[Git][security-tracker-team/security-tracker][master] 2 commits: Add todo/note for CVE-2019-6256/liblivemedia

Salvatore Bonaccorso carnil at debian.org
Sat Jan 19 22:13:47 GMT 2019


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
113e87fb by Salvatore Bonaccorso at 2019-01-19T22:11:18Z
Add todo/note for CVE-2019-6256/liblivemedia

The addition of 2018.11.26-1 was based on reproducibility of the issue.
We have no proof yet on where the fix actually lies so add at least here
a todo for further checking given the maintainers are confident the
issue is fixed in the newest version.

We would need to isolate the fix, and secondly pinpoint to the exact
version addressing the issue in sid.

- - - - -
9b37c29f by Salvatore Bonaccorso at 2019-01-19T22:12:16Z
Revert "Triage results."

This reverts commit 2558c51f7986177185e47a8e2f5fee3a1430f1ed.

The issue was addressed in DLA-1632-1 for jessie, thus adding the
<ignored> causes more confusion.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -639,6 +639,7 @@ CVE-2019-6257 (A Server Side Request Forgery (SSRF) vulnerability in elFinder be
 CVE-2019-6256 (A Denial of Service issue was discovered in the LIVE555 Streaming Media ...)
 	- liblivemedia 2018.11.26-1 (bug #919529)
 	NOTE: https://github.com/rgaufman/live555/issues/19
+	TODO: not entirely clear if 2018.11.26-1 is really the fixing version, cf. #919529
 CVE-2019-6255
 	RESERVED
 CVE-2019-6254
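
Review bot: the added TODO under CVE-2019-6256 questions the fixing version, but the line above it still records `- liblivemedia 2018.11.26-1 (bug #919529)` as fixed, and nothing in the entry itself says that version was chosen because of reproducibility testing rather than an identified fix. Consider adding a NOTE stating that basis and naming the two open checks from the commit message (isolating the fix, pinpointing the exact fixing version in sid), so whoever picks up the TODO does not need the commit log to know what is left to verify.
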
@@ -13056,7 +13057,6 @@ CVE-2018-19758 (There is a heap-based buffer over-read at wav.c in wav_write_hea
 	{DLA-1632-1}
 	- libsndfile <unfixed> (bug #917416)
 	[stretch] - libsndfile <no-dsa> (Minor issue)
-	[jessie] - libsndfile <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643812
 	NOTE: https://github.com/erikd/libsndfile/issues/435
 	NOTE: https://github.com/erikd/libsndfile/commit/42132c543358cee9f7c3e9e9b15bb6c1063a608e
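
Review bot: removing `[jessie] - libsndfile <ignored> (Minor issue)` leaves CVE-2018-19758 with no jessie line at all, so within this entry the only trace of the jessie fix is the `{DLA-1632-1}` tag, sitting next to `- libsndfile <unfixed> (bug #917416)`. Worth confirming that the DLA-1632-1 record carries the fixed libsndfile version for jessie, since the reason for the removal is stated only in the revert message and not in the data file.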



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/2558c51f7986177185e47a8e2f5fee3a1430f1ed...9b37c29fe1143f18ba20b7eb6e27b7be46c5fd3d
