[Git][security-tracker-team/security-tracker][master] new curl issues
Moritz Muehlenhoff
jmm at debian.org
Wed Feb 6 10:12:01 GMT 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
496d56e6 by Moritz Muehlenhoff at 2019-02-06T10:11:31Z
new curl issues
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -8123,10 +8123,16 @@ CVE-2019-3825
RESERVED
CVE-2019-3824
RESERVED
-CVE-2019-3823
+CVE-2019-3823 [curl: SMTP end-of-response out-of-bounds read]
RESERVED
-CVE-2019-3822
+ - curl <unfixed>
+ NOTE: https://curl.haxx.se/docs/CVE-2019-3823.html
+ NOTE: https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38da0c1ce6f1c0ceb484
+CVE-2019-3822 [curl: NTLMv2 type-3 header stack buffer overflow]
RESERVED
+ - curl <unfixed>
+ NOTE: https://curl.haxx.se/docs/CVE-2019-3822.html
+ NOTE: https://github.com/curl/curl/commit/50c9484278c63b958655a717844f0721263939cc
CVE-2019-3821
RESERVED
CVE-2019-3820 [partial lock screen bypass]
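Review bot: the two new `- curl <unfixed>` lines under CVE-2019-3823 and CVE-2019-3822 are backed only by the advisory and the fix commit, so nothing here says which curl versions carry the affected SMTP and NTLMv2 code. Suggest adding a NOTE with the introducing commit or first affected version for each, so that per-suite status can be set (or a suite marked not-affected) without re-reading the upstream advisory.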
@@ -25749,8 +25755,11 @@ CVE-2018-16892
RESERVED
CVE-2018-16891
RESERVED
-CVE-2018-16890
+CVE-2018-16890 [curl: NTLM type-2 out-of-bounds buffer read]
RESERVED
+ - curl <unfixed>
+ NOTE: https://curl.haxx.se/docs/CVE-2018-16890.html
+ NOTE: https://github.com/curl/curl/commit/b780b30d1377adb10bbe774835f49e9b237fb9bb
CVE-2018-16889 (Ceph does not properly sanitize encryption keys in debug logging for ...)
- ceph <unfixed> (low; bug #918969)
[stretch] - ceph <no-dsa> (Minor issue)
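Review bot: the new `- curl <unfixed>` line for CVE-2018-16890 carries no urgency or bug reference, whereas the ceph entry just below it in this hunk's context has `(low; bug #918969)`. Once a Debian bug is filed for the curl issues, add its number here and on the CVE-2019-3822 and CVE-2019-3823 entries in the same file, so the tracker entry links to the bug report.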
@@ -45991,7 +46000,6 @@ CVE-2018-9246 (The PGObject::Util::DBAdmin module before 0.120.0 for Perl, as us
NOTE: https://github.com/ledgersmb/PGObject-Util-DBAdmin/commit/f4e684008ca9e182833a70793ae91288d2c80218
NOTE: https://github.com/ledgersmb/PGObject-Util-DBAdmin/commit/dc48d0e1af0dbf861779b2c781e0f4c612c22cfb
NOTE: https://archive.ledgersmb.org/ledger-smb-announce/msg00280.html
- TODO: check if set of commits complete
CVE-2018-9245 (The Ericsson-LG iPECS NMS A.1Ac login portal has a SQL injection ...)
NOT-FOR-US: Ericsson-LG iPECS NMS A.1Ac login portal
CVE-2018-9242 (The PAN-OS management web interface page in PAN-OS 6.1.20 and earlier, ...)
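Review bot: the removal of `TODO: check if set of commits complete` under CVE-2018-9246 leaves no record of what the check found, and it is unrelated to the curl entries named in the commit message. Suggest either adding a NOTE stating that the two referenced PGObject-Util-DBAdmin commits are the complete fix, or moving this removal to its own commit with a message that says so.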
=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ ansible
--
chromium
--
+curl (ghedo)
+--
faad2
not yet fixed upstream
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/496d56e65eb3e7d0b32f6c17c67e671961b77f09