[Git][security-tracker-team/security-tracker][master] stretch triage

Moritz Muehlenhoff jmm at debian.org
Thu Sep 20 19:57:46 BST 2018


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d085fc39 by Moritz Muehlenhoff at 2018-09-20T18:57:20Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -334,6 +334,7 @@ CVE-2018-17183 (Artifex Ghostscript before 9.25 allowed a user-writable error ex
 	NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624
 CVE-2018-17095 (An issue has been discovered in mpruett Audio File Library (aka ...)
 	- audiofile <unfixed>
+	[stretch] - audiofile <no-dsa> (Minor issue)
 	[jessie] - audiofile <postponed> (Can be fixed along in future DLA)
 	NOTE: https://github.com/mpruett/audiofile/issues/50
 	NOTE: https://github.com/mpruett/audiofile/issues/51
@@ -422,6 +423,7 @@ CVE-2018-17058
 	RESERVED
 CVE-2018-17057 (An issue was discovered in TCPDF before 6.2.22. Attackers can trigger ...)
 	- tcpdf <unfixed> (bug #908866)
+	[stretch] - tcpdf <no-dsa> (Minor issue)
 	[jessie] - tcpdf <ignored> (Minor issue)
 	NOTE: https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26e
 	NOTE: Was considered minor for jessie since arbitrary deserialization
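Review bot: stretch gets `<no-dsa>` while jessie stays `<ignored>` with the same "(Minor issue)" text, and the NOTE below only explains the jessie decision; a word on whether the deserialization reasoning also rules out a stretch point-release fix, or whether one is still intended via `no-dsa`, would keep the two states from looking inconsistent to the next triager.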
@@ -1560,6 +1562,7 @@ CVE-2018-1000673
 	REJECTED
 CVE-2018-1000671 (sympa version 6.2.16 and later contains a CWE-601: URL Redirection to ...)
 	- sympa <unfixed> (bug #908165)
+	[stretch] - sympa <no-dsa> (Minor issue)
 	NOTE: https://github.com/sympa-community/sympa/issues/268
 	NOTE: https://github.com/sympa-community/sympa/commit/c6ce32a6c203070702eac45a4442a17d2bf7b0c1
 	NOTE: https://github.com/sympa-community/sympa/commit/03314a9baf7f7903283253829877afd0ae50e325
@@ -6169,6 +6172,7 @@ CVE-2018-14637
 	RESERVED
 CVE-2018-14636 (Live-migrated instances are briefly able to inspect traffic for other ...)
 	- neutron <unfixed> (low)
+	[stretch] - neutron <no-dsa> (Minor issue)
 	[jessie] - neutron <ignored> (Minor issue)
 CVE-2018-14635 (When using the Linux bridge ml2 driver, non-privileged tenants are ...)
 	- neutron 2:13.0.0-1
@@ -7218,6 +7222,7 @@ CVE-2018-14321
 	RESERVED
 CVE-2018-14320 (This vulnerability allows remote attackers to disclose sensitive ...)
 	- libpodofo <unfixed>
+	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <ignored> (Minor issue)
 	NOTE: https://www.zerodayinitiative.com/advisories/ZDI-18-1046/
 CVE-2018-14319
@@ -7814,8 +7819,7 @@ CVE-2018-14044 (The RateTransposer::setChannels function in RateTransposer.cpp i
 CVE-2018-14043 (mstdlib (aka the M Standard Library for C) 1.2.0 has incorrect file ...)
 	NOT-FOR-US: mstdlib
 CVE-2018-14042 (In Bootstrap before 4.1.2, XSS is possible in the data-container ...)
-	- twitter-bootstrap <unfixed>
-	[jessie] - twitter-bootstrap <not-affected> (Vulnerable code not present)
+	- twitter-bootstrap <not-affected> (Vulnerable code not present)
 	- twitter-bootstrap3 <unfixed> (bug #907414)
 	[jessie] - twitter-bootstrap3 <not-affected> (Vulnerable code not present)
 	NOTE: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
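Review bot: collapsing the two lines into a single unconditional `- twitter-bootstrap <not-affected> (Vulnerable code not present)` makes the state apply to every suite, so dropping the separate `[jessie]` line is consistent; since the CVE text says "Bootstrap before 4.1.2", a short NOTE stating which twitter-bootstrap version is packaged would let a later triager verify the not-affected claim without re-deriving it. The same point applies to the two identical hunks for CVE-2018-14041 and CVE-2018-14040 that follow.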
@@ -7824,8 +7828,7 @@ CVE-2018-14042 (In Bootstrap before 4.1.2, XSS is possible in the data-container
 	NOTE: https://github.com/twbs/bootstrap/pull/26630
 	NOTE: https://github.com/twbs/bootstrap/pull/26630/commits/efca80bb5bb34546a2e7a9488b89f71457d2ad92
 CVE-2018-14041 (In Bootstrap before 4.1.2, XSS is possible in the data-target property ...)
-	- twitter-bootstrap <unfixed>
-	[jessie] - twitter-bootstrap <not-affected> (Vulnerable code not present)
+	- twitter-bootstrap <not-affected> (Vulnerable code not present)
 	- twitter-bootstrap3 <unfixed> (bug #907414)
 	[jessie] - twitter-bootstrap3 <not-affected> (Vulnerable code not present)
 	NOTE: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
@@ -7835,8 +7838,7 @@ CVE-2018-14041 (In Bootstrap before 4.1.2, XSS is possible in the data-target pr
 	NOTE: https://github.com/twbs/bootstrap/pull/26630/commits/3229efc0811df29765c1d0a949c85362378b0628
 CVE-2018-14040 (In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent ...)
 	{DLA-1479-1}
-	- twitter-bootstrap <unfixed>
-	[jessie] - twitter-bootstrap <not-affected> (Vulnerable code not present)
+	- twitter-bootstrap <not-affected> (Vulnerable code not present)
 	- twitter-bootstrap3 <unfixed> (bug #907414)
 	NOTE: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/
 	NOTE: https://github.com/twbs/bootstrap/issues/26423
@@ -11112,11 +11114,10 @@ CVE-2018-1000522
 CVE-2018-1000521 (BigTree-CMS contains a Cross Site Scripting (XSS) vulnerability in ...)
 	NOT-FOR-US: BigTree-CMS
 CVE-2018-1000520 (ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite Allows ...)
-	- mbedtls <unfixed> (low)
-	[stretch] - mbedtls <no-dsa> (Minor issue)
-	- polarssl <removed>
-	[jessie] - polarssl <no-dsa> (Minor issue)
+	- mbedtls <unfixed> (unimportant)
+	- polarssl <removed> (unimportant)
 	NOTE: https://github.com/ARMmbed/mbedtls/issues/1561
+	NOTE: No security impact
 CVE-2018-1000519 (aio-libs aiohttp-session contains a Session Fixation vulnerability in ...)
 	NOT-FOR-US: aio-libs aiohttp-session
 CVE-2018-1000518 (aaugustin websockets version 4 contains a CWE-409: Improper Handling ...)
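Review bot: the new `NOTE: No security impact` justifies the downgrade from `(low)`/`<no-dsa>` to `(unimportant)` but gives no source; pointing at where that was established (the upstream issue 1561 linked on the preceding line) or summarising why the ciphersuite behaviour has no impact would make the reasoning verifiable later. Removing the `[stretch]` and `[jessie]` lines is consistent with an unconditional `(unimportant)` entry.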


=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ asterisk
 --
 ceph
 --
+hylafax (jmm)
+--
 gitlab
 --
 ghostscript
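Review bot: hylafax is inserted between ceph and gitlab; if data/dsa-needed.txt is kept alphabetical it belongs after gitlab (the existing gitlab/ghostscript order is already inverted, so that may be worth tidying in the same pass).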
@@ -75,6 +77,10 @@ passenger
 php7.0
   wait until more severe issues have come up
 --
+smarty3
+--
+spamassassin
+--
 sssd
   Maintainer prepared an update and proposed debdiff, acked for upload, but update needs further testing before release.
 --
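Review bot: smarty3 and spamassassin are added without a claimant or a status line, whereas hylafax in the previous hunk carries `(jmm)` and php7.0 and sssd in this hunk carry an indented status note; leaving them unclaimed is fine, but a one-line pointer to the CVE(s) driving the DSA would help whoever picks them up.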
@@ -82,3 +88,5 @@ symfony
 --
 wesnoth-1.12
 --
+wireshark
+--



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d085fc39adb3955d57b0a42cb221f14ebe4b94eb
