[Git][security-tracker-team/security-tracker][master] buster/stretch triage
Moritz Muehlenhoff
jmm at debian.org
Thu Jul 11 08:21:00 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
0891eec1 by Moritz Muehlenhoff at 2019-07-11T07:20:26Z
buster/stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -272,7 +272,9 @@ CVE-2019-13353
CVE-2019-13352 (WolfVision Cynap before 1.30j uses a static, hard-coded cryptographic ...)
NOT-FOR-US: WolfVision Cynap
CVE-2019-13351 (posix/JackSocket.cpp in libjack in JACK2 1.9.1 through 1.9.12 (as dist ...)
- - jackd2 <unfixed> (bug #931488)
+ - jackd2 <unfixed> (low; bug #931488)
+ [buster] - jackd2 <no-dsa> (Minor issue)
+ [stretch] - jackd2 <no-dsa> (Minor issue)
[jessie] - jackd2 <postponed> (Minor issue, hard to reproduce crash with theoretically possible file corruption, no sensitive data to leak)
NOTE: https://github.com/jackaudio/jack2/pull/480
NOTE: https://github.com/jackaudio/jack2/commit/994e225bbb07a89f56147f7ce7d59beb49f8cfba
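Review bot: the new [buster] and [stretch] no-dsa lines for jackd2 give only "Minor issue" as rationale, while the existing [jessie] postponed line spells out why (hard to reproduce crash, theoretically possible file corruption, no sensitive data to leak). Since the same reasoning presumably backs the no-dsa decision for the newer suites and the new "low" severity, consider carrying a short form of it over, e.g. `[buster] - jackd2 <no-dsa> (Minor issue, hard to reproduce crash)`, so the triage is self-explaining when the entry is revisited.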
@@ -568,10 +570,12 @@ CVE-2019-13234
RESERVED
CVE-2019-13232 (Info-ZIP UnZip 6.0 mishandles the overlapping of files inside a ZIP co ...)
{DLA-1846-1}
- - unzip <unfixed> (bug #931433)
+ - unzip <unfixed> (unimportant; bug #931433)
NOTE: https://www.bamsoftware.com/hacks/zipbomb/
NOTE: Fixed by: https://github.com/madler/unzip/commit/47b3ceae397d21bf822bc2ac73052a4b1daf8e1c
NOTE: Fix depends on: https://github.com/madler/unzip/commit/41beb477c5744bc396fa1162ee0c14218ec12213
+ NOTE: No security impact, crash in CLI tool, any server implementing automatic extraction needs
+ NOTE: to apply resource limits anyway
CVE-2019-13231
RESERVED
CVE-2019-13230
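Review bot: the two-line NOTE justifying the "unimportant" rating (crash in a CLI tool, servers doing automatic extraction need resource limits anyway) is the right kind of record to keep. One consistency point: the `{DLA-1846-1}` line shows an LTS update was already issued for this CVE, so the NOTE could state that the rating refers to the crash in unzip itself and does not revise that DLA, to avoid the two lines reading as a contradiction. The `Fix depends on:` line should stay as-is, since anyone applying the upstream fix needs both commits.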
@@ -9012,6 +9016,7 @@ CVE-2019-9949 (Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, E
CVE-2019-9948 (urllib in Python 2.x through 2.7.16 supports the local_file: scheme, w ...)
{DLA-1852-1 DLA-1834-1}
- python3.7 3.7.4~rc2-2
+ [stretch] - python3.7 <no-dsa> (Minor issue)
- python3.6 <removed>
- python3.5 <removed>
- python3.4 <removed>
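Review bot: the [stretch] no-dsa annotation is attached to python3.7, but stretch shipped python3.5, which here carries only `<removed>` and no suite annotation; confirm the source package name, otherwise the stretch annotation belongs on the python3.5 line. Also, for a buster/stretch triage commit no [buster] line is added although the unstable fix is 3.7.4~rc2-2; if buster is meant to get the fix via a point update or is also no-dsa, recording that here keeps the entry complete.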
@@ -32242,6 +32247,7 @@ CVE-2018-19798
RESERVED
CVE-2018-19797 (In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Sel ...)
- libsass <unfixed>
+ [buster] - libsass <no-dsa> (Minor issue)
[stretch] - libsass <no-dsa> (Minor issue)
NOTE: https://github.com/sass/libsass/issues/2779
CVE-2018-19796 (An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPre ...)
@@ -56703,10 +56709,12 @@ CVE-2018-11699
RESERVED
CVE-2018-11698 (An issue was discovered in LibSass through 3.5.4. An out-of-bounds rea ...)
- libsass <unfixed>
+ [buster] - libsass <no-dsa> (Minor issue)
[stretch] - libsass <no-dsa> (Minor issue)
NOTE: https://github.com/sass/libsass/issues/2662
CVE-2018-11697 (An issue was discovered in LibSass through 3.5.4. An out-of-bounds rea ...)
- libsass <unfixed>
+ [buster] - libsass <no-dsa> (Minor issue)
[stretch] - libsass <no-dsa> (Minor issue)
NOTE: https://github.com/sass/libsass/issues/2656
NOTE: https://github.com/sass/libsass/commit/eb15533b07773c30dc03c9d742865604f47120ef
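Review bot: CVE-2018-11698 records only the upstream issue (#2662), while the sibling CVE-2018-11697 also records the fixing commit; if the fix for 11698 is known, a `NOTE: Fixed by:` line would make the no-dsa entries easier to act on later. The buster/stretch pairs for both CVEs are otherwise consistent with the existing stretch lines.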
@@ -74605,17 +74613,17 @@ CVE-2018-5433 (The TIBCO Administrator server component of TIBCO Software Inc.'s
CVE-2018-5432 (The TIBCO Administrator server component of of TIBCO Software Inc.'s T ...)
NOT-FOR-US: TIBCO Administrator
CVE-2018-5431 (The domain designer component of TIBCO Software Inc.'s TIBCO JasperRep ...)
- - jasperreports