[Git][security-tracker-team/security-tracker][master] stretch triage

Moritz Muehlenhoff jmm at debian.org
Fri Feb 15 19:53:58 GMT 2019


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
882875a5 by Moritz Muehlenhoff at 2019-02-15T19:53:32Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1406,12 +1406,14 @@ CVE-2019-7667
 CVE-2019-7666
 	RESERVED
 CVE-2019-7665 (In elfutils 0.175, a heap-based buffer over-read was discovered in the ...)
-	- elfutils <unfixed> (bug #921880)
+	- elfutils <unfixed> (low; bug #921880)
+	[stretch] - elfutils <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24089
 	NOTE: https://sourceware.org/ml/elfutils-devel/2019-q1/msg00049.html
 	NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=de01cc6f9446187d69b9748bb3636361c79e77a4
 CVE-2019-7664 (In elfutils 0.175, a negative-sized memcpy is attempted in elf_cvt_note ...)
-	- elfutils <unfixed> (bug #921881)
+	- elfutils <unfixed> (low; bug #921881)
+	[stretch] - elfutils <no-dsa> (Minor issue)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24084
 	NOTE: https://sourceware.org/git/?p=elfutils.git;a=commit;h=e65d91d21cb09d83b001fef9435e576ba447db32
 CVE-2019-7663 (An Invalid Address dereference was discovered in ...)
@@ -1479,19 +1481,27 @@ CVE-2019-7639 (An issue was discovered in gsi-openssh-server 7.9p1 on Fedora 29.
 	NOT-FOR-US: gsi-openssh-server (OpenSSH patched with openssh-7.9p1-gsissh.patch)
 CVE-2019-7638 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has ...)
 	- libsdl1.2 <unfixed>
+	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
 	- libsdl2 <unfixed>
+	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4500
 CVE-2019-7637 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has ...)
 	- libsdl1.2 <unfixed>
+	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
 	- libsdl2 <unfixed>
+	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4497
 CVE-2019-7636 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has ...)
 	- libsdl1.2 <unfixed>
+	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
 	- libsdl2 <unfixed>
+	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4499
 CVE-2019-7635 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has ...)
 	- libsdl1.2 <unfixed>
+	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
 	- libsdl2 <unfixed>
+	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4498
 CVE-2018-20764 (A buffer overflow exists in HelpSystems tcpcrypt on Linux, used for ...)
 	TODO: check
@@ -1611,31 +1621,45 @@ CVE-2019-7579
 	RESERVED
 CVE-2019-7578 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has ...)
 	- libsdl1.2 <unfixed>
+	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
 	- libsdl2 <unfixed>
+	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4494
 CVE-2019-7577 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has ...)
 	- libsdl1.2 <unfixed>
+	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
 	- libsdl2 <unfixed>
+	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4492
 CVE-2019-7576 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has ...)
 	- libsdl1.2 <unfixed>
+	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
 	- libsdl2 <unfixed>
+	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4490
 CVE-2019-7575 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has ...)
 	- libsdl1.2 <unfixed>
+	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
 	- libsdl2 <unfixed>
+	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4493
 CVE-2019-7574 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has ...)
 	- libsdl1.2 <unfixed>
+	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
 	- libsdl2 <unfixed>
+	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4496
 CVE-2019-7573 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has ...)
 	- libsdl1.2 <unfixed>
+	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
 	- libsdl2 <unfixed>
+	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4491
 CVE-2019-7572 (SDL (Simple DirectMedia Layer) through 1.2.15 and 2.x through 2.0.9 has ...)
 	- libsdl1.2 <unfixed>
+	[stretch] - libsdl1.2 <no-dsa> (Minor issue)
 	- libsdl2 <unfixed>
+	[stretch] - libsdl2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4495
 CVE-2019-7571
 	RESERVED
@@ -1973,9 +1997,10 @@ CVE-2019-7444
 CVE-2019-7443 [Insecure handling of arguments in helpers]
 	RESERVED
 	- kauth 5.54.0-2 (bug #921995)
+	[stretch] - kauth <no-dsa> (Minor issue)
+	- kde4libs <unfixed>
 	NOTE: https://mail.kde.org/pipermail/kde-announce/2019-February/000011.html
 	NOTE: https://cgit.kde.org/kauth.git/commit/?id=fc70fb0161c1b9144d26389434d34dd135cd3f4a
-	TODO: check kde4libs
 CVE-2019-7442
 	RESERVED
 CVE-2019-7441
@@ -2169,6 +2194,7 @@ CVE-2019-1000022 (Taoensso Sente version Prior to version 1.14.0 contains a Cros
 	NOT-FOR-US: Taoensso Sente
 CVE-2019-1000021 (slixmpp version before commit 7cd73b594e8122dddf847953fcfc85ab4d316416 ...)
