[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Wed Feb 20 22:45:50 GMT 2019


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
10c91f31 by Moritz Muehlenhoff at 2019-02-20T22:45:10Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -6293,9 +6293,10 @@ CVE-2019-6240 [Arbitrary repo read in Gitlab project import]
 	- gitlab 11.5.7+dfsg-1 (bug #919822)
 	NOTE: https://about.gitlab.com/2019/01/16/critical-security-release-gitlab-11-dot-6-dot-4-released/
 CVE-2018-20699 (Docker Engine before 18.09 allows attackers to cause a denial of ...)
-	- docker.io <unfixed>
+	- docker.io <unfixed> (unimportant)
 	NOTE: https://github.com/docker/engine/pull/70
 	NOTE: https://github.com/moby/moby/pull/37967
+	NOTE: Negligible security impact
 CVE-2019-6239
 	RESERVED
 CVE-2019-6238
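Review bot: The added `NOTE: Negligible security impact` justifies the new `(unimportant)` tag on the docker.io line but gives no reason; a few words on why the denial of service is not considered security-relevant would save later triagers from re-evaluating it, since the two upstream PR links above it are fix references rather than an impact assessment. The placement itself (severity in the parentheses after `<unfixed>`, note appended after the existing NOTE lines) follows the file's convention.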
@@ -38176,6 +38177,7 @@ CVE-2018-13441 (qh_help in Nagios Core version 4.4.1 and earlier is prone to a N
 	NOTE: https://github.com/NagiosEnterprises/nagioscore/commit/b1a92a3b52d292ccb601e77a0b29cb1e67ac9d76
 CVE-2018-13440 (The audiofile Audio File Library 0.3.6 has a NULL pointer dereference ...)
 	- audiofile <unfixed> (low; bug #903499)
+	[buster] - audiofile <no-dsa> (Minor issue)
 	[stretch] - audiofile <no-dsa> (Minor issue)
 	[jessie] - audiofile <no-dsa> (Minor issue)
 	NOTE: https://github.com/mpruett/audiofile/issues/49
@@ -65039,8 +65041,7 @@ CVE-2017-1000434 (Wordpress plugin Furikake version 0.1.0 is vulnerable to an Op
 	NOT-FOR-US: Wordpress plugin Furikake
 CVE-2017-1000433 (pysaml2 version 4.4.0 and older accept any password when run with ...)
 	{DLA-1410-1}
-	[experimental] - python-pysaml2 4.5.0-1
-	- python-pysaml2 <unfixed> (bug #886423)
+	- python-pysaml2 4.5.0-2 (bug #886423)
 	[stretch] - python-pysaml2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/rohe/pysaml2/issues/451
 	NOTE: Fixed by: https://github.com/rohe/pysaml2/commit/6312a41e037954850867f29d329e5007df1424a5
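Review bot: Replacing `[experimental] - python-pysaml2 4.5.0-1` and the `<unfixed>` line with `- python-pysaml2 4.5.0-2 (bug #886423)` asserts that 4.5.0-2 is the first unstable version carrying the fix from commit 6312a41e; please confirm that 4.5.0-2 is indeed the upload that reached unstable and that the bug is closed by it, since 4.5.0-1 only ever existed in experimental. The `[stretch] ... <no-dsa>` line and the DLA reference are unaffected and correctly retained.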
@@ -93576,11 +93577,12 @@ CVE-2017-11574 (FontForge 20161012 is vulnerable to a heap-based buffer overflow
 	NOTE: https://github.com/fontforge/fontforge/issues/3090
 	NOTE: https://github.com/fontforge/fontforge/commit/62b6433a81ee7ed6e0ac2d6b09ac85b885046ac3
 CVE-2017-11573 (FontForge 20161012 is vulnerable to a buffer over-read in ...)
-	- fontforge <unfixed> (low; bug #873588)
+	- fontforge <unfixed> (unimportant; bug #873588)
 	[stretch] - fontforge <no-dsa> (Minor issue)
 	[jessie] - fontforge <no-dsa> (Minor issue)
 	[wheezy] - fontforge <no-dsa> (Minor issue)
 	NOTE: https://github.com/fontforge/fontforge/issues/3098
+	NOTE: Crash in GUI tool/related desktop libs, no security impact
 CVE-2017-11572 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in ...)
 	{DSA-3958-1 DLA-1065-1}
 	- fontforge 1:20170731~dfsg-1 (bug #869614)
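Review bot: The downgrade of CVE-2017-11573 from `low` to `unimportant` keeps the `[stretch]`, `[jessie]` and `[wheezy] <no-dsa> (Minor issue)` lines, while the following hunk for CVE-2017-11570 removes them when making the same change; pick one treatment for both entries. The added `NOTE: Crash in GUI tool/related desktop libs, no security impact` is a clear rationale for `unimportant` and is the right place for it.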
@@ -93591,11 +93593,9 @@ CVE-2017-11571 (FontForge 20161012 is vulnerable to a stack-based buffer overflo
 	NOTE: https://github.com/fontforge/fontforge/issues/3087
 	NOTE: https://github.com/fontforge/fontforge/commit/5a0c6522682b0788fc478dd159dd6168cb5fa38b
 CVE-2017-11570 (FontForge 20161012 is vulnerable to a buffer over-read in umodenc ...)
-	- fontforge <unfixed> (low; bug #873587)
-	[stretch] - fontforge <no-dsa> (Minor issue)
-	[jessie] - fontforge <no-dsa> (Minor issue)
-	[wheezy] - fontforge <no-dsa> (Minor issue)
+	- fontforge <unfixed> (unimportant; bug #873587)
 	NOTE: https://github.com/fontforge/fontforge/issues/3097
+	NOTE: Crash in GUI tool/related desktop libs, no security impact
 CVE-2017-11569 (FontForge 20161012 is vulnerable to a heap-based buffer over-read in ...)
 	{DSA-3958-1 DLA-1065-1}
 	- fontforge 1:20170731~dfsg-1 (bug #869614)
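Review bot: For CVE-2017-11570 this hunk drops the three release-specific `<no-dsa> (Minor issue)` lines together with the `low` to `unimportant` change, whereas the preceding hunk for CVE-2017-11573 keeps them; the two entries share the same rationale note, so they should be tagged the same way. Dropping the per-release lines is consistent with `unimportant` (no release needs a separate no-dsa decision), so harmonising towards this form is the simpler option.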
@@ -113917,6 +113917,7 @@ CVE-2016-10125 (D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hard
 	NOT-FOR-US: D-Link
 CVE-2016-10127 (PySAML2 allows remote attackers to conduct XML external entity (XXE) ...)
 	- python-pysaml2 <unfixed> (low; bug #859135)
+	[buster] - python-pysaml2 <no-dsa> (Minor issue)
 	[stretch] - python-pysaml2 <no-dsa> (Minor issue)
 	[jessie] - python-pysaml2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/rohe/pysaml2/issues/366
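Review bot: The new `[buster] - python-pysaml2 <no-dsa> (Minor issue)` line mirrors stretch and jessie, but since the same commit records python-pysaml2 4.5.0-2 as fixing CVE-2017-1000433, it is worth checking whether upstream issue #366 (the XXE) was also addressed in 4.5.0 so that the `<unfixed>` on the main line is still accurate; if it is fixed there, the buster no-dsa line would be unnecessary.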
@@ -179723,10 +179724,7 @@ CVE-2015-1402 (Cross-site scripting (XSS) vulnerability in the Content Rating ..
 CVE-2015-1401 (Improper Authentication vulnerability in the "LDAP / SSO ...)
 	NOT-FOR-US: typo3 extension
 CVE-2015-1554 (kgb-bot 1.33-2 allows remote attackers to cause a denial of service ...)
-	- kgb-bot <unfixed> (low; bug #776424)
-	[stretch] - kgb-bot <ignored> (Minor issue)
-	[jessie] - kgb-bot <ignored> (Minor issue)
-	[wheezy] - kgb-bot <ignored> (Minor issue)
+	- kgb-bot <undetermined> (low; bug #776424)
 CVE-2015-1369 (SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js ...)
 	NOT-FOR-US: sequelize
 CVE-2015-1354
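Review bot: Changing kgb-bot from `<unfixed> (low; bug #776424)` plus three `<ignored> (Minor issue)` release lines to a single `<undetermined> (low; bug #776424)` means the earlier per-release "ignored" decisions are lost and all releases now inherit an undetermined state; add a NOTE saying what is undetermined (whether the package is affected, or whether the fix applies) so the previous assessment is not silently reversed, and consider keeping the `[stretch]`/`[jessie]`/`[wheezy]` lines if the release decisions still stand.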



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/10c91f31119e0e499492249d40d3817e36e67181
