[Git][security-tracker-team/security-tracker][master] Merge accepted changes from 9.9 point release into stretch
Salvatore Bonaccorso
carnil at debian.org
Sat Apr 27 10:22:55 BST 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b280d31e by Salvatore Bonaccorso at 2019-04-27T09:21:43Z
Merge accepted changes from 9.9 point release into stretch
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -695,8 +695,8 @@ CVE-2019-11358 (jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other
{DSA-4434-1}
- drupal7 <removed> (bug #927330)
- jquery 3.3.1~dfsg-2 (bug #927385)
+ [stretch] - jquery 3.1.1-2+deb9u1
- node-jquery 2.2.4+dfsg-4 (bug #927466)
- [stretch] - jquery <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://www.drupal.org/sa-core-2019-006
NOTE: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
NOTE: https://github.com/DanielRuf/snyk-js-jquery-174006?files=1
@@ -3033,7 +3033,7 @@ CVE-2019-10270
RESERVED
CVE-2019-10269 (BWA (aka Burrow-Wheeler Aligner) before 2019-01-23 has a stack-based b ...)
- bwa 0.7.17-3 (low; bug #926014)
- [stretch] - bwa <no-dsa> (Minor issue)
+ [stretch] - bwa 0.7.15-2+deb9u1
[jessie] - bwa <not-affected> (vulnerable code is not present)
NOTE: https://github.com/lh3/bwa/pull/232
NOTE: https://github.com/lh3/bwa/commit/20d0a13092aa4cb73230492b05f9697d5ef0b88e
@@ -3527,7 +3527,7 @@ CVE-2019-10064
RESERVED
CVE-2019-10063 (Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1 ...)
- flatpak 1.2.3-2 (bug #925541)
- [stretch] - flatpak <no-dsa> (Minor issue; can be fixed via point release)
+ [stretch] - flatpak 0.8.9-0+deb9u3
NOTE: https://github.com/flatpak/flatpak/issues/2782
NOTE: https://github.com/flatpak/flatpak/commit/a9107feeb4b8275b78965b36bf21b92d5724699e
CVE-2019-10062
@@ -8559,7 +8559,7 @@ CVE-2019-8332
CVE-2019-8331 (In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in t ...)
- twitter-bootstrap4 4.3.1+dfsg2-1
- twitter-bootstrap3 3.4.1+dfsg-1
- [stretch] - twitter-bootstrap3 <no-dsa> (Minor issue)
+ [stretch] - twitter-bootstrap3 3.3.7+dfsg-2+deb9u2
[jessie] - twitter-bootstrap3 <no-dsa> (Minor issue)
- twitter-bootstrap <unfixed>
[stretch] - twitter-bootstrap <no-dsa> (Minor issue; XSS in developer-issued input when HTML is enabled)
@@ -10386,25 +10386,25 @@ CVE-2019-7542
CVE-2018-20763 (In GPAC 0.7.1 and earlier, gf_text_get_utf8_line in media_tools/text_i ...)
{DLA-1693-1}
- gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #921969)
- [stretch] - gpac <no-dsa> (Minor issue, will be fixed via point update)
+ [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
NOTE: https://github.com/gpac/gpac/commit/1c449a34fe0b50aaffb881bfb9d7c5ab0bb18cdd
NOTE: https://github.com/gpac/gpac/issues/1188
CVE-2018-20762 (GPAC version 0.7.1 and earlier has a buffer overflow vulnerability in ...)
{DLA-1693-1}
- gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #921969)
- [stretch] - gpac <no-dsa> (Minor issue, will be fixed via point update)
+ [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
NOTE: https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658
NOTE: https://github.com/gpac/gpac/issues/1187
CVE-2018-20761 (GPAC version 0.7.1 and earlier has a Buffer Overflow vulnerability in ...)
{DLA-1693-1}
- gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #921969)
- [stretch] - gpac <no-dsa> (Minor issue, will be fixed via point update)
+ [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
NOTE: https://github.com/gpac/gpac/commit/35ab4475a7df9b2a4bcab235e379c0c3ec543658
NOTE: https://github.com/gpac/gpac/issues/1186
CVE-2018-20760 (In GPAC 0.7.1 and earlier, gf_text_get_utf8_line in media_tools/text_i ...)
{DLA-1693-1}
- gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #921969)
- [stretch] - gpac <no-dsa> (Minor issue, will be fixed via point update)
+ [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
NOTE: https://github.com/gpac/gpac/commit/4c1360818fc8948e9307059fba4dc47ba8ad255d
NOTE: https://github.com/gpac/gpac/issues/1177
CVE-2019-7541
@@ -10667,7 +10667,7 @@ CVE-2019-7444
CVE-2019-7443 [Insecure handling of arguments in helpers]
RESERVED
- kauth 5.54.0-2 (bug #921995)
- [stretch] - kauth <no-dsa> (Minor issue, will be fixed in a point release)
+ [stretch] - kauth 5.28.0-2+deb9u1
- kde4libs <unfixed> (bug #922727)
[buster] - kde4libs <no-dsa> (Minor issue)
[stretch] - kde4libs <no-dsa> (Minor issue)
@@ -11896,7 +11896,7 @@ CVE-2019-6977 (gdImageColorMatch in gd_color_match.c in the GD Graphics Library
NOTE: Proposed patch: https://gist.github.com/cmb69/1f36d285eb297ed326f5c821d7aafced
CVE-2019-6976 (libvips before 8.7.4 generates output images from uninitialized memory ...)
