[Git][security-tracker-team/security-tracker][master] 3 commits: Do not specifically list CVE-2018-9251 for DLA-1524-1
Salvatore Bonaccorso
carnil at debian.org
Thu Sep 27 21:18:43 BST 2018
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
99399308 by Salvatore Bonaccorso at 2018-09-27T20:12:15Z
Do not specifically list CVE-2018-9251 for DLA-1524-1
CVE-2018-9251 is caused by an incomplete fix for CVE-2017-18258,
which was addressed completely in the update. As such libxml2 in jessie
was never affected by CVE-2018-9251 itself.
- - - - -
49fc6de3 by Salvatore Bonaccorso at 2018-09-27T20:17:46Z
Process NFUs
- - - - -
2fbefd07 by Salvatore Bonaccorso at 2018-09-27T20:18:01Z
Add CVE-2018-15836/openswan
- - - - -
2 changed files:
- data/CVE/list
- data/DLA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2801,7 +2801,7 @@ CVE-2018-16366 (An issue discovered in idreamsoft iCMS V7.0.10. ...)
CVE-2018-16365 (An issue discovered in idreamsoft iCMS V7.0.10. ...)
NOT-FOR-US: idreamsoft iCMS
CVE-2018-16364 (A serialization vulnerability in Zoho ManageEngine Applications ...)
- TODO: check
+ NOT-FOR-US: Zoho ManageEngine Applications Manager
CVE-2018-16363 (The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via ...)
NOT-FOR-US: mndpsingh287 File Manager plugin for WordPress
CVE-2018-16362 (An issue was discovered in the Source Integration plugin before 1.5.9 ...)
@@ -4148,7 +4148,9 @@ CVE-2018-15838
CVE-2018-15837
RESERVED
CVE-2018-15836 (In Openswan before 2.6.50.1, IKEv2 signature verification is ...)
- TODO: check
+ - openswan <removed>
+ NOTE: https://github.com/xelerance/Openswan/commit/0b460be9e287fd335c8ce58129c67bf06065ef51
+ NOTE: https://lists.openswan.org/pipermail/users/2018-August/023761.html
CVE-2018-15835
RESERVED
CVE-2018-15834 (In radare2 before 2.9.0, a heap overflow vulnerability exists in the ...)
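Review bot: the first NOTE under the new `- openswan <removed>` entry links the upstream fixing commit but is not labelled as such, unlike the libxml2 entry later in this same commit, which uses `NOTE: Fixed by: https://gitlab.gnome.org/...`; for consistency, and so the commit link is not mistaken for a mere reference, suggest `NOTE: Fixed by: https://github.com/xelerance/Openswan/commit/0b460be9e287fd335c8ce58129c67bf06065ef51`, keeping the mailing-list thread as a separate NOTE.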
@@ -4913,7 +4915,7 @@ CVE-2018-15533 (A reflected cross-site scripting vulnerability exists in Geutebr
CVE-2018-15532
RESERVED
CVE-2018-15531 (JavaMelody before 1.74.0 has XXE via parseSoapMethodName in ...)
- TODO: check
+ NOT-FOR-US: JavaMelody
CVE-2018-15530
RESERVED
CVE-2018-15529 (A command injection vulnerability in maintenance.cgi in Mutiny ...)
@@ -6418,7 +6420,7 @@ CVE-2018-14825 (On Honeywell Mobile Computers (CT60 running Android OS 7.1, CN80
CVE-2018-14824
RESERVED
CVE-2018-14823 (Fuji Electric V-Server 4.0.3.0 and prior, A stack-based buffer ...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14822
RESERVED
CVE-2018-14821 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This ...)
@@ -6426,27 +6428,27 @@ CVE-2018-14821 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. T
CVE-2018-14820
RESERVED
CVE-2018-14819 (Fuji Electric V-Server 4.0.3.0 and prior, An out-of-bounds read ...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14818
RESERVED
CVE-2018-14817 (Fuji Electric V-Server 4.0.3.0 and prior, An integer underflow ...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14816
RESERVED
CVE-2018-14815 (Fuji Electric V-Server 4.0.3.0 and prior, Several out-of-bounds write ...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14814
RESERVED
CVE-2018-14813 (Fuji Electric V-Server 4.0.3.0 and prior, A heap-based buffer overflow ...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14812
RESERVED
CVE-2018-14811 (Fuji Electric V-Server 4.0.3.0 and prior, Multiple untrusted pointer ...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14810
RESERVED
CVE-2018-14809 (Fuji Electric V-Server 4.0.3.0 and prior, A use after free ...)
- TODO: check
+ NOT-FOR-US: Fuji Electric V-Server
CVE-2018-14808
RESERVED
CVE-2018-14807
@@ -7968,7 +7970,7 @@ CVE-2018-14329 (In HTSlib 1.8, a race condition in cram/cram_io.c might allow lo
CVE-2018-14328 (Brynamics "Online Trade - Online trading and cryptocurrency investment ...)
NOT-FOR-US: Brynamics "Online Trade - Online trading and cryptocurrency investment system"
CVE-2018-14327 (The installer for the Alcatel OSPREY3_MINI Modem component on EE ...)
- TODO: check
+ NOT-FOR-US: Alcatel
CVE-2018-14324 (The demo feature in Oracle GlassFish Open Source Edition 5.0 has TCP ...)
- glassfish <not-affected> (Vulnerable code not included, only builds a few classes)
CVE-2018-14323
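Review bot: the reason on the new `NOT-FOR-US: Alcatel` line is vaguer than the other entries in this commit (`NOT-FOR-US: Fuji Electric V-Server`, `NOT-FOR-US: JavaMelody`, `NOT-FOR-US: Zoho ManageEngine Applications Manager`), which name the product rather than only the vendor; since the description is about the installer for the OSPREY3_MINI modem component on EE, suggest `NOT-FOR-US: Alcatel OSPREY3_MINI Modem component on EE` so a later search for the product finds it.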
@@ -21025,7 +21027,6 @@ CVE-2018-9252 (JasPer 2.0.14 allows denial of service via a reachable assertion
NOTE: https://github.com/mdadams/jasper/issues/173
NOTE: Negligable impact
CVE-2018-9251 (The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is ...)
- {DLA-1524-1}
- libxml2 <not-affected> (Fix for CVE-2017-18258 not applied, cf. bug #895195)
NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794914
NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74
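Review bot: with the `{DLA-1524-1}` reference removed, jessie falls back to the unversioned `- libxml2 <not-affected> (Fix for CVE-2017-18258 not applied, cf. bug #895195)` line, but that reason does not describe jessie: per the commit message the CVE-2017-18258 fix was applied completely there in this very update. Consider a suite-specific entry such as `[jessie] - libxml2 <not-affected> (Complete fix for CVE-2017-18258 applied in 2.9.1+dfsg1-5+deb8u7)` so the recorded reason matches what happened in each suite.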
=====================================
data/DLA/list
=====================================
@@ -1,5 +1,5 @@
[27 Sep 2018] DLA-1524-1 libxml2 - security update
- {CVE-2017-18258 CVE-2018-9251 CVE-2018-14404 CVE-2018-14567}
+ {CVE-2017-18258 CVE-2018-14404 CVE-2018-14567}
[jessie] - libxml2 2.9.1+dfsg1-5+deb8u7
[27 Sep 2018] DLA-1523-1 asterisk - security update
{CVE-2018-17281}
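Review bot: dropping CVE-2018-9251 from the `{...}` line keeps data/DLA/list consistent with the change to data/CVE/list, but the DLA-1524-1 advisory is dated 27 Sep 2018, the same day as this commit; if the advisory mail that already went out named CVE-2018-9251, the tracker and the published text now disagree, and a short follow-up to the list (or a note on the DLA) would be worth sending.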
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/b9c4ee5e11b8e6894a5ee1d92cbacaa18cd40631...2fbefd07fd8f9af4f18b6ebaf6b1b18073d98ef0