[Git][security-tracker-team/security-tracker][master] 6 commits: Mark CVE-2019-11191 as unimportant

Salvatore Bonaccorso carnil at debian.org
Thu Apr 25 22:20:05 BST 2019



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
aa913c31 by Salvatore Bonaccorso at 2019-04-25T21:19:43Z
Mark CVE-2019-11191 as unimportant

Maybe the CVE should be rejected. Triage in kernel-sec showed that it's
basically a non-issue as only ELF supports ASLR.

- - - - -
2df2d85f by Salvatore Bonaccorso at 2019-04-25T21:19:43Z
Mark CVE-2019-10124 as not-affected for jessie

- - - - -
b5bdd77d by Salvatore Bonaccorso at 2019-04-25T21:19:44Z
Mark CVE-2019-8980 as not-affected for jessie

- - - - -
0d6df073 by Salvatore Bonaccorso at 2019-04-25T21:19:44Z
Mark CVE-2019-3887/linux as not-affected for stretch and jessie

The vulnerability was introduced in later versions only.

- - - - -
74fd191a by Salvatore Bonaccorso at 2019-04-25T21:19:45Z
Ignore CVE-2019-3874/linux for stretch and jessie

- - - - -
09ac9b14 by Salvatore Bonaccorso at 2019-04-25T21:19:45Z
Ignore CVE-2019-2025/linux for stretch and jessie

Binder was not enabled in those versions.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -819,7 +819,7 @@ CVE-2019-11192
 CVE-2019-11189
 	RESERVED
 CVE-2019-11191 (The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and i ...)
-	- linux <unfixed>
+	- linux <unfixed> (unimportant)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/04/03/4
 CVE-2019-11190 (The Linux kernel before 4.8 allows local users to bypass ASLR on setui ...)
 	- linux 4.8.5-1
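
Review bot: The (unimportant) tag on the "- linux <unfixed>" line of CVE-2019-11191 has no rationale in the entry itself. The only NOTE is the oss-security link, and the explanation (kernel-sec triage: only ELF supports ASLR) sits in the commit message. Add a NOTE line with that reasoning so the tracker entry explains the downgrade without requiring the git history.
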
@@ -3314,6 +3314,7 @@ CVE-2019-10125 (An issue was discovered in aio_poll() in fs/aio.c in the Linux k
 	NOTE: https://git.kernel.org/linus/84c4e1f89fefe70554da0ab33be72c9be7994379
 CVE-2019-10124 (An issue was discovered in the hwpoison implementation in mm/memory-fa ...)
 	- linux <unfixed>
+	[jessie] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://git.kernel.org/linus/46612b751c4941c5c0472ddf04027e877ae5990f
 CVE-2019-10123
 	RESERVED
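
Review bot: The new [jessie] line for CVE-2019-10124 gives "Vulnerable code not present" as its reason, but the entry's only NOTE is a git.kernel.org commit link, so nothing in the record shows when the affected hwpoison code arrived. A "NOTE: Introduced by:" line with the introducing commit would let a later reader confirm the jessie status without redoing the triage.
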
@@ -7065,6 +7066,7 @@ CVE-2018-1002161 [SQL injection in multiple remote calls]
 	NOTE: https://pagure.io/koji/issue/1183
 CVE-2019-8980 (A memory leak in the kernel_read_file function in fs/exec.c in the Lin ...)
 	- linux 4.19.28-1
+	[jessie] - linux <not-affected> (Vulnerable code not present)
 	NOTE: https://lore.kernel.org/lkml/20190219021038.11340-1-yuehaibing@huawei.com/
 	NOTE: https://lore.kernel.org/lkml/20190219022512.GW2217@ZenIV.linux.org.uk/
 CVE-2019-8979 (Kohana through 3.3.6 has SQL Injection when the order_by() parameter c ...)
@@ -18850,6 +18852,8 @@ CVE-2019-3888
 	RESERVED
 CVE-2019-3887 (A flaw was found in the way KVM hypervisor handled x2APIC Machine Spec ...)
 	- linux <unfixed>
+	[stretch] - linux <not-affected> (Vulnerability introduced later)
+	[jessie] - linux <not-affected> (Vulnerability introduced later)
 	NOTE: Fixed by: https://git.kernel.org/linus/acff78477b9b4f26ecdf65733a4ed77fe837e9dc
 	NOTE: Fixed by: https://git.kernel.org/linus/c73f4c998e1fd4249b9edfa39e23f4fda2b9b041
 CVE-2016-10746 (libvirt-domain.c in libvirt before 1.3.1 supports virDomainGetTime API ...)
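
Review bot: "Vulnerability introduced later" on the [stretch] and [jessie] lines of CVE-2019-3887 does not say later than which version. The two "Fixed by:" notes here carry no version tag, unlike the CVE-2019-2025 entry, which marks its fix with (4.20-rc5). Stating the first affected kernel version in the reason or in a NOTE would make the cut-off checkable against what those suites ship.
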
@@ -18910,6 +18914,8 @@ CVE-2019-3875
 	RESERVED
 CVE-2019-3874 (The SCTP socket buffer used by a userspace application is not accounte ...)
 	- linux <unfixed>
+	[stretch] - linux <ignored> (Minor issue)
+	[jessie] - linux <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1686373
 CVE-2019-3873
 	RESERVED
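
Review bot: The [stretch] and [jessie] lines for CVE-2019-3874 use <ignored> with only "Minor issue" as the reason, while the unstable line is still <unfixed> and the commit message has no body. <ignored> records that these suites will not get a fix. If the intent is to wait for an upstream fix, <postponed> or <no-dsa> fits better. Otherwise the reason should say why the SCTP buffer accounting problem is minor for these suites.
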
@@ -24900,6 +24906,8 @@ CVE-2019-2026 (In updateAssistMenuItems of Editor.java, there is a possible esca
 CVE-2019-2025 [binder: fix race that allows malicious free of live buffer]
 	RESERVED
 	- linux 4.19.9-1
+	[stretch] - linux <ignored> (Binder is not enabled)
+	[jessie] - linux <ignored> (Binder is not enabled)
 	NOTE: Fixed by: https://git.kernel.org/linus/7bada55ab50697861eee6bb7d60b41e68a961a9c (4.20-rc5)
 CVE-2019-2024 [media: em28xx: Fix use-after-free when disconnecting]
 	RESERVED
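
Review bot: "Binder is not enabled" on the [stretch] and [jessie] lines of CVE-2019-2025 rests on the kernel build configuration of those suites, which the entry does not record. A NOTE naming the config option and stating that it is off in the stretch and jessie kernel packages would make the reason verifiable and mark the entry for re-triage if that configuration changes.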



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/765cccb6f469bd3121c6e6a88566edd5c697e8f6...09ac9b1401e2fa0d779731e22921bb000062a047
