[Git][security-tracker-team/security-tracker][master] 3 commits: jasper: Remove no-dsa tags. These issues will be fixed in an upcoming DLA.
Markus Koschany
apo at debian.org
Mon Nov 19 22:13:26 GMT 2018
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9507defe by Markus Koschany at 2018-11-19T22:02:56Z
jasper: Remove no-dsa tags. These issues will be fixed in an upcoming DLA.
- - - - -
b074ccc4 by Markus Koschany at 2018-11-19T22:12:06Z
jasper: Update some NOTES. Link to proposed solutions.
- - - - -
74fa68f2 by Markus Koschany at 2018-11-19T22:13:06Z
Merge branch 'master' of salsa.debian.org:security-tracker-team/security-tracker
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -62525,9 +62525,9 @@ CVE-2017-14133
RESERVED
CVE-2017-14132 (JasPer 2.0.13 allows remote attackers to cause a denial of service ...)
- jasper <removed> (low)
- [jessie] - jasper <ignored> (Minor issue)
[wheezy] - jasper <ignored> (Minor issue)
NOTE: https://github.com/mdadams/jasper/issues/147
+ NOTE: The suggested fix by thoger addresses the reported issue.
CVE-2017-14131
RESERVED
CVE-2017-14130 (The _bfd_elf_parse_attributes function in elf-attrs.c in the Binary ...)
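Review bot: the added NOTE for CVE-2017-14132 credits "thoger" but does not say where the suggested fix can be found; the only URL in the entry is the issue link on the line above it. Link the comment or patch that carries the fix, so whoever prepares the DLA does not have to search the thread for it.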
@@ -63557,9 +63557,9 @@ CVE-2017-13749 (There is a reachable assertion abort in the function jpc_pi_next
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485285
CVE-2017-13748 (There are lots of memory leaks in JasPer 2.0.12, triggered in the ...)
- jasper <removed> (low)
- [jessie] - jasper <ignored> (Minor issue)
[wheezy] - jasper <ignored> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485287
+ NOTE: Fixed by https://github.com/mdadams/jasper/pull/159 but still no upstream comment.
CVE-2017-13747 (There is a reachable assertion abort in the function jpc_floorlog2() in ...)
- jasper <removed> (unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1485282
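Review bot: in the added NOTE for CVE-2017-13748, "Fixed by .../pull/159" reads as an accepted upstream fix, while the second half of the same line says upstream has not commented. Word it as a proposed fix, and replace "still" with a date so the note does not go stale once upstream responds.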
@@ -106639,7 +106639,6 @@ CVE-2016-8691 (The jpc_dec_process_siz function in libjasper/jpc/jpc_dec.c in Ja
NOTE: Not suitable for code injection, hardly denial of service
CVE-2016-8690 (The bmp_getdata function in libjasper/bmp/bmp_dec.c in JasPer before ...)
- jasper <removed> (low; bug #841112)
- [jessie] - jasper <no-dsa> (Minor issue)
[wheezy] - jasper <no-dsa> (Minor issue)
NOTE: CVE ID for the first and fifth items of http://www.openwall.com/lists/oss-security/2016/08/23/6 post
NOTE: https://blogs.gentoo.org/ago/2016/10/16/jasper-two-null-pointer-dereference-in-bmp_getdata-bmp_dec-c/
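Review bot: the jessie "<no-dsa>" line for CVE-2016-8690 is removed without a NOTE pointing to a fix, unlike the two 2017 entries earlier in this push. The remaining NOTE lines link only to the oss-security post and the Gentoo write-up, so add the fixing commit or patch reference if one is known.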
@@ -144648,7 +144647,6 @@ CVE-2015-5222 (Red Hat OpenShift Enterprise 3.0.0.0 does not properly check ...)
NOT-FOR-US: OpenShift
CVE-2015-5221 (Use-after-free vulnerability in the mif_process_cmpt function in ...)
- jasper <removed> (bug #796253)
- [jessie] - jasper <no-dsa> (Minor issue)
[wheezy] - jasper <no-dsa> (Minor issue)
[squeeze] - jasper <no-dsa> (Minor issue)
NOTE: http://www.openwall.com/lists/oss-security/2015/08/20/4
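Review bot: once the jessie "<no-dsa>" line for CVE-2015-5221 is gone, nothing in the entry says why jessie is open again; the plan for a DLA is recorded only in the commit message. A short NOTE in the entry stating that intent would keep it visible to people reading the tracker rather than the git log.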
@@ -144713,12 +144711,9 @@ CVE-2015-5204 (CRLF injection vulnerability in the Apache Cordova File Transfer
NOT-FOR-US: Apache Cordova Android File Transfer Plugin
CVE-2015-5203 (Double free vulnerability in the jasper_image_stop_load function in ...)
- jasper <removed> (bug #796107)
- [jessie] - jasper <no-dsa> (Minor issue)
[wheezy] - jasper <no-dsa> (Minor issue)
[squeeze] - jasper <no-dsa> (Minor issue)
- NOTE: Analysis/More information: https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c3
- NOTE: The patch http://sf.net/projects/mancha/files/sec/jasper-1.900.1_CVE-2015-5203.diff
- NOTE: breaks ABI.
+ NOTE: Analysis/More information/Fixing commits: https://bugzilla.redhat.com/show_bug.cgi?id=1254242#c11
CVE-2015-5202 (Red Hat Satellite 6 allows remote authenticated users with privileged ...)
NOT-FOR-US: Satellite6
CVE-2015-5201
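Review bot: the removed NOTE lines for CVE-2015-5203 recorded that the jasper-1.900.1_CVE-2015-5203.diff patch "breaks ABI", and the replacement NOTE pointing to comment #c11 drops that caveat. If the fixing commits referenced there avoid the ABI break, say so in the NOTE; otherwise keep the warning so the patch is not picked up for a stable or LTS upload by mistake.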
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/241e073027bbf82b485e90ab63fc383a810deb89...74fa68f26563641425695d39d1ddeb4aab7eb60f