git.blender.org/gitweb/gitweb.cgi/blender.git/commit/d30cc1ea0b9ba64d8a1e22105528b6cb8077692c
NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0406
CVE-2017-2898 (An exploitable vulnerability exists in the signature verification of ...)
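Review bot: None of the ten added "[wheezy] - blender <ignored>" lines in this hunk says why the issue is being ignored, whereas the context line at the top, "[wheezy] - smplayer <not-affected> (Vulnerable code not present)", uses its parenthetical for exactly that. Put the actual reason there (the second commit message gives one: the advice was that not even oldstable will be fixed) so the decision can be read from the entry itself.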
=====================================
data/dla-needed.txt
=====================================
--- a/data/dla-needed.txt
+++ b/data/dla-needed.txt
@@ -12,12 +12,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues
--
apache2 (Roberto C. Sánchez)
--
-blender
- NOTE: 20180511: The question is whether it is worth the effort to fix the problem. The package is
- NOTE: 20180511: clearly vulnerable and the vulnerability is rather severe (code execution) but
- NOTE: 20180511: the likelihood of possible exploit in practice is quite small. Sent a mail to the
- NOTE: 20180511: whole team for advice. (ola)
---
cups (Thorsten Alteholz)
NOTE: 20180318: not clear whether patch is fine, so no email to maintainer sent (alteholz)
--
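Review bot: Removing the blender block deletes the only written rationale for the triage decision (clearly vulnerable, code execution, low likelihood of exploit in practice, advice requested from the team), and the outcome of that advice is not recorded in the lines that replace it. Carry a short version of it into the data/CVE/list annotations or a NOTE there, so the reasoning survives outside the commit message.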
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/bdc64bc24d551893bd225f4aaafd97930dc03019...d5f58df10def62fac2bb69ed9465da2964a07d80