[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Tue Feb 19 22:21:45 GMT 2019


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bd11f797 by Moritz Muehlenhoff at 2019-02-19T22:21:14Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -5466,7 +5466,7 @@ CVE-2019-6503 (There is a deserialization vulnerability in Chatopera cosin v3.10
 CVE-2019-6502 (sc_context_create in ctx.c in libopensc in OpenSC 0.19.0 has a memory ...)
 	- opensc <unfixed> (unimportant)
 	NOTE: https://github.com/OpenSC/OpenSC/issues/1586
-	NOTE: Negligable security impact, assigning a CVE seems out of proportion...
+	NOTE: Negligible security impact, assigning a CVE seems out of proportion...
 CVE-2019-1003004 (An improper authorization vulnerability exists in Jenkins 2.158 and ...)
 	NOT-FOR-US: Jenkins
 CVE-2019-1003003 (An improper authorization vulnerability exists in Jenkins 2.158 and ...)
@@ -5632,22 +5632,22 @@ CVE-2019-6461 (An issue was discovered in cairo 1.16.0. There is an assertion pr
 	NOTE: https://gitlab.freedesktop.org/cairo/cairo/issues/352
 CVE-2019-6460 (An issue was discovered in GNU Recutils 1.8. There is a NULL pointer ...)
 	- recutils <unfixed> (unimportant)
-	NOTE: Negligable security impact
+	NOTE: Negligible security impact
 CVE-2019-6459 (An issue was discovered in GNU Recutils 1.8. There is a memory leak in ...)
 	- recutils <unfixed> (unimportant)
-	NOTE: Negligable security impact
+	NOTE: Negligible security impact
 CVE-2019-6458 (An issue was discovered in GNU Recutils 1.8. There is a memory leak in ...)
 	- recutils <unfixed> (unimportant)
-	NOTE: Negligable security impact
+	NOTE: Negligible security impact
 CVE-2019-6457 (An issue was discovered in GNU Recutils 1.8. There is a memory leak in ...)
 	- recutils <unfixed> (unimportant)
-	NOTE: Negligable security impact
+	NOTE: Negligible security impact
 CVE-2019-6456 (An issue was discovered in GNU Recutils 1.8. There is a NULL pointer ...)
 	- recutils <unfixed> (unimportant)
-	NOTE: Negligable security impact
+	NOTE: Negligible security impact
 CVE-2019-6455 (An issue was discovered in GNU Recutils 1.8. There is a double-free ...)
 	- recutils <unfixed> (unimportant)
-	NOTE: Negligable security impact
+	NOTE: Negligible security impact
 CVE-2019-6454 [systemd (PID1) crash with specially crafted D-Bus message]
 	RESERVED
 	{DSA-4393-1 DLA-1684-1}
@@ -5709,17 +5709,14 @@ CVE-2015-9277 (MailEnable before 8.60 allows Directory Traversal for reading the
 CVE-2015-9276 (SmarterTools SmarterMail before 13.3.5535 was vulnerable to stored XSS ...)
 	NOT-FOR-US: SmarterTools SmarterMail
 CVE-2019-6446 (An issue was discovered in NumPy 1.16.0 and earlier. It uses the pickle ...)
-	- python-numpy <unfixed>
-	[stretch] - python-numpy <no-dsa> (Minor issue)
+	- python-numpy 1:1.10.4-1
 	[jessie] - python-numpy <no-dsa> (Minor issue)
 	NOTE: https://github.com/numpy/numpy/issues/12759
-	NOTE: For upstream this works as intended and is documented. Proposed
-	NOTE: solution of switching the default might be dangerous for users who rely on
-	NOTE: the current behavior.
+	NOTE: For upstream this works as intended and is documented.
 	NOTE: https://github.com/numpy/numpy/commit/a2bd3a7eabfe053d6d16a2130fdcad9e5211f6bb
-	NOTE: adds already support to disable use of picke in load/save.
-	NOTE: Proposed fix/partial mitigation via:
-	NOTE: https://github.com/numpy/numpy/pull/12889
+	NOTE: added support to disable use of picke in load/save, marking that as the fixed
+	NOTE: version. The use of that is at the discretion of anyone using numpy
+	NOTE: Further discussion at https://github.com/numpy/numpy/pull/12889
 CVE-2019-6445 (An issue was discovered in NTPsec before 1.1.3. An authenticated ...)
 	- ntpsec 1.1.3+dfsg1-1 (bug #919513)
 CVE-2019-6444 (An issue was discovered in NTPsec before 1.1.3. process_control() in ...)
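Review bot: the added NOTE lines carry a typo, "picke" for "pickle", and the sentence ending "at the discretion of anyone using numpy" has no terminal punctuation; suggest `NOTE: added support to disable use of pickle in load/save, marking that as the fixed` followed by `NOTE: version. The use of that is at the discretion of anyone using numpy.` On the substance, the same note says the protection is opt-in, so recording 1:1.10.4-1 as the fixed version means "the mitigation is available from this version on", not "pickle loading is refused by default"; stating that in those words would help a reader of the tracker, since the stretch `<no-dsa>` line is dropped on the strength of that fixed version while the jessie `<no-dsa>` line is kept.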
@@ -13191,15 +13188,15 @@ CVE-2018-20377 (Orange Livebox 00.96.320S devices allow remote attackers to disc
 	NOT-FOR-US: Orange Livebox
 CVE-2018-20376 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. ...)
 	- tcc <unfixed> (unimportant)
-	NOTE: Negligable security impact
+	NOTE: Negligible security impact
 	NOTE: https://lists.nongnu.org/archive/html/tinycc-devel/2018-12/msg00013.html
 CVE-2018-20375 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. ...)
 	- tcc <unfixed> (unimportant)
-	NOTE: Negligable security impact
+	NOTE: Negligible security impact
 	NOTE: https://lists.nongnu.org/archive/html/tinycc-devel/2018-12/msg00014.html
 CVE-2018-20374 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. ...)
 	- tcc <unfixed> (unimportant)
-	NOTE: Negligable security impact
+	NOTE: Negligible security impact
 	NOTE: https://lists.nongnu.org/archive/html/tinycc-devel/2018-12/msg00015.html
 CVE-2018-20373 (Tenda ADSL modem routers 1.0.1 allow XSS via the hostname of a DHCP ...)
 	NOT-FOR-US: Tenda ADSL modem routers
@@ -18334,7 +18331,7 @@ CVE-2018-19960 (The debug_mode function in web/web.py in OnionShare through 1.3.
 	- onionshare 1.3.2-1 (bug #915859; unimportant)
 	[jessie] - onionshare <no-dsa> (contrib not supported)
 	NOTE: https://github.com/micahflee/onionshare/issues/837
-	NOTE: Negligable (and disputable) security impact, as the debug mode is not enabled by default
+	NOTE: Negligible (and disputable) security impact, as the debug mode is not enabled by default
 CVE-2018-19935 (ext/imap/php_imap.c in PHP 5.x and 7.x before 7.3.0 allows remote ...)
 	{DSA-4353-1 DLA-1608-1}
 	- php7.3 7.3.0-1
@@ -58164,6 +58161,7 @@ CVE-2018-6253 (NVIDIA GPU Display Driver contains a vulnerability in the DirectX
 	[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
 	[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-340xx <unfixed>
+	[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported, no updates provided by Nvidia for 340)
 	[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-304xx <unfixed>
 	[stretch] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
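Review bot: the same `[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported, no updates provided by Nvidia for 340)` line is added here and in four further hunks below (CVE-2018-6249, CVE-2017-6272, CVE-2017-6267, CVE-2017-6266); worth confirming with a grep for `nvidia-graphics-drivers-legacy-340xx <unfixed>` that no other entry in the same state was left without a buster decision, so the triage of this package is consistent across the file rather than only for the entries touched here.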
@@ -58181,6 +58179,7 @@ CVE-2018-6249 (NVIDIA GPU Display Driver contains a vulnerability in kernel mode
 	[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
 	[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-340xx <unfixed>
+	[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported, no updates provided by Nvidia for 340)
 	[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-304xx <unfixed>
 	[stretch] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
@@ -85724,12 +85723,10 @@ CVE-2017-14159 (slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dr
 	NOTE: http://www.openldap.org/its/index.cgi?findid=8703
 	NOTE: Negligible security impact, but filed #877512
 CVE-2017-14158 (Scrapy 1.4 allows remote attackers to cause a denial of service (memory ...)
-	- python-scrapy <unfixed> (bug #875947)
-	[stretch] - python-scrapy <no-dsa> (Minor issue)
-	[jessie] - python-scrapy <no-dsa> (Minor issue)
-	[wheezy] - python-scrapy <no-dsa> (Minor issue)
+	- python-scrapy <unfixed> (unimportant; bug #875947)
 	NOTE: http://blog.csdn.net/wangtua/article/details/75228728
 	NOTE: https://github.com/scrapy/scrapy/issues/482
+	NOTE: Negligable security impact
 CVE-2017-14157
 	RESERVED
 CVE-2017-14156 (The atyfb_ioctl function in drivers/video/fbdev/aty/atyfb_base.c in the ...)
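Review bot: the added `NOTE: Negligable security impact` line reintroduces the misspelling that the earlier hunks of this very commit correct; it should read `NOTE: Negligible security impact`, matching the wording added for CVE-2017-12852 in the next hunk. The rest of the hunk follows that entry's pattern: once the package line carries `(unimportant; bug #875947)`, the per-release `<no-dsa> (Minor issue)` lines for stretch, jessie and wheezy no longer add information, so their removal is consistent.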
@@ -89838,11 +89835,9 @@ CVE-2017-12855 (Xen maintains the _GTF_{read,writ}ing bits as appropriate, to in
 CVE-2017-12853 (The RealTime RWR-3G-100 Router Firmware Version : Ver1.0.56 is ...)
 	NOT-FOR-US: RealTime RWR-3G-100 Router Firmware
 CVE-2017-12852 (The numpy.pad function in Numpy 1.13.1 and older versions is missing ...)
-	- python-numpy <unfixed> (bug #872407)
-	[stretch] - python-numpy <no-dsa> (Minor issue)
-	[jessie] - python-numpy <no-dsa> (Minor issue)
-	[wheezy] - python-numpy <no-dsa> (Minor issue)
+	- python-numpy <unfixed> (unimportant; bug #872407)
 	NOTE: https://github.com/numpy/numpy/issues/9560#issuecomment-322395292
+	NOTE: Negligible security impact
 CVE-2017-12851 (An authenticated standard user could reset the password of the admin ...)
 	- kanboard <itp> (bug #790814)
 CVE-2017-12850 (An authenticated standard user could reset the password of other users ...)
@@ -110163,6 +110158,7 @@ CVE-2017-6272 (NVIDIA GPU Display Driver contains a vulnerability in the kernel
 	[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
 	[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-340xx <unfixed>
+	[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported, no updates provided by Nvidia for 340)
 	[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-304xx <unfixed>
 	[stretch] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
@@ -110183,6 +110179,7 @@ CVE-2017-6267 (NVIDIA GPU Display Driver contains a vulnerability in the kernel
 	[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
 	[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-340xx <unfixed>
+	[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported, no updates provided by Nvidia for 340)
 	[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-304xx <unfixed>
 	[stretch] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
@@ -110195,6 +110192,7 @@ CVE-2017-6266 (NVIDIA GPU Display Driver contains a vulnerability in the kernel
 	[jessie] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
 	[wheezy] - nvidia-graphics-drivers <end-of-life> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-340xx <unfixed>
+	[buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported, no updates provided by Nvidia for 340)
 	[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
 	- nvidia-graphics-drivers-legacy-304xx <unfixed>
 	[stretch] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/bd11f797de3d208fcaf12ebfe200697228bbeadb
