[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Sun Apr 21 21:40:03 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e7d70537 by Moritz Muehlenhoff at 2019-04-21T20:39:39Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1554,7 +1554,9 @@ CVE-2019-10742
 CVE-2019-10741 (K-9 Mail v5.600 can include the original quoted HTML code of a special ...)
 	NOT-FOR-US: K-9 Mail
 CVE-2019-10740 (In Roundcube Webmail 1.3.4, an attacker in possession of S/MIME or PGP ...)
-	- roundcube <unfixed>
+	- roundcube <unfixed> (bug #927713)
+	[buster] - roundcube <postponed> (Revisit when fixed upstream)
+	[stretch] - roundcube <postponed> (Revisit when fixed upstream)
 	NOTE: https://github.com/roundcube/roundcubemail/issues/6638
 CVE-2019-10739
 	RESERVED
@@ -3174,7 +3176,7 @@ CVE-2019-10046
 CVE-2019-10045
 	RESERVED
 CVE-2019-10044 (Telegram Desktop before 1.5.12 on Windows, and the Telegram applicatio ...)
-	- telegram-desktop <unfixed>
+	- telegram-desktop <unfixed> (bug #927711)
 	NOTE: https://github.com/blazeinfosec/advisories/blob/master/telegram-advisory.txt
 CVE-2019-10043
 	RESERVED
@@ -4635,6 +4637,7 @@ CVE-2019-9752 (An issue was discovered in Open Ticket Request System (OTRS) 5.x
 	NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/d4e3dfbaa054762b29df54705aa412685dd37e15
 CVE-2019-9751 (An issue was discovered in Open Ticket Request System (OTRS) 6.x befor ...)
 	- otrs2 6.0.17-1
+	[buster] - otrs2 <no-dsa> (Non-free not supported)
 	[stretch] - otrs2 <no-dsa> (Non-free not supported)
 	[jessie] - otrs2 <not-affected> (Vulnerable code not present)
 	NOTE: https://community.otrs.com/security-advisory-2019-02-security-update-for-otrs-framework
@@ -18493,7 +18496,7 @@ CVE-2019-3886 (An incorrect permissions check was discovered in libvirt 4.8.0 an
 	NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=2a07c990bd9143d7a0fe8d1b6b7c763c52185240
 	NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=ae076bb40e0e150aef41361b64001138d04d6c60
 CVE-2019-3885 (A use-after-free flaw was found in pacemaker up to and including versi ...)
-	- pacemaker <unfixed>
+	- pacemaker <unfixed> (bug #927714)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
 CVE-2019-3884
 	RESERVED
@@ -29943,14 +29946,14 @@ CVE-2018-19417 (An issue was discovered in the MQTT server in Contiki-NG before
 	NOT-FOR-US: Contiki-NG
 CVE-2018-19517 (An issue was discovered in sysstat 12.1.1. The remap_struct function i ...)
 	[experimental] - sysstat 12.0.3-1
-	- sysstat <unfixed> (low; bug #914553)
+	- sysstat 12.0.3-2 (low; bug #914553)
 	[stretch] - sysstat <not-affected> (Vulnerable code introduced later)
 	[jessie] - sysstat <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/sysstat/sysstat/issues/199
 	NOTE: Fixed by: https://github.com/sysstat/sysstat/commit/fbc691eaaa10d0bcea6741d5a223dc3906106548
 CVE-2018-19416 (An issue was discovered in sysstat 12.1.1. The remap_struct function i ...)
 	[experimental] - sysstat 12.0.3-1
-	- sysstat <unfixed> (low; bug #914384)
+	- sysstat 12.0.3-2 (low; bug #914384)
 	[stretch] - sysstat <not-affected> (Vulnerable code introduced later)
 	[jessie] - sysstat <not-affected> (vulnerable code was introduced later)
 	NOTE: https://github.com/sysstat/sysstat/issues/196
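Review bot: style nit in the unchanged context of this hunk: the jessie line for CVE-2018-19416 reads `[jessie] - sysstat <not-affected> (vulnerable code was introduced later)` while the three sibling lines (both stretch entries and the CVE-2018-19417 jessie entry) use `(Vulnerable code introduced later)`. Since the commit already edits both sysstat entries to mark 12.0.3-2 as fixed, aligning that one reason string with the others would keep the two entries consistent.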
@@ -36871,10 +36874,10 @@ CVE-2018-16880 (A flaw was found in the Linux kernel's handle_rx() function in t
 CVE-2018-16879 (Ansible Tower before version 3.3.3 does not set a secure channel as it ...)
 	NOT-FOR-US: Ansible Tower
 CVE-2018-16878 (A flaw was found in pacemaker up to and including version 2.0.1. An in ...)
-	- pacemaker <unfixed>
+	- pacemaker <unfixed> (bug #927714)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
 CVE-2018-16877 (A flaw was found in the way pacemaker's client-server authentication w ...)
-	- pacemaker <unfixed>
+	- pacemaker <unfixed> (bug #927714)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/1
 CVE-2018-16876 (ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a infor ...)
 	{DSA-4396-1}
@@ -52912,6 +52915,7 @@ CVE-2018-10894 (It was found that SAML authentication in Keycloak 3.4.3.Final in
 	NOT-FOR-US: Keycloak
 CVE-2018-10893 (Multiple integer overflow and buffer overflow issues were discovered i ...)
 	- spice-gtk <unfixed> (bug #904161)
+	[buster] - spice-gtk <no-dsa> (Minor issue)
 	[stretch] - spice-gtk <no-dsa> (Minor issue)
 	[jessie] - spice-gtk <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1598234
@@ -81098,7 +81102,7 @@ CVE-2018-1110 [Improper Input Validation]
 	NOTE: http://www.openwall.com/lists/oss-security/2018/04/23/2
 CVE-2018-1109
 	RESERVED
-	- node-braces <unfixed>
+	- node-braces <unfixed> (bug #927716)
 	[stretch] - node-braces <ignored> (Nodejs in stretch not covered by security support)
 	NOTE: https://snyk.io/vuln/npm:braces:20180219
 	NOTE: https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
@@ -87248,7 +87252,7 @@ CVE-2017-16121 (datachannel-client is a signaling implementation for DataChannel
 CVE-2017-16120 (liyujing is a static file server. liyujing is vulnerable to a director ...)
 	NOT-FOR-US: liyujing
 CVE-2017-16119 (Fresh is a module used by the Express.js framework for HTTP response f ...)
-	- node-fresh <unfixed>
+	- node-fresh <unfixed> (bug #927715)
 	[stretch] - node-braces <ignored> (Nodejs in stretch not covered by security support)
 	NOTE: https://nodesecurity.io/advisories/526
 CVE-2017-16118 (The forwarded module is used by the Express.js framework to handle the ...)
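Review bot: the unchanged `[stretch]` line in this hunk names the wrong package. Under CVE-2017-16119, whose source package is node-fresh, the entry reads `[stretch] - node-braces <ignored> (Nodejs in stretch not covered by security support)`, which looks copied from the CVE-2018-1109 (node-braces) entry earlier in this same diff. Since the commit already touches this entry to add `(bug #927715)`, consider correcting it to `[stretch] - node-fresh <ignored> (Nodejs in stretch not covered by security support)` so the stretch status is actually attached to node-fresh rather than leaving node-fresh in stretch with no status at all.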
@@ -87443,7 +87447,7 @@ CVE-2017-16028 (react-native-meteor-oauth is a library for Oauth2 login to a Met
 CVE-2017-16027
 	RESERVED
 CVE-2017-16026 (Request is an http client. If a request is made using ```multipart```, ...)
-	- node-request <unfixed> (bug #901708)
+	- node-request 2.88.1-1 (bug #901708)
 	[stretch] - node-request <ignored> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/request/request/issues/1904
 	NOTE: https://nodesecurity.io/advisories/309
@@ -108813,6 +108817,7 @@ CVE-2017-9116 (In OpenEXR 2.2.0, an invalid read of size 1 in the uncompress fun
 	NOTE: https://github.com/openexr/openexr/issues/232
 CVE-2017-9115 (In OpenEXR 2.2.0, an invalid write of size 2 in the = operator functio ...)
 	- openexr <unfixed> (bug #873885)
+	[buster] - openexr <no-dsa> (Minor issue)
 	[stretch] - openexr <no-dsa> (Minor issue)
 	[jessie] - openexr <no-dsa> (Minor issue)
 	[wheezy] - openexr <no-dsa> (Minor issue)
@@ -108820,6 +108825,7 @@ CVE-2017-9115 (In OpenEXR 2.2.0, an invalid write of size 2 in the = operator fu
 	NOTE: https://github.com/openexr/openexr/issues/232
 CVE-2017-9114 (In OpenEXR 2.2.0, an invalid read of size 1 in the refill function in  ...)
 	- openexr <unfixed> (bug #873885)
+	[buster] - openexr <no-dsa> (Minor issue)
 	[stretch] - openexr <no-dsa> (Minor issue)
 	[jessie] - openexr <no-dsa> (Minor issue)
 	[wheezy] - openexr <no-dsa> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e7d70537a49b4f0a6c19b211cd359614e4fd8a10
