[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Sat Apr 20 23:37:19 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f4dfa4fa by Moritz Muehlenhoff at 2019-04-20T22:36:57Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -9,11 +9,11 @@ CVE-2019-11375 (Msvod v10 has a CSRF vulnerability to change user information vi
 CVE-2019-11374 (74CMS v5.0.1 has a CSRF vulnerability to add a new admin user via the  ...)
 	NOT-FOR-US: 74CMS
 CVE-2019-11373 (An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer ...)
-	- libmediainfo <unfixed> (low)
+	- libmediainfo <unfixed> (low; bug #927672)
 	NOTE: https://github.com/MediaArea/MediaInfoLib/pull/1111
 	NOTE: https://sourceforge.net/p/mediainfo/bugs/1101/
 CVE-2019-11372 (An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test ...)
-	- libmediainfo <unfixed> (low)
+	- libmediainfo <unfixed> (low; bug #927672)
 	NOTE: https://github.com/MediaArea/MediaInfoLib/pull/1111
 	NOTE: https://sourceforge.net/p/mediainfo/bugs/1101/
 CVE-2019-11371 (BWA (aka Burrow-Wheeler Aligner) 0.7.17 r1198 has a Buffer Overflow vi ...)
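Review bot: both libmediainfo entries now cite the same bug #927672 next to the same upstream pull request 1111, which reads consistently, but neither entry receives a [buster] annotation in this buster-triage change, so buster stays implicitly <unfixed> at severity low. If the intent is that the fix reaches buster through the pending unstable upload, nothing more is needed; otherwise a [buster] line of the kind added for gradle and bro in this same commit would make the decision explicit.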
@@ -698,6 +698,7 @@ CVE-2019-11066
 	RESERVED
 CVE-2019-11065 (Gradle versions from 1.4 to 5.3.1 use an insecure HTTP URL to download ...)
 	- gradle <unfixed> (bug #926923)
+	[buster] - gradle <no-dsa> (Minor issue)
 	[stretch] - gradle <no-dsa> (Minor issue)
 	NOTE: https://github.com/gradle/gradle/pull/8927
 CVE-2019-11071 (SPIP 3.1 before 3.1.10 and 3.2 before 3.2.4 allows authenticated visit ...)
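Review bot: the new [buster] line is placed ahead of the existing [stretch] line, matching the suite ordering used elsewhere in the file. The rationale "Minor issue" is terse for a finding that, per the description, concerns downloads over plain HTTP; a short pointer to why the risk is considered low for the packaged version would make the no-dsa decision easier to audit later.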
@@ -16140,7 +16141,8 @@ CVE-2018-20671 (load_specific_debug_section in objdump.c in GNU Binutils through
 CVE-2018-20670
 	RESERVED
 CVE-2019-5008 (hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dere ...)
-	- qemu <unfixed> (bug #927439)
+	- qemu <unfixed> (low; bug #927439)
+	[stretch] - qemu <ignored> (Minor issue)
 	- qemu-kvm <removed>
 	NOTE: https://fakhrizulkifli.github.io/posts/2019/01/03/CVE-2019-5008/
 	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=ad280559c68360c9f1cd7be063857853759e6a73 (4.0.0-rc0)	
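Review bot: the stretch annotation uses <ignored> with the rationale "Minor issue", whereas the same rationale is paired with <no-dsa> for gradle and bro in this change; since <ignored> records that the issue will not be fixed in stretch at all while <no-dsa> leaves a point-release fix open, confirm that <ignored> is the intended state. As a style point, the unchanged NOTE line for the qemu.git commit ends with a stray trailing tab.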
@@ -18367,7 +18369,7 @@ CVE-2019-3903
 	RESERVED
 CVE-2019-3902 [path-checking logic bypass vie symlinks and subrepositories]
 	RESERVED
-	- mercurial 4.9-1
+	- mercurial 4.9-1 (bug #927674)
 	NOTE: https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.9_.282019-02-01.29
 CVE-2019-3901 [perf_event_open() and execve() race in setuid programs allows a data leak]
 	RESERVED
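Review bot: adding bug #927674 while the entry is still RESERVED with a bracketed working description follows the usual pattern. The unchanged CVE-2019-3902 description line contains a typo ("vie symlinks" for "via symlinks") that this hunk does not touch and could be corrected in a follow-up.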
@@ -36461,6 +36463,7 @@ CVE-2018-17020 (ASUS GT-AC5300 devices with firmware through 3.0.0.4.384_32738 a
 	NOT-FOR-US: ASUS GT-AC5300 devices
 CVE-2018-17019 (In Bro through 2.5.5, there is a DoS in IRC protocol names command par ...)
 	- bro <unfixed> (bug #908779)
+	[buster] - bro <no-dsa> (Minor issue)
 	[stretch] - bro <no-dsa> (Minor issue)
 	NOTE: https://github.com/bro/bro/commit/c2b18849f8bb833253538f5dfedb4ed1dc176a30
 CVE-2018-17018 (An issue was discovered on TP-Link TL-WR886N 6.0 2.3.4 and TL-WR886N 7 ...)
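Review bot: the [buster] no-dsa line mirrors the existing [stretch] one, so buster and stretch are now triaged identically while unstable stays <unfixed> with bug #908779 open. Since the NOTE already points at an upstream fix commit, a no-dsa decision implies the fix is expected through a regular upload or point release rather than a DSA; it would help if the open bug records that expectation.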
@@ -37150,6 +37153,7 @@ CVE-2018-16808 (An issue was discovered in Dolibarr through 7.0.0. There is Stor
 	NOTE: https://github.com/Dolibarr/dolibarr/issues/9449
 CVE-2018-16807 (In Bro through 2.5.5, there is a memory leak potentially leading to Do ...)
 	- bro <unfixed> (low; bug #908614)
+	[buster] - bro <no-dsa> (Minor issue)
 	[stretch] - bro <no-dsa> (Minor issue)
 	NOTE: https://github.com/bro/bro/commit/34d0cf886ca16c665f673a299e295b2a2bc14533
 CVE-2018-16806 (A Pektron Passive Keyless Entry and Start (PKES) system, as used on th ...)
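Review bot: consistent with the CVE-2018-17019 hunk above; the only difference is that this entry already carries an explicit "low" severity on the unstable line, so the buster no-dsa / "Minor issue" decision is in line with the severity recorded there.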
@@ -72777,7 +72781,7 @@ CVE-2017-18010 (The E-goi Smart Marketing SMS and Newsletters Forms plugin befor
 	NOT-FOR-US: E-goi Smart Marketing SMS and Newsletters Forms plugin for WordPress
 CVE-2017-18009 (In OpenCV 3.3.1, a heap-based buffer over-read exists in the function  ...)
 	[experimental] - opencv 3.4.4+dfsg-1~exp1
-	- opencv <unfixed> (bug #924884)
+	- opencv 3.2.0+dfsg-6 (bug #924884)
 	[stretch] - opencv <not-affected> (Vulnerable code introduced later)
 	[jessie] - opencv <not-affected> (Vulnerable code introduced later)
 	[wheezy] - opencv <not-affected> (Vulnerable code introduced later)
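Review bot: replacing <unfixed> with the fixed version 3.2.0+dfsg-6 while keeping the bug #924884 reference is correct, and the [experimental] 3.4.4+dfsg-1~exp1 line above it remains, so both unstable and experimental are now recorded as fixed. Worth double-checking that 3.2.0+dfsg-6 is the version whose changelog closes #924884, since the stretch, jessie and wheezy not-affected annotations rest on the same claim about when the vulnerable code was introduced.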



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f4dfa4fa27cbee96cb03f5f1020387398d4f2cfa
