[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Sat Apr 20 22:54:18 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d1aa257f by Moritz Muehlenhoff at 2019-04-20T21:53:56Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1497,6 +1497,8 @@ CVE-2019-10736
 	RESERVED
 CVE-2019-10735 (In Claws Mail 3.14.1, an attacker in possession of S/MIME or PGP encry ...)
 	- claws-mail <unfixed> (low; bug #926705)
+	[buster] - claws-mail <postponed> (Revisit when fixed upstream)
+	[stretch] - claws-mail <postponed> (Revisit when fixed upstream)
 	NOTE: https://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=4159
 CVE-2019-10734 (In KDE Trojita 0.7, an attacker in possession of S/MIME or PGP encrypt ...)
 	- trojita <itp> (bug #795701)
@@ -1505,6 +1507,9 @@ CVE-2019-10733
 	RESERVED
 CVE-2019-10732 (In KDE KMail 5.2.3, an attacker in possession of S/MIME or PGP encrypt ...)
 	- kmail <unfixed> (bug #926996)
+	[buster] - kmail <postponed> (Revisit when fixed upstream)
+	- kdepim <removed>
+	[stretch] - kdepim <postponed> (Revisit when fixed upstream)
 	NOTE: https://bugs.kde.org/show_bug.cgi?id=404698
 CVE-2019-10731
 	RESERVED
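Review bot: On CVE-2019-10732 the new `- kdepim <removed>` line is followed only by a `[stretch]` annotation. If any other tracked release still ships this code under the kdepim source (other entries in this file carry `[jessie]` lines), it needs its own kdepim line or it would show as open with no triage state. Separately, `- kmail <unfixed> (bug #926996)` carries no severity while the parallel claws-mail entry for CVE-2019-10735 is marked `low`; consider giving both the same urgency.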
@@ -18630,6 +18635,7 @@ CVE-2019-3830 (A vulnerability was found in ceilometer before version 12.0.0.0rc
 	[jessie] - ceilometer <not-affected> (vulnerable code is not present)
 	NOTE: https://bugs.launchpad.net/ceilometer/+bug/1811098/
 	NOTE: Introduced in https://github.com/openstack/ceilometer/commit/50415c0d08a3199d2280f3638dd121779585f0fe (10.0.0.0)
+	NOTE: Fixed in https://github.com/openstack/ceilometer/commit/8881a42af169a2d7c912b1434911f978883c83f3
 CVE-2019-3829 (A vulnerability was found in gnutls versions from 3.5.8 before 3.6.7.  ...)
 	[experimental] - gnutls28 3.6.7-1
 	- gnutls28 3.6.7-2
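Review bot: The added `NOTE: Fixed in ...` line for CVE-2019-3830 gives only the commit, while the `Introduced in` note directly above it also names the release in parentheses (10.0.0.0). Append the first release containing the fix in the same style, so the affected range can be read off the two notes without opening the links.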
@@ -19979,14 +19985,14 @@ CVE-2018-20535 (There is a use-after-free at asm/preproc.c (function pp_getline)
 	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392530
 	NOTE: Crash in CLI tool, no security impact
 CVE-2018-20534 (** DISPUTED ** There is an illegal address access at ext/testcase.c in ...)
-	- libsolv <unfixed> (low; bug #923002)
-	[stretch] - libsolv <ignored> (Minor issue)
-	[jessie] - libsolv <ignored> (Minor issue)
+	- libsolv <unfixed> (unimportant; bug #923002)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652604
 	NOTE: https://github.com/openSUSE/libsolv/pull/291
 	NOTE: https://github.com/openSUSE/libsolv/commit/4830af9d979d3685de538b80fbeba51ad590525e
+	NOTE: Only affects the test suite
 CVE-2018-20533 (There is a NULL pointer dereference at ext/testcase.c (function testca ...)
 	- libsolv <unfixed> (low; bug #923002)
+	[buster] - libsolv <no-dsa> (Minor issue)
 	[stretch] - libsolv <ignored> (Minor issue)
 	[jessie] - libsolv <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652599
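Review bot: CVE-2018-20534 is downgraded to `unimportant` with `NOTE: Only affects the test suite`, but CVE-2018-20533 directly below is described as being in the same file, ext/testcase.c, and stays at `low` with a new `[buster] - libsolv <no-dsa>` line. If the test-suite rationale holds for ext/testcase.c as a whole, 20533 (and 20532 in the next hunk) should get the same treatment; if it does not, extend the NOTE to say why 20534 differs.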
@@ -19994,6 +20000,7 @@ CVE-2018-20533 (There is a NULL pointer dereference at ext/testcase.c (function
 	NOTE: https://github.com/openSUSE/libsolv/commit/4830af9d979d3685de538b80fbeba51ad590525e
 CVE-2018-20532 (There is a NULL pointer dereference at ext/testcase.c (function testca ...)
 	- libsolv <unfixed> (low; bug #923002)
+	[buster] - libsolv <no-dsa> (Minor issue)
 	[stretch] - libsolv <ignored> (Minor issue)
 	[jessie] - libsolv <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652605
@@ -49177,11 +49184,13 @@ CVE-2018-12184
 	RESERVED
 CVE-2018-12183 (Stack overflow in DxeCore for EDK II may allow an unauthenticated user ...)
 	- edk2 0~20181115.85588389-1
+	[buster] - edk2 <no-dsa> (Minor issue)
 	[stretch] - edk2 <no-dsa> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 	NOTE: https://github.com/tianocore/edk2/commit/0a0d5296e448fc350de1594c49b9c0deff7fad60
 CVE-2018-12182 (Insufficient memory write check in SMM service for EDK II may allow an ...)
 	- edk2 <unfixed> (low; bug #927484)
+	[buster] - edk2 <no-dsa> (Minor issue)
 	[stretch] - edk2 <no-dsa> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free is not supported)
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1136
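Review bot: For CVE-2018-12183 the unstable line is already fixed at `0~20181115.85588389-1`, so the added `[buster] - edk2 <no-dsa> (Minor issue)` only makes sense if buster ships an older edk2 than that. Please confirm the buster version; if it is at or above the fixed version the line is redundant and should be dropped, leaving the `[buster]` annotation only on CVE-2018-12182, which is still `<unfixed>`.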
@@ -87759,7 +87768,7 @@ CVE-2016-10544 (uws is a WebSocket server library. By sending a 256mb websocket
 CVE-2016-10543 (call is an HTTP router that is primarily used by the hapi framework. T ...)
 	NOT-FOR-US: call HTTP router
 CVE-2016-10542 (ws is a "simple to use, blazing fast and thoroughly tested websocket c ...)
-	- node-ws <unfixed>
+	- node-ws <unfixed> (bug #927671)
 	[stretch] - node-ws <ignored> (Nodejs in stretch not covered by security support)
 	NOTE: https://nodesecurity.io/advisories/120
 	NOTE: https://github.com/nodejs/node/issues/7388
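Review bot: On CVE-2016-10542 the unstable line gains `bug #927671` but still has no severity, and unlike the other entries touched by this buster triage commit no `[buster]` line is added, so buster stays open with no recorded decision. Add either the buster state or a severity so the entry sorts correctly until the bug is resolved.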



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d1aa257f0c2e5f596ebc21d06f5f42c215d4fa8c