 	- slixmpp 1.4.2-1
+	[stretch] - slixmpp <no-dsa> (Minor issue)
 	NOTE: https://lab.louiz.org/poezio/slixmpp/commit/7cd73b594e8122dddf847953fcfc85ab4d316416
 CVE-2019-1000020 (libarchive version commit 5a98dcf8a86364b3c2c469c85b93647dfb139961 ...)
 	{DLA-1668-1}
@@ -2374,6 +2400,7 @@ CVE-2019-7311
 	RESERVED
 CVE-2019-7310 (In Poppler 0.73.0, a heap-based buffer over-read (due to an integer ...)
 	- poppler <unfixed> (bug #921215)
+	[stretch] - poppler <ignored> (Minor issue)
 	[jessie] - poppler <ignored> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12797
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/717
@@ -3624,6 +3651,7 @@ CVE-2019-6778 [slirp: heap buffer overflow in tcp_emu()]
 	- qemu-kvm <removed>
 	- slirp4netns 0.2.1-1
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg03132.html
+	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=a7104eda7dab99d0cdbd3595c211864cba415905
 CVE-2019-6777 (An issue was discovered in ZoneMinder v1.32.3. Reflected XSS exists in ...)
 	- zoneminder 1.32.3-2 (bug #920375)
 	NOTE: https://github.com/ZoneMinder/zoneminder/issues/2436
@@ -4213,6 +4241,7 @@ CVE-2019-6501 [scsi-generic: possible OOB access while handling inquiry request]
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-01/msg02324.html
 	NOTE: Code introduced by https://git.qemu.org/?p=qemu.git;a=commit;h=6c219fc8a1 ,
 	NOTE: but but the overflow was already possible before.
+	NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=e909ff93698851777faac3c45d03c1b73f311ea6
 CVE-2016-10739 (In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo ...)
 	- glibc 2.28-6 (bug #920047)
 	[stretch] - glibc <no-dsa> (Minor issue)
@@ -4349,10 +4378,14 @@ CVE-2018-20727 (Multiple command injection vulnerabilities in NeDi before 1.7Cp3
 CVE-2015-9281 (Logon Manager in SAS Web Infrastructure Platform before 9.4M3 allows ...)
 	NOT-FOR-US: SAS Web Infrastructure Platform
 CVE-2019-6462 (An issue was discovered in cairo 1.16.0. There is an infinite loop in ...)
-	- cairo <unfixed>
+	- cairo <unfixed> (low)
+	[busterh] - cairo <no-dsa> (Minor issue)
+	[stretch] - cairo <no-dsa> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/353
 CVE-2019-6461 (An issue was discovered in cairo 1.16.0. There is an assertion problem ...)
-	- cairo <unfixed>
+	- cairo <unfixed> (low)
+	[busterh] - cairo <no-dsa> (Minor issue)
+	[stretch] - cairo <no-dsa> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/352
 CVE-2019-6460 (An issue was discovered in GNU Recutils 1.8. There is a NULL pointer ...)
 	- recutils <unfixed> (unimportant)
@@ -4389,22 +4422,26 @@ CVE-2019-6448
 CVE-2019-6447 (The ES File Explorer File Manager application through 4.1.9.7.4 for ...)
 	NOT-FOR-US: ES File Explorer File Manager application
 CVE-2018-20726 (A cross-site scripting (XSS) vulnerability exists in host.php (via ...)
-	- cacti 1.2.1+ds1-1
+	- cacti 1.2.1+ds1-1 (low)
+	[stretch] - cacti <no-dsa> (Minor issue)
 	[jessie] - cacti <ignored> (Minor issue)
 	NOTE: https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d
 	NOTE: https://github.com/Cacti/cacti/issues/2213
 CVE-2018-20725 (A cross-site scripting (XSS) vulnerability exists in ...)
