[Git][security-tracker-team/security-tracker][master] Triage results.

Ola Lundqvist opal at debian.org
Tue Nov 13 20:15:51 GMT 2018


Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ce1b4087 by Ola Lundqvist at 2018-11-13T20:15:35Z
Triage results.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -314,16 +314,19 @@ CVE-2018-19216 (Netwide Assembler (NASM) before 2.13.02 has a use-after-free in
 	TODO: Something is not correct about this CVE, the upstream bug is 3392425, but commit references 3392525, and the former is really fixed in 2.13.02 but the latter is unfixed in 2.13.02 and even 2.13.03.
 CVE-2018-19215 (Netwide Assembler (NASM) 2.14rc16 has a heap-based buffer over-read in ...)
 	- nasm <unfixed>
+	[jessie] - nasm <ignored> (Minor issue)
 	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392525
 	NOTE: https://repo.or.cz/nasm.git/commit/4b5b737d4991578b1918303dc0fd9c9ab5c7ce4f
 	TODO: check
 CVE-2018-19214 (Netwide Assembler (NASM) 2.14rc15 has a heap-based buffer over-read in ...)
 	- nasm <unfixed>
+	[jessie] - nasm <ignored> (Minor issue)
 	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392521
 	NOTE: https://repo.or.cz/nasm.git/commit/661f723d39e03ca6eb05d7376a43ca33db478354
 	TODO: check
 CVE-2018-19213 (Netwide Assembler (NASM) through 2.14rc16 has memory leaks that may ...)
 	- nasm <unfixed>
+	[jessie] - nasm <ignored> (Minor issue)
 	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392524
 	TODO: check
 CVE-2018-19212 (In libwebm through 2018-10-03, there is an abort caused by ...)
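Review bot: the three added `[jessie] - nasm <ignored> (Minor issue)` lines sit under entries that still carry `TODO: check`. The TODO on the preceding CVE-2018-19216 entry also reports confusion between upstream bugs 3392425 and 3392525, and 3392525 is the bug CVE-2018-19215 references. If the check is what produced this triage, drop the `TODO: check` lines in the same commit. Otherwise, confirm that the jessie version contains the affected code before recording a final decision.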
@@ -520,6 +523,7 @@ CVE-2018-19121 (An issue has been found in libIEC61850 v1.3. It is a SEGV in ...
 	NOT-FOR-US: libIEC61850
 CVE-2018-19141 (Open Ticket Request System (OTRS) 4.0.x before 4.0.33 and 5.0.x before ...)
 	- otrs2 6.0.1-1
+	[jessie] - otrs2 <ignored> (Minor issue)
 	NOTE: https://community.otrs.com/security-advisory-2018-09-security-update-for-otrs-framework/
 	NOTE: Only the 4.x and 5.x series are affected (and possibly earlier versions).
 	NOTE: Add workaround and mark first 6.x version as fixing version
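Review bot: for CVE-2018-19141 the reason "Minor issue" does not say whether the jessie otrs2 version is in the affected range. The existing NOTE names only the 4.x and 5.x series "and possibly earlier versions". If jessie's version is outside that range, `<not-affected>` with a short reason would be more accurate than `<ignored>`. If it is inside, a NOTE stating the jessie version and why the impact is minor would make the decision reviewable.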
@@ -537,6 +541,7 @@ CVE-2018-19120 [HTML Thumbnailer automatic remote file access]
 	[stretch] - kio-extras <no-dsa> (Minor issue)
 	- kde-runtime <unfixed> (bug #913596)
 	[stretch] - kde-runtime <no-dsa> (Minor issue)
+	[jessie] - kde-runtime <ignored> (Minor issue)
 	NOTE: https://www.kde.org/info/security/advisory-20181012-1.txt
 CVE-2018-19119
 	RESERVED
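Review bot: CVE-2018-19120 lists two source packages, kio-extras and kde-runtime, but the jessie line is added only for kde-runtime. If kio-extras is also shipped in jessie, it needs its own `[jessie]` line. If it is not, no change is needed here.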
@@ -571,11 +576,13 @@ CVE-2018-19109 (tianti 2.3 allows remote authenticated users to bypass intended
 CVE-2018-19108 (In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PSD ...)
 	- exiv2 <unfixed> (bug #913272)
 	[stretch] - exiv2 <no-dsa> (Minor issue)
+	[jessie] - exiv2 <ignored> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/426
 	NOTE: https://github.com/Exiv2/exiv2/pull/518
 CVE-2018-19107 (In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from ...)
 	- exiv2 <unfixed> (bug #913273)
 	[stretch] - exiv2 <no-dsa> (Minor issue)
+	[jessie] - exiv2 <ignored> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/427
 	NOTE: https://github.com/Exiv2/exiv2/pull/518
 CVE-2018-19106
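Review bot: both exiv2 entries get `<ignored>` for jessie, while the stretch lines directly above use `<no-dsa>` with the same "Minor issue" reason. `<ignored>` records that the issue will not be fixed in that release, whereas `<no-dsa>` leaves it open to be picked up in a later update. Since upstream PR 518 is already referenced as a fix, consider `<no-dsa>` for jessie too, unless the intent really is never to backport.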


=====================================
data/dla-needed.txt
=====================================
@@ -23,6 +23,8 @@ jasper (apo)
   NOTE: 20181104: consider fixing no-dsa issues too because the package is used
   NOTE: by almost 50 % of sponsors. (apo)
 --
+keepalived
+--
 libapache-mod-jk (Roberto C. Sánchez)
   NOTE: 20181104: I contacted the security team and asked about upgrading the
   NOTE: package to the latest upstream version because the changes are rather
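Review bot: the new `keepalived` entry has no NOTE and no claimant, and this commit's data/CVE/list changes do not touch any keepalived CVE. Add a dated NOTE naming the CVE(s) that prompted it, in the style of the jasper entry above (`NOTE: 20181104: ...`), so whoever claims the package knows what to fix.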
@@ -57,6 +59,8 @@ openjpeg2 (Hugo Lefeuvre)
 --
 openssl (Thorsten Alteholz)
 --
+otrs2
+--
 pdns (Abhijith PA)
 --
 qemu (Santiago)
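Review bot: `otrs2` is added to dla-needed.txt in the same commit that marks CVE-2018-19141 as `[jessie] - otrs2 <ignored> (Minor issue)` in data/CVE/list. As written, the two files appear to disagree about whether otrs2 needs work in jessie. Add a NOTE under the entry naming the CVE that does require a DLA, so it is clear this is a different issue from the ignored one.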



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ce1b40877cc2bc0597185461bd92da6027d2749d
