[Git][security-tracker-team/security-tracker][master] 4 commits: Mark CVE-2018-17191 as ignored

Sat Jan 26 10:02:02 GMT 2019

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9a881d6e by Salvatore Bonaccorso at 2019-01-26T09:51:01Z
Mark CVE-2018-17191 as ignored

As we track source-code level issues, mark the issue as ignored.

Given the Nashorn module is not enabled and javascript support is
incomplete we can ignore the issue for the stable release. not-affected
would imply that the issue is not present in the version as released in
stretch.

- - - - -
8a4e3fbd by Salvatore Bonaccorso at 2019-01-26T09:52:14Z
Remove reference to original attempt to fix CVE-2019-5489

More details tracked in kernel-sec triaging repository.

- - - - -
2d6e9243 by Salvatore Bonaccorso at 2019-01-26T10:00:58Z
Process NFUs

- - - - -
d1ce3136 by Salvatore Bonaccorso at 2019-01-26T10:01:17Z
Add CVE-2019-6956/faad2 issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -13,7 +13,7 @@ CVE-2019-6968
 CVE-2019-6967
 	RESERVED
 CVE-2019-6966 (An issue was discovered in Bento4 1.5.1-628. The AP4_ElstAtom class in ...)
-	TODO: check
+	NOT-FOR-US: Bento4
 CVE-2019-6965
 	RESERVED
 CVE-2019-6964
@@ -33,7 +33,8 @@ CVE-2019-6958
 CVE-2019-6957
 	RESERVED
 CVE-2019-6956 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) ...)
-	TODO: check
+	- faad2 <unfixed> (bug #914641)
+	NOTE: https://sourceforge.net/p/faac/bugs/240/
 CVE-2019-6955
 	RESERVED
 CVE-2019-6954
@@ -335,7 +336,7 @@ CVE-2019-6807
 CVE-2019-6806
 	RESERVED
 CVE-2019-6805 (SQL Injection was found in S-CMS version V3.0 via the ...)
-	TODO: check
+	NOT-FOR-US: S-CMS
 CVE-2019-6804 (An XSS issue was discovered on the Job Edit page in Rundeck Community ...)
 	NOT-FOR-US: Rundeck Community Edition
 CVE-2019-6803 (typora through 0.9.9.20.3 beta has XSS, with resultant remote command ...)
@@ -3422,7 +3423,6 @@ CVE-2019-5488 (EARCLINK ESPCMS-P8 has SQL injection in the ...)
 	NOT-FOR-US: EARCLINK ESPCMS-P8
 CVE-2019-5489 (The mincore() implementation in mm/mincore.c in the Linux kernel ...)
 	- linux <unfixed>
-	NOTE: https://git.kernel.org/linus/574823bfab82d9d8fa47f422778043fbb4b4f50e (5.0-rc1)
 CVE-2019-5487
 	RESERVED
 CVE-2019-5486
@@ -18986,11 +18986,11 @@ CVE-2018-19025
 CVE-2018-19024
 	RESERVED
 CVE-2018-19023 (Hetronic Nova-M radio control systems prior to version r161 use fixed ...)
-	TODO: check
+	NOT-FOR-US: Hetronic Nova-M radio control systems
 CVE-2018-19022
 	RESERVED
 CVE-2018-19021 (A specially crafted script could bypass the authentication of a ...)
-	TODO: check
+	NOT-FOR-US: Emerson DeltaV DCS
 CVE-2018-19020
 	RESERVED
 CVE-2018-19019 (A type confusion vulnerability exists when processing project files in ...)
@@ -19017,7 +19017,7 @@ CVE-2018-19010
 	RESERVED
 	NOT-FOR-US: Drager patient monitoring medical devices
 CVE-2018-19009 (Pilz PNOZmulti Configurator prior to version 10.9 allows an ...)
-	TODO: check
+	NOT-FOR-US: Pilz PNOZmulti Configurator
 CVE-2018-19008
 	RESERVED
 CVE-2018-19007 (In Geutebrueck GmbH E2 Camera Series versions prior to 1.12.0.25 the ...)
@@ -19073,7 +19073,7 @@ CVE-2018-18983 (VT-Designer Version 2.1.7.31 is vulnerable by the program readin
 CVE-2018-18982 (NUUO CMS All versions 3.3 and prior the web server application allows ...)
 	NOT-FOR-US: NUUO CMS
 CVE-2018-18981 (In Rockwell Automation FactoryTalk Services Platform 2.90 and earlier, ...)
-	TODO: check
+	NOT-FOR-US: Rockwell Automation FactoryTalk Services Platform
 CVE-2014-10077 (Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 ...)
 	{DLA-1584-1}
 	- ruby-i18n 0.7.0-3 (bug #913093)
@@ -20631,7 +20631,7 @@ CVE-2018-18365
 CVE-2018-18364
 	RESERVED
 CVE-2018-18363 (Norton App Lock prior to 1.4.0.445 can be susceptible to a bypass ...)
-	TODO: check
+	NOT-FOR-US: Norton App Lock
 CVE-2018-18362 (Norton Password Manager for Android (formerly Norton Identity Safe) ...)
 	NOT-FOR-US: Norton Password Manager for Android
 CVE-2018-18361 (An issue was discovered in nc-cms through 2017-03-10. ...)
@@ -23624,7 +23624,7 @@ CVE-2018-17192 (The X-Frame-Options headers were applied inconsistently on some
 	NOT-FOR-US: Apache NiFi
 CVE-2018-17191 (Apache NetBeans (incubating) 9.0 NetBeans Proxy Auto-Configuration ...)
 	- netbeans 10.0-1
-	[stretch] - netbeans <not-affected> (Nashorn module is not enabled. Javascript support is incomplete)
+	[stretch] - netbeans <ignored> (Nashorn module is not enabled. Javascript support is incomplete)
 	NOTE: Fixed upstream in version 10.0
 	NOTE: https://www.openwall.com/lists/oss-security/2018/12/30/1
 CVE-2018-17190 (In all versions of Apache Spark, its standalone resource manager ...)
@@ -36532,7 +36532,7 @@ CVE-2018-12239 (Norton prior to 22.15; Symantec Endpoint Protection (SEP) prior
 CVE-2018-12238 (Norton prior to 22.15; Symantec Endpoint Protection (SEP) prior to ...)
 	NOT-FOR-US: Norton
 CVE-2018-12237 (The Symantec Reporter CLI 10.1 prior to 10.1.5.6 and 10.2 prior to ...)
-	TODO: check
+	NOT-FOR-US: Symantec Reporter CLI
 CVE-2018-12236
 	RESERVED
 CVE-2018-12235
@@ -55667,7 +55667,7 @@ CVE-2018-5499
 CVE-2018-5498
 	RESERVED
 CVE-2018-5497 (Clustered Data ONTAP versions prior to 9.1P16, 9.3P10 and 9.4P5 are ...)
-	TODO: check
+	NOT-FOR-US: Clustered Data ONTAP
 CVE-2018-5496 (Data ONTAP operating in 7-Mode versions prior to 8.2.5P2 are ...)
 	NOT-FOR-US: Data ONTAP
 CVE-2018-5495 (All StorageGRID Webscale versions are susceptible to a vulnerability ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/4be12f62f9b326224980726781e3cb96e4cde346...d1ce31367e07f67dfcd2b731b5cace0f4ca33518

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/compare/4be12f62f9b326224980726781e3cb96e4cde346...d1ce31367e07f67dfcd2b731b5cace0f4ca33518
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190126/e696c700/attachment.html>