-	- cacti 1.2.1+ds1-1
+	- cacti 1.2.1+ds1-1 (low)
+	[stretch] - cacti <no-dsa> (Minor issue)
 	[jessie] - cacti <ignored> (Minor issue)
 	NOTE: https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d
 	NOTE: https://github.com/Cacti/cacti/issues/2214
 CVE-2018-20724 (A cross-site scripting (XSS) vulnerability exists in pollers.php in ...)
-	- cacti 1.2.1+ds1-1
+	- cacti 1.2.1+ds1-1 (low)
+	[stretch] - cacti <no-dsa> (Minor issue)
 	[jessie] - cacti <ignored> (Minor issue)
 	NOTE: https://github.com/Cacti/cacti/commit/1f42478506d83d188f68ce5ff41728a7bd159f53
 	NOTE: https://github.com/Cacti/cacti/issues/2212
 CVE-2018-20723 (A cross-site scripting (XSS) vulnerability exists in ...)
-	- cacti 1.2.1+ds1-1
+	- cacti 1.2.1+ds1-1 (low)
+	[stretch] - cacti <no-dsa> (Minor issue)
 	[jessie] - cacti <ignored> (Minor issue)
 	NOTE: https://github.com/Cacti/cacti/commit/80c2a88fb2afb93f87703ba4641f9970478c102d
 	NOTE: https://github.com/Cacti/cacti/issues/2215
@@ -10699,7 +10736,8 @@ CVE-2018-20664 (Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has X
 CVE-2018-20663 (The Reporting Addon (aka Reports Addon) through 2019-01-02 for CUBA ...)
 	NOT-FOR-US: Reporting Addon for CUBA Platform
 CVE-2018-20662 (In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to cause ...)
-	- poppler <unfixed> (bug #918158)
+	- poppler <unfixed> (low; bug #918158)
+	[stretch] - poppler <no-dsa> (Minor issue)
 	[jessie] - poppler <postponed> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/706
 	NOTE: Initial approach of fixing the issue via
@@ -10925,7 +10963,8 @@ CVE-2018-20651 (A NULL pointer dereference was discovered in ...)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24041
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f
 CVE-2018-20650 (A reachable Object::dictLookup assertion in Poppler 0.72.0 allows ...)
-	- poppler <unfixed> (bug #917974)
+	- poppler <unfixed> (low; bug #917974)
+	[stretch] - poppler <no-dsa> (Minor issue)
 	[jessie] - poppler <postponed> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/de0c0b8324e776f0b851485e0fc9622fc35695b7
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/704
@@ -14940,6 +14979,7 @@ CVE-2018-20098 (There is a heap-based buffer over-read in ...)
 	NOTE: https://github.com/TeamSeri0us/pocs/tree/master/exiv2/20181206
 CVE-2018-20097 (There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroups ...)
 	- exiv2 <unfixed> (low)
+	[stretch] - exiv2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/590
 CVE-2018-20096 (There is a heap-based buffer over-read in the Exiv2::tEXtToDataBuf ...)
 	[experimental] - exiv2 <unfixed> (low)
@@ -17766,7 +17806,8 @@ CVE-2018-19667
 CVE-2018-19666 (The agent in OSSEC through 3.1.0 on Windows allows local users to gain ...)
 	- ossec-hids <itp> (bug #361954)
 CVE-2018-19665 (The Bluetooth subsystem in QEMU mishandles negative values for length ...)
-	- qemu 1:3.1+dfsg-2 (bug #916278)
+	- qemu 1:3.1+dfsg-2 (low; bug #916278)
+	[stretch] - qemu <postponed> (Revisit when final upstream patch is out)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html
 	NOTE: note that previously mentioned patch will never be merged by upstream, see
@@ -20806,6 +20847,7 @@ CVE-2018-19536
 	RESERVED
 CVE-2018-19535 (In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in ...)
