[Git][security-tracker-team/security-tracker][master] stretch triage

Moritz Muehlenhoff jmm at debian.org
Mon Apr 29 18:00:49 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5f12af71 by Moritz Muehlenhoff at 2019-04-29T17:00:18Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -182,7 +182,8 @@ CVE-2019-11500
 CVE-2019-11499
 	RESERVED
 CVE-2019-11498 (WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack t ...)
-	- wavpack 5.1.0-6 (bug #927903)
+	- wavpack 5.1.0-6 (low; bug #927903)
+	[stretch] - wavpack <no-dsa> (Minor issue)
 	NOTE: https://github.com/dbry/WavPack/issues/67
 	NOTE: https://github.com/dbry/WavPack/commit/bc6cba3f552c44565f7f1e66dc1580189addb2b4
 CVE-2019-11497
@@ -1582,6 +1583,7 @@ CVE-2019-10907 (Airsonic 10.2.1 uses Spring's default remember-me mechanism base
 	NOT-FOR-US: Airsonic
 CVE-2016-10745 (In Pallets Jinja before 2.8.1, str.format allows a sandbox escape. ...)
 	- jinja2 2.9.4-1
+	[stretch] - jinja2 <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/pallets/jinja/commit/9b53045c34e61013dc8f09b7e52a555fa16bed16
 	NOTE: Followup bugfix: https://github.com/pallets/jinja/commit/74bd64e56387f5b2931040dc7235a3509cde1611
 CVE-2019-10906 (In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape ...)
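Review bot: the fix version recorded for CVE-2016-10745 is `jinja2 2.9.4-1`, so the new `[stretch] - jinja2 <no-dsa> (Minor issue)` line is only meaningful if the jinja2 version in stretch is older than 2.9.4-1; please check that version before keeping the line, because if stretch already ships 2.9.4-1 or later the tracker treats stretch as fixed and a `<no-dsa>` annotation under that fixed version is contradictory and should be dropped.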
@@ -15791,7 +15793,8 @@ CVE-2019-5429
 CVE-2019-5428
 	REJECTED
 CVE-2019-5427 (c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack  ...)
-	- c3p0 <unfixed> (bug #927936)
+	- c3p0 <unfixed> (low; bug #927936)
+	[stretch] - c3p0 <no-dsa> (Minor issue)
 	[jessie] - c3p0 <no-dsa> (Minor issue)
 	NOTE: https://hackerone.com/reports/509315
 	NOTE: Fixed by: https://github.com/swaldman/c3p0/commit/f38f27635c384806c2a9d6500d80183d9f09d78b
@@ -18937,6 +18940,7 @@ CVE-2019-3890
 	RESERVED
 	[experimental] - evolution-ews 3.31.90-1
 	- evolution-ews <unfixed> (bug #926712)
+	[stretch] - evolution-ews <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/evolution-ews/issues/27
 	NOTE: https://gitlab.gnome.org/GNOME/evolution-ews/issues/36
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1678313
@@ -35929,13 +35933,15 @@ CVE-2018-17439 (An issue was discovered in the HDF HDF5 1.10.3 library. There is
 	NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln5#stack-overflow-in-h5s_extent_get_dims
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10589
 CVE-2018-17438 (A SIGFPE signal is raised in the function H5D__select_io() of H5Dselec ...)
-	- hdf5 <unfixed>
+	- hdf5 <unfixed> (low)
+	[stretch] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_h5d__select_io_h5dselect
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10587
 	NOTE: fix in develop branch: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/7add52ff4f2443357648d53d52add274d1b18b5f
 CVE-2018-17437 (Memory leak in the H5O_dtype_decode_helper() function in H5Odtype.c in ...)
 	[experimental] - hdf5 1.10.5+repack-1~exp1
-	- hdf5 <unfixed>
+	- hdf5 <unfixed> (low)
+	[stretch] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln5#memory-leak-in-h5o_dtype_decode_helper
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10588
 	NOTE: fixed in 1.10.5, release notes: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt
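Review bot: the new `(low)` severity on the `hdf5 <unfixed>` lines for CVE-2018-17438 and CVE-2018-17437 carries no Debian bug reference, whereas the wavpack and c3p0 entries in this same commit record theirs as `(low; bug #927903)` and `(low; bug #927936)`; if a bug has been filed against src:hdf5 for these issues, add it in the same form (`(low; bug #NNNNNN)`, with the real number) so the unfixed state stays linked to the BTS. The absence of an `[experimental]` line for CVE-2018-17438 is consistent with its NOTE, which places the fix only in the develop branch rather than in 1.10.5.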
@@ -35949,7 +35955,8 @@ CVE-2018-17435 (A heap-based buffer over-read in H5O_attr_decode() in H5Oattr.c
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10591
 CVE-2018-17434 (A SIGFPE signal is raised in the function apply_filters() of h5repack_ ...)
 	[experimental] - hdf5 1.10.5+repack-1~exp1
-	- hdf5 <unfixed>
+	- hdf5 <unfixed> (low)
+	[stretch] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln4#divided-by-zero---poc_apply_filters_h5repack_filters
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10586
 	NOTE: fixed in 1.10.5, release notes: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt
@@ -36380,7 +36387,8 @@ CVE-2018-17239
 CVE-2018-17238
 	RESERVED
 CVE-2018-17237 (A SIGFPE signal is raised in the function H5D__chunk_set_info_real() o ...)
-	- hdf5 <unfixed>
+	- hdf5 <unfixed> (low)
+	[stretch] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/SegfaultMasters/covering360/blob/master/HDF5/README.md#divided-by-zero---h5d__chunk_set_info_real_div_by_zero
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10571 (not public)
 	NOTE: does not appear in 1.10.5 release notes, but fixed in
@@ -36396,14 +36404,16 @@ CVE-2018-17235 (The function mp4v2::impl::MP4Track::FinishSdtp() in mp4track.cpp
 	[jessie] - mp4v2 <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1629451
 CVE-2018-17234 (Memory leak in the H5O__chunk_deserialize() function in H5Ocache.c in  ...)
-	- hdf5 <unfixed>
+	- hdf5 <unfixed> (low)
+	[stretch] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln3#memory-leak---h5o__chunk_deserialize_memory_leak
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10578 (not public)
 	NOTE: does not appear in 1.10.5 release notes, but fixed in
 	NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/f4138013dbc6851e968ea3d37b32776538ef306b
 CVE-2018-17233 (A SIGFPE signal is raised in the function H5D__create_chunk_file_map_h ...)
 	[experimental] - hdf5 1.10.5+repack-1~exp1
-	- hdf5 <unfixed>
+	- hdf5 <unfixed> (low)
+	[stretch] - hdf5 <no-dsa> (Minor issue)
 	NOTE: https://github.com/SegfaultMasters/covering360/tree/master/HDF5/vuln2#divided-by-zero---h5d__create_chunk_file_map_hyper_div_zero
 	NOTE: https://jira.hdfgroup.org/browse/HDFFV-10577
 	NOTE: fixed in 1.10.5, release notes: https://support.hdfgroup.org/ftp/HDF5/releases/hdf5-1.10/hdf5-1.10.5/src/hdf5-1.10.5-RELEASE.txt
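Review bot: CVE-2018-17234 (and CVE-2018-17237 in the preceding hunk) receives the `[stretch] - hdf5 <no-dsa>` line but, unlike CVE-2018-17233 directly below it, no `[experimental] - hdf5 1.10.5+repack-1~exp1` entry; the NOTE says the fix does not appear in the 1.10.5 release notes but points at commit f4138013dbc6851e968ea3d37b32776538ef306b, so please check whether that commit is contained in the 1.10.5 tag and, if it is, add the experimental line for consistency with the neighbouring entries; if it is not, a short NOTE stating that makes the omission deliberate rather than an oversight.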


=====================================
data/dsa-needed.txt
=====================================
@@ -15,15 +15,24 @@ If needed, specify the release by adding a slash after the name of the source pa
 389-ds-base (fw)
   Thorsten Alteholz proposed an update
 --
+atftp
+--
+bind9
+--
 evolution
 --
 faad2
   not yet fixed upstream
 --
+ffmpeg
+  ping upstream for 3.2.14 release catching up with recent issues  
+--
 glusterfs
 --
 graphicsmagick
 --
+gst-plugins-base1.0 (jmm)
+--
 koji
 --
 libidn
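Review bot: the added ffmpeg note line (`  ping upstream for 3.2.14 release catching up with recent issues  `) ends with trailing whitespace after "issues"; please strip it, since the rest of dsa-needed.txt carries none and trailing spaces produce noisy diffs on later edits of that entry.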



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5f12af7168dfc0083fc9d71319189cb15abbc19d
