[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Tue Jan 29 12:56:15 GMT 2019 

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a3b8fdb8 by Moritz Muehlenhoff at 2019-01-29T12:55:49Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -11974,6 +11974,7 @@ CVE-2018-20074
 CVE-2018-20073 [chromium stores download meta data in extended attributes]
 	RESERVED
 	- chromium <unfixed>
+	[stretch] - chromium <postponed> (Wait until fixed upstream)
 CVE-2018-20072
 	RESERVED
 CVE-2018-20071 (Insufficiently strict origin checks during JIT payment app ...)
@@ -38943,6 +38944,7 @@ CVE-2018-11491 (ASUS HG100 devices with firmware before 1.05.12 allow unauthenti
 	NOT-FOR-US: ASUS HG100 devices
 CVE-2018-11490 (The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly ...)
 	- giflib <unfixed> (bug #904114)
+	[buster] - giflib <no-dsa> (Minor issue)
 	[stretch] - giflib <no-dsa> (Minor issue)
 	[jessie] - giflib <no-dsa> (Minor issue)
 	NOTE: https://github.com/pts/sam2p/issues/38
@@ -38950,6 +38952,7 @@ CVE-2018-11490 (The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibl
 	NOTE: Issue was reported against sam2p but issue is in dgif_lib.c from giflib.
 CVE-2018-11489 (The DGifDecompressLine function in dgif_lib.c in GIFLIB (possibly ...)
 	- giflib <unfixed> (bug #904113)
+	[buster] - giflib <no-dsa> (Minor issue)
 	[stretch] - giflib <no-dsa> (Minor issue)
 	[jessie] - giflib <no-dsa> (Minor issue)
 	NOTE: https://github.com/pts/sam2p/issues/37
@@ -49252,6 +49255,7 @@ CVE-2018-7588 (An issue was discovered in CImg v.220. A heap-based buffer over-r
 	NOTE: https://github.com/dtschump/CImg/commit/8447076ef22322a14a0ce130837e44c5ba8095f4
 CVE-2018-7587 (An issue was discovered in CImg v.220. DoS occurs when loading a ...)
 	- cimg <unfixed> (low; bug #892780)
+	[buster] - cimg <no-dsa> (Minor issue)
 	[stretch] - cimg <no-dsa> (Minor issue)
 	[jessie] - cimg <no-dsa> (Minor issue)
 	[wheezy] - cimg <no-dsa> (Minor issue)
@@ -49694,6 +49698,7 @@ CVE-2018-1000098 (Teluu PJSIP version 2.7.1 and earlier contains a Integer Overf
 	NOTE: In jessie Asterisk doesn't use pjproject for SIP (only for ICE, STUN and TURN)
 CVE-2018-1000101 (Mingw-w64 version 5.0.3 and earlier contains an Improper Null ...)
 	- mingw-w64 <unfixed> (low; bug #897196)
+	[buster] - mingw-w64 <ignored> (Minor issue)
 	[stretch] - mingw-w64 <ignored> (Minor issue)
 	[jessie] - mingw-w64 <ignored> (Minor issue)
 	[wheezy] - mingw-w64 <ignored> (Minor issue)
@@ -89044,11 +89049,9 @@ CVE-2017-11549 (The play_midi function in playmidi.c in TiMidity++ 2.14.0 allows
 	NOTE: https://sourceforge.net/p/timidity/discussion/217458/thread/9a1c9620/
 	NOTE: Crash in CLI tool, no security impact
 CVE-2017-11548 (The _tokenize_matrix function in audio_out.c in Xiph.Org libao 1.2.0 ...)
-	- libao <unfixed> (low; bug #870608)
-	[stretch] - libao <no-dsa> (Minor issue)
-	[jessie] - libao <no-dsa> (Minor issue)
-	[wheezy] - libao <no-dsa> (Minor issue)
+	- libao <unfixed> (unimportant; bug #870608)
 	NOTE: http://seclists.org/fulldisclosure/2017/Jul/84
+	NOTE: Not a security issue in ao, needs to be validated in applications using it, see #870608
 CVE-2017-11547 (The resample_gauss function in resample.c in TiMidity++ 2.14.0 allows ...)
 	- timidity 2.14.0-4 (unimportant; bug #870338)
 	NOTE: http://seclists.org/fulldisclosure/2017/Jul/83
@@ -106045,7 +106048,8 @@ CVE-2017-6078 (FastStone MaxView 3.0 and 3.1 allows user-assisted attackers to c
 CVE-2017-6077 (ping.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 ...)
 	NOT-FOR-US: NETGEAR
 CVE-2016-10228 (The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and ...)
-	- glibc <unfixed> (bug #856503)
+	- glibc <unfixed> (low; bug #856503)
+	[buster] - glibc <no-dsa> (Minor issue)
 	[stretch] - glibc <no-dsa> (Minor issue)
 	[jessie] - glibc <no-dsa> (Minor issue)
 	- eglibc <removed>
@@ -145052,7 +145056,8 @@ CVE-2016-2782 (The treo_attach function in drivers/usb/serial/visor.c in the Lin
 	- linux-2.6 <removed>
 	NOTE: Upstream commit: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=cac9b50b0d75a1d50d6c056ff65c005f3224c8e0 (v4.5-rc2)
 CVE-2016-2781 (chroot in GNU coreutils, when used with --userspec, allows local users ...)
-	- coreutils <unfixed> (bug #816320)
+	- coreutils <unfixed> (low; bug #816320)
+	[buster] - coreutils <ignored> (Minor issue)
 	[stretch] - coreutils <ignored> (Minor issue)
 	[jessie] - coreutils <ignored> (Minor issue)
 	[wheezy] - coreutils <ignored> (Minor issue)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a3b8fdb83b0c8e931ae82b8054ef74a584151577

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/a3b8fdb83b0c8e931ae82b8054ef74a584151577
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190129/196b47e8/attachment.html>

More information about the debian-security-tracker-commits mailing list