[Git][security-tracker-team/security-tracker][master] 9 commits: add 389-ds-base

Thorsten Alteholz alteholz at debian.org
Thu Apr 25 10:41:16 BST 2019



Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f8a92b7b by Thorsten Alteholz at 2019-04-25T09:29:16Z
add 389-ds-base

- - - - -
a0acb243 by Thorsten Alteholz at 2019-04-25T09:30:56Z
add graphicsmagick

- - - - -
7129fed3 by Thorsten Alteholz at 2019-04-25T09:31:53Z
add mercurial

- - - - -
d41c6596 by Thorsten Alteholz at 2019-04-25T09:33:03Z
mark CVE-2017-16119 as ignored for jessie

- - - - -
35aff85d by Thorsten Alteholz at 2019-04-25T09:34:13Z
add kdepim

- - - - -
c221bba1 by Thorsten Alteholz at 2019-04-25T09:35:14Z
mark CVE-2019-11372 as no-dsa for jessie

- - - - -
165e689f by Thorsten Alteholz at 2019-04-25T09:35:34Z
mark CVE-2019-11373 as no-dsa for jessie

- - - - -
3f61d187 by Thorsten Alteholz at 2019-04-25T09:37:27Z
add jquery

- - - - -
ab2e0e19 by Thorsten Alteholz at 2019-04-25T09:38:23Z
follow security team with ignored for CVE-2018-3979

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -347,11 +347,13 @@ CVE-2019-11374 (74CMS v5.0.1 has a CSRF vulnerability to add a new admin user vi
 CVE-2019-11373 (An out-of-bounds read in File__Analyze::Get_L8 in File__Analyze_Buffer ...)
 	- libmediainfo <unfixed> (low; bug #927672)
 	[stretch] - libmediainfo <no-dsa> (Minor issue)
+	[jessie] - libmediainfo <no-dsa> (Minor issue)
 	NOTE: https://github.com/MediaArea/MediaInfoLib/pull/1111
 	NOTE: https://sourceforge.net/p/mediainfo/bugs/1101/
 CVE-2019-11372 (An out-of-bounds read in MediaInfoLib::File__Tags_Helper::Synched_Test ...)
 	- libmediainfo <unfixed> (low; bug #927672)
 	[stretch] - libmediainfo <no-dsa> (Minor issue)
+	[jessie] - libmediainfo <no-dsa> (Minor issue)
 	NOTE: https://github.com/MediaArea/MediaInfoLib/pull/1111
 	NOTE: https://sourceforge.net/p/mediainfo/bugs/1101/
 CVE-2019-11371 (BWA (aka Burrow-Wheeler Aligner) 0.7.17 r1198 has a Buffer Overflow vi ...)
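Review bot: the two new `[jessie] - libmediainfo <no-dsa> (Minor issue)` lines copy the stretch entries exactly and agree with the `(low; bug #927672)` severity on the `<unfixed>` lines, so the tagging is internally consistent; the entries record no affected-version information, though, so the no-dsa triage should rest on a check that the code paths named in the CVE descriptions (File__Analyze::Get_L8 and File__Tags_Helper::Synched_Test) exist in jessie's libmediainfo, otherwise `<not-affected>` would be the correct tag rather than `<no-dsa>`.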
@@ -72557,6 +72559,7 @@ CVE-2018-3979 (A remote denial-of-service vulnerability exists in the way the No
 	- xserver-xorg-video-nouveau <unfixed> (low)
 	[buster] - xserver-xorg-video-nouveau <ignored> (Minor issue)
 	[stretch] - xserver-xorg-video-nouveau <ignored> (Minor issue)
+	[jessie] - xserver-xorg-video-nouveau <ignored> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2018-0647
 CVE-2018-3978 (An exploitable out-of-bounds write vulnerability exists in the Word Do ...)
 	NOT-FOR-US: Atlantis Word Processor
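Review bot: the jessie line reuses the buster/stretch `<ignored> (Minor issue)` rationale, consistent with the "follow security team" commit message; since the description itself calls this a remote denial-of-service and a reader of the jessie entry sees only "(Minor issue)" plus the TALOS URL, consider adding a NOTE line with the reasoning the security team applied (for example that the issue requires local access to the X server), so the ignored decision stays explainable when the entry is revisited.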
@@ -87520,6 +87523,7 @@ CVE-2017-16120 (liyujing is a static file server. liyujing is vulnerable to a di
 CVE-2017-16119 (Fresh is a module used by the Express.js framework for HTTP response f ...)
 	- node-fresh <unfixed> (bug #927715)
 	[stretch] - node-fresh <ignored> (Nodejs in stretch not covered by security support)
+	[jessie] - node-fresh <ignored> (Nodejs in jessie not covered by security support)
 	NOTE: https://nodesecurity.io/advisories/526
 CVE-2017-16118 (The forwarded module is used by the Express.js framework to handle the ...)
 	NOT-FOR-US: forwarded nodejs module
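Review bot: the jessie rationale "(Nodejs in jessie not covered by security support)" is carried over from the stretch line by analogy; because `<ignored>` permanently closes the issue for jessie, the claim should be verified against the jessie entries in the debian-security-support package (or the jessie release notes) rather than assumed from stretch. If nodejs is listed there as unsupported the tag is right; if it only had limited support, `<no-dsa>` with that explanation would be the more accurate choice.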


=====================================
data/dla-needed.txt
=====================================
@@ -9,6 +9,8 @@ To pick an issue, simply add your name behind it. To learn more about how
 this list is updated have a look at
 https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 
+--
+389-ds-base
 --
 axis
 --
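Review bot: `389-ds-base` is added without a NOTE line, whereas most entries in this file carry a dated `NOTE: YYYYMMDD:` record of triage status or a pointer to the CVE(s) driving the entry; suggest adding a `NOTE: 20190425:` line naming the open CVE id(s) so the volunteer who picks it up knows the scope without re-triaging. The placement before `axis` keeps the alphabetical order of the list.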
@@ -42,6 +44,8 @@ gradle
   NOTE: 20190412: unless you believe http->https would cause significant breakage;
   NOTE: 20190412: ajax.googleapis.com's SSL cert appears well supported in jessie
 --
+graphicsmagick
+--
 hdf5 (Hugo Lefeuvre)
   NOTE: requires some prior triage, almost all cves undetermined.
   NOTE: contacted hdf5 upstream, received information, currently updating the tracker.
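Review bot: as with `389-ds-base` earlier in this diff, `graphicsmagick` lands with no NOTE line; a dated NOTE listing which CVE ids are open for jessie would save the claimant a full re-triage. The position between `gradle` and `hdf5` is alphabetically correct.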
@@ -59,8 +63,14 @@ imagemagick (Roberto C. Sánchez)
 jinja2 (Hugo Lefeuvre)
   NOTE: 20190416: https://lists.debian.org/debian-lts/2019/04/msg00107.html
 --
+jquery
+  NOTE: 20190425: probably embedded versions need to be checked as well
+--
 jruby
 --
+kdepim
+  NOTE: 20190425: not yet fixed upstream
+--
 libav
   NOTE: 20190401: There are currently 20 CVE issues known for libav in jessie,
   NOTE: 20190401: 11 tagged as <no-dsa>. These issues have been triaged, no patch
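Review bot: the jquery NOTE "probably embedded versions need to be checked as well" names the right concern but leaves it open; suggest a follow-up NOTE enumerating the jessie source packages that embed jquery (the tracker's `data/embedded-code-copies` file is the place they are recorded) so each copy is either tracked or explicitly excluded. The kdepim NOTE "not yet fixed upstream" would be more useful with the upstream bug or commit URL, following the pattern of the jinja2 entry above, which links its lists.debian.org thread.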
@@ -88,6 +98,8 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
+mercurial
+--
 polarssl
   NOTE: 20181207: Not 100% sure if vulnerable. Upstream would prefer us to move to latest version, etc. (!). (lamby)
 --
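Review bot: `mercurial` is added with no NOTE line; as for the other new entries in this commit series, a dated NOTE naming the open CVE id(s) is the minimum context the next claimant needs. Ordering after `linux-4.9` and before `polarssl` is correct.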



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/09527ef7c3695dfba968c7032e53cbb7f160e800...ab2e0e193264278637d90bc0c48dedf14e139824