 	- exiv2 <unfixed> (bug #915135)
+	[stretch] - exiv2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/428
 	NOTE: https://github.com/Exiv2/exiv2/pull/430
 CVE-2018-19534
@@ -25016,6 +25058,7 @@ CVE-2018-18065 (_set_key in agent/helpers/table_container.c in Net-SNMP before 5
 	NOTE: https://sourceforge.net/p/net-snmp/code/ci/7ffb8e25a0db851953155de91f0170e9bf8c457d/
 CVE-2018-18064 (cairo through 1.15.14 has an out-of-bounds stack-memory write during ...)
 	- cairo <unfixed> (bug #916083)
+	[stretch] - cairo <no-dsa> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/341
 CVE-2018-18063
 	RESERVED
@@ -30964,8 +31007,8 @@ CVE-2018-15748 (On Dell 2335dn printers with Printer Firmware Version 2.70.05.02
 CVE-2018-15747
 	RESERVED
 CVE-2018-15746 (qemu-seccomp.c in QEMU might allow local OS guest users to cause a ...)
-	- qemu 1:3.1+dfsg-1 (bug #907500)
-	[stretch] - qemu <no-dsa> (Minor issue; Only enabled by default later, but supported)
+	- qemu 1:3.1+dfsg-1 (low; bug #907500)
+	[stretch] - qemu <ignored> (Minor issue, too risky to backport, not enabled by default)
 	[jessie] - qemu <no-dsa> (Minor issue; Only enabled by default later, but supported)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-08/msg02289.html
@@ -31374,7 +31417,8 @@ CVE-2018-15588 (MailMate before 1.11.3 mishandles a suspicious HTML/MIME structu
 CVE-2018-15587 (GNOME Evolution through 3.28.2 is prone to OpenPGP signatures being ...)
 	- evolution <unfixed>
 	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=796424
-	TODO: check
+	NOTE: https://gitlab.gnome.org/GNOME/evolution/commit/9c55a311325f5905d8b8403b96607e46cf343f21
+	NOTE: https://gitlab.gnome.org/GNOME/evolution/commit/f66cd3e1db301d264563b4222a3574e2e58e2b85
 CVE-2018-15586 (Enigmail before 2.0.6 is prone to to OpenPGP signatures being spoofed ...)
 	- enigmail 2:2.0.6.1-2
 	[jessie] - enigmail <end-of-life> (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html)
@@ -98195,13 +98239,20 @@ CVE-2017-9504
 	REJECTED
 CVE-2017-9503 (QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host ...)
 	{DLA-1497-1}
-	- qemu 1:2.10.0-1 (bug #865754)
-	[stretch] - qemu <no-dsa> (Minor issue, can be included in future update)
+	- qemu 1:2.10.0-1 (low; bug #865754)
+	[stretch] - qemu <ignored> (Minor issue, too intrusive to backport)
 	[wheezy] - qemu <not-affected> (Vulnerable code not present)
 	- qemu-kvm <removed>
 	[wheezy] - qemu-kvm <not-affected> (Vulnerable code not present)
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg01313.html
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg01309.html
+	NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=87e459a810d7b1ec1638085b5a80ea3d9b43119a
+	NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=b356807fcdfc45583c437f761fc579ab2a8eab11
+	NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=36c327a69d723571f02a7691631667cdb1865ee1
+	NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=5104fac8539eaf155fc6de93e164be43e1e62242
+	NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=24c0c77af515acbf0f9705e8096f33ef24d37430
+	NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=134550bf81a026e18cf58b81e2c2cceaf516f92e
+	NOTE: https://git.qemu.org/gitweb.cgi?p=qemu.git;a=commit;h=660174fc1b346803b3f1d7c260e2a36329b66435
 CVE-2017-9502 (In curl before 7.54.1 on Windows and DOS, libcurl's default protocol ...)
 	- curl <not-affected> (Windows only)
 CVE-2017-9501 (In ImageMagick 7.0.5-7 Q16, an assertion failure was found in the ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -59,6 +59,8 @@ passenger
 rdesktop
   Maintainer will prepare an update
 --
+runc
+--
 simplesamlphp
 --
 smarty3



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/882875a5757496f52fbffdc1000da8894f47bae9

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/882875a5757496f52fbffdc1000da8894f47bae9
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190215/fbf2111e/attachment-0001.html>


More information about the debian-security-tracker-commits mailing list