- vips 8.7.4-1 (low)
- [stretch] - vips <no-dsa> (Minor issue)
+ [stretch] - vips 8.4.5-1+deb9u1
[jessie] - vips <ignored> (Minor Issue)
NOTE: https://github.com/libvips/libvips/commit/00622428bda8d7521db8d74260b519fa41d69d0a
CVE-2019-6975 (Django 1.11.x before 1.11.19, 2.0.x before 2.0.11, and 2.1.x before 2. ...)
@@ -15037,7 +15037,7 @@ CVE-2019-8308 (Flatpak before 1.0.7, and 1.1.x and 1.2.x before 1.2.3, exposes /
CVE-2019-5736 (runc through 1.0-rc6, as used in Docker before 18.09.2 and other produ ...)
- lxc 1:3.1.0+really3.0.3-4 (bug #922169; unimportant)
- runc 1.0.0~rc6+dfsg1-2 (bug #922050)
- [stretch] - runc <no-dsa> (Minor issue; no higher level users of runc in stretch; Can be fixed via point release)
+ [stretch] - runc 0.1.1+dfsg1-2+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2019/02/11/2
NOTE: runc: Fixed by: https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
NOTE: lxc: Fixed by: https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
@@ -15757,12 +15757,12 @@ CVE-2019-5420 (A remote code execution vulnerability in development mode Rails &
CVE-2019-5419 (There is a possible denial of service vulnerability in Action View (Ra ...)
{DLA-1739-1}
- rails 2:5.2.2.1+dfsg-1 (bug #924520)
- [stretch] - rails <no-dsa> (Will be fixed via point release)
+ [stretch] - rails 2:4.2.7.1-1+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2019/03/13/4
CVE-2019-5418 (There is a File Content Disclosure vulnerability in Action View (Rails ...)
{DLA-1739-1}
- rails 2:5.2.2.1+dfsg-1 (bug #924520)
- [stretch] - rails <no-dsa> (Will be fixed via point release)
+ [stretch] - rails 2:4.2.7.1-1+deb9u1
NOTE: https://www.openwall.com/lists/oss-security/2019/03/13/5
CVE-2019-5417 (A path traversal vulnerability in serve npm package version 7.0.1 allo ...)
NOT-FOR-US: node serve module
@@ -21035,10 +21035,10 @@ CVE-2018-20350
RESERVED
CVE-2018-20349 (The igraph_i_strdiff function in igraph_trie.c in igraph through 0.7.1 ...)
- igraph 0.7.1-3 (bug #917211)
- [stretch] - igraph <no-dsa> (Minor issue)
+ [stretch] - igraph 0.7.1-2.1+deb9u1
[jessie] - igraph <no-dsa> (Minor issue)
- r-cran-igraph 1.2.2-2 (bug #917212)
- [stretch] - r-cran-igraph <no-dsa> (Minor issue)
+ [stretch] - r-cran-igraph 1.0.1-1+deb9u1
NOTE: https://github.com/igraph/igraph/issues/1141
NOTE: Fixed by: https://github.com/igraph/igraph/commit/e3a9566e6463186230f215151b57b893df6d9ce2
CVE-2018-20348 (libpff_item_tree_create_node in libpff_item_tree.c in libpff before ex ...)
@@ -21190,7 +21190,7 @@ CVE-2018-1000873 (Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Impr
NOT-FOR-US: Fasterxml Jackson Jackson-Modules-Java8 module
CVE-2018-1000872 (OpenKMIP PyKMIP version All versions before 0.8.0 contains a CWE 399: ...)
- python-pykmip 0.7.0-3 (low; bug #917030)
- [stretch] - python-pykmip <no-dsa> (Minor issue)
+ [stretch] - python-pykmip 0.5.0-4+deb9u1
NOTE: https://github.com/OpenKMIP/PyKMIP/commit/3a7b880bdf70d295ed8af3a5880bab65fa6b3932
NOTE: https://github.com/OpenKMIP/PyKMIP/issues/430
CVE-2018-1000871 (HotelDruid HotelDruid 2.3.0 version 2.3.0 and earlier contains a SQL I ...)
