[Git][security-tracker-team/security-tracker][master] buster/stretch triage

Moritz Muehlenhoff jmm at debian.org
Tue Dec 10 18:44:43 GMT 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9abb6108 by Moritz Muehlenhoff at 2019-12-10T18:44:21Z
buster/stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -73,15 +73,23 @@ CVE-2019-19639
 	RESERVED
 CVE-2019-19638 (An issue was discovered in libsixel 1.8.2. There is a heap-based buffe ...)
 	- libsixel <unfixed>
+	[buster] - libsixel <no-dsa> (Minor issue)
+	[stretch] - libsixel <no-dsa> (Minor issue)
 	NOTE: https://github.com/saitoha/libsixel/issues/102
 CVE-2019-19637 (An issue was discovered in libsixel 1.8.2. There is an integer overflo ...)
 	- libsixel <unfixed>
+	[buster] - libsixel <no-dsa> (Minor issue)
+	[stretch] - libsixel <no-dsa> (Minor issue)
 	NOTE: https://github.com/saitoha/libsixel/issues/105
 CVE-2019-19636 (An issue was discovered in libsixel 1.8.2. There is an integer overflo ...)
 	- libsixel <unfixed>
+	[buster] - libsixel <no-dsa> (Minor issue)
+	[stretch] - libsixel <no-dsa> (Minor issue)
 	NOTE: https://github.com/saitoha/libsixel/issues/104
 CVE-2019-19635 (An issue was discovered in libsixel 1.8.2. There is a heap-based buffe ...)
 	- libsixel <unfixed>
+	[buster] - libsixel <no-dsa> (Minor issue)
+	[stretch] - libsixel <no-dsa> (Minor issue)
 	NOTE: https://github.com/saitoha/libsixel/issues/103
 CVE-2019-19634
 	RESERVED
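Review bot: The four `- libsixel <unfixed>` lines (CVE-2019-19635 through CVE-2019-19638) still carry no Debian bug reference, and with buster and stretch now marked `<no-dsa>` nothing in these entries tracks a fix for the stable suites. The descriptions name heap-based buffer overflows and integer overflows, so consider filing a bug and recording it on the unstable line as `(bug #NNNNNN)` (placeholder number), and give a reason more specific than "Minor issue" if one applies.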
@@ -2391,9 +2399,11 @@ CVE-2019-19335
 	RESERVED
 CVE-2019-19334 (In all versions of libyang before 1.0-r5, a stack-based buffer overflo ...)
 	- libyang <unfixed> (bug #946217)
+	[buster] - libyang <no-dsa> (Minor issue)
 	NOTE: https://github.com/CESNET/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6
 CVE-2019-19333 (In all versions of libyang before 1.0-r5, a stack-based buffer overflo ...)
 	- libyang <unfixed> (bug #946217)
+	[buster] - libyang <no-dsa> (Minor issue)
 	NOTE: https://github.com/CESNET/libyang/commit/f6d684ade99dd37b21babaa8a856f64faa1e2e0d
 CVE-2019-19332 [KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID]
 	RESERVED
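Review bot: Both libyang entries (CVE-2019-19333 and CVE-2019-19334) gain a `[buster]` line but no `[stretch]` line, unlike most other packages triaged in this commit. If stretch does not ship libyang this is correct as it stands; otherwise add the matching `[stretch] - libyang <no-dsa> (Minor issue)` line so that suite is not left untriaged.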
@@ -6427,7 +6437,9 @@ CVE-2019-18610 (An issue was discovered in manager.c in Sangoma Asterisk through
 	NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28580
 CVE-2019-18609 (An issue was discovered in amqp_handle_input in amqp_connection.c in r ...)
 	{DLA-2022-1}
-	- librabbitmq <unfixed> (bug #946005)
+	- librabbitmq <unfixed> (low; bug #946005)
+	[buster] - librabbitmq <no-dsa> (Minor issue)
+	[stretch] - librabbitmq <no-dsa> (Minor issue)
 	NOTE: https://github.com/alanxz/rabbitmq-c/commit/fc85be7123050b91b054e45b91c78d3241a5047a
 CVE-2019-18608 (Cezerin v0.33.0 allows unauthorized order-information modification bec ...)
 	NOT-FOR-US: Cezerin
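Review bot: CVE-2019-18609 already carries `{DLA-2022-1}`, so the issue was handled through an LTS advisory, yet the new lines set urgency `low` and mark buster and stretch `<no-dsa> (Minor issue)`. Say in the reason why the same bug is minor for the stable suites, or that the fix is planned for a point release, so the two assessments do not read as contradictory.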
@@ -11608,6 +11620,8 @@ CVE-2019-16935 (The documentation XML-RPC server in Python through 2.7.16, 3.x t
 	[stretch] - python2.7 <no-dsa> (Minor issue)
 	[jessie] - python2.7 <ignored> (Minor Issue, XSS in an unlikely use-case)
 	- jython <unfixed>
+	[buster] - jython <ignored> (Minor Issue)
+	[stretch] - jython <ignored> (Minor Issue)
 	[jessie] - jython <ignored> (Minor Issue, XSS in an unlikely use-case)
 	- pypy <unfixed> (low)
 	[buster] - pypy <no-dsa> (Minor issue)
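Review bot: The added jython lines copy the capitalised "Minor Issue" from the jessie lines but not their justification, while the rest of this commit writes "Minor issue". Since `<ignored>` is a stronger statement than `<no-dsa>`, carry the full reason over, e.g. `[buster] - jython <ignored> (Minor issue, XSS in an unlikely use-case)`.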
@@ -12094,6 +12108,8 @@ CVE-2019-16771 (Versions of Armeria 0.85.0 through and including 0.96.0 are vuln
 	NOT-FOR-US: Armeria
 CVE-2019-16770 (In Puma before version 4.3.2, a poorly-behaved client could use keepal ...)
 	- puma <unfixed> (bug #946312)
+	[buster] - puma <no-dsa> (Minor issue)
+	[stretch] - puma <no-dsa> (Minor issue)
 	NOTE: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
 	NOTE: https://github.com/puma/puma/commit/06053e60908074bb38293d4449ea261cb009b53e
 CVE-2019-16769 (The serialize-javascript npm package before version 2.1.1 is vulnerabl ...)
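Review bot: On `- puma <unfixed> (bug #946312)` the urgency is left unset, although the librabbitmq hunk in this same commit adds `low` to the unstable line alongside its `<no-dsa>` annotations. If the assessment for CVE-2019-16770 is the same, write `(low; bug #946312)` so the urgency and the stable triage agree.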
@@ -25998,6 +26014,8 @@ CVE-2019-12416
 	RESERVED
 CVE-2019-12415 (In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to conv ...)
 	- libapache-poi-java <unfixed> (bug #943565)
+	[buster] - libapache-poi-java <no-dsa> (Minor issue)
+	[stretch] - libapache-poi-java <no-dsa> (Minor issue)
 	[jessie] - libapache-poi-java <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/10/23/1
 CVE-2019-12414


=====================================
data/dsa-needed.txt
=====================================
@@ -76,5 +76,7 @@ wordpress (seb)
   2019-11-19: ask about stretch-security
   2019-11-06: maintainer proposed debdiff for buster-security
 --
+xcftools
+--
 xen
 --
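Review bot: The new `xcftools` entry has no note under it, and nothing in the `data/CVE/list` part of this commit touches xcftools, so a reader cannot tell which CVE or which suite prompted the addition. Add an indented note line in the style of the wordpress notes above (date plus what is pending).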



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9abb610827a753e0da5dfe09a713128a09a3fe0f
