[Git][security-tracker-team/security-tracker][master] stretch triage

Moritz Muehlenhoff jmm at debian.org
Thu Apr 18 16:42:17 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8dd2fc06 by Moritz Muehlenhoff at 2019-04-18T15:41:49Z
stretch triage

- - - - -


3 changed files:

- data/CVE/list
- data/dsa-needed.txt
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3068,7 +3068,7 @@ CVE-2019-9943
 	RESERVED
 CVE-2016-10743 (hostapd before 2.6 does not prevent use of the low-quality PRNG that i ...)
 	{DLA-1733-1}
-	- wpa 2:2.6-7
+	- wpa 2:2.6-7 (unimportant)
 	NOTE: https://w1.fi/cgit/hostap/commit/?id=98a516eae8260e6fd5c48ddecf8d006285da7389
 	NOTE: There was already a 2.6 upload late in 2016 but then reverted to a 2.4 based
 	NOTE: version and only reuploaded as 2:2.6-7 to unstable.
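Review bot: the "(unimportant)" severity added to the unstable line sits directly under a {DLA-1733-1} reference, so jessie did ship an advisory for this issue while unstable now rates it as not worth a fix; if the tag reflects the upstream change being hardening of an already-weak PRNG path rather than a real fix, consider a NOTE line stating that, so the DLA and the new severity do not read as contradictory.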
@@ -15010,8 +15010,10 @@ CVE-2019-5421 (Plataformatec Devise version 4.5.0 and earlier, using the lockabl
 	NOTE: https://github.com/plataformatec/devise/pull/4996
 CVE-2019-5420 (A remote code execution vulnerability in development mode Rails <5. ...)
 	- rails 2:5.2.2.1+dfsg-1 (bug #924521)
+	[stretch] - rails <not-affected> (Vulnerable code not present)
 	[jessie] - rails <not-affected> (vulnerable code is not present in 4.x)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/03/13/3
+	NOTE: Introduced in https://github.com/rails/rails/commit/69f976b859cae7f9d050152103da018b7f5dda6d
 CVE-2019-5419 (There is a possible denial of service vulnerability in Action View (Ra ...)
 	{DLA-1739-1}
 	- rails 2:5.2.2.1+dfsg-1 (bug #924520)
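Review bot: the new "[stretch] - rails <not-affected> (Vulnerable code not present)" line gives a different justification from the jessie line directly below it ("vulnerable code is not present in 4.x"); since the data/next-point-update.txt hunk shows stretch also ships a 4.2 rails, the stretch reason could use the same "not present in 4.x" wording so the two lines clearly rest on the same argument, and the added "Introduced in" NOTE backs that up.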
@@ -72689,6 +72691,7 @@ CVE-2018-3775 (Improper Authentication in Nextcloud Server prior to version 12.0
 	- nextcloud <itp> (bug #835086)
 CVE-2018-3774 (Incorrect parsing in url-parse <1.4.3 returns wrong hostname which  ...)
 	- node-url-parse 1.2.0-2 (bug #906058)
+	[stretch] - node-url-parse <ignored> (Nodejs in stretch not covered by security support)
 	NOTE: https://hackerone.com/reports/384029
 	NOTE: https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a
 	NOTE: https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de
@@ -72834,6 +72837,7 @@ CVE-2018-3720 (assign-deep node module before 0.4.7 suffers from a Modification
 	NOT-FOR-US: assign-deep node module
 CVE-2018-3719 (mixin-deep node module before 1.3.1 suffers from a Modification of Ass ...)
 	- node-mixin-deep <unfixed> (bug #898315)
+	[stretch] - node-mixin-deep <ignored> (Nodejs in stretch not covered by security support)
 	NOTE: https://nodesecurity.io/advisories/578
 CVE-2018-3718 (serve node module suffers from Improper Handling of URL Encoding by pe ...)
 	NOT-FOR-US: serve node module
@@ -80742,6 +80746,7 @@ CVE-2018-1110 [Improper Input Validation]
 CVE-2018-1109
 	RESERVED
 	- node-braces <unfixed>
+	[stretch] - node-braces <ignored> (Nodejs in stretch not covered by security support)
 	NOTE: https://snyk.io/vuln/npm:braces:20180219
 	NOTE: https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
 CVE-2018-1108 (kernel drivers before version 4.17-rc1 are vulnerable to a weakness in ...)
@@ -86869,6 +86874,7 @@ CVE-2017-16130 (exxxxxxxxxxx is an Http eX Frame Google Style JavaScript Guide.
 	NOT-FOR-US: exxxxxxxxxxx
 CVE-2017-16129 (The HTTP client module superagent is vulnerable to ZIP bomb attacks. I ...)
 	- node-superagent 0.20.0+dfsg-2
+	[stretch] - node-superagent <ignored> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/visionmedia/superagent/issues/1259
 	NOTE: https://nodesecurity.io/advisories/479
 CVE-2017-16128 (The module npm-script-demo opened a connection to a command and contro ...)
@@ -86891,6 +86897,7 @@ CVE-2017-16120 (liyujing is a static file server. liyujing is vulnerable to a di
 	NOT-FOR-US: liyujing
 CVE-2017-16119 (Fresh is a module used by the Express.js framework for HTTP response f ...)
 	- node-fresh <unfixed>
+	[stretch] - node-braces <ignored> (Nodejs in stretch not covered by security support)
 	NOTE: https://nodesecurity.io/advisories/526
 CVE-2017-16118 (The forwarded module is used by the Express.js framework to handle the ...)
 	NOT-FOR-US: forwarded nodejs module
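Review bot: the added stretch line under CVE-2017-16119 names the wrong source package: it reads "[stretch] - node-braces <ignored> ..." but the entry is for node-fresh (see "- node-fresh <unfixed>" on the line above), and node-braces already got its own stretch line under CVE-2018-1109 in an earlier hunk; this looks like a copy-paste slip and should be "[stretch] - node-fresh <ignored> (Nodejs in stretch not covered by security support)", otherwise the tracker will record a bogus node-braces entry for this CVE and leave node-fresh untriaged for stretch.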
@@ -87085,6 +87092,7 @@ CVE-2017-16027
 	RESERVED
 CVE-2017-16026 (Request is an http client. If a request is made using ```multipart```, ...)
 	- node-request <unfixed> (bug #901708)
+	[stretch] - node-request <ignored> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/request/request/issues/1904
 	NOTE: https://nodesecurity.io/advisories/309
 	NOTE: https://github.com/request/request/pull/2018
@@ -87481,6 +87489,7 @@ CVE-2016-10543 (call is an HTTP router that is primarily used by the hapi framew
 	NOT-FOR-US: call HTTP router
 CVE-2016-10542 (ws is a "simple to use, blazing fast and thoroughly tested websocket c ...)
 	- node-ws <unfixed>
+	[stretch] - node-ws <ignored> (Nodejs in stretch not covered by security support)
 	NOTE: https://nodesecurity.io/advisories/120
 	NOTE: https://github.com/nodejs/node/issues/7388
 CVE-2016-10541 (The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -15,6 +15,8 @@ If needed, specify the release by adding a slash after the name of the source pa
 389-ds-base (fw)
   Thorsten Alteholz proposed an update
 --
+drupal7
+--
 evolution
 --
 faad2
@@ -40,7 +42,7 @@ mercurial
 nss
   Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508
 --
-rails
+openjdk-8
 --
 simplesamlphp
 --


=====================================
data/next-point-update.txt
=====================================
@@ -183,3 +183,9 @@ CVE-2019-2537
 	[stretch] - mariadb-10.1 10.1.38-0+deb9u1
 CVE-2019-2529
 	[stretch] - mariadb-10.1 10.1.38-0+deb9u1
+CVE-2019-5418
+	[stretch] - rails 2:4.2.7.1-1+deb9u1
+CVE-2019-5419
+	[stretch] - rails 2:4.2.7.1-1+deb9u1
+CVE-2018-16476
+	[stretch] - rails 2:4.2.7.1-1+deb9u1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8dd2fc06dccd8024df2ccd88fac82ae14ed5e70f