@@ -23524,7 +23524,7 @@ CVE-2019-2537 (Vulnerability in the MySQL Server component of Oracle MySQL (subc
- mysql-5.7 5.7.25-1 (bug #919817)
- mariadb-10.3 1:10.3.13-1 (bug #920933)
- mariadb-10.1 <removed>
- [stretch] - mariadb-10.1 <no-dsa> (Minor issue; will be fixed via point release)
+ [stretch] - mariadb-10.1 10.1.38-0+deb9u1
- mariadb-10.0 <removed>
NOTE: Fixed in MariaDB: 10.3.13, 10.1.38, 10.0.38
CVE-2019-2536 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
@@ -23545,7 +23545,7 @@ CVE-2019-2529 (Vulnerability in the MySQL Server component of Oracle MySQL (subc
{DLA-1655-1}
- mysql-5.7 5.7.25-1 (bug #919817)
- mariadb-10.1 <removed>
- [stretch] - mariadb-10.1 <no-dsa> (Minor issue; will be fixed via point release)
+ [stretch] - mariadb-10.1 10.1.38-0+deb9u1
- mariadb-10.0 <removed>
NOTE: Fixed in MariaDB: 10.1.38, 10.0.38
CVE-2019-2528 (Vulnerability in the MySQL Server component of Oracle MySQL (subcompon ...)
@@ -25726,17 +25726,17 @@ CVE-2019-1789 [An out-of-bounds heap read condition when scanning PE files]
RESERVED
{DLA-1759-1}
- clamav 0.101.2+dfsg-1
- [stretch] - clamav <no-dsa> (Already fixed via SUA, pending inclusion in next point release)
+ [stretch] - clamav 0.100.3+dfsg-0+deb9u1
NOTE: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
CVE-2019-1788 (A vulnerability in the Object Linking & Embedding (OLE2) file scan ...)
{DLA-1759-1}
- clamav 0.101.2+dfsg-1
- [stretch] - clamav <no-dsa> (Already fixed via SUA, pending inclusion in next point release)
+ [stretch] - clamav 0.100.3+dfsg-0+deb9u1
NOTE: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
CVE-2019-1787 (A vulnerability in the Portable Document Format (PDF) scanning functio ...)
{DLA-1759-1}
- clamav 0.101.2+dfsg-1
- [stretch] - clamav <no-dsa> (Already fixed via SUA, pending inclusion in next point release)
+ [stretch] - clamav 0.100.3+dfsg-0+deb9u1
NOTE: https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
CVE-2019-1786 (A vulnerability in the Portable Document Format (PDF) scanning functio ...)
- clamav 0.101.2+dfsg-1
@@ -31794,7 +31794,7 @@ CVE-2018-18981 (In Rockwell Automation FactoryTalk Services Platform 2.90 and ea
CVE-2014-10077 (Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 f ...)
{DLA-1584-1}
- ruby-i18n 0.7.0-3 (bug #913093)
- [stretch] - ruby-i18n <no-dsa> (Minor issue)
+ [stretch] - ruby-i18n 0.7.0-2+deb9u1
NOTE: https://github.com/svenfuchs/i18n/pull/289
NOTE: https://github.com/svenfuchs/i18n/commit/24e71a9a4901ed18c9cab5c53109fd9bf2416bcb
CVE-2018-18980 (An XML External Entity injection (XXE) vulnerability exists in Zoho Ma ...)
@@ -36711,7 +36711,7 @@ CVE-2018-17183 (Artifex Ghostscript before 9.25 allowed a user-writable error ex
NOTE: http://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb713b3818b52d8a6cf62c951eba2e1795ff9624
CVE-2018-17095 (An issue has been discovered in mpruett Audio File Library (aka audiof ...)
- audiofile 0.3.6-5 (low; bug #913166)
- [stretch] - audiofile <no-dsa> (Minor issue)
+ [stretch] - audiofile 0.3.6-4+deb9u1
[jessie] - audiofile <postponed> (Can be fixed along in future DLA)
NOTE: https://github.com/mpruett/audiofile/issues/50
NOTE: https://github.com/mpruett/audiofile/issues/51
@@ -38247,7 +38247,7 @@ CVE-2018-16549 (HScripts PHP File Browser Script v1.0 allows Directory Traversal
NOT-FOR-US: HScripts PHP File Browser Script
CVE-2018-16548 (An issue was discovered in ZZIPlib through 0.13.69. There is a memory ...)
- zziplib 0.13.62-3.2 (low; bug #910335)
- [stretch] - zziplib <no-dsa> (Minor issue)
+ [stretch] - zziplib 0.13.62-3.2~deb9u1
[jessie] - zziplib <ignored> (Minor issue)
NOTE: https://github.com/gdraheim/zziplib/issues/58
NOTE: https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb
@@ -38406,7 +38406,7 @@ CVE-2018-16477 (A bypass vulnerability in Active Storage >= 5.2.0 for Google
NOTE: Originally no version was affected until 2:5.2.0+dfsg-2 was uploaded to unstable.
CVE-2018-16476 (A Broken Access Control vulnerability in Active Job versions >= 4.2 ...)
