[Git][security-tracker-team/security-tracker][master] 14 commits: update note
Thorsten Alteholz
alteholz at debian.org
Sun Aug 4 21:54:05 BST 2019
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2030c0cd by Thorsten Alteholz at 2019-08-04T20:44:37Z
update note
- - - - -
9cf69ffa by Thorsten Alteholz at 2019-08-04T20:44:38Z
mark vlc as EOL
- - - - -
08b03435 by Thorsten Alteholz at 2019-08-04T20:44:39Z
follow security team with no-dsa for CVE-2019-5057 in Jessie
- - - - -
b95b855c by Thorsten Alteholz at 2019-08-04T20:44:41Z
follow security team with no-dsa for CVE-2019-5058 in Jessie
- - - - -
cd70d1d8 by Thorsten Alteholz at 2019-08-04T20:44:42Z
follow security team with no-dsa for CVE-2019-5059 in Jessie
- - - - -
3da09f57 by Thorsten Alteholz at 2019-08-04T20:44:43Z
follow security team with no-dsa for CVE-2019-5060 in Jessie
- - - - -
33a30ea1 by Thorsten Alteholz at 2019-08-04T20:44:45Z
follow security team with no-dsa for CVE-2019-14494 in Jessie
- - - - -
5c14f80c by Thorsten Alteholz at 2019-08-04T20:44:45Z
add wireshark
- - - - -
0edbfd14 by Thorsten Alteholz at 2019-08-04T20:44:45Z
add dnsmasq
- - - - -
6a005287 by Thorsten Alteholz at 2019-08-04T20:44:46Z
add python3.4
- - - - -
feac19d3 by Thorsten Alteholz at 2019-08-04T20:44:46Z
add tika
- - - - -
f8dde30b by Thorsten Alteholz at 2019-08-04T20:44:46Z
add yara
- - - - -
ac16aa99 by Thorsten Alteholz at 2019-08-04T20:44:47Z
mark CVE-2018-20839 as no-dsa
- - - - -
00768d5e by Thorsten Alteholz at 2019-08-04T20:44:49Z
mark CVEs for schism as no-dsa
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -277,9 +277,11 @@ CVE-2019-14525
RESERVED
CVE-2019-14524 (An issue was discovered in Schism Tracker through 20190722. There is a ...)
- schism <unfixed> (bug #933808)
+ [jessie] - schism <no-dsa> (Minor issue)
NOTE: https://github.com/schismtracker/schismtracker/issues/201
CVE-2019-14523 (An issue was discovered in Schism Tracker through 20190722. There is a ...)
- schism <unfixed> (bug #933809)
+ [jessie] - schism <no-dsa> (Minor issue)
NOTE: https://github.com/schismtracker/schismtracker/issues/202
CVE-2019-14522
RESERVED
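Review bot: the two new [jessie] no-dsa lines for CVE-2019-14524 and CVE-2019-14523 follow the existing tag format, but neither entry records an upstream fix, only the issue links (issues/201 and issues/202), unlike the CVE-2019-14465 entry further down in this diff, which also carries the fixing commit; adding the fix commit as a NOTE once upstream has one would save re-triage if the "Minor issue" assessment is revisited for jessie.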
@@ -343,6 +345,7 @@ CVE-2019-14494 (An issue was discovered in Poppler through 0.78.0. There is a di
- poppler <unfixed> (bug #933812)
[buster] - poppler <no-dsa> (Minor issue)
[stretch] - poppler <no-dsa> (Minor issue)
+ [jessie] - poppler <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/802
NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/317
CVE-2019-14493 (An issue was discovered in OpenCV before 4.1.1. There is a NULL pointe ...)
@@ -411,6 +414,7 @@ CVE-2019-14466
RESERVED
CVE-2019-14465 (fmt_mtm_load_song in fmt/mtm.c in Schism Tracker 20190722 has a heap-b ...)
- schism <unfixed> (bug #933807)
+ [jessie] - schism <no-dsa> (Minor issue)
NOTE: https://github.com/schismtracker/schismtracker/issues/198
NOTE: https://github.com/schismtracker/schismtracker/commit/b78e8d32883f8a865035436af4fa6d541b6ebb42
CVE-2019-14464 (XMFile::read in XMFile.cpp in milkyplay in MilkyTracker 1.02.00 has a ...)
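Review bot: the jessie tag for CVE-2019-14465 reuses the bare "Minor issue" rationale although the description is a heap-based memory-safety bug in fmt_mtm_load_song (fmt/mtm.c) and, unlike the poppler and SDL_image hunks, there is no buster/stretch line here to follow; a short reason inside the parentheses would make the no-dsa decision self-explanatory for later triagers. The upstream fix commit is already linked in the NOTE, so a jessie update stays an option if the assessment changes.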
@@ -7781,6 +7785,7 @@ CVE-2018-20839 (systemd 242 changes the VT1 mode upon a logout, which allows att
[stretch] - systemd <no-dsa> (Minor issue)
[jessie] - systemd <no-dsa> (Not reproducible without Ubuntu-style persistant VT1 greeter; too invasive to fix)
- xorg-server <unfixed>
+ [jessie] - xorg-server <no-dsa> (Minor issue)
NOTE: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1803993
NOTE: https://github.com/systemd/systemd/commit/9725f1a10f80f5e0ae7d9b60547458622aeb322f
NOTE: https://github.com/systemd/systemd/pull/12378
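Review bot: the new jessie line for xorg-server says only "Minor issue" while the jessie line for systemd two lines above carries a specific rationale (not reproducible without a persistent VT1 greeter; too invasive to fix); since CVE-2018-20839 is tracked against both packages, state whether the same reasoning applies to xorg-server or why it differs. Unrelated to this change, the systemd context line spells "persistant"; worth fixing in a follow-up.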
@@ -25782,10 +25787,12 @@ CVE-2019-5461 [GitHub Integration SSRF]
CVE-2019-5460 (Double Free in VLC versions <= 3.0.6 leads to a crash. ...)
{DSA-4459-1}
- vlc 3.0.7-1
+ [jessie] - vlc <end-of-life> (https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: https://hackerone.com/reports/503208
CVE-2019-5459 (An Integer underflow in VLC Media Player versions < 3.0.7 leads to ...)
{DSA-4459-1}
- vlc 3.0.7-1
+ [jessie] - vlc <end-of-life> (https://lists.debian.org/debian-security-announce/2018/msg00130.html)
NOTE: https://hackerone.com/reports/502816
CVE-2019-5458 (Cross-site scripting (XSS) vulnerability in http-file-server (all vers ...)
TODO: check
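Review bot: the [jessie] - vlc <end-of-life> (URL) form follows the tracker's status-tag layout used elsewhere in this file and matches the "mark vlc as EOL" commit; the hunk only touches CVE-2019-5460 and CVE-2019-5459, so it is worth checking whether other vlc entries fixed in 3.0.7-1 still lack a [jessie] line and need the same tag.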
@@ -26619,36 +26626,44 @@ CVE-2019-5060 (An exploitable code execution vulnerability exists in the XPM ima
- libsdl2-image 2.0.5+dfsg1-1
[buster] - libsdl2-image <no-dsa> (Minor issue)
[stretch] - libsdl2-image <no-dsa> (Minor issue)
+ [jessie] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 <unfixed>
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
+ [jessie] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0844
NOTE: https://hg.libsdl.org/SDL_image/rev/26061e601c81
CVE-2019-5059 (An exploitable code execution vulnerability exists in the XPM image re ...)
- libsdl2-image 2.0.5+dfsg1-1
[buster] - libsdl2-image <no-dsa> (Minor issue)
[stretch] - libsdl2-image <no-dsa> (Minor issue)
+ [jessie] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 <unfixed>
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
+ [jessie] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0843
NOTE: https://hg.libsdl.org/SDL_image/rev/95fc7da55247
CVE-2019-5058 (An exploitable code execution vulnerability exists in the XCF image re ...)
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[stretch] - libsdl2-image <no-dsa> (Minor issue)
+ [jessie] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 <unfixed> (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
+ [jessie] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0842
NOTE: https://hg.libsdl.org/SDL_image/rev/b1a80aec2b10
CVE-2019-5057 (An exploitable code execution vulnerability exists in the PCX image-re ...)
- libsdl2-image 2.0.5+dfsg1-1 (bug #932754)
[buster] - libsdl2-image <no-dsa> (Minor issue)
[stretch] - libsdl2-image <no-dsa> (Minor issue)
+ [jessie] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 <unfixed> (bug #932755)
[buster] - sdl-image1.2 <no-dsa> (Minor issue)
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
+ [jessie] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0841
NOTE: https://hg.libsdl.org/SDL_image/rev/7453e79c8cdb
CVE-2019-5056
=====================================
data/dla-needed.txt
=====================================
@@ -9,6 +9,8 @@ To pick an issue, simply add your name behind it. To learn more about how
this list is updated have a look at
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
+--
+dnsmasq
--
faad2 (Hugo Lefeuvre)
NOTE: 20190519: I have a few patches pending for open issues. Will be PR-ed soon.
@@ -87,6 +89,9 @@ proftpd-dfsg (Markus Koschany)
NOTE: Stable update was released today.
--
python2.7 (Thorsten Alteholz)
+ NOTE: 20190804: need to check fails with test suite unrelated to this patch
+--
+python3.4 (Thorsten Alteholz)
--
qemu
NOTE: 20190528: An upload candidate is waiting for being tested on real hardware.
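Review bot: the new python2.7 NOTE reads awkwardly ("need to check fails with test suite unrelated to this patch"); suggest "need to check test suite failures unrelated to this patch". The python3.4 entry is placed alphabetically after python2.7, claimed by the same person and separated with the file's "--" delimiter, consistent with the commit adding python3.4.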
@@ -97,6 +102,7 @@ qemu
NOTE: 20190529: More testing needed.
--
ruby-mini-magick (Thorsten Alteholz)
+ NOTE: 20190805: package does not build in Jessie
--
ruby-openid
NOTE: 20190628: In discussion with upstream/rubygems maintainer regarding what the issue actually *is*. (lamby)
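Review bot: the ruby-mini-magick NOTE is stamped 20190805, but every commit in this push is timestamped 2019-08-04 and the other NOTE added here uses 20190804; check whether the date is a typo. "Package does not build in Jessie" is useful, but naming what fails (build dependency versus test suite) would help whoever picks the package up next, as the tomcat8 FTBFS notes in this file do.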
@@ -124,12 +130,16 @@ sqlite3
subversion
NOTE: 20190804: For (at least) CVE-2018-11782 the svn_err_trace that is in the diff has not been added yet. (lamby)
--
+tika
+--
tomcat8
NOTE: 20190522: FTBFS
NOTE: Test SSL certificate expired, see https://bz.apache.org/bugzilla/show_bug.cgi?id=57655
NOTE: Attempt to solve this by using certificates from latest tomcat8 package failed (Brian).
NOTE: 20190701: New CVE just piled up.
--
+wireshark (Thorsten Alteholz)
+--
wordpress
NOTE: 20190614: No upstream fix yet. (apo)
--
@@ -138,3 +148,5 @@ xen
--
xymon (Thorsten alteholz)
--
+yara
+--
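Review bot: yara is appended in alphabetical order after xymon with the trailing "--" separator the file uses, so the entry format is right; the context line above spells the claimant as "Thorsten alteholz" (lowercase surname) unlike "Thorsten Alteholz" elsewhere in this file, a capitalization slip that could be fixed in a follow-up.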
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/d5173322a76b1d71e305198af82c38a9dd4f60f8...00768d5e7d12aa1b678b4892545b9e8bc107a42a