[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff
jmm at debian.org
Sun Feb 10 13:31:58 GMT 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
b565d010 by Moritz Muehlenhoff at 2019-02-10T13:31:12Z
buster triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -13676,6 +13676,7 @@ CVE-2018-20030 [Input validation issue resulting in a denial of service]
[stretch] - libexif <no-dsa> (Minor issue)
[jessie] - libexif <no-dsa> (Minor issue)
NOTE: https://secuniaresearch.flexerasoftware.com/secunia_research/2018-28/
+ NOTE: https://github.com/libexif/libexif/commit/6aa11df549114ebda520dde4cdaea2f9357b2c89
CVE-2018-20029 (The nxfs.sys driver in the DokanFS library 0.6.0 in NoMachine before ...)
NOT-FOR-US: nxfs.sys driver in the DokanFS library in NoMachine on Windows
CVE-2019-2394
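Review bot: the added libexif NOTE is a bare commit URL with no label saying what the commit is; the file's convention elsewhere is to tag such links (the CVE-2018-16890 entry has "NOTE: Introduced by: https://github.com/curl/curl/commit/..." and the lxterminal entry has "NOTE: Fixed by: https://git.lxde.org/..."). If 6aa11df5 is the upstream fix, prefix it "Fixed by:" and check whether the unstable package line (outside this hunk's context) should now carry a fixed version rather than just a note; if it is only related, say so, otherwise the next triager has to open the commit to find out which.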
@@ -26408,7 +26409,7 @@ CVE-2018-16890 (libcurl versions from 7.36.0 to before 7.64.0 is vulnerable to a
NOTE: Introduced by: https://github.com/curl/curl/commit/86724581b6c02d160b52f817550cfdfc9c93af62
CVE-2018-16889 (Ceph does not properly sanitize encryption keys in debug logging for ...)
- ceph <unfixed> (low; bug #918969)
- [stretch] - ceph <no-dsa> (Minor issue)
+ [stretch] - ceph <postponed> (Minor issue)
[jessie] - ceph <not-affected> (Vulnerable code not present)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1665334
NOTE: http://tracker.ceph.com/issues/37847
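Review bot: the stretch tag moves from <no-dsa> to <postponed> but the parenthesised reason stays "(Minor issue)", which is the no-dsa justification; postponed means a fix is still intended (normally bundled with a later ceph update), so the reason should say what it is waiting for, e.g. "[stretch] - ceph <postponed> (Minor issue, fix along with next ceph update)". Without that, the change reads as a tag swap with no recorded rationale, and the unstable line "- ceph <unfixed> (low; bug #918969)" remains the only open item.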
@@ -26630,7 +26631,7 @@ CVE-2018-16847 (An OOB heap buffer r/w access issue was found in the NVM Express
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg00200.html
NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=87ad860c622cc8f8916b5232bd8728c08f938fce
CVE-2018-16846 (It was found in Ceph versions before 13.2.4 that authenticated ceph ...)
- - ceph <unfixed>
+ - ceph <unfixed> (bug #921947)
NOTE: http://tracker.ceph.com/issues/35994
NOTE: https://github.com/ceph/ceph/commit/ab29bed2fc9f961fe895de1086a8208e21ddaddc
NOTE: Backport to 12.2.11: https://tracker.ceph.com/issues/37831
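Review bot: bug #921947 is recorded but, unlike the other ceph entry in this commit ("- ceph <unfixed> (low; bug #918969)"), no severity is set, and there is no [stretch] or [jessie] line, so both suites silently inherit the <unfixed> state. Given the existing note pointing at a 12.2.11 backport (https://tracker.ceph.com/issues/37831), it would be worth recording per-suite decisions here the way CVE-2018-16889 does, or at least a severity, so the filed bug and the tracker agree on urgency.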
@@ -32113,7 +32114,7 @@ CVE-2018-14663 (An issue has been found in PowerDNS DNSDist before 1.3.3 allowin
[stretch] - dnsdist <no-dsa> (Minor issue)
NOTE: https://dnsdist.org/security-advisories/powerdns-advisory-for-dnsdist-2018-08.html
CVE-2018-14662 (It was found Ceph versions before 13.2.4 that authenticated ceph users ...)
- - ceph <unfixed>
+ - ceph <unfixed> (bug #921948)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1637327
NOTE: https://github.com/ceph/ceph/commit/a2acedd2a7e12d58af6db35edbd8a9d29c557578
CVE-2018-14661 (It was found that usage of snprintf function in feature/locks ...)
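Review bot: same gap as CVE-2018-16846 above: bug #921948 is added but no severity and no per-suite lines, while the neighbouring dnsdist entry shows the "[stretch] - ... <no-dsa> (Minor issue)" form. The description says "before 13.2.4" and the only fix pointer is the upstream commit a2acedd2; unlike CVE-2018-16846 there is no note on whether a 12.2.x backport exists, so add one (or "no backport" if that is the state) so the two ceph bugs can be handled together.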
@@ -47713,12 +47714,14 @@ CVE-2018-8832 (enhavo 0.4.0 has XSS via a user-group that contains executable ..
NOT-FOR-US: enhavo
CVE-2018-8831 (A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through ...)
- kodi <unfixed> (low)
+ [buster] - kodi <no-dsa> (Minor issue)
[stretch] - kodi <no-dsa> (Minor issue)
- xbmc <removed>
[jessie] - xbmc <no-dsa> (Minor issue)
[wheezy] - xbmc <no-dsa> (Minor issue)
NOTE: http://seclists.org/fulldisclosure/2018/Apr/36
NOTE: https://trac.kodi.tv/ticket/17814
+ NOTE: Fixed in v18
CVE-2018-8830
RESERVED
CVE-2018-8829
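Review bot: "NOTE: Fixed in v18" is too loose to act on: it names neither the upstream change nor the Debian version that ships the fix, and the unstable line still reads "- kodi <unfixed> (low)". If Kodi v18 carries the fix, the package line should get the fixed Debian version once that upload lands, and the note should link the upstream commit or pull request (the ticket https://trac.kodi.tv/ticket/17814 is already there; the fix reference is what is missing). Tagging buster <no-dsa> (Minor issue) is consistent with stretch, but a persistent XSS whose fix is already released upstream is the kind of issue that is cheapest to close via a normal unstable upload rather than carry into the release.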
@@ -98924,6 +98927,7 @@ CVE-2017-8872 (The htmlParseTryOrFinish function in HTMLparser.c in libxml2 2.9.
NOTE: https://gitlab.gnome.org/GNOME/libxml2/commit/123234f2cfcd9e9b9f83047eee1dc17b4c3f4407
CVE-2017-8871 (The cr_parser_parse_selector_core function in cr-parser.c in libcroco ...)
- libcroco <unfixed> (bug #864666; low)
+ [buster] - libcroco <no-dsa> (Minor issue)
[stretch] - libcroco <no-dsa> (Minor issue)
[jessie] - libcroco <no-dsa> (Minor issue)
[wheezy] - libcroco <not-affected> (Vulnerable code not present)
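Review bot: buster is tagged <no-dsa> while the package line above still reads "- libcroco <unfixed> (bug #864666; low)", so nothing in this entry records whether an upstream fix exists for the buster cycle; the only pointer is bug #864666, which it shares with CVE-2017-8834 in this same commit. A NOTE with the upstream fix (or "no upstream fix" if that is the state) would make the no-dsa decision auditable later, the way CVE-2018-8831 in this commit adds "NOTE: Fixed in v18".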
@@ -99051,6 +99055,7 @@ CVE-2016-10369 (unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp fo
NOTE: Fixed by: https://git.lxde.org/gitweb/?p=lxde/lxterminal.git;a=commit;h=f99163c6ff8b2f57c5f37b1ce5d62cf7450d4648
CVE-2017-8834 (The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 ...)
- libcroco <unfixed> (bug #864666; low)
+ [buster] - libcroco <no-dsa> (Minor issue)
[stretch] - libcroco <no-dsa> (Minor issue)
[jessie] - libcroco <no-dsa> (Minor issue)
[wheezy] - libcroco <not-affected> (Vulnerable code not present)
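Review bot: identical treatment to the CVE-2017-8871 hunk, including the shared bug #864666, which is fine; but "[wheezy] - libcroco <not-affected> (Vulnerable code not present)" combined with <no-dsa> on every newer suite implies the vulnerable code arrived between the wheezy and jessie versions, and noting the introducing upstream commit (the "NOTE: Introduced by:" form used for CVE-2018-16890 in this file) would let both libcroco entries be verified together rather than re-triaged separately.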
@@ -108047,6 +108052,7 @@ CVE-2017-5983 (The JIRA Workflow Designer Plugin in Atlassian JIRA Server before
NOT-FOR-US: JIRA Workflow Designer Plugin
CVE-2017-5982 (Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi ...)
- kodi <unfixed> (bug #855225)
+ [buster] - kodi <ignored> (Minor issue)
[stretch] - kodi <ignored> (Minor issue)
[jessie] - kodi <ignored> (Minor issue)
- xbmc <removed> (bug #861274)
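Review bot: the reason string "(Minor issue)" is the same one the other kodi entry in this commit (CVE-2018-8831) uses for <no-dsa>, yet here it justifies <ignored>, which is the stronger decision (no fix planned for that suite at all). Since the issue is a directory traversal in the Chorus2 add-on, the reason should state what actually makes it ignorable in buster (add-on not shipped, exposure limited to a local interface, upstream will not fix, whichever applies); otherwise the two kodi entries look inconsistent. The unstable line "- kodi <unfixed> (bug #855225)" also carries no severity.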
@@ -129835,7 +129841,8 @@ CVE-2016-7965 (DokuWiki 2016-06-26a and older uses $_SERVER[HTTP_HOST] instead o
NOTE: Can be adresesd by properly configure dokuwiki as per
NOTE: https://github.com/splitbrain/dokuwiki/issues/1709#issuecomment-262337572
CVE-2016-7964 (The sendRequest method in HTTPClient Class in file /inc/HTTPClient.php ...)
- - dokuwiki <unfixed> (bug #844731)
+ - dokuwiki <unfixed> (low; bug #844731)
+ [buster] - dokuwiki <ignored> (Minor issue)
[jessie] - dokuwiki <no-dsa> (Minor issue)
[wheezy] - dokuwiki <no-dsa> (Minor issue)
NOTE: https://github.com/splitbrain/dokuwiki/issues/1708
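Review bot: there is no [stretch] line in this entry, so after this change buster is <ignored>, jessie and wheezy are <no-dsa>, and stretch silently inherits "- dokuwiki <unfixed> (low; bug #844731)"; either stretch does not ship dokuwiki, in which case nothing is needed, or it needs a line like the others. The <ignored> tag for buster with the same "(Minor issue)" reason as the no-dsa suites also does not say why buster is treated more strictly. While here, the context line "Can be adresesd by properly configure dokuwiki as per" has a typo and should read "addressed by properly configuring".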
@@ -137786,6 +137793,7 @@ CVE-2016-5417 (Memory leak in the __res_vinit function in the IPv6 name server .
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19257
CVE-2016-5416 (389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, ...)
- 389-ds-base <unfixed> (bug #834233)
+ [buster] - 389-ds-base <no-dsa> (Minor issue)
[stretch] - 389-ds-base <no-dsa> (Minor issue)
[jessie] - 389-ds-base <no-dsa> (Minor issue)
NOTE: https://fedorahosted.org/389/ticket/48852
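Review bot: the only upstream pointer for this entry is https://fedorahosted.org/389/ticket/48852, and fedorahosted.org was decommissioned in 2017 (the 389 project now tracks issues on pagure.io), so a triager checking the new buster <no-dsa> decision has nothing live to verify it against; replace or supplement the note with the current ticket location or the upstream fix commit. The unstable line "- 389-ds-base <unfixed> (bug #834233)" also carries no severity, unlike most other entries touched in this commit.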
@@ -148557,7 +148565,8 @@ CVE-2016-2142 (Red Hat OpenShift Enterprise 3.1 uses world-readable permissions
NOT-FOR-US: OpenShift
CVE-2016-2141 (JGroups before 4.0 does not require the proper headers for the ENCRYPT ...)
- libjgroups-java <unfixed> (low; bug #867493)
- [stretch] - libjgroups-java <no-dsa> (Minor issue)
+ [buster] - libjgroups-java <ignored> (Minor issue, only used as build dep)
+ [stretch] - libjgroups-java <ignored> (Minor issue, only used as build dep)
[jessie] - libjgroups-java <no-dsa> (Minor issue)
[wheezy] - libjgroups-java <no-dsa> (Minor issue, only used as build dependency)
CVE-2016-2140 (The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) ...)
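Review bot: the rationale "only used as build dep" now yields <ignored> for buster and stretch but <no-dsa> for jessie, and the wheezy line gives the same reason ("only used as build dependency") with <no-dsa> too. If the reasoning is that the library is never executed from any binary in the archive, it is suite-independent and jessie/wheezy should match; if something differs per suite, the reason text should say what. Spelling "build dep" and "build dependency" the same way would also help anyone grepping the file.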
@@ -192049,6 +192058,7 @@ CVE-2012-6656 (iconvdata/ibm930.c in GNU C Library (aka glibc) before 2.16 allow
CVE-2012-6655 [passes (encrypted) passwords as commandline arguments]
RESERVED
- accountsservice <unfixed> (low; bug #757912)
+ [buster] - accountsservice <ignored> (Minor issue)
[stretch] - accountsservice <ignored> (Minor issue)
[jessie] - accountsservice <ignored> (Minor issue)
[wheezy] - accountsservice <ignored> (Minor issue)
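Review bot: with this change every suite is <ignored> (Minor issue) while the unstable line stays "- accountsservice <unfixed> (low; bug #757912)" and the entry is still RESERVED at MITRE, so the bracketed "[passes (encrypted) passwords as commandline arguments]" is the only description the tracker holds. An <ignored> decision across all four suites should cite why the behaviour will not change (upstream bug or statement), since command-line arguments are readable by other local users through process listings and a reader cannot tell from the entry whether that exposure was judged acceptable or merely unfixable.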
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/b565d0104bc0324a585ae86d8c19f73f8e71823a