- rails 2:5.2.2+dfsg-1 (bug #914847)
- [stretch] - rails <no-dsa> (Will be fixed via point release)
+ [stretch] - rails 2:4.2.7.1-1+deb9u1
[jessie] - rails <not-affected> (only affects >= 4.2.0)
NOTE: https://www.openwall.com/lists/oss-security/2018/11/27/4
CVE-2018-16475 (A Path Traversal in Knightjs versions <= 0.0.1 allows an attacker t ...)
@@ -40734,7 +40734,7 @@ CVE-2018-1000653 (zzcms version 8.3 and earlier contains a SQL Injection vulnera
NOT-FOR-US: zzcms
CVE-2018-1000652 (JabRef version <=4.3.1 contains a XML External Entity (XXE) vulnera ...)
- jabref 3.8.2+ds-12 (low; bug #921772)
- [stretch] - jabref <no-dsa> (Minor issue)
+ [stretch] - jabref 3.8.1+ds-3+deb9u1
[jessie] - jabref <no-dsa> (Minor issue)
NOTE: https://github.com/JabRef/jabref/issues/4229
NOTE: https://github.com/JabRef/jabref/commit/89f855d76713b4cd25ac0830c719cd61c511851e
@@ -46148,7 +46148,7 @@ CVE-2018-13441 (qh_help in Nagios Core version 4.4.1 and earlier is prone to a N
NOTE: https://github.com/NagiosEnterprises/nagioscore/commit/b1a92a3b52d292ccb601e77a0b29cb1e67ac9d76
CVE-2018-13440 (The audiofile Audio File Library 0.3.6 has a NULL pointer dereference ...)
- audiofile 0.3.6-5 (low; bug #903499)
- [stretch] - audiofile <no-dsa> (Minor issue)
+ [stretch] - audiofile 0.3.6-4+deb9u1
[jessie] - audiofile <no-dsa> (Minor issue)
NOTE: https://github.com/mpruett/audiofile/issues/49
CVE-2018-13439 (WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a mercha ...)
@@ -47128,12 +47128,12 @@ CVE-2018-13007 (An issue was discovered in gpmf-parser 1.1.2. There is a heap-ba
CVE-2018-13006 (An issue was discovered in MP4Box in GPAC 0.7.1. There is a heap-based ...)
{DLA-1432-1}
- gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #902782)
- [stretch] - gpac <no-dsa> (Minor issue, will be fixed via point update)
+ [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
NOTE: https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86
CVE-2018-13005 (An issue was discovered in MP4Box in GPAC 0.7.1. The function urn_Read ...)
{DLA-1432-1}
- gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #902782)
- [stretch] - gpac <no-dsa> (Minor issue, will be fixed via point update)
+ [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
NOTE: https://github.com/gpac/gpac/issues/1088
NOTE: https://github.com/gpac/gpac/commit/bceb03fd2be95097a7b409ea59914f332fb6bc86
CVE-2018-13004
@@ -49617,12 +49617,12 @@ CVE-2018-12182 (Insufficient memory write check in SMM service for EDK II may al
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1136
CVE-2018-12181 (Stack overflow in corrupted bmp for EDK II may allow unprivileged user ...)
- edk2 0~20181115.85588389-3 (bug #924615)
- [stretch] - edk2 <no-dsa> (Minor issue, will be fixed via point update)
+ [stretch] - edk2 0~20161202.7bbe0b3e-1+deb9u1
[jessie] - edk2 <end-of-life> (non-free is not supported)
NOTE: https://lists.01.org/pipermail/edk2-devel/2019-March/037626.html
CVE-2018-12180 (Buffer overflow in BlockIo service for EDK II may allow an unauthentic ...)
- edk2 0~20181115.85588389-3 (bug #924615)
- [stretch] - edk2 <no-dsa> (Minor issue, will be fixed via point update)
+ [stretch] - edk2 0~20161202.7bbe0b3e-1+deb9u1
[jessie] - edk2 <end-of-life> (non-free is not supported)
NOTE: https://lists.01.org/pipermail/edk2-devel/2019-February/037248.html
NOTE: https://lists.01.org/pipermail/edk2-devel/2019-February/037249.html
@@ -49636,7 +49636,7 @@ CVE-2018-12179 (Improper configuration in system firmware for EDK II may allow u
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1133
CVE-2018-12178 (Buffer overflow in network stack for EDK II may allow unprivileged use ...)
- edk2 0~20181115.85588389-3 (bug #924615)
- [stretch] - edk2 <no-dsa> (Minor issue, will be fixed via point update)
+ [stretch] - edk2 0~20161202.7bbe0b3e-1+deb9u1
[jessie] - edk2 <end-of-life> (non-free is not supported)
NOTE: https://lists.01.org/pipermail/edk2-devel/2019-February/037251.html
NOTE: https://github.com/tianocore/edk2/commit/84110bbe4bb3a346514b9bb12eadb7586bca7dfd
@@ -52566,14 +52566,14 @@ CVE-2018-11131
RESERVED
CVE-2018-11130 (The header::add_FORMAT_descriptor function in header.cpp in VCFtools 0 ...)
