[Git][security-tracker-team/security-tracker][master] qt4 fixed
Moritz Muehlenhoff
jmm at debian.org
Fri Apr 12 22:12:19 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1ae409ce by Moritz Muehlenhoff at 2019-04-12T21:11:18Z
qt4 fixed
update patch references for ruby
mark one wordpress issue as undetermined
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -6363,8 +6363,9 @@ CVE-2019-8945
CVE-2019-8944 (An Information Exposure issue in the Terraform deployment step in Octo ...)
NOT-FOR-US: Terraform
CVE-2019-8943 (WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An a ...)
- - wordpress <unfixed> (bug #923583)
+ - wordpress <undetermined> (bug #923583)
NOTE: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
+ NOTE: The code execution angle is fixed via gd security, details on the rest are murky
CVE-2019-8942 (WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code executi ...)
{DSA-4401-1 DLA-1742-1}
- wordpress 5.0.1+dfsg1-1
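Review bot: The new NOTE for CVE-2019-8943 says the code execution angle is "fixed via gd security" but gives no reference, so whoever revisits the <undetermined> marking later has nothing to check against; suggest appending the gd bug or advisory identifier to that NOTE and naming the part that is still open (the path traversal in wp_crop_image() from the description), rather than "details on the rest are murky".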
@@ -7737,8 +7738,6 @@ CVE-2019-8325 [Escape sequence injection vulnerability in errors]
- ruby2.1 <removed>
- rubygems <removed>
- jruby <unfixed> (bug #925987)
- NOTE: https://bugs.ruby-lang.org/attachments/7669 (for 2.4.5)
- NOTE: https://bugs.ruby-lang.org/attachments/7670 (for 2.5.3)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b
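Review bot: Dropping the two bugs.ruby-lang.org attachment NOTEs (the 2.4.5 and 2.5.3 backports) for CVE-2019-8325 removes the only version-specific patch pointers while jruby is still <unfixed> (bug #925987); if the rubygems commit 56c0bbb is meant to supersede them, say so in the remaining NOTE, otherwise keep at least one backport reference for the pending update.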
@@ -7750,12 +7749,9 @@ CVE-2019-8324 [Installing a malicious gem may lead to arbitrary code execution]
- ruby2.1 <removed>
- rubygems <removed>
- jruby <unfixed> (bug #925987)
- NOTE: https://bugs.ruby-lang.org/attachments/7669 (for 2.4.5)
- NOTE: https://bugs.ruby-lang.org/attachments/7670 (for 2.5.3)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
- NOTE: https://github.com/rubygems/rubygems/commit/00ff3037a577889bd1e555966d9e0d17bea8d28d
- NOTE: https://github.com/rubygems/rubygems/commit/be3ad330cd1d7403389a3cc53a68b95a0a2b6491
+ NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b
CVE-2019-8323 [Escape sequence injection vulnerability in API response handling]
RESERVED
{DLA-1735-1}
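Review bot: For CVE-2019-8324 the two issue-specific commits (00ff3037 and be3ad330) are replaced by 56c0bbb, which is the same commit already cited for CVE-2019-8325 in the previous hunk and is added to every CVE in this series below; a single commit covering all six issues looks like an aggregate or release commit, so suggest keeping the specific commit references next to it rather than removing them.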
@@ -7764,10 +7760,9 @@ CVE-2019-8323 [Escape sequence injection vulnerability in API response handling]
- ruby2.1 <removed>
- rubygems <removed>
- jruby <unfixed> (bug #925987)
- NOTE: https://bugs.ruby-lang.org/attachments/7669 (for 2.4.5)
- NOTE: https://bugs.ruby-lang.org/attachments/7670 (for 2.5.3)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+ NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b
CVE-2019-8322 [Escape sequence injection vulnerability in gem owner]
RESERVED
{DLA-1735-1}
@@ -7776,10 +7771,9 @@ CVE-2019-8322 [Escape sequence injection vulnerability in gem owner]
- ruby2.1 <removed>
- rubygems <removed>
- jruby <unfixed> (bug #925987)
- NOTE: https://bugs.ruby-lang.org/attachments/7669 (for 2.4.5)
- NOTE: https://bugs.ruby-lang.org/attachments/7670 (for 2.5.3)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+ NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b
CVE-2019-8321 [Escape sequence injection vulnerability in verbose]
RESERVED
- ruby2.5 2.5.5-1
@@ -7788,10 +7782,9 @@ CVE-2019-8321 [Escape sequence injection vulnerability in verbose]
[jessie] - ruby2.1 <not-affected> (Vulnerable code introduced later)
- rubygems <removed>
- jruby <unfixed> (bug #925987)
- NOTE: https://bugs.ruby-lang.org/attachments/7669 (for 2.4.5)
- NOTE: https://bugs.ruby-lang.org/attachments/7670 (for 2.5.3)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+ NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b
CVE-2019-8320 [Delete directory using symlink when decompressing tar]
RESERVED
{DLA-1735-1}
@@ -7800,11 +7793,9 @@ CVE-2019-8320 [Delete directory using symlink when decompressing tar]
- ruby2.1 <removed>
- rubygems <removed>
- jruby <unfixed> (bug #925987)
- NOTE: https://bugs.ruby-lang.org/attachments/7669 (for 2.4.5)
- NOTE: https://bugs.ruby-lang.org/attachments/7670 (for 2.5.3)
NOTE: https://www.ruby-lang.org/en/news/2019/03/05/multiple-vulnerabilities-in-rubygems/
NOTE: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
- NOTE: Patch needs further work: https://github.com/rubygems/rubygems/pull/2722
+ NOTE: https://github.com/rubygems/rubygems/commit/56c0bbb69e4506bda7ef7f447dfec5db820df20b
CVE-2019-8319 (An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1 ...)
NOT-FOR-US: D-Link
CVE-2019-8318 (An issue was discovered on D-Link DIR-878 devices with firmware 1.12A1 ...)
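Review bot: The NOTE "Patch needs further work: https://github.com/rubygems/rubygems/pull/2722" for CVE-2019-8320 is removed without recording the outcome; if commit 56c0bbb is the merged or superseding fix for that pull request, the replacement NOTE should say so (e.g. "fixed by ..., supersedes PR 2722"), since a symlink/tar issue being closed by the same commit as the escape-sequence issues above is worth leaving a trail for.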
@@ -25463,7 +25454,7 @@ CVE-2018-19873 (An issue was discovered in Qt before 5.11.3. QBmpHandler has a b
{DSA-4374-1 DLA-1627-1}
[experimental] - qtbase-opensource-src 5.11.3+dfsg-1
- qtbase-opensource-src 5.11.3+dfsg-2 (low)
- - qt4-x11 <unfixed> (low; bug #923003)
+ - qt4-x11 4:4.8.7+dfsg-18 (low; bug #923003)
[stretch] - qt4-x11 <no-dsa> (Minor issue)
[jessie] - qt4-x11 <ignored> (Minor issue)
NOTE: https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/
@@ -25473,14 +25464,14 @@ CVE-2018-19872 (An issue was discovered in Qt 5.11. A malformed PPM image causes
- qtbase-opensource-src 5.11.2+dfsg-3 (low)
[stretch] - qtbase-opensource-src <no-dsa> (Minor issue)
[jessie] - qtbase-opensource-src <no-dsa> (Minor issue)
- - qt4-x11 <unfixed>
+ - qt4-x11 4:4.8.7+dfsg-18
NOTE: https://bugreports.qt.io/browse/QTBUG-69449
NOTE: qt4-x11: POC doesn't crash on neither jessie nor stretch, it's possibly incomplete; patch applies though
CVE-2018-19871 (An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontr ...)
- qtimageformats-opensource-src 5.11.3-2 (low)
[stretch] - qtimageformats-opensource-src <no-dsa> (Minor issue)
[jessie] - qtimageformats-opensource-src <postponed> (Minor issue)
- - qt4-x11 <unfixed> (low; bug #923003)
+ - qt4-x11 4:4.8.7+dfsg-18 (low; bug #923003)
[stretch] - qt4-x11 <no-dsa> (Minor issue)
[jessie] - qt4-x11 <postponed> (Minor issue)
NOTE: https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/
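Review bot: The qt4-x11 entry for CVE-2018-19872 is marked fixed in 4:4.8.7+dfsg-18 but, unlike the CVE-2018-19871 entry in the same hunk, has no [stretch] or [jessie] sub-entries, so both stable branches remain open for qt4-x11 without a triage decision; given the existing NOTE that the PoC does not crash on jessie or stretch, a <no-dsa> (Minor issue) line for each, matching the sibling entries, would be the consistent choice.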
@@ -25491,7 +25482,7 @@ CVE-2018-19870 (An issue was discovered in Qt before 5.11.3. A malformed GIF ima
{DSA-4374-1 DLA-1627-1}
[experimental] - qtbase-opensource-src 5.11.3+dfsg-1
- qtbase-opensource-src 5.11.3+dfsg-2 (low)
- - qt4-x11 <unfixed> (low; bug #923003)
+ - qt4-x11 4:4.8.7+dfsg-18 (low; bug #923003)
[stretch] - qt4-x11 <no-dsa> (Minor issue)
[jessie] - qt4-x11 <ignored> (Minor issue)
NOTE: https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/
@@ -25504,7 +25495,7 @@ CVE-2018-19869 (An issue was discovered in Qt before 5.11.3. A malformed SVG ima
- qtsvg-opensource-src 5.11.3-2 (low)
[stretch] - qtsvg-opensource-src <no-dsa> (Minor issue)
[jessie] - qtsvg-opensource-src <no-dsa> (Minor issue)
- - qt4-x11 <unfixed> (low)
+ - qt4-x11 4:4.8.7+dfsg-18 (low)
[stretch] - qt4-x11 <no-dsa> (Minor issue)
[jessie] - qt4-x11 <no-dsa> (Minor issue)
NOTE: https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/
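Review bot: The qt4-x11 line for CVE-2018-19869 carries "(low)" but no bug reference, while the other qt4-x11 lines changed in this commit cite bug #923003; if that bug also covers the SVG issue, add the reference here for consistency, otherwise a short NOTE on why it is tracked separately would help.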
@@ -40006,7 +39997,7 @@ CVE-2018-15518 (QXmlStream in Qt 5.x before 5.11.3 has a double-free or corrupti
{DSA-4374-1 DLA-1627-1}
[experimental] - qtbase-opensource-src 5.11.3+dfsg-1
- qtbase-opensource-src 5.11.3+dfsg-2
- - qt4-x11 <unfixed>
+ - qt4-x11 4:4.8.7+dfsg-18
NOTE: https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/
NOTE: https://codereview.qt-project.org/#/c/236691/
CVE-2018-15517 (The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r00 ...)
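Review bot: CVE-2018-15518 gets the same 4:4.8.7+dfsg-18 fix for qt4-x11 but has no severity tag and no [stretch]/[jessie] annotation, so qt4-x11 stays open in both stable branches after this change even though qtbase is already covered by {DSA-4374-1 DLA-1627-1}; suggest adding the stable-branch decision (as done for CVE-2018-19873) so the tracker reflects whether a qt4-x11 update is planned there.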
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/1ae409ce85e8d2dfa85b99f4aed38ab19939715f