[Git][security-tracker-team/security-tracker][master] stretch triage
Moritz Muehlenhoff
jmm at debian.org
Wed Apr 24 18:47:20 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7ae96d6a by Moritz Muehlenhoff at 2019-04-24T17:46:45Z
stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -61,7 +61,9 @@ CVE-2019-11473 (coders/xwd.c in GraphicsMagick 1.3.31 allows attackers to cause
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/5402c5cbd8bd
NOTE: http://hg.graphicsmagick.org/hg/GraphicsMagick/rev/944dcbc457f8
CVE-2019-11472 (ReadXWDImage in coders/xwd.c in the XWD image parsing component of Ima ...)
- - imagemagick <unfixed> (bug #927828)
+ - imagemagick <unfixed> (low; bug #927828)
+ [buster] - imagemagick <ignored> (Minor issue)
+ [stretch] - imagemagick <ignored> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1546
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/f663dfb8431c97d95682a2b533cca1c8233d21b4
CVE-2019-11471 (libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::set_al ...)
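Review bot: `<ignored>` for buster and stretch while the unstable entry stays `<unfixed>` with bug #927828 open looks inconsistent with the NOTE that already links the upstream ImageMagick6 fix commit; `<ignored>` tells readers the release will never get the fix, whereas `<no-dsa>` or `<postponed>` would leave the door open to picking up that commit in a later point release. If the intent really is to never fix it in the stable releases, the "Minor issue" reason is enough, but then the tracking bug should say so too.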
@@ -69,7 +71,9 @@ CVE-2019-11471 (libheif 1.4.0 has a use-after-free in heif::HeifContext::Image::
NOTE: https://github.com/strukturag/libheif/commit/995a4283d8ed2d0d2c1ceb1a577b993df2f0e014
NOTE: https://github.com/strukturag/libheif/issues/123
CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows attack ...)
- - imagemagick <unfixed> (bug #927830)
+ - imagemagick <unfixed> (low; bug #927830)
+ [buster] - imagemagick <ignored> (Minor issue)
+ [stretch] - imagemagick <ignored> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1472
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/a0473b29add9521ffd4c74f6f623b418811762b0
CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrol ...)
@@ -298,10 +302,12 @@ CVE-2019-11374 (74CMS v5.0.1 has a CSRF vulnerability to add a new admin user vi
NOT-FOR-US: 74CMS
CVE-2019-11373 (An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer ...)
- libmediainfo <unfixed> (low; bug #927672)
+ [stretch] - libmediainfo <no-dsa> (Minor issue)
NOTE: https://github.com/MediaArea/MediaInfoLib/pull/1111
NOTE: https://sourceforge.net/p/mediainfo/bugs/1101/
CVE-2019-11372 (An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test ...)
- libmediainfo <unfixed> (low; bug #927672)
+ [stretch] - libmediainfo <no-dsa> (Minor issue)
NOTE: https://github.com/MediaArea/MediaInfoLib/pull/1111
NOTE: https://sourceforge.net/p/mediainfo/bugs/1101/
CVE-2019-11371 (BWA (aka Burrow-Wheeler Aligner) 0.7.17 r1198 has a Buffer Overflow vi ...)
@@ -1055,12 +1061,14 @@ CVE-2019-11036
CVE-2019-11035 (When processing certain files, PHP EXIF extension in versions 7.1.x be ...)
- php7.3 7.3.4-1
- php7.0 <removed>
+ [stretch] - php7.0 <postponed> (Fix along in future update)
- php5 <removed>
NOTE: Fixed in 7.1.28, 7.2.17, 7.3.4
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77831
CVE-2019-11034 (When processing certain files, PHP EXIF extension in versions 7.1.x be ...)
- php7.3 7.3.4-1
- php7.0 <removed>
+ [stretch] - php7.0 <postponed> (Fix along in future update)
- php5 <removed>
NOTE: Fixed in 7.1.28, 7.2.17, 7.3.4
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77753
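Review bot: the `<postponed>` reason "Fix along in future update" is awkward and does not say which update is meant; "Fix along with the next php7.0 update for stretch" would make the plan unambiguous, and since CVE-2019-11035 and CVE-2019-11034 receive the identical annotation, the same wording should be used in both entries.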
@@ -1094,10 +1102,10 @@ CVE-2019-11024 (The load_pnm function in frompnm.c in libsixel.a in libsixel 1.8
NOTE: https://github.com/saitoha/libsixel/issues/85
NOTE: Negligible security impact
CVE-2019-11023 (The agroot() function in cgraph\obj.c in libcgraph.a in Graphviz 2.39. ...)
- - graphviz <unfixed> (bug #926724)
- [jessie] - graphviz <postponed> (Minor issue; clean crash / DoS)
+ - graphviz <unfixed> (unimportant; bug #926724)
NOTE: https://gitlab.com/graphviz/graphviz/issues/1517
NOTE: https://gitlab.com/graphviz/graphviz/commit/839085f8026afd6f6920a0c31ad2a9d880d97932
+ NOTE: Crash in CLI tool, no security impact
CVE-2019-11022
RESERVED
CVE-2019-11021
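Review bot: the new NOTE "Crash in CLI tool, no security impact" is the rationale for both the `unimportant` classification and for dropping the `[jessie] <postponed>` line, so it reads better placed directly under the package line, ahead of the two upstream URL NOTEs, matching how the previous entry records "Negligible security impact". The `bug #926724` reference is kept, which is right, since the Debian bug stays open independently of the tracker classification.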
@@ -1950,6 +1958,8 @@ CVE-2019-10715
RESERVED
CVE-2019-10714 (LocaleLowercase in MagickCore/locale.c in ImageMagick before 7.0.8-32 ...)
- imagemagick <unfixed>
+ [buster] - imagemagick <ignored> (Minor issue)
+ [stretch] - imagemagick <ignored> (Minor issue)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1495
NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/aa6a769bd85f6750c26e53e53dcd8a2678745501
TODO: check, potentially only introduced in later versions than present in unstable as LocaleLowercase not present, but check if present before refactoring
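Review bot: the buster and stretch `<ignored> (Minor issue)` lines are committed while the TODO below still questions whether `LocaleLowercase` exists at all in the versions packaged in unstable and the releases; if the function is absent, the accurate annotation is `<not-affected>`, not `<ignored>`. Either resolve the TODO first or add a NOTE recording that the check was done and the code is present.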
@@ -9711,6 +9721,7 @@ CVE-2019-7722 (PMD 5.8.1 and earlier processes XML external entities in ruleset
NOT-FOR-US: PMD
CVE-2019-XXXX [fuse mount exposes backup to unauthorized users]
- borgbackup 1.1.9-1 (bug #922080)
+ [stretch] - borgbackup <no-dsa> (Minor issue)
NOTE: https://github.com/borgbackup/borg/issues/3903
CVE-2019-7721 (lib/NCCms.class.php in nc-cms 3.5 allows upload of .php files via the ...)
NOT-FOR-US: nc-cms
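Review bot: "Minor issue" as the `<no-dsa>` reason sits uneasily next to the description "fuse mount exposes backup to unauthorized users", which reads as an information disclosure; a NOTE stating why it is minor (for example the conditions under which the exposure occurs) would let later readers follow the reasoning without re-reading upstream issue #3903. The entry is also still filed under the placeholder `CVE-2019-XXXX`, so it will need re-keying once an identifier is assigned.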
@@ -30570,6 +30581,7 @@ CVE-2019-0223 (While investigating bug PROTON-2014, we discovered that under som
TODO: check details
CVE-2019-0222 (In Apache ActiveMQ 5.0.0 - 5.15.8, unmarshalling corrupt MQTT frame ca ...)
- activemq <unfixed> (bug #925964)
+ [stretch] - activemq <no-dsa> (Minor issue)
[jessie] - activemq <not-affected> (MQTT support not enabled)
NOTE: http://activemq.apache.org/security-advisories.data/CVE-2019-0222-announcement.txt
CVE-2019-0221
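Review bot: the jessie line says `<not-affected>` because MQTT support is not enabled; if the stretch build of activemq is configured the same way, `<not-affected>` with the same reason would be more accurate for stretch than `<no-dsa> (Minor issue)`, so the MQTT build option should be checked for the stretch package before this annotation stands.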
@@ -54878,6 +54890,7 @@ CVE-2018-10245 (A Full Path Disclosure vulnerability in AWStats through 7.6 allo
NOTE: Path disclosure for awstats negligible within Debian
CVE-2018-10244 (Suricata version 4.0.4 incorrectly handles the parsing of an EtherNet/ ...)
- suricata 1:4.0.5-1
+ [stretch] - suricata <no-dsa> (Minor issue)
[jessie] - suricata <not-affected> (EtherNet/IP and CIP support introduced in 3.2beta1)
NOTE: https://redmine.openinfosecfoundation.org/issues/2545
NOTE: https://redmine.openinfosecfoundation.org/issues/2543
@@ -54887,6 +54900,7 @@ CVE-2018-10243 (htp_parse_authorization_digest in htp_parsers.c in LibHTP 0.5.26
{DLA-1751-1}
- libhtp 1:0.5.28-1
- suricata 1:4.0.0-1
+ [stretch] - suricata <no-dsa> (Minor issue)
NOTE: suricata used the embedded copy of libhtp up to before 1:4.0.0-1.
NOTE: https://github.com/OISF/libhtp/issues/169
NOTE: https://github.com/OISF/libhtp/commit/eefd4b7d2be663f6067362f29c81e6edf909145a
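Review bot: the `[stretch]` annotation is added only for suricata, while the `libhtp 1:0.5.28-1` line above it gets none; since the NOTE says suricata stopped using the embedded libhtp copy from 1:4.0.0-1, stretch's separately packaged libhtp needs its own release line (`<no-dsa>` or `<not-affected>`, depending on the shipped version) for the entry to be complete.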
@@ -54894,6 +54908,7 @@ CVE-2018-10243 (htp_parse_authorization_digest in htp_parsers.c in LibHTP 0.5.26
CVE-2018-10242 (Suricata version 4.0.4 incorrectly handles the parsing of the SSH bann ...)
{DLA-1751-1}
- suricata 1:4.0.5-1
+ [stretch] - suricata <no-dsa> (Minor issue)
NOTE: https://redmine.openinfosecfoundation.org/issues/2544
NOTE: https://redmine.openinfosecfoundation.org/issues/2542
NOTE: https://github.com/OISF/suricata/commit/9ba89a31efc89ec5cb72326dbcb9166b098f3ea0
@@ -87453,7 +87468,7 @@ CVE-2017-16120 (liyujing is a static file server. liyujing is vulnerable to a di
NOT-FOR-US: liyujing
CVE-2017-16119 (Fresh is a module used by the Express.js framework for HTTP response f ...)
- node-fresh <unfixed> (bug #927715)
- [stretch] - node-braces <ignored> (Nodejs in stretch not covered by security support)
+ [stretch] - node-fresh <ignored> (Nodejs in stretch not covered by security support)
NOTE: https://nodesecurity.io/advisories/526
CVE-2017-16118 (The forwarded module is used by the Express.js framework to handle the ...)
NOT-FOR-US: forwarded nodejs module
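Review bot: good catch on the wrong package name (node-braces pasted under the node-fresh entry); since the same "Nodejs in stretch not covered by security support" annotation text is copied between node-* entries, it is worth grepping data/CVE/list for other `[stretch] - node-braces` lines attached to a different source package.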
=====================================
data/dsa-needed.txt
=====================================
@@ -24,6 +24,8 @@ glusterfs
--
graphicsmagick
--
+imagemagick (jmm)
+--
koji
--
libidn
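Review bot: imagemagick is queued in dsa-needed.txt in the same commit that marks CVE-2019-11472, CVE-2019-11470 and CVE-2019-10714 as `<ignored>` for stretch; a short parenthetical listing which CVEs the planned DSA does cover would avoid readers assuming the ignored ones are part of it.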
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7ae96d6ab56a4670967ddc11845de990020a84ff