- vcftools 0.1.16-1 (low; bug #902190)
- [stretch] - vcftools <no-dsa> (Minor issue)
+ [stretch] - vcftools 0.1.14+dfsg-4+deb9u1
[jessie] - vcftools <no-dsa> (Minor issue)
[wheezy] - vcftools <no-dsa> (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2018/May/43
NOTE: https://github.com/vcftools/vcftools/issues/109
CVE-2018-11129 (The header::add_INFO_descriptor function in header.cpp in VCFtools 0.1 ...)
- vcftools 0.1.16-1 (low; bug #902190)
- [stretch] - vcftools <no-dsa> (Minor issue)
+ [stretch] - vcftools 0.1.14+dfsg-4+deb9u1
[jessie] - vcftools <no-dsa> (Minor issue)
[wheezy] - vcftools <no-dsa> (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2018/May/43
@@ -52640,7 +52640,7 @@ CVE-2018-11100 (The decompileSETTARGET function in decompile.c in libming throug
NOTE: https://github.com/libming/libming/issues/142
CVE-2018-11099 (The header::add_INFO_descriptor function in header.cpp in VCFtools 0.1 ...)
- vcftools 0.1.16-1 (low; bug #902190)
- [stretch] - vcftools <no-dsa> (Minor issue)
+ [stretch] - vcftools 0.1.14+dfsg-4+deb9u1
[jessie] - vcftools <no-dsa> (Minor issue)
[wheezy] - vcftools <no-dsa> (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2018/May/43
@@ -57623,7 +57623,7 @@ CVE-2018-9234 (GnuPG 2.2.4 and 2.2.5 does not enforce a configuration in which k
NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=a17d2d1f690ebe5d005b4589a5fe378b6487c657
CVE-2018-9240 (ncmpc through 0.29 is prone to a NULL pointer dereference flaw. If a u ...)
- ncmpc 0.33-1 (low; bug #894724)
- [stretch] - ncmpc <no-dsa> (Minor issue)
+ [stretch] - ncmpc 0.25-0.1+deb9u1
[jessie] - ncmpc <no-dsa> (Minor issue)
[wheezy] - ncmpc <no-dsa> (Minor issue)
CVE-2018-9233 (Sophos Endpoint Protection 10.7 uses an unsalted SHA-1 hash for passwo ...)
@@ -60780,7 +60780,7 @@ CVE-2018-7999 (In libgraphite2 in graphite2 1.3.11, a NULL pointer dereference v
CVE-2018-7998 (In libvips before 8.6.3, a NULL function pointer dereference vulnerabi ...)
{DLA-1306-1}
- vips 8.4.5-2 (low; bug #892589)
- [stretch] - vips <no-dsa> (Minor issue)
+ [stretch] - vips 8.4.5-1+deb9u1
[jessie] - vips <no-dsa> (Minor issue)
NOTE: https://github.com/jcupitt/libvips/commit/20d840e6da15c1574b3ed998bc92f91d1e36c2a5
NOTE: https://github.com/jcupitt/libvips/issues/893
@@ -61452,7 +61452,7 @@ CVE-2018-7727 (An issue was discovered in ZZIPlib 0.13.68. There is a memory lea
NOTE: unzzipcat-mem and unzzipdir-mem not installed into binary packages.
CVE-2018-7726 (An issue was discovered in ZZIPlib 0.13.68. There is a bus error cause ...)
- zziplib 0.13.62-3.2 (low; bug #913165)
- [stretch] - zziplib <no-dsa> (Minor issue)
+ [stretch] - zziplib 0.13.62-3.2~deb9u1
[jessie] - zziplib <no-dsa> (Minor issue)
[wheezy] - zziplib <no-dsa> (Minor issue)
NOTE: https://github.com/gdraheim/zziplib/issues/27
@@ -61462,7 +61462,7 @@ CVE-2018-7726 (An issue was discovered in ZZIPlib 0.13.68. There is a bus error
NOTE: https://github.com/gdraheim/zziplib/commit/feae4da1a5c92100c44ebfcbaaa895959cc0829b (v0.13.69)
CVE-2018-7725 (An issue was discovered in ZZIPlib 0.13.68. An invalid memory address ...)
- zziplib 0.13.62-3.2 (low; bug #913165)
- [stretch] - zziplib <no-dsa> (Minor issue)
+ [stretch] - zziplib 0.13.62-3.2~deb9u1
[jessie] - zziplib <no-dsa> (Minor issue)
[wheezy] - zziplib <no-dsa> (Minor issue)
NOTE: https://github.com/gdraheim/zziplib/issues/39
@@ -61486,7 +61486,7 @@ CVE-2018-7719 (Acrolinx Server before 5.2.5 on Windows allows Directory Traversa
CVE-2018-7752 (GPAC through 0.7.1 has a Buffer Overflow in the gf_media_avc_read_sps ...)
