[Git][security-tracker-team/security-tracker][master] 3 commits: Do not specifically list CVE-2018-9251 for DLA-1524-1

Thu Sep 27 21:18:43 BST 2018

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
99399308 by Salvatore Bonaccorso at 2018-09-27T20:12:15Z
Do not specifically list CVE-2018-9251 for DLA-1524-1

The CVE-2018-9251 is caused due to an incomplete fix for CVE-2017-18258,
which was adressed completely in the update. As such libxml2 in jessie
was never affected by CVE-2018-9251 itself.

- - - - -
49fc6de3 by Salvatore Bonaccorso at 2018-09-27T20:17:46Z
Process NFUs

- - - - -
2fbefd07 by Salvatore Bonaccorso at 2018-09-27T20:18:01Z
Add CVE-2018-15836/openswan

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2801,7 +2801,7 @@ CVE-2018-16366 (An issue discovered in idreamsoft iCMS V7.0.10. ...)
 CVE-2018-16365 (An issue discovered in idreamsoft iCMS V7.0.10. ...)
 	NOT-FOR-US: idreamsoft iCMS
 CVE-2018-16364 (A serialization vulnerability in Zoho ManageEngine Applications ...)
-	TODO: check
+	NOT-FOR-US: Zoho ManageEngine Applications Manager
 CVE-2018-16363 (The mndpsingh287 File Manager plugin V2.9 for WordPress has XSS via ...)
 	NOT-FOR-US: mndpsingh287 File Manager plugin for WordPress
 CVE-2018-16362 (An issue was discovered in the Source Integration plugin before 1.5.9 ...)
@@ -4148,7 +4148,9 @@ CVE-2018-15838
 CVE-2018-15837
 	RESERVED
 CVE-2018-15836 (In Openswan before 2.6.50.1, IKEv2 signature verification is ...)
-	TODO: check
+	- openswan <removed>
+	NOTE: https://github.com/xelerance/Openswan/commit/0b460be9e287fd335c8ce58129c67bf06065ef51
+	NOTE: https://lists.openswan.org/pipermail/users/2018-August/023761.html
 CVE-2018-15835
 	RESERVED
 CVE-2018-15834 (In radare2 before 2.9.0, a heap overflow vulnerability exists in the ...)
@@ -4913,7 +4915,7 @@ CVE-2018-15533 (A reflected cross-site scripting vulnerability exists in Geutebr
 CVE-2018-15532
 	RESERVED
 CVE-2018-15531 (JavaMelody before 1.74.0 has XXE via parseSoapMethodName in ...)
-	TODO: check
+	NOT-FOR-US: JavaMelody
 CVE-2018-15530
 	RESERVED
 CVE-2018-15529 (A command injection vulnerability in maintenance.cgi in Mutiny ...)
@@ -6418,7 +6420,7 @@ CVE-2018-14825 (On Honeywell Mobile Computers (CT60 running Android OS 7.1, CN80
 CVE-2018-14824
 	RESERVED
 CVE-2018-14823 (Fuji Electric V-Server 4.0.3.0 and prior, A stack-based buffer ...)
-	TODO: check
+	NOT-FOR-US: Fuji Electric V-Server
 CVE-2018-14822
 	RESERVED
 CVE-2018-14821 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. This ...)
@@ -6426,27 +6428,27 @@ CVE-2018-14821 (Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. T
 CVE-2018-14820
 	RESERVED
 CVE-2018-14819 (Fuji Electric V-Server 4.0.3.0 and prior, An out-of-bounds read ...)
-	TODO: check
+	NOT-FOR-US: Fuji Electric V-Server
 CVE-2018-14818
 	RESERVED
 CVE-2018-14817 (Fuji Electric V-Server 4.0.3.0 and prior, An integer underflow ...)
-	TODO: check
+	NOT-FOR-US: Fuji Electric V-Server
 CVE-2018-14816
 	RESERVED
 CVE-2018-14815 (Fuji Electric V-Server 4.0.3.0 and prior, Several out-of-bounds write ...)
-	TODO: check
+	NOT-FOR-US: Fuji Electric V-Server
 CVE-2018-14814
 	RESERVED
 CVE-2018-14813 (Fuji Electric V-Server 4.0.3.0 and prior, A heap-based buffer overflow ...)
-	TODO: check
+	NOT-FOR-US: Fuji Electric V-Server
 CVE-2018-14812
 	RESERVED
 CVE-2018-14811 (Fuji Electric V-Server 4.0.3.0 and prior, Multiple untrusted pointer ...)
-	TODO: check
+	NOT-FOR-US: Fuji Electric V-Server
 CVE-2018-14810
 	RESERVED
 CVE-2018-14809 (Fuji Electric V-Server 4.0.3.0 and prior, A use after free ...)
-	TODO: check
+	NOT-FOR-US: Fuji Electric V-Server
 CVE-2018-14808
 	RESERVED
 CVE-2018-14807
@@ -7968,7 +7970,7 @@ CVE-2018-14329 (In HTSlib 1.8, a race condition in cram/cram_io.c might allow lo
 CVE-2018-14328 (Brynamics "Online Trade - Online trading and cryptocurrency investment ...)
 	NOT-FOR-US: Brynamics "Online Trade - Online trading and cryptocurrency investment system"
 CVE-2018-14327 (The installer for the Alcatel OSPREY3_MINI Modem component on EE ...)
-	TODO: check
+	NOT-FOR-US: Alcatel
 CVE-2018-14324 (The demo feature in Oracle GlassFish Open Source Edition 5.0 has TCP ...)
 	- glassfish <not-affected> (Vulnerable code not included, only builds a few classes)
 CVE-2018-14323
@@ -21025,7 +21027,6 @@ CVE-2018-9252 (JasPer 2.0.14 allows denial of service via a reachable assertion
 	NOTE: https://github.com/mdadams/jasper/issues/173
 	NOTE: Negligable impact
 CVE-2018-9251 (The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is ...)
-	{DLA-1524-1}
 	- libxml2 <not-affected> (Fix for CVE-2017-18258 not applied, cf. bug #895195)
 	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=794914
 	NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74


=====================================
data/DLA/list
=====================================
@@ -1,5 +1,5 @@
 [27 Sep 2018] DLA-1524-1 libxml2 - security update
-	{CVE-2017-18258 CVE-2018-9251 CVE-2018-14404 CVE-2018-14567}
+	{CVE-2017-18258 CVE-2018-14404 CVE-2018-14567}
 	[jessie] - libxml2 2.9.1+dfsg1-5+deb8u7
 [27 Sep 2018] DLA-1523-1 asterisk - security update
 	{CVE-2018-17281}



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/b9c4ee5e11b8e6894a5ee1d92cbacaa18cd40631...2fbefd07fd8f9af4f18b6ebaf6b1b18073d98ef0

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/b9c4ee5e11b8e6894a5ee1d92cbacaa18cd40631...2fbefd07fd8f9af4f18b6ebaf6b1b18073d98ef0
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180927/b644462f/attachment.html>
