[Git][security-tracker-team/security-tracker][master] stretch triage
Moritz Muehlenhoff
jmm at debian.org
Sat Feb 2 05:06:40 GMT 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
9c3d4031 by Moritz Muehlenhoff at 2019-02-02T05:06:10Z
stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -352,12 +352,14 @@ CVE-2019-7151 (A NULL pointer dereference was discovered in ...)
NOTE: https://github.com/WebAssembly/binaryen/commit/2127e64f42da55bb5b9b0ab1995b3ca7fc4e0d0b
NOTE: https://github.com/WebAssembly/binaryen/commit/85e95e315a8023c46eb804fe80ebc244bcfdae3e
CVE-2019-7150 (An issue was discovered in elfutils 0.175. A segmentation fault can ...)
- - elfutils <unfixed> (bug #920909)
+ - elfutils <unfixed> (low; bug #920909)
+ [stretch] - elfutils <no-dsa> (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24103
NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00070.html
NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=da5c5336a1eaf519de246f7d9f0f5585e1d4ac59
CVE-2019-7149 (A heap-based buffer over-read was discovered in the function ...)
- - elfutils <unfixed> (bug #920910)
+ - elfutils <unfixed> (low; bug #920910)
+ [stretch] - elfutils <no-dsa> (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24102
NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00068.html
NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=2562759d6fe5b364fe224852e64e8bda39eb2e35
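Review bot: The rewritten "- elfutils <unfixed>" lines for CVE-2019-7150 and CVE-2019-7149 also set the urgency of the unstable entry to "low", which is a wider change than the "stretch triage" subject suggests. Consider mentioning the urgency change in the commit message. Since both entries already carry NOTEs pointing at upstream elfutils commits, the <no-dsa> reason could also say whether a fix is planned through a point release rather than only "Minor issue".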
@@ -1200,7 +1202,8 @@ CVE-2017-18360 (In change_port_settings in drivers/usb/serial/io_ti.c in the Lin
NOTE: Fixed by: https://git.kernel.org/linus/6aeb75e6adfaed16e58780309613a578fe1ee90b
CVE-2017-18359 (PostGIS 2.x before 2.3.3, as used with PostgreSQL, allows remote ...)
{DLA-1653-1}
- - postgis 2.3.3+dfsg-1
+ - postgis 2.3.3+dfsg-1 (low)
+ [stretch] - postgis <no-dsa> (Minor issue)
NOTE: https://trac.osgeo.org/postgis/ticket/3704
NOTE: https://trac.osgeo.org/postgis/changeset/15444
NOTE: https://trac.osgeo.org/postgis/changeset/15445
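Review bot: On CVE-2017-18359 the new "[stretch] - postgis <no-dsa> (Minor issue)" line sits directly under {DLA-1653-1}, so the same issue received an LTS advisory while stretch gets none, and the description says it "allows remote ...". A short reason explaining why stretch is treated differently would make the divergence understandable to someone reading the entry later.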
@@ -2034,7 +2037,8 @@ CVE-2019-6439 (examples/benchmark/tls_bench.c in a benchmark tool in wolfSSL thr
NOTE: https://github.com/wolfSSL/wolfssl/issues/2032
NOTE: Issue only in example code
CVE-2019-6438 (SchedMD Slurm before 17.11.13 and 18.x before 18.08.5 mishandles 32-bit ...)
- - slurm-llnl <unfixed> (bug #920997)
+ - slurm-llnl <unfixed> (low; bug #920997)
+ [stretch] - slurm-llnl <no-dsa> (Minor issue)
NOTE: https://www.schedmd.com/news.php?id=213
NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2019/000018.html
CVE-2019-6437
@@ -8838,12 +8842,14 @@ CVE-2018-20555
CVE-2018-20554
RESERVED
CVE-2018-20553 (Tcpreplay before 4.3.1 has a heap-based buffer over-read in get_l2len ...)
- - tcpreplay <unfixed> (bug #917574)
+ - tcpreplay <unfixed> (low; bug #917574)
+ [stretch] - tcpreplay <no-dsa> (Minor issue)
[jessie] - tcpreplay <no-dsa> (not used by any sponsor, hard to exploit)
NOTE: https://github.com/appneta/tcpreplay/issues/530
NOTE: https://github.com/appneta/tcpreplay/pull/532/commits/6b830a1640ca20528032c89a4fdd8291a4d2d8b2
CVE-2018-20552 (Tcpreplay before 4.3.1 has a heap-based buffer over-read in packet2tree ...)
- - tcpreplay <unfixed> (bug #917574)
+ - tcpreplay <unfixed> (low; bug #917574)
+ [stretch] - tcpreplay <no-dsa> (Minor issue)
[jessie] - tcpreplay <no-dsa> (not used by any sponsor, hard to exploit)
NOTE: https://github.com/appneta/tcpreplay/issues/530
NOTE: https://github.com/appneta/tcpreplay/pull/532/commits/6b830a1640ca20528032c89a4fdd8291a4d2d8b2
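Review bot: For CVE-2018-20553 and CVE-2018-20552 the added stretch lines give only "Minor issue", while the adjacent [jessie] lines record an actual rationale ("not used by any sponsor, hard to exploit"). Both entries are heap-based buffer over-reads that share bug #917574 and the same upstream commit, so putting a concrete reason on the stretch lines as well would keep the triage of the two suites comparable.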
@@ -18492,6 +18498,7 @@ CVE-2018-19518 (University of Washington IMAP Toolkit 2007f on UNIX, as used in
- php7.0 <removed> (bug #913836)
- php5 <removed>
- uw-imap <unfixed> (bug #914632)
+ [stretch] - uw-imap <no-dsa> (Minor issue)
NOTE: Fixed in 5.6.39, 7.0.33, 7.1.25, 7.2.13, 7.3.0
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=76428
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77153
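Review bot: In the CVE-2018-19518 hunk the "- uw-imap <unfixed> (bug #914632)" line is left without an urgency, whereas every other package line that receives a stretch <no-dsa> entry in this commit is also changed to "low". If the omission is deliberate, a more specific <no-dsa> reason than "Minor issue" would explain why this one is postponed without being rated low; otherwise add "low" here for consistency.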
@@ -24537,7 +24544,8 @@ CVE-2018-17200
RESERVED
CVE-2018-17199 (In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks ...)
{DLA-1647-1}
- - apache2 2.4.38-1 (bug #920303)
+ - apache2 2.4.38-1 (low; bug #920303)
+ [stretch] - apache2 <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2019/01/22/3
NOTE: 2.4.x http://svn.apache.org/r1851409
NOTE: 2.5.x http://svn.apache.org/r1850947
@@ -24566,7 +24574,8 @@ CVE-2018-17191 (Apache NetBeans (incubating) 9.0 NetBeans Proxy Auto-Configurati
CVE-2018-17190 (In all versions of Apache Spark, its standalone resource manager ...)
NOT-FOR-US: Apache Spark
CVE-2018-17189 (In Apache HTTP server versions 2.4.37 and prior, by sending request ...)
- - apache2 2.4.38-1 (bug #920302)
+ - apache2 2.4.38-1 (low; bug #920302)
+ [stretch] - apache2 <no-dsa> (Minor issue)
[jessie] - apache2 <not-affected> (Vulnerable code not present)
NOTE: HTTP/2 support introduced in 2.4.17
NOTE: https://www.openwall.com/lists/oss-security/2019/01/22/2
=====================================
data/dsa-needed.txt
=====================================
@@ -46,6 +46,8 @@ mbedtls
--
mercurial
--
+mumble
+--
mysql-connector-python
Proposed to update to 2.1.9 via stretch-security
--
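Review bot: The new "mumble" entry in data/dsa-needed.txt has no note underneath it, and nothing in the data/CVE/list hunks of this commit touches a mumble entry, so a reader cannot tell which issue put it on the list. Adding a line naming the CVE or the planned action, in the style of the "Proposed to update to 2.1.9 via stretch-security" note under mysql-connector-python, would make the entry self-explanatory.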
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/9c3d40319ee7b84b427f772a0d70c90e51d3a539