{DLA-1693-1}
- gpac 0.5.2-426-gc5ad4e4+dfsg5-4.1 (bug #892526)
- [stretch] - gpac <no-dsa> (Minor issue, will be fixed via point release)
+ [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
[wheezy] - gpac <not-affected> (vulnerable code not present)
NOTE: https://github.com/gpac/gpac/issues/997
NOTE: https://github.com/gpac/gpac/commit/90dc7f853d31b0a4e9441cba97feccf36d8b69a4
@@ -64303,7 +64303,7 @@ CVE-2018-6870 (Reflected XSS exists in PHP Scripts Mall Website Seller Script 2.
CVE-2018-6869 (In ZZIPlib 0.13.68, there is an uncontrolled memory allocation and a c ...)
{DLA-1287-1}
- zziplib 0.13.62-3.2 (bug #889089)
- [stretch] - zziplib <no-dsa> (Minor issue)
+ [stretch] - zziplib 0.13.62-3.2~deb9u1
[jessie] - zziplib <no-dsa> (Minor issue)
NOTE: https://github.com/gdraheim/zziplib/issues/22
NOTE: https://github.com/gdraheim/zziplib/commit/0c0c9256b0903f664bca25dd8d924211f81e01d3 (v0.13.68)
@@ -65172,7 +65172,7 @@ CVE-2018-1000036 (In MuPDF 1.12.0 and earlier, multiple memory leaks in the PDF
NOTE: negligible security impact, memory leak in CLI tool
CVE-2018-1000035 (A heap-based buffer overflow exists in Info-Zip UnZip version <= 6. ...)
- unzip 6.0-22 (bug #889838)
- [stretch] - unzip <no-dsa> (Harmless crash, builds with fortified source)
+ [stretch] - unzip 6.0-21+deb9u1
[jessie] - unzip <no-dsa> (Harmless crash, builds with fortified source)
[wheezy] - unzip <no-dsa> (Harmless crash, builds with fortified source)
NOTE: https://www.sec-consult.com/en/blog/advisories/multiple-vulnerabilities-in-infozip-unzip/index.html
@@ -65351,14 +65351,14 @@ CVE-2018-6542 (In ZZIPlib 0.13.67, there is a bus error (when handling a disk64_
NOTE: Negligible impact and unzzipcat utility not installed into binary packages
CVE-2018-6541 (In ZZIPlib 0.13.67, there is a bus error caused by loading of a misali ...)
- zziplib 0.13.62-3.2 (bug #889089)
- [stretch] - zziplib <no-dsa> (Minor issue)
+ [stretch] - zziplib 0.13.62-3.2~deb9u1
[jessie] - zziplib <no-dsa> (Minor issue)
[wheezy] - zziplib <ignored> (Minor issue)
NOTE: https://github.com/gdraheim/zziplib/issues/16
NOTE: https://github.com/gdraheim/zziplib/commit/0c0c9256b0903f664bca25dd8d924211f81e01d3 (v0.13.68)
CVE-2018-6540 (In ZZIPlib 0.13.67, there is a bus error caused by loading of a misali ...)
- zziplib 0.13.62-3.2 (bug #923659)
- [stretch] - zziplib <no-dsa> (Minor issue)
+ [stretch] - zziplib 0.13.62-3.2~deb9u1
[jessie] - zziplib <no-dsa> (Minor issue)
[wheezy] - zziplib <ignored> (Minor issue)
NOTE: https://github.com/gdraheim/zziplib/issues/15
@@ -65618,7 +65618,7 @@ CVE-2018-6485 (An integer overflow in the implementation of the posix_memalign i
NOTE: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8e448310d74b283c5cd02b9ed7fb997b47bf9b22
CVE-2018-6484 (In ZZIPlib 0.13.67, there is a memory alignment error and bus error in ...)
- zziplib 0.13.62-3.2 (bug #889089)
- [stretch] - zziplib <no-dsa> (Minor issue)
+ [stretch] - zziplib 0.13.62-3.2~deb9u1
[jessie] - zziplib <no-dsa> (Minor issue)
[wheezy] - zziplib <ignored> (Minor issue)
NOTE: https://github.com/gdraheim/zziplib/issues/14
@@ -65861,7 +65861,7 @@ CVE-2018-6382 (** DISPUTED ** MantisBT 2.10.0 allows local users to conduct SQL
NOTE: https://mantisbt.org/bugs/view.php?id=23908
CVE-2018-6381 (In ZZIPlib 0.13.67, there is a segmentation fault caused by invalid me ...)
