[Git][security-tracker-team/security-tracker][master] stretch triage
Moritz Muehlenhoff
jmm at debian.org
Tue Feb 26 21:50:05 GMT 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
139a2cbf by Moritz Muehlenhoff at 2019-02-26T21:49:40Z
stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -115,11 +115,9 @@ CVE-2019-9153
CVE-2019-9152 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an out ...)
- hdf5 <undetermined>
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul8
- TODO: check
CVE-2019-9151 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an out ...)
- hdf5 <undetermined>
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul7
- TODO: check
CVE-2019-9150
RESERVED
CVE-2019-9149
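Review bot: the two removed `TODO: check` lines for CVE-2019-9152 and CVE-2019-9151 leave both entries at `- hdf5 <undetermined>` with no record of what was checked; add a NOTE stating the outcome (which reproducer or upstream issue was looked at and why no version or tag was chosen) so the next triager does not repeat the work, or keep the TODO until the status can be resolved.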
@@ -1827,15 +1825,12 @@ CVE-2019-8399
CVE-2019-8398 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an out ...)
- hdf5 <undetermined>
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul6
- TODO: check
CVE-2019-8397 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an out ...)
- hdf5 <undetermined>
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul5
- TODO: check
CVE-2019-8396 (A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 ...)
- hdf5 <undetermined>
NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul4
- TODO: check
CVE-2019-8395 (An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ...)
NOT-FOR-US: Zoho ManageEngine ServiceDesk Plus
CVE-2019-8394 (Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows ...)
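Review bot: CVE-2019-8396 is described as a buffer overflow in H5O__layout_encode in H5Olayout.c, yet its `TODO: check` is dropped while the entry stays `<undetermined>` with only the PAAFS link as a NOTE; for a memory-corruption report the result of the check (whether the Debian hdf5 versions are affected, and fix status) is worth a one-line NOTE, and the same applies to CVE-2019-8398 and CVE-2019-8397 in this hunk.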
@@ -20084,6 +20079,7 @@ CVE-2018-19609 (ShowDoc 2.4.1 allows remote attackers to obtain sensitive inform
NOT-FOR-US: ShowDoc
CVE-2018-19608 (Arm Mbed TLS before 2.14.1, before 2.7.8, and before 2.1.17 allows a ...)
- mbedtls 2.14.1-1 (bug #915796)
+ [stretch] - mbedtls <no-dsa> (Minor issue)
- polarssl <removed>
NOTE: http://cat.eyalro.net/
NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.14.1-2.7.8-and-2.1.17-released
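Review bot: the new `[stretch] - mbedtls <no-dsa> (Minor issue)` line carries no CVE-specific rationale, although the entry already points at the cat.eyalro.net and Mbed TLS release NOTEs; a short reason (the preconditions that make the issue minor for stretch) plus whether a fix via a stretch point release is intended would let the no-dsa decision be re-evaluated later without re-reading the advisory.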
@@ -33057,6 +33053,7 @@ CVE-2018-15757
REJECTED
CVE-2018-15756 (Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, ...)
- libspring-java 4.3.21-1 (bug #911786)
+ [stretch] - libspring-java <no-dsa> (Minor issue)
[jessie] - libspring-java <not-affected> (vulnerable code introduced in later version)
NOTE: https://pivotal.io/security/cve-2018-15756
CVE-2018-15755 (Cloud Foundry CF Networking Release, versions 2.11.0 prior to 2.16.0, ...)
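Review bot: the jessie line for CVE-2018-15756 reads `<not-affected> (vulnerable code introduced in later version)`, while stretch is now tagged `<no-dsa>`, which asserts that stretch is affected; confirm that the stretch libspring-java version actually contains the code introduced after jessie's version, otherwise `<not-affected>` with the same reason is the correct stretch tag.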
@@ -45472,10 +45469,12 @@ CVE-2018-11041 (Cloud Foundry UAA, versions later than 4.6.0 and prior to 4.19.0
NOT-FOR-US: Cloud Foundry
CVE-2018-11040 (Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to ...)
- libspring-java 4.3.19-1
+ [stretch] - libspring-java <no-dsa> (Minor issue)
[jessie] - libspring-java <no-dsa> (unable to find relevant commits)
NOTE: https://pivotal.io/security/cve-2018-11040
CVE-2018-11039 (Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior ...)
- libspring-java 4.3.19-1
+ [stretch] - libspring-java <no-dsa> (Minor issue)
[jessie] - libspring-java <no-dsa> (Minor issue)
NOTE: https://pivotal.io/security/cve-2018-11039
CVE-2017-18270 (In the Linux kernel before 4.13.5, a local user could create keyrings ...)
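Review bot: for CVE-2018-11040 the jessie line records `(unable to find relevant commits)`, and the new stretch `<no-dsa> (Minor issue)` line adds no fix reference either; since a no-dsa issue may still be fixed in a point release, a NOTE pointing to the upstream fix commits (or stating that none were identified) would make the stretch decision actionable, and CVE-2018-11039 in the same hunk would benefit from the same.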
@@ -73518,6 +73517,7 @@ CVE-2018-1273 (Spring Data Commons, versions prior to 1.13 to 1.13.10, 2.0 to 2.
NOT-FOR-US: Spring Data Commons
CVE-2018-1272 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior ...)
- libspring-java 4.3.19-1 (bug #895114)
+ [stretch] - libspring-java <no-dsa> (Minor issue)
[jessie] - libspring-java <not-affected> (vulnerable code not found)
[wheezy] - libspring-java <not-affected> (Vulnerable broker code introduced in various commits re. https://github.com/spring-projects/spring-framework/blame/0009806debb578e884f6dc98bd1f2dc668020021/spring-messaging/src/main/java/org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.java)
NOTE: https://pivotal.io/security/cve-2018-1272
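Review bot: both jessie and wheezy are `<not-affected>` for CVE-2018-1272 because the vulnerable broker code was not found, and the wheezy reason links the blame view that identifies when it was introduced; state in the stretch line (or a NOTE) that the stretch version was verified to include that code, since `<no-dsa>` rather than `<not-affected>` is only right if it does.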
@@ -73526,6 +73526,7 @@ CVE-2018-1271 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 pr
NOTE: https://pivotal.io/security/cve-2018-1271
CVE-2018-1270 (Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior ...)
- libspring-java 4.3.19-1 (bug #895114)
+ [stretch] - libspring-java <no-dsa> (Minor issue)
[jessie] - libspring-java <not-affected> (vulnerable code not found)
[wheezy] - libspring-java <not-affected> (Vulnerable broker code introduced in various commits re. https://github.com/spring-projects/spring-framework/blame/0009806debb578e884f6dc98bd1f2dc668020021/spring-messaging/src/main/java/org/springframework/messaging/simp/broker/DefaultSubscriptionRegistry.java)
NOTE: https://pivotal.io/security/cve-2018-1270
@@ -73677,6 +73678,7 @@ CVE-2018-1200 (Apps Manager for PCF (Pivotal Application Service 1.11.x before .
NOT-FOR-US: Pivotal
CVE-2018-1199 (Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before ...)
- libspring-java 4.3.14-1 (bug #890001)
+ [stretch] - libspring-java <no-dsa> (Minor issue)
[wheezy] - libspring-java <ignored> (Too intrusive to fix by upgrade)
[jessie] - libspring-java <no-dsa> (fix for spring-security available but not for springframework)
- libspring-security-java <itp> (bug #582181)
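Review bot: the jessie line for CVE-2018-1199 says `(fix for spring-security available but not for springframework)`, and the stretch entry is tagged `<no-dsa> (Minor issue)` without saying whether stretch has the same fix-availability problem; if no springframework fix exists for the stretch version, `<postponed>` or an explicit reason naming the missing fix is clearer than `Minor issue` alone.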
=====================================
data/dsa-needed.txt
=====================================
@@ -30,16 +30,12 @@ libidn
libpng1.6
wait for final patch
--
-libspring-java
---
linux
Wait until more issues have piled up
--
mariadb-10.1
https://alioth-lists.debian.net/pipermail/pkg-mysql-maint/2019-February/012771.html
--
-mbedtls
---
mercurial
mumble
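Review bot: removing libspring-java and mbedtls from dsa-needed.txt silently takes both packages out of the DSA queue; confirm that every open stretch CVE for both packages carries a stretch tag, since any entry still untagged would no longer be visible for DSA planning once these lines are gone.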
@@ -55,6 +51,8 @@ openjpeg2 (luciano)
--
passenger
--
+php7.0 (jmm)
+--
runc
--
simplesamlphp
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/139a2cbf8955aed5411a088dab2834dbe084ca68