[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Fri Feb 22 22:31:00 GMT 2019 

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
93c3b8ff by Moritz Muehlenhoff at 2019-02-22T22:30:40Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -12449,6 +12449,7 @@ CVE-2018-20651 (A NULL pointer dereference was discovered in ...)
 	NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=54025d5812ff100f5f0654eb7e1ffd50f2e37f5f
 CVE-2018-20650 (A reachable Object::dictLookup assertion in Poppler 0.72.0 allows ...)
 	- poppler <unfixed> (low; bug #917974)
+	[buster] - poppler <no-dsa> (Minor issue)
 	[stretch] - poppler <no-dsa> (Minor issue)
 	[jessie] - poppler <postponed> (Minor issue)
 	NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/de0c0b8324e776f0b851485e0fc9622fc35695b7
@@ -12984,19 +12985,19 @@ CVE-2018-20535 (There is a use-after-free at asm/preproc.c (function pp_getline)
 	[jessie] - nasm <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.nasm.us/show_bug.cgi?id=3392530
 CVE-2018-20534 (There is an illegal address access at src/pool.h (function ...)
-	- libsolv <unfixed> (low)
+	- libsolv <unfixed> (low; bug #923002)
 	[stretch] - libsolv <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652604
 	NOTE: https://github.com/openSUSE/libsolv/pull/291
 	NOTE: https://github.com/openSUSE/libsolv/commit/4830af9d979d3685de538b80fbeba51ad590525e
 CVE-2018-20533 (There is a NULL pointer dereference at ext/testcase.c (function ...)
-	- libsolv <unfixed> (low)
+	- libsolv <unfixed> (low; bug #923002)
 	[stretch] - libsolv <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652599
 	NOTE: https://github.com/openSUSE/libsolv/pull/291
 	NOTE: https://github.com/openSUSE/libsolv/commit/4830af9d979d3685de538b80fbeba51ad590525e
 CVE-2018-20532 (There is a NULL pointer dereference at ext/testcase.c (function ...)
-	- libsolv <unfixed> (low)
+	- libsolv <unfixed> (low; bug #923002)
 	[stretch] - libsolv <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652605
 	NOTE: https://github.com/openSUSE/libsolv/pull/291
@@ -23757,6 +23758,7 @@ CVE-2018-19143 (Open Ticket Request System (OTRS) 4.0.x before 4.0.33, 5.0.x bef
 	NOTE: https://community.otrs.com/security-advisory-2018-07-security-update-for-otrs-framework/
 CVE-2018-19120 (The HTML thumbnailer plugin in KDE Applications before 18.12.0 allows ...)
 	- kio-extras 4:18.08.3-1 (bug #913595)
+	[buster] - kio-extras <no-dsa> (Minor issue)
 	[stretch] - kio-extras <no-dsa> (Minor issue)
 	- kde-runtime <unfixed> (bug #913596)
 	[stretch] - kde-runtime <no-dsa> (Minor issue)
@@ -73665,11 +73667,13 @@ CVE-2018-1100 (zsh through version 5.4.2 is vulnerable to a stack-based buffer .
 	NOTE: https://www.zsh.org/cgi-bin/mla/redirect?WORKERNUMBER=42607
 	NOTE: https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/
 CVE-2018-1099 (DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An ...)
-	- etcd <unfixed> (bug #921156)
+	- etcd <unfixed> (low; bug #921156)
+	[stretch] - etcd <postponed> (Minor issue, revisit when fixed upstream and possibly backported to 3.2.x)
 	NOTE: https://github.com/coreos/etcd/issues/9353
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1552717
 CVE-2018-1098 (A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. ...)
-	- etcd <unfixed> (bug #921156)
+	- etcd <unfixed> (low; bug #921156)
+	[stretch] - etcd <postponed> (Minor issue, revisit when fixed upstream and possibly backported to 3.2.x)
 	NOTE: https://github.com/coreos/etcd/issues/9353
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1552714
 CVE-2018-1097 (A flaw was found in foreman before 1.16.1. The issue allows users with ...)
@@ -150003,7 +150007,8 @@ CVE-2016-2569 (Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly ap
 	NOTE: http://www.squid-cache.org/Versions/v4/changesets/squid-4-14552.patch
 	NOTE: Upstream confirmed it does not affect squid 2.7.x
 CVE-2016-2568 (pkexec, when used with --user nonpriv, allows local users to escape to ...)
-	- policykit-1 <unfixed> (bug #816062; bug #812512)
+	- policykit-1 <unfixed> (low; bug #816062; bug #812512)
+	[buster] - policykit-1 <ignored> (Minor issue)
 	[stretch] - policykit-1 <ignored> (Minor issue)
 	[jessie] - policykit-1 <ignored> (Minor issue)
 	[wheezy] - policykit-1 <ignored> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93c3b8ff16d55dbb4955ff8781d7e1fd3abe1573

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/93c3b8ff16d55dbb4955ff8781d7e1fd3abe1573
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190222/900544b9/attachment.html>

More information about the debian-security-tracker-commits mailing list