- zziplib 0.13.62-3.2 (bug #889096)
- [stretch] - zziplib <no-dsa> (Minor issue)
+ [stretch] - zziplib 0.13.62-3.2~deb9u1
[jessie] - zziplib <no-dsa> (Minor issue)
[wheezy] - zziplib <ignored> (Minor issue)
NOTE: https://github.com/gdraheim/zziplib/issues/12
@@ -69032,7 +69032,7 @@ CVE-2018-5384 (Navarino Infinity web interface up to version 2.2 exposes an unau
CVE-2018-5383 (Bluetooth firmware or operating system software drivers in macOS versi ...)
{DLA-1747-1}
- firmware-nonfree 20190114-1
- [stretch] - firmware-nonfree <no-dsa> (non-free not supported)
+ [stretch] - firmware-nonfree 20161130-5
NOTE: http://www.cs.technion.ac.il/~biham/BT/
CVE-2018-5382 (Bouncy Castle BKS version 1 keystore (BKS-V1) files use an HMAC that i ...)
- bouncycastle 1.48+dfsg-2
@@ -87581,7 +87581,7 @@ CVE-2017-16130 (exxxxxxxxxxx is an Http eX Frame Google Style JavaScript Guide.
NOT-FOR-US: exxxxxxxxxxx
CVE-2017-16129 (The HTTP client module superagent is vulnerable to ZIP bomb attacks. I ...)
- node-superagent 0.20.0+dfsg-2
- [stretch] - node-superagent <ignored> (Nodejs in stretch not covered by security support)
+ [stretch] - node-superagent 0.20.0+dfsg-1+deb9u2
[jessie] - node-superagent <ignored> (Nodejs in jessie not covered by security support)
NOTE: https://github.com/visionmedia/superagent/issues/1259
NOTE: https://nodesecurity.io/advisories/479
@@ -91890,7 +91890,7 @@ CVE-2017-14805
RESERVED
CVE-2017-14804 (The build package before 20171128 did not check directory names during ...)
- obs-build 20180302-1 (bug #887306)
- [stretch] - obs-build <no-dsa> (Minor issue)
+ [stretch] - obs-build 20160921-1+deb9u1
[jessie] - obs-build <no-dsa> (Minor issue)
NOTE: https://bugzilla.novell.com/show_bug.cgi?id=1069904
CVE-2017-14803 (In NetIQ Access Manager 4.3 and 4.4, a bug exists in Identity Server w ...)
@@ -128423,7 +128423,7 @@ CVE-2016-9843 (The crc32_big function in crc32.c in zlib 1.2.8 might allow conte
[jessie] - zlib <no-dsa> (Minor issue)
[wheezy] - zlib <no-dsa> (Minor issue)
- rsync 3.1.3-6 (bug #924509)
- [stretch] - rsync <no-dsa> (Minor issue)
+ [stretch] - rsync 3.1.2-1+deb9u2
NOTE: https://github.com/madler/zlib/commit/d1d577490c15a0c6862473d7576352a9f18ef811
NOTE: Report: https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
CVE-2016-9842 (The inflateMark function in inflate.c in zlib 1.2.8 might allow contex ...)
@@ -128432,7 +128432,7 @@ CVE-2016-9842 (The inflateMark function in inflate.c in zlib 1.2.8 might allow c
[jessie] - zlib <no-dsa> (Minor issue)
[wheezy] - zlib <no-dsa> (Minor issue)
- rsync 3.1.3-6 (bug #924509)
- [stretch] - rsync <no-dsa> (Minor issue)
+ [stretch] - rsync 3.1.2-1+deb9u2
NOTE: https://github.com/madler/zlib/commit/e54e1299404101a5a9d0cf5e45512b543967f958
NOTE: Report: https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
CVE-2016-9841 (inffast.c in zlib 1.2.8 might allow context-dependent attackers to hav ...)
@@ -128441,7 +128441,7 @@ CVE-2016-9841 (inffast.c in zlib 1.2.8 might allow context-dependent attackers t
[jessie] - zlib <no-dsa> (Minor issue)
[wheezy] - zlib <no-dsa> (Minor issue)
- rsync 3.1.3-6 (bug #924509)
- [stretch] - rsync <no-dsa> (Minor issue)
+ [stretch] - rsync 3.1.2-1+deb9u2
NOTE: https://github.com/madler/zlib/commit/9aaec95e82117c1cb0f9624264c3618fc380cecb
NOTE: Report: https://wiki.mozilla.org/images/0/09/Zlib-report.pdf
CVE-2016-9840 (inftrees.c in zlib 1.2.8 might allow context-dependent attackers to ha ...)
