[Git][security-tracker-team/security-tracker][master] stretch triage
Moritz Muehlenhoff
jmm at debian.org
Fri Oct 12 21:03:39 BST 2018
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ec8c21a1 by Moritz Muehlenhoff at 2018-10-12T20:02:35Z
stretch triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -626,6 +626,7 @@ CVE-2018-18056
RESERVED
CVE-2018-1000810 (The Rust Programming Language Standard Library version 1.29.0, 1.28.0, ...)
- rustc <unfixed>
+ [stretch] - rustc <ignored> (Can be fixed along in future rustc update for ESR68)
NOTE: https://blog.rust-lang.org/2018/09/21/Security-advisory-for-std.html
NOTE: https://groups.google.com/forum/#!topic/rustlang-security-announcements/CmSuTm-SaU0
NOTE: Fixed upstream in 1.29.1
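Review bot: The rationale on the `+ [stretch] - rustc <ignored>` line describes a deferred fix ("Can be fixed along in future rustc update for ESR68"), which is what the tracker's `<postponed>` tag is for; `<ignored>` records that no fix is planned for stretch at all. If the intent is to ship the fix together with the rustc update that Firefox ESR 68 will need, `<postponed>` expresses that, and the reason reads more cleanly as "Can be fixed along with a future rustc update for ESR68". The NOTE lines already give the concrete upstream target (fixed in 1.29.1), so a postponed entry would have something to point at.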
@@ -1732,7 +1733,8 @@ CVE-2018-17568 (utils/ut_rpc.c in ViaBTC Exchange Server before 2018-08-21 has a
NOT-FOR-US: ViaBTC Exchange Server
CVE-2018-17567 (Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 ...)
{DLA-1541-1}
- - jekyll <unfixed> (bug #909933)
+ - jekyll <unfixed> (low; bug #909933)
+ [stretch] - jekyll <no-dsa> (Minor issue)
NOTE: https://github.com/jekyll/jekyll/pull/7224
NOTE: https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/
CVE-2018-17566 (In ThinkPHP 5.1.24, the inner function delete can be used for SQL ...)
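Review bot: The new `[stretch] - jekyll <no-dsa> (Minor issue)` line is consistent with the `low` severity added to the unstable line, but the entry already carries `{DLA-1541-1}`, so jessie shipped a fix while stretch will not get a DSA. Consider extending the reason to say whether that same fix is a candidate for a stretch point release, so a reader does not have to guess why the older release was patched and the newer one was not.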
@@ -1971,6 +1973,7 @@ CVE-2018-17456 (Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2
CVE-2018-17455 [IDOR merge request approvals]
RESERVED
- gitlab <unfixed>
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
CVE-2018-17454 [Persistent XSS on issue details]
RESERVED
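Review bot: `(Scheduled for removal in next point release)` on the `+ [stretch] - gitlab <ignored>` line explains the triage decision but cites nothing: unlike the jekyll and gitlab entries that carry `(bug #...)`, there is no bug number a reader can follow to confirm that the removal request is actually filed. Since the same reason is repeated for every gitlab entry in this commit, adding the removal bug in the `(bug #...)` form the file already uses, or at least a NOTE on the first entry, would make the `<ignored>` decision auditable once the point release is out.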
@@ -1985,6 +1988,7 @@ CVE-2018-17453 [GRPC::Unknown logging token disclosure]
CVE-2018-17452 [validate_localhost function in url_blocker.rb could be bypassed]
RESERVED
- gitlab <unfixed>
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
CVE-2018-17451 [Slack integration CSRF Oauth2]
RESERVED
@@ -5056,13 +5060,16 @@ CVE-2018-16048 (An issue was discovered in GitLab Community and Enterprise Editi
NOTE: https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/
CVE-2018-16051 (An issue was discovered in GitLab Community and Enterprise Edition ...)
- gitlab <unfixed>
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://gitlab.com/gitlab-org/gitlab-ee/issues/6012
NOTE: https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/
CVE-2018-XXXX [gitlab: Missing CSRF in System Hooks]
- gitlab <unfixed>
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/
CVE-2018-16049 (An issue was discovered in GitLab Community and Enterprise Edition ...)
- gitlab <unfixed>
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/46967
NOTE: https://gitlab.com/gitlab-org/gitlab-ce/issues/49272
NOTE: https://about.gitlab.com/2018/08/28/security-release-gitlab-11-dot-2-dot-2-released/
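Review bot: The middle entry in this hunk, `CVE-2018-XXXX [gitlab: Missing CSRF in System Hooks]`, still has a placeholder identifier, so the new `[stretch] - gitlab <ignored>` line attaches to an entry that cannot be matched against GitLab's advisory by CVE id; the 11.2.2 release NOTE is its only link. Worth filling in the CVE id once one is assigned, or adding a NOTE with the specific issue link the way the CVE-2018-16051 and CVE-2018-16049 entries do with their gitlab-org issue URLs.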
@@ -6850,6 +6857,7 @@ CVE-2018-15474 (** DISPUTED ** CSV Injection (aka Excel Macro Injection or Formu
CVE-2018-15472 [Diff formatter DoS in Sidekiq jobs]
RESERVED
- gitlab <unfixed>
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://about.gitlab.com/2018/10/01/security-release-gitlab-11-dot-3-dot-1-released/
CVE-2018-15467
RESERVED
@@ -8894,6 +8902,7 @@ CVE-2018-14604 (An issue was discovered in GitLab Community and Enterprise Editi
NOTE: https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/
CVE-2018-14603 (An issue was discovered in GitLab Community and Enterprise Edition ...)
- gitlab <unfixed>
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://about.gitlab.com/2018/07/26/security-release-gitlab-11-dot-1-dot-2-released/
CVE-2018-14602 (An issue was discovered in GitLab Community and Enterprise Edition ...)
- gitlab <unfixed>
@@ -9606,6 +9615,7 @@ CVE-2018-14365
RESERVED
CVE-2018-14364 (GitLab Community and Enterprise Edition before 10.7.7, 10.8.x before ...)
- gitlab 10.7.7+dfsg-2 (bug #904026)
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://about.gitlab.com/2018/07/17/critical-security-release-gitlab-11-dot-0-dot-4-released/
CVE-2018-14363 (An issue was discovered in NeoMutt before 2018-07-16. newsrc.c does not ...)
{DSA-4277-1 DLA-1455-1}
@@ -13849,9 +13859,11 @@ CVE-2018-XXXX [gitlab: Activity feed publicly displaying internal project names]
NOTE: https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
CVE-2018-XXXX [gitlab: Content injection via username]
- gitlab 10.7.7+dfsg-2 (bug #902726)
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
CVE-2018-12606 (An issue was discovered in GitLab Community Edition and Enterprise ...)
- gitlab 10.7.7+dfsg-2 (bug #902726)
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/
CVE-2018-12605 (An issue was discovered in GitLab Community Edition and Enterprise ...)
- gitlab 10.7.7+dfsg-2 (bug #902726)
@@ -16789,6 +16801,7 @@ CVE-2018-XXXX [gitlab: Removing public deploy keys regression]
CVE-2017-0921 (GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and ...)
[experimental] - gitlab 10.7.5+dfsg-1
- gitlab 10.7.7+dfsg-2 (bug #900522)
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://about.gitlab.com/2018/05/29/security-release-gitlab-10-dot-8-dot-2-released/
CVE-2018-XXXX [gitlab: Persistent XSS - Selecting users as allowed merge request approvers]
[experimental] - gitlab 10.7.5+dfsg-1
@@ -22689,6 +22702,7 @@ CVE-2018-9286
RESERVED
CVE-2018-9243 (GitLab Community and Enterprise Editions version 8.4 up to 10.4 are ...)
- gitlab 10.6.3+dfsg-1 (bug #894869)
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
CVE-2018-9244 (GitLab Community and Enterprise Editions version 9.2 up to 10.4 are ...)
- gitlab 10.6.3+dfsg-1 (bug #894868)
@@ -22696,6 +22710,7 @@ CVE-2018-9244 (GitLab Community and Enterprise Editions version 9.2 up to 10.4 a
NOTE: https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
CVE-2018-XXXX [Confidential issue comments in Slack, Mattermost, and webhook integrations]
- gitlab 10.6.3+dfsg-1 (bug #894867)
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://about.gitlab.com/2018/04/04/security-release-gitlab-10-dot-6-dot-3-released/
CVE-2018-9285 (Main_Analysis_Content.asp in /apply.cgi on ASUS RT-AC66U, RT-AC68U, ...)
NOT-FOR-US: ASUS
@@ -24062,6 +24077,7 @@ CVE-2018-8802 (SQL injection vulnerability in the management interface in ePorta
NOT-FOR-US: ePortal Manager in Unisys ClearPath MCP OS systems
CVE-2018-8801 (GitLab Community and Enterprise Editions version 8.3 up to 10.x before ...)
- gitlab 10.5.6+dfsg-1 (bug #893905)
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/
CVE-2018-8800
RESERVED
@@ -98053,6 +98069,7 @@ CVE-2017-0920 (GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, a
NOTE: https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/
CVE-2017-0919 (GitLab Community and Enterprise Editions before 10.1.6, 10.2.6, and ...)
- gitlab 10.5.5+dfsg-1
+ [stretch] - gitlab <ignored> (Scheduled for removal in next point release)
NOTE: https://hackerone.com/reports/301137
NOTE: Fixed in 10.1.6, 10.2.6, and 10.3.4
CVE-2017-0918 (Gitlab Community Edition version 10.3 is vulnerable to a path ...)
@@ -210973,6 +210990,7 @@ CVE-2012-3156 (Unspecified vulnerability in the MySQL Server component in Oracle
- mysql-5.5 5.5.28+dfsg-1 (bug #690778)
CVE-2012-3155 (Unspecified vulnerability in the CORBA ORB component in Sun GlassFish ...)
- glassfish <removed> (bug #692035)
+ [stretch] - glassfish <ignored> (Only used a build dep, specific details withheld)
[jessie] - glassfish <end-of-life>
[wheezy] - glassfish <end-of-life>
NOTE: Oracle doesn't provide any useful public information to fix the package without importing a new upstream version.
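Review bot: The reason string on `+ [stretch] - glassfish <ignored>` reads "Only used a build dep"; it should say "Only used as a build dependency". The second half, "specific details withheld", repeats what the existing NOTE line already states about Oracle not publishing fix details, so the parenthetical could carry just the build-dependency argument. Placing the stretch line above the jessie and wheezy `<end-of-life>` lines matches the jessie-before-wheezy order already present.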
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ec8c21a153044ede8b7f7fc6e55215731a342b3e