[Git][security-tracker-team/security-tracker][master] stretch/buster triage

Moritz Muehlenhoff jmm at debian.org
Mon Dec 2 21:49:04 GMT 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
08844222 by Moritz Muehlenhoff at 2019-12-02T21:48:44Z
stretch/buster triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -907,10 +907,11 @@ CVE-2019-19330 (The HTTP/2 implementation in HAProxy before 2.0.10 mishandles he
 	NOTE: https://git.haproxy.org/?p=haproxy.git;a=commit;h=54f53ef7ce4102be596130b44c768d1818570344
 	NOTE: https://git.haproxy.org/?p=haproxy.git;a=commit;h=146f53ae7e97dbfe496d0445c2802dd0a30b0878
 CVE-2019-19308 (In text_to_glyphs in sushi-font-widget.c in gnome-font-viewer 3.34.0,  ...)
-	- gnome-font-viewer <unfixed>
-	- gnome-sushi <unfixed>
+	- gnome-font-viewer <unfixed> (unimportant)
+	- gnome-sushi <unfixed> (unimportant)
 	NOTE: https://gitlab.gnome.org/GNOME/gnome-font-viewer/issues/17
 	NOTE: https://gitlab.gnome.org/GNOME/gnome-font-viewer/commit/9661683379806e2bad6a52ce6dde776a33f4f981
+	NOTE: Crash in GUI tool, no security impact
 CVE-2019-19307 (An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6. ...)
 	NOT-FOR-US: Cesanta Mongoose
 	NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1
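Review bot: the new rationale NOTE ("Crash in GUI tool, no security impact") is what justifies the (unimportant) tag, but it only argues the font-viewer case; since gnome-sushi gets the same <unfixed> (unimportant) tag, the note could state that gnome-sushi ships the same widget (sushi-font-widget.c, per the CVE text), so the downgrade visibly covers both packages rather than just the viewer.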
@@ -1199,13 +1200,19 @@ CVE-2019-19206 (Dolibarr CRM/ERP 10.0.3 allows viewimage.php?file= Stored XSS du
 CVE-2019-19205
 	RESERVED
 CVE-2019-19204 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...)
-	- libonig <unfixed> (bug #945313)
+	- libonig <unfixed> (low; bug #945313)
+	[buster] - libonig <no-dsa> (Minor issue)
+	[stretch] - libonig <no-dsa> (Minor issue)
 	NOTE: https://github.com/kkos/oniguruma/issues/162
 	NOTE: https://github.com/kkos/oniguruma/commit/6eb4aca6a7f2f60f473580576d86686ed6a6ebec (v6.9.4_rc2)
+	NOTE: Only exploitable with attacker-provided pattern
 CVE-2019-19203 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...)
-	- libonig <unfixed> (bug #945312)
+	- libonig <unfixed> (low; bug #945312)
+	[buster] - libonig <no-dsa> (Minor issue)
+	[stretch] - libonig <no-dsa> (Minor issue)
 	NOTE: https://github.com/kkos/oniguruma/issues/163
 	NOTE: https://github.com/kkos/oniguruma/commit/aa0188eaedc056dca8374ac03d0177429b495515 (v6.9.4_rc2)
+	NOTE: Only exploitable with attacker-provided pattern
 CVE-2019-19202 (In Vtiger 7.x before 7.2.0, the My Preferences saving functionality al ...)
 	NOT-FOR-US: Vtiger CRM
 CVE-2019-19201
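Review bot: the "Only exploitable with attacker-provided pattern" rationale on both libonig entries is the whole basis for the low / no-dsa tags, and it holds only if no reverse dependency in stretch or buster compiles user-supplied regular expressions with the library; worth recording in the NOTE that this was checked, because a consumer that does accept untrusted patterns would make the same two bugs reachable remotely and "Minor issue" would no longer fit.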
@@ -2028,6 +2035,7 @@ CVE-2019-18874 (psutil (aka python-psutil) through 5.6.5 can have a double free.
 	- python-psutil 5.6.7-1 (low; bug #944605)
 	[buster] - python-psutil <no-dsa> (Minor issue)
 	[stretch] - python-psutil <no-dsa> (Minor issue)
+	NOTE: https://github.com/giampaolo/psutil/commit/7d512c8e4442a896d56505be3e78f1156f443465
 	NOTE: https://github.com/giampaolo/psutil/pull/1616
 CVE-2019-18873 (FUDForum 3.0.9 is vulnerable to Stored XSS via the User-Agent HTTP hea ...)
 	NOT-FOR-US: FUDForum
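Review bot: the added psutil commit reference has no release annotation, whereas the other commit NOTEs in this commit carry the tag the fix landed in (e.g. "(v6.9.4_rc2)" on the libonig lines); since the package line already records 5.6.7-1 as fixed, appending the upstream version to the commit link keeps the list's convention and makes the backport target obvious.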
@@ -2223,13 +2231,19 @@ CVE-2019-18801
 CVE-2019-18800 (Viber through 11.7.0.5 allows a remote attacker who can capture a vict ...)
 	NOT-FOR-US: Viber
 CVE-2019-18799 (LibSass before 3.6.3 allows a NULL pointer dereference in Sass::Parser ...)
-	- libsass <unfixed>
+	- libsass <unfixed> (low)
+	[buster] - libsass <no-dsa> (Minor issue)
+	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/3001
 CVE-2019-18798 (LibSass before 3.6.3 allows a heap-based buffer over-read in Sass::wea ...)
-	- libsass <unfixed>
+	- libsass <unfixed> (low)
+	[buster] - libsass <no-dsa> (Minor issue)
+	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/2999
 CVE-2019-18797 (LibSass 3.6.1 has uncontrolled recursion in Sass::Eval::operator()(Sas ...)
-	- libsass <unfixed>
+	- libsass <unfixed> (low)
+	[buster] - libsass <no-dsa> (Minor issue)
+	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/3000
 CVE-2019-18796
 	RESERVED
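Review bot: all three libsass entries go to (low) plus no-dsa for buster and stretch with only the upstream issue link as reference; the CVE text itself says "before 3.6.3", so a NOTE pointing at the fixing commit, as done for other entries in this commit, would let whoever later handles the <unfixed> line find the patch without re-triaging, and a one-line rationale for "Minor issue" (like the notes added to the libonig and libssh2 entries here) would document the decision.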
@@ -5321,15 +5335,21 @@ CVE-2019-18466 (An issue was discovered in Podman in libpod before 1.6.0. It res
 	NOT-FOR-US: libpod (podman library used to create container pods)
 CVE-2019-18601 (OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to denial of ser ...)
 	{DLA-1982-1}
-	- openafs 1.8.5-1 (bug #943587)
+	- openafs 1.8.5-1 (low; bug #943587)
+	[buster] - openafs <no-dsa> (Minor issue)
+	[stretch] - openafs <no-dsa> (Minor issue)
 	NOTE: http://openafs.org/pages/security/OPENAFS-SA-2019-003.txt
 CVE-2019-18602 (OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to an informatio ...)
 	{DLA-1982-1}
-	- openafs 1.8.5-1 (bug #943587)
+	- openafs 1.8.5-1 (low; bug #943587)
+	[buster] - openafs <no-dsa> (Minor issue)
+	[stretch] - openafs <no-dsa> (Minor issue)
 	NOTE: http://openafs.org/pages/security/OPENAFS-SA-2019-002.txt
 CVE-2019-18603 (OpenAFS before 1.6.24 and 1.8.x before 1.8.5 is prone to information l ...)
 	{DLA-1982-1}
-	- openafs 1.8.5-1 (bug #943587)
+	- openafs 1.8.5-1 (low; bug #943587)
+	[buster] - openafs <no-dsa> (Minor issue)
+	[stretch] - openafs <no-dsa> (Minor issue)
 	NOTE: http://openafs.org/pages/security/OPENAFS-SA-2019-001.txt
 CVE-2019-18465 (In Progress MOVEit Transfer 11.1 before 11.1.3, a vulnerability has be ...)
 	NOT-FOR-US: Progress MOVEit Transfer
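Review bot: each of the three openafs entries already carries {DLA-1982-1}, i.e. LTS did ship a fix, yet stretch and buster are tagged <no-dsa> (Minor issue) for the same bugs with no rationale NOTE; a short note on why a DLA was warranted but a DSA is not, or a pointer that the 1.8.5-1 fix is a candidate for the next point release, would keep these entries consistent with the "Only exploitable with ..." style notes added elsewhere in this commit.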
@@ -8594,13 +8614,16 @@ CVE-2019-17499 (The setter.xml component of the Common Gateway Interface on Comp
 	NOT-FOR-US: Compal CH7465LG devices
 CVE-2019-17498 (In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic i ...)
 	{DLA-1991-1}
-	- libssh2 <unfixed> (bug #943562)
+	- libssh2 <unfixed> (low; bug #943562)
+	[buster] - libssh2 <no-dsa> (Minor issue)
+	[stretch] - libssh2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/libssh2/libssh2/commit/dedcbd106f8e52d5586b0205bc7677e4c9868f9c
 	NOTE: https://blog.semmle.com/libssh2-integer-overflow-CVE-2019-17498/
 	NOTE: Backported SUSE patch for versions <= 1.8.0 (including struct string_buf,
 	NOTE: and the functions _libssh2_check_length(), _libssh2_get_u32() and
 	NOTE: libssh2_get_string(), forming part of the fix):
 	NOTE: https://bugzilla.suse.com/attachment.cgi?id=822416
+	NOTE: Only exploitable with a malicious server
 CVE-2018-21028 (Boa through 0.94.14rc21 allows remote attackers to trigger a memory le ...)
 	- boa <removed>
 CVE-2018-21027 (Boa through 0.94.14rc21 allows remote attackers to trigger an out-of-m ...)
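Review bot: "Only exploitable with a malicious server" is a sound justification for low on a client-side SSH_MSG_DISCONNECT bug, but the entry also records {DLA-1991-1} and a SUSE backport for versions <= 1.8.0 that is already linked; with a fix in hand, the no-dsa tags for stretch and buster could be paired with a note that the backport is queued for a point release rather than left as "Minor issue" alone.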
@@ -9008,6 +9031,8 @@ CVE-2019-17363
 CVE-2019-17362 (In LibTomCrypt through 1.18.2, the der_decode_utf8_string function (in ...)
 	{DLA-1951-1}
 	- libtomcrypt <unfixed>
+	[buster] - libtomcrypt <no-dsa> (Minor issue)
+	[stretch] - libtomcrypt <no-dsa> (Minor issue)
 	NOTE: https://github.com/libtom/libtomcrypt/issues/507
 	NOTE: https://github.com/libtom/libtomcrypt/pull/508
 CVE-2019-17361
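Review bot: libtomcrypt gets <no-dsa> (Minor issue) for both buster and stretch, but unlike every other entry changed in this commit the <unfixed> line is given no severity (low) and no rationale NOTE is added, even though {DLA-1951-1} already exists for it; add the severity on the package line and a one-line justification so the stable/oldstable call is traceable.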
@@ -16096,6 +16121,8 @@ CVE-2019-14865 (A flaw was found in the grub2-set-bootflag utility of grub2. A l
 CVE-2019-14864
 	RESERVED
 	- ansible <unfixed> (low; bug #943768)
+	[buster] - ansible <no-dsa> (Minor issue)
+	[stretch] - ansible <no-dsa> (Minor issue)
 	NOTE: https://github.com/ansible/ansible/issues/63522
 	NOTE: https://github.com/ansible/ansible/pull/63527
 CVE-2019-14863
@@ -44936,7 +44963,9 @@ CVE-2019-5069 (A code execution vulnerability exists in Epignosis eFront LMS v5.
 	NOT-FOR-US: Epignosis eFront LMS
 CVE-2019-5068 (An exploitable shared memory permissions vulnerability exists in the f ...)
 	{DLA-1993-1}
-	- mesa <unfixed> (bug #944298)
+	- mesa <unfixed> (low; bug #944298)
+	[buster] - mesa <no-dsa> (Minor issue)
+	[stretch] - mesa <no-dsa> (Minor issue)
 	NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0857
 	NOTE: https://lists.freedesktop.org/pipermail/mesa-dev/2019-October/223704.html
 	NOTE: https://cgit.freedesktop.org/mesa/mesa/commit/?id=02c3dad0f3b4d26e0faa5cc51d06bc50d693dcdc
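Review bot: the mesa entry goes to (low) / no-dsa while the CVE description calls it an "exploitable shared memory permissions vulnerability" and DLA-1993-1 has already been issued; a NOTE stating the reason for "Minor issue" would stop a future reader from taking the Talos wording and the no-dsa tags as contradictory.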
@@ -47537,8 +47566,10 @@ CVE-2019-3867
 	RESERVED
 	NOT-FOR-US: OpenShift (web-cosnole issue specific to OpenShift only)
 CVE-2019-3866 (An information-exposure vulnerability was discovered where openstack-m ...)
-	- mistral <unfixed>
+	- python-oslo.utils <unfixed> (low)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1768731
+	NOTE: https://bugs.launchpad.net/tripleo/+bug/1850843
+	NOTE: https://opendev.org/openstack/oslo.utils/commit/b41268417cecb12d1d5955ee3107067edf050221
 CVE-2019-3865
 	RESERVED
 	NOT-FOR-US: Quay
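Review bot: CVE-2019-3866 is reassigned from mistral to python-oslo.utils, which matches the newly referenced oslo.utils fix commit, but the old mistral line is dropped outright rather than marked <not-affected>; if mistral was listed because that is where the exposure is observed (the CVE text begins "openstack-m..."), a <not-affected> line with a reason would record that the fix lives in the library and mistral needs no change of its own. Drive-by: the context line above reads "web-cosnole" (typo for web-console).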


=====================================
data/dsa-needed.txt
=====================================
@@ -35,6 +35,8 @@ jruby/oldstable
 libidn/oldstable
   santiago proposed debdiffs for jessie and stretch
 --
+libopenmpt
+--
 linux (carnil)
   Wait until more issues have piled up
 --
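Review bot: the new libopenmpt block in dsa-needed.txt carries neither an assignee nor a status line, while the neighbouring entries record who is on it or what is being waited for; add the CVE ids it covers or a short status so the queue stays self-explanatory.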



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/08844222ae280aa9bf80cdc437c398360575dab9


