[Git][security-tracker-team/security-tracker][master] buster/stretch triage

Moritz Muehlenhoff jmm at debian.org
Mon Dec 16 19:43:44 GMT 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2f06c1f1 by Moritz Muehlenhoff at 2019-12-16T19:43:23Z
buster/stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -12667,7 +12667,9 @@ CVE-2019-17546 (tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL throug
 	NOTE: gdal uses system libtiff libraries since 2.0.1+dfsg-1~exp1 (#684233)
 CVE-2019-17545 (GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ...)
 	{DLA-1984-1}
-	- gdal 2.4.2+dfsg-2
+	- gdal 2.4.2+dfsg-2 (low)
+	[buster] - gdal <no-dsa> (Minor issue)
+	[stretch] - gdal <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16178
 	NOTE: https://github.com/OSGeo/gdal/commit/148115fcc40f1651a5d15fa34c9a8c528e7147bb
 CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer over- ...)
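Review bot: the new [buster] and [stretch] `<no-dsa> (Minor issue)` lines sit directly under the `{DLA-1984-1}` reference in the same entry, so jessie already received an advisory for this double free while the two newer releases are now rated as not warranting one; add a short rationale to the parenthesised note (for example that the fix will ride along in a point release) so the two assessments do not read as contradictory to anyone consulting the tracker.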
@@ -14400,6 +14402,8 @@ CVE-2019-16885 (In OkayCMS through 2.3.4, an unauthenticated attacker can achiev
 	NOT-FOR-US: OkayCMS
 CVE-2019-16884 (runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other ...)
 	- runc 1.0.0~rc9+dfsg1-1 (bug #942026)
+	[buster] - runc <no-dsa> (Minor issue)
+	[stretch] - runc <no-dsa> (Minor issue)
 	- golang-github-opencontainers-selinux <unfixed> (bug #942027)
 	NOTE: https://github.com/opencontainers/runc/issues/2128
 CVE-2019-16883
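Review bot: only the runc line gets [buster]/[stretch] triage here, while the second package in the same entry, `golang-github-opencontainers-selinux <unfixed> (bug #942027)`, still has no release-specific lines and will therefore keep showing as open for buster and stretch; if the "Minor issue" assessment covers both packages, add the matching `[buster]`/`[stretch] - golang-github-opencontainers-selinux <no-dsa>` lines, otherwise note why the selinux helper is handled differently. Unlike the gdal and roundcube hunks in this commit, the unstable line also keeps no severity tag, so a `(low)` on `- runc 1.0.0~rc9+dfsg1-1` would keep the entry consistent with the other triaged ones.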
@@ -15762,6 +15766,8 @@ CVE-2019-16371 (LogMeIn LastPass before 4.33.0 allows attackers to construct a c
 	NOT-FOR-US: LogMeIn LastPass
 CVE-2019-16370 (The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algori ...)
 	- gradle <unfixed> (low; bug #941186)
+	[buster] - gradle <no-dsa> (Minor issue)
+	[stretch] - gradle <no-dsa> (Minor issue)
 	[jessie] - gradle <postponed> (Minor issue, old gradle mainly used for building Debian packages with apt signatures)
 	NOTE: https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2f
 CVE-2019-16369
@@ -19000,7 +19006,9 @@ CVE-2019-15239 (In the Linux kernel, a certain net/ipv4/tcp_output.c change, whi
 CVE-2019-15238 (The cforms2 plugin before 15.0.2 for WordPress has CSRF related to the ...)
 	NOT-FOR-US: Wordpress plugin
 CVE-2019-15237 (Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, ...)
-	- roundcube <unfixed>
+	- roundcube <unfixed> (low)
+	[buster] - roundcube <no-dsa> (Minor issue)
+	[stretch] - roundcube <no-dsa> (Minor issue)
 	NOTE: https://github.com/roundcube/roundcubemail/issues/6891
 CVE-2019-15236
 	RESERVED
@@ -19761,6 +19769,8 @@ CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Con
 	NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence Server
 CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication credentials  ...)
 	- gradle <unfixed> (low; bug #941187)
+	[buster] - gradle <no-dsa> (Minor issue)
+	[stretch] - gradle <no-dsa> (Minor issue)
 	[jessie] - gradle <postponed> (Minor issue, old gradle mainly used for building Debian packages with system libraries)
 	NOTE: https://github.com/gradle/gradle/issues/10278
 	NOTE: https://github.com/gradle/gradle/pull/10176
@@ -21533,6 +21543,8 @@ CVE-2019-14494 (An issue was discovered in Poppler through 0.78.0. There is a di
 CVE-2019-14493 (An issue was discovered in OpenCV before 4.1.1. There is a NULL pointe ...)
 	[experimental] - opencv 4.1.1+dfsg-1
 	- opencv 4.1.2+dfsg-3
+	[buster] - opencv <no-dsa> (Minor issue)
+	[stretch] - opencv <no-dsa> (Minor issue)
 	[jessie] - opencv <postponed> (Minor issue, DoS, PoC not crashing)
 	NOTE: https://github.com/opencv/opencv/issues/15127
 	NOTE: https://github.com/opencv/opencv/commit/5691d998ead1d9b0542bcfced36c2dceb3a59023
@@ -26948,7 +26960,9 @@ CVE-2019-13040
 CVE-2019-13039
 	RESERVED
 CVE-2019-13038 (mod_auth_mellon through 0.14.2 has an Open Redirect via the login?Retu ...)
-	- libapache2-mod-auth-mellon <unfixed> (bug #931265)
+	- libapache2-mod-auth-mellon <unfixed> (low; bug #931265)
+	[buster] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)
+	[stretch] - libapache2-mod-auth-mellon <no-dsa> (Minor issue)
 	[jessie] - libapache2-mod-auth-mellon <ignored> (Open Redirect protection not implemented yet)
 	NOTE: https://github.com/Uninett/mod_auth_mellon/issues/35#issuecomment-503974885
 CVE-2019-13037
@@ -57760,6 +57774,7 @@ CVE-2019-2213 (In binder_free_transaction of binder.c, there is a possible use-a
 	NOTE: https://lore.kernel.org/patchwork/patch/1087916/
 CVE-2019-2212 (In poisson_distribution of random, there is an out of bounds read. Thi ...)
 	- libc++ <removed>
+	[stretch] - libc++ <no-dsa> (Minor issue)
 	[jessie] - libc++ <no-dsa> (Minor issue, Jessie versions of software that uses poisson distribution have low popcon)
 	- llvm-toolchain-6.0 <unfixed>
 	[jessie] - llvm-toolchain-6.0 <no-dsa> (Minor issue, Jessie versions of software that uses poisson distribution have low popcon)
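Review bot: this hunk adds a [stretch] line for libc++ but no [buster] line, and `llvm-toolchain-6.0 <unfixed>` below it is still only triaged for jessie, so both libc++ (buster) and llvm-toolchain-6.0 (buster and stretch) remain open for the releases this commit is meant to triage; if the same assessment applies, add the corresponding `<no-dsa> (Minor issue)` lines. The new stretch note also drops the popcon rationale that the adjacent jessie lines carry; copying it over keeps the reasoning visible.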
@@ -57794,6 +57809,7 @@ CVE-2019-2201 (In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, the
 	NOTE: https://android.googlesource.com/platform/external/libjpeg-turbo/+/d3db2a2634c422286f75c4b38af98837f3d2f0ff
 	NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
 	NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884
+	NOTE: https://github.com/clearlinux-pkgs/libjpeg-turbo/commit/0a5d06c3dd4a64754d7e6ffa081fd9132714f74c
 CVE-2019-2200
 	RESERVED
 CVE-2019-2199 (In createSessionInternal of PackageInstallerService.java, there is a p ...)
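Review bot: the added NOTE links a clearlinux-pkgs commit with no annotation, whereas the surrounding NOTE lines are the upstream Android and libjpeg-turbo references; a downstream distribution commit is ambiguous without context, so prefix it with what it is (for example a backport of the upstream fix to an older branch) so the next triager does not have to open it to learn why it is cited.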
@@ -60275,6 +60291,7 @@ CVE-2019-1551 (There is an overflow bug in the x64_64 Montgomery squaring proced
 	[stretch] - openssl <postponed> (Wait until next upstream security release)
 	[jessie] - openssl <not-affected> (Affected modules are not present in Jessie)
 	- openssl1.0 <removed> (low)
+	[buster] - openssl1.0 <postponed> (Wait until next upstream security release)
 	NOTE: https://www.openssl.org/news/secadv/20191206.txt
 	NOTE: OpenSSL_1_1_1-stable: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f
 	NOTE: OpenSSL_1_0_2-stable: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98


=====================================
data/dsa-needed.txt
=====================================
@@ -21,7 +21,7 @@ chromium
 --
 curl (ghedo)
 --
-cyrus-imapd
+cyrus-imapd (jmm)
 --
 evince/oldstable
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2f06c1f12824e635bf58cd15b9cffe4aadba3a5b
