[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2017-10799,graphicsmagick: Remove Jessie no-dsa tag.

Markus Koschany apo at debian.org
Sat Apr 13 21:35:31 BST 2019



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
51b1683f by Markus Koschany at 2019-04-13T20:31:49Z
CVE-2017-10799,graphicsmagick: Remove Jessie no-dsa tag.

- - - - -
49547c4c by Markus Koschany at 2019-04-13T20:34:09Z
CVE-2019-11005,graphicsmagick: Jessie is not affected.

- - - - -
8d663e3c by Markus Koschany at 2019-04-13T20:35:17Z
Reserve DLA-1755-1 for graphicsmagick

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -505,6 +505,7 @@ CVE-2019-11006 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a heap-base
 	NOTE: https://sourceforge.net/p/graphicsmagick/bugs/598/
 CVE-2019-11005 (In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based buf ...)
 	- graphicsmagick <unfixed>
+	[jessie] - graphicsmagick <not-affected> (The vulnerable code is not present)
 	NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/b6fb77d7d54d
 	NOTE: https://sourceforge.net/p/graphicsmagick/bugs/600/
 CVE-2019-11004 (In Materialize through 1.0.0, XSS is possible via the Toast feature. ...)
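Review bot: The added `[jessie] - graphicsmagick <not-affected> (The vulnerable code is not present)` line for CVE-2019-11005 gives a later triager nothing to re-check the claim against. Consider adding a NOTE that names the file or function touched by the fix at rev b6fb77d7d54d and the jessie source version that was inspected, so it is clear the code is absent rather than merely different.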
@@ -103119,7 +103120,6 @@ CVE-2017-10800 (When GraphicsMagick 1.3.25 processes a MATLAB image in coders/ma
 CVE-2017-10799 (When GraphicsMagick 1.3.25 processes a DPX image (with metadata indica ...)
 	{DSA-4321-1 DLA-1045-1}
 	- graphicsmagick 1.3.26-1 (bug #867077)
-	[jessie] - graphicsmagick <no-dsa> (Minor issue)
 	NOTE: http://hg.code.sf.net/p/graphicsmagick/code/rev/f10b9bb3ca62
 CVE-2017-10798 (In ObjectPlanet Opinio before 7.6.4, there is XSS. ...)
 	NOT-FOR-US: ObjectPlanet Opinio
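Review bot: With the `[jessie] - graphicsmagick <no-dsa> (Minor issue)` line removed from CVE-2017-10799, the entry has no jessie-specific status left, and its cross-reference line still reads `{DSA-4321-1 DLA-1045-1}`. data/DLA/list in this push lists the CVE under DLA-1755-1, so check that the entry ends up cross-referencing DLA-1755-1, and consider saying in the commit message why the earlier no-dsa decision was reversed.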


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[13 Apr 2019] DLA-1755-1 graphicsmagick - security update
+	{CVE-2017-10799 CVE-2019-11006 CVE-2019-11007 CVE-2019-11008 CVE-2019-11009 CVE-2019-11010}
+	[jessie] - graphicsmagick 1.3.20-3+deb8u6
 [13 Apr 2019] DLA-1628-2 jasper - regression update
 	[jessie] - jasper 1.900.1-debian1-2.4+deb8u6
 [09 Apr 2019] DLA-1754-1 samba - security update
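Review bot: The new DLA-1755-1 entry lists CVE-2019-11006 through CVE-2019-11010, but none of those entries is changed in the data/CVE/list hunks of this push, so their jessie status cannot be checked from here. Confirm that none of them carries a `[jessie]` no-dsa or not-affected line that would contradict the `1.3.20-3+deb8u6` fix recorded in this entry. CVE-2019-11005 is left out of the list, which matches its not-affected tag.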


=====================================
data/dla-needed.txt
=====================================
@@ -47,8 +47,6 @@ gradle
   NOTE: 20190412: unless you believe http->https would cause significant breakage;
   NOTE: 20190412: ajax.googleapis.com's SSL cert appears well supported in jessie
 --
-graphicsmagick (Markus Koschany)
---
 hdf5 (Hugo Lefeuvre)
   NOTE: requires some prior triage, almost all cves undetermined.
   NOTE: contacted hdf5 upstream, received information, currently updating the tracker.



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/f56e07085bb5a1a28e77844a11050c53083cde55...8d663e3cdeac1e231ebff3321ed4d9dc65d3bbbe
