[Git][security-tracker-team/security-tracker][master] buster/stretch triage
Moritz Muehlenhoff
jmm at debian.org
Mon Jul 8 20:20:32 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5bbc0c04 by Moritz Muehlenhoff at 2019-07-08T19:19:54Z
buster/stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -29,7 +29,9 @@ CVE-2019-13391 (In ImageMagick 7.0.8-50 Q16, ComplexImages in MagickCore/fourier
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1588
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/f6ffc702c6eecd963587273a429dcd608c648984
CVE-2019-13390 (In FFmpeg 4.1.3, there is a division by zero at adx_write_trailer in l ...)
- TODO: check
+ - ffmpeg <unfixed> (low)
+ [buster] - ffmpeg <postponed> (Minor issue, wait until fixed in 4.1.x branch)
+ [stretch] - ffmpeg <postponed> (Minor issue, wait until fixed in 3.2.x branch)
CVE-2019-13389
RESERVED
CVE-2019-13388
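Review bot: the new ffmpeg entry for CVE-2019-13390 has no upstream reference, while the neighbouring CVE-2019-13391 entry carries NOTE: lines with the upstream issue and commit. Both postponed lines say to wait for a fix in the 4.1.x and 3.2.x branches, so a NOTE: pointing at the upstream ticket or fixing commit, once known, would let the next triager check whether a given 4.1.x or 3.2.x release actually contains it instead of re-deriving that. The same hunk drops the `TODO: check` line, so this is the last place the reasoning behind the (low) severity for the division by zero gets recorded.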
@@ -569,6 +571,8 @@ CVE-2019-13165
RESERVED
CVE-2019-13164 (qemu-bridge-helper.c in QEMU 4.0.0 does not ensure that a network inte ...)
- qemu <unfixed> (bug #931351)
+ [buster] - qemu <postponed> (Minor issue, can be fixed along in future DSA)
+ [stretch] - qemu <postponed> (Minor issue, can be fixed along in future DSA)
- qemu-kvm <removed>
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg00245.html
CVE-2019-13163
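Review bot: the qemu <unfixed> line for CVE-2019-13164 gains buster and stretch postponed tags but no severity, whereas the ffmpeg and irssi entries in this same commit are tagged (low) on the unstable line. Since the stated rationale is "Minor issue", adding it there, e.g. `- qemu <unfixed> (low; bug #931351)`, would keep the three entries consistent and make the severity visible without reading the postponed reason text.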
@@ -742,6 +746,8 @@ CVE-2019-13108 (An integer overflow in Exiv2 through 0.27.1 allows an attacker t
NOTE: https://github.com/Exiv2/exiv2/issues/789
CVE-2019-13107 (Multiple integer overflows exist in MATIO before 1.5.16, related to ma ...)
- libmatio <unfixed> (bug #931323)
+ [buster] - libmatio <no-dsa> (Minor issue)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: Several commits between 1.5.15..1.5.16: https://github.com/tbeu/matio/compare/f8cd397...fabac6c
CVE-2019-13106
RESERVED
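Review bot: CVE-2019-13107 is marked no-dsa for buster and stretch while the only NOTE: points at a range ("Several commits between 1.5.15..1.5.16") rather than an isolated fix. CVE-2019-5051 further down in this file keeps a `TODO: isolate fixing commit` in the same situation; a matching TODO here would stop the entry from looking fully triaged before the commits relevant to a stable backport have been identified.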
@@ -902,7 +908,9 @@ CVE-2019-13034
CVE-2016-10761 (Logitech Unifying devices before 2016-02-26 allow keystroke injection, ...)
NOT-FOR-US: Logitech
CVE-2019-13045 (Irssi before 1.0.8, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, when S ...)
- - irssi 1.2.1-1 (bug #931264)
+ - irssi 1.2.1-1 (low; bug #931264)
+ [buster] - irssi <no-dsa> (Minor issue)
+ [stretch] - irssi <no-dsa> (Minor issue)
[jessie] - irssi <not-affected> (vulnerable sasl code is not present)
NOTE: https://irssi.org/security/irssi_sa_2019_06.txt
NOTE: https://github.com/irssi/irssi/pull/1058
@@ -3020,7 +3028,6 @@ CVE-2019-12218 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
[jessie] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4620
- TODO: check details and correct vulnerability location
CVE-2019-12217 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
- libsdl2-image <unfixed>
[buster] - libsdl2-image <no-dsa> (Minor issue)
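Review bot: the `TODO: check details and correct vulnerability location` line for CVE-2019-12218 is removed, but nothing records what the check concluded. The description still says "libSDL2.a in Simple DirectMedia Layer" while the tracked packages are sdl-image1.2 and libsdl2-image, so a short NOTE: stating that the affected code lives in the SDL_image packages rather than in SDL itself, if that is the outcome, would preserve the reasoning for anyone re-reading the entry.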
@@ -3041,7 +3048,6 @@ CVE-2019-12216 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer
[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
[jessie] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4619
- TODO: check details and correct vulnerability location
CVE-2019-12215 (** DISPUTED ** A full path disclosure vulnerability was discovered in ...)
- matomo <itp> (bug #448532)
CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of mishand ...)
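Review bot: same gap for CVE-2019-12216: the TODO is dropped without a NOTE: saying how the vulnerability-location question was resolved. The bugzilla.libsdl.org link alone does not tell a later reader why the entry lists the SDL_image packages rather than an SDL package; one NOTE: line recording that decision would close the loop.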
@@ -21746,12 +21752,20 @@ CVE-2019-5053
RESERVED
CVE-2019-5052 (An exploitable integer overflow vulnerability exists when loading a PC ...)
- libsdl2-image <unfixed>
+ [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 <unfixed>
+ [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0821
NOTE: https://hg.libsdl.org/SDL_image/rev/b920be2b3fc6
CVE-2019-5051 (An exploitable heap-based buffer overflow vulnerability exists when lo ...)
- libsdl2-image <unfixed>
+ [buster] - libsdl2-image <no-dsa> (Minor issue)
+ [stretch] - libsdl2-image <no-dsa> (Minor issue)
- sdl-image1.2 <unfixed>
+ [buster] - sdl-image1.2 <no-dsa> (Minor issue)
+ [stretch] - sdl-image1.2 <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0820
TODO: isolate fixing commit
CVE-2019-5050
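Review bot: the <unfixed> lines for libsdl2-image and sdl-image1.2 under CVE-2019-5052 and CVE-2019-5051 carry no Debian bug reference, unlike the qemu and libmatio entries in this commit, and both entries now gain buster and stretch no-dsa tags. CVE-2019-5051 also still has `TODO: isolate fixing commit` and no fixing-commit NOTE:, so only the Talos report anchors it. A bug reference on the <unfixed> lines, and keeping that TODO until the commit is known, would make the no-dsa decision easier to revisit later.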
=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ bzip2
--
chromium
--
+dosbox (jmm)
+--
faad2
not yet fixed upstream
--
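Review bot: `dosbox (jmm)` is added with no status line, which matches entries such as chromium and bzip2 but not faad2 ("not yet fixed upstream") or sssd. If the fix to be shipped has already been identified, a line noting that state would help whoever picks the entry up should the claim lapse.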
@@ -29,7 +31,7 @@ glusterfs
--
graphicsmagick
--
-jruby
+jruby/oldstable
--
koji
--
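Review bot: jruby is renamed to jruby/oldstable, and the same suffix is applied to simplesamlphp and teeworlds further down, presumably to mark entries where only the stretch update is still outstanding after the buster release. The surrounding entries (glusterfs, graphicsmagick, koji) keep the unsuffixed form, which then reads as "needed for both suites"; worth a quick pass confirming that is intended for each of them, and a comment documenting the /oldstable convention if the file does not already have one.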
@@ -55,7 +57,7 @@ python3.5 (jmm)
--
redis
--
-simplesamlphp
+simplesamlphp/oldstable
--
smarty3
--
@@ -64,7 +66,7 @@ sox
sssd
Maintainer prepared an update and proposed debdiff, acked for upload, but update needs further testing before release.
--
-teeworlds
+teeworlds/oldstable
--
wordpress
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/5bbc0c046062f1612de394ec2bf3d3b5263b92a7