[Git][security-tracker-team/security-tracker][master] 4 commits: CVE-2018-20004,mxml: Link to fixing commit, remove no-dsa tag for Jessie.

Tue Jan 1 23:18:21 GMT 2019

Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dd77373b by Markus Koschany at 2019-01-01T23:18:06Z
CVE-2018-20004,mxml: Link to fixing commit, remove no-dsa tag for Jessie.

- - - - -
f091dc1c by Markus Koschany at 2019-01-01T23:18:06Z
CVE-2016-4570,CVE-2016-4571,mxml: Link to fixing commits

Remove no-dsa tag for Jessie

- - - - -
ac34d34c by Markus Koschany at 2019-01-01T23:18:07Z
CVE-2018-20592,mxml: Mark as no-dsa for Jessie.

This issue only affects the mxmldoc tool instead of the library.

- - - - -
8ae8f862 by Markus Koschany at 2019-01-01T23:18:07Z
Add mxml to dla-needed.txt

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -308,6 +308,7 @@ CVE-2018-20594 (An issue was discovered in hsweb 3.0.4. It is a reflected XSS ..
 	NOT-FOR-US: hsweb
 CVE-2018-20593 (In Mini-XML (aka mxml) v2.12, there is stack-based buffer overflow in ...)
 	- mxml <unfixed>
+	[jessie] - mxml <no-dsa> (Minor issue, only affects the mxmldoc tool)
 	NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/so_mxmldoc.c:2971_1.txt
 	NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/so_mxmldoc.c:2971_1.txt.err (error output)
 	NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/so_mxmldoc.c:2987_1.txt
@@ -4873,8 +4874,8 @@ CVE-2018-20005 (An issue has been found in Mini-XML (aka mxml) 2.12. It is a ...
 CVE-2018-20004 (An issue has been found in Mini-XML (aka mxml) 2.12. It is a ...)
 	- mxml <unfixed> (low)
 	[stretch] - mxml <no-dsa> (Minor issue)
-	[jessie] - mxml <ignored> (Minor issue)
 	NOTE: https://github.com/michaelrsweet/mxml/issues/233
+	NOTE: Fixed by https://github.com/michaelrsweet/mxml/commit/4f5577dd4672d228e4180f06bdbd66f343ea45e0
 CVE-2018-20003
 	RESERVED
 CVE-2018-20002 (The _bfd_generic_read_minisymbols function in syms.c in the Binary File ...)
@@ -131138,14 +131139,14 @@ CVE-2016-4546 (Samsung devices with Android KK(4.4) or L(5.0/5.1) allow local us
 	NOT-FOR-US: Samsung Android component
 CVE-2016-4570 (The mxmlDelete function in mxml-node.c in mxml 2.9, 2.7, and possibly ...)
 	- mxml 2.9-1 (bug #825855)
-	[jessie] - mxml <no-dsa> (Minor issue)
 	[wheezy] - mxml <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2016/05/07/8
+	NOTE: https://github.com/michaelrsweet/mxml/commit/d8c0ba900728d47523d76ba4acf33176cd04647c
 CVE-2016-4571 (The mxml_write_node function in mxml-file.c in mxml 2.9, 2.7, and ...)
 	- mxml 2.9-2 (bug #825855)
-	[jessie] - mxml <no-dsa> (Minor issue)
 	[wheezy] - mxml <no-dsa> (Minor issue)
 	NOTE: http://www.openwall.com/lists/oss-security/2016/05/07/8
+	NOTE: https://github.com/michaelrsweet/mxml/commit/5f74dc212497332d05882660db130a37d2f458eb
 CVE-2016-4558 (The BPF subsystem in the Linux kernel before 4.5.5 mishandles ...)
 	- linux 4.5.3-1
 	[jessie] - linux <not-affected> (Issue introduced later)


=====================================
data/dla-needed.txt
=====================================
@@ -88,6 +88,8 @@ linux (Ben Hutchings)
 --
 linux-4.9 (Ben Hutchings)
 --
+mxml
+--
 nettle
 --
 nss (Roberto C. Sánchez)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6aea9d298a872b2ac5d05c75803c8cd65df783df...8ae8f862280c80000ef8b023ae193ecd586b1ab0

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/6aea9d298a872b2ac5d05c75803c8cd65df783df...8ae8f862280c80000ef8b023ae193ecd586b1ab0
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190101/c7421481/attachment.html>