=====================================
data/next-point-update.txt
=====================================
@@ -1,107 +1,3 @@
-CVE-2014-10077
- [stretch] - ruby-i18n 0.7.0-2+deb9u1
-CVE-2018-9240
- [stretch] - ncmpc 0.25-0.1+deb9u1
-CVE-2018-1000035
- [stretch] - unzip 6.0-21+deb9u1
-CVE-2019-8331
- [stretch] - twitter-bootstrap3 3.3.7+dfsg-2+deb9u2
-CVE-2018-1000872
- [stretch] - python-pykmip 0.5.0-4+deb9u1
-CVE-2019-7443
- [stretch] - kauth 5.28.0-2+deb9u1
-CVE-2018-7998
- [stretch] - vips 8.4.5-1+deb9u1
-CVE-2019-6976
- [stretch] - vips 8.4.5-1+deb9u1
-CVE-2019-5736
- [stretch] - runc 0.1.1+dfsg1-2+deb9u1
-CVE-2018-12181
- [stretch] - edk2 0~20161202.7bbe0b3e-1+deb9u1
-CVE-2018-12180
- [stretch] - edk2 0~20161202.7bbe0b3e-1+deb9u1
-CVE-2018-12178
- [stretch] - edk2 0~20161202.7bbe0b3e-1+deb9u1
-CVE-2016-9843
- [stretch] - rsync 3.1.2-1+deb9u2
-CVE-2016-9842
- [stretch] - rsync 3.1.2-1+deb9u2
-CVE-2016-9841
- [stretch] - rsync 3.1.2-1+deb9u2
-CVE-2018-20349
- [stretch] - r-cran-igraph 1.0.1-1+deb9u1
-CVE-2018-5383
- [stretch] - firmware-nonfree 20161130-5
-CVE-2019-10063
- [stretch] - flatpak 0.8.9-0+deb9u3
-CVE-2019-1787
- [stretch] - clamav 0.100.3+dfsg-0+deb9u1
-CVE-2019-1789
- [stretch] - clamav 0.100.3+dfsg-0+deb9u1
-CVE-2019-1788
- [stretch] - clamav 0.100.3+dfsg-0+deb9u1
-CVE-2017-14804
- [stretch] - obs-build 20160921-1+deb9u1
-CVE-2018-16548
- [stretch] - zziplib 0.13.62-3.2~deb9u1
-CVE-2018-6381
- [stretch] - zziplib 0.13.62-3.2~deb9u1
-CVE-2018-6484
- [stretch] - zziplib 0.13.62-3.2~deb9u1
-CVE-2018-6540
- [stretch] - zziplib 0.13.62-3.2~deb9u1
-CVE-2018-6541
- [stretch] - zziplib 0.13.62-3.2~deb9u1
-CVE-2018-6869
- [stretch] - zziplib 0.13.62-3.2~deb9u1
-CVE-2018-7725
- [stretch] - zziplib 0.13.62-3.2~deb9u1
-CVE-2018-7726
- [stretch] - zziplib 0.13.62-3.2~deb9u1
-CVE-2019-10269
- [stretch] - bwa 0.7.15-2+deb9u1
-CVE-2018-7752
- [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
-CVE-2018-13005
- [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
-CVE-2018-13006
- [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
-CVE-2018-20760
- [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
-CVE-2018-20761
- [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
-CVE-2018-20762
- [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
-CVE-2018-20763
- [stretch] - gpac 0.5.2-426-gc5ad4e4+dfsg5-3+deb9u1
-CVE-2018-17095
- [stretch] - audiofile 0.3.6-4+deb9u1
-CVE-2018-13440
- [stretch] - audiofile 0.3.6-4+deb9u1
-CVE-2018-20349
- [stretch] - igraph 0.7.1-2.1+deb9u1
-CVE-2018-1000652
- [stretch] - jabref 3.8.1+ds-3+deb9u1
-CVE-2018-11099
- [stretch] - vcftools 0.1.14+dfsg-4+deb9u1
-CVE-2018-11129
- [stretch] - vcftools 0.1.14+dfsg-4+deb9u1
-CVE-2018-11130
- [stretch] - vcftools 0.1.14+dfsg-4+deb9u1
-CVE-2019-2537
- [stretch] - mariadb-10.1 10.1.38-0+deb9u1
-CVE-2019-2529
- [stretch] - mariadb-10.1 10.1.38-0+deb9u1
-CVE-2019-5418
- [stretch] - rails 2:4.2.7.1-1+deb9u1
-CVE-2019-5419
- [stretch] - rails 2:4.2.7.1-1+deb9u1
-CVE-2018-16476
- [stretch] - rails 2:4.2.7.1-1+deb9u1
-CVE-2017-16129
- [stretch] - node-superagent 0.20.0+dfsg-1+deb9u1
-CVE-2019-11358
- [stretch] - jquery 3.1.1-2+deb9u1
CVE-2017-12424
[stretch] - shadow 1:4.4-4.1+deb9u1
CVE-2015-9261 [busybox: pointer misuse unziping files]
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b280d31e7d839685295da6268f49981e73dac8b0
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b280d31e7d839685295da6268f49981e73dac8b0
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190427/4f3b8aeb/attachment-0001.html>
More information about the debian-security-tracker-commits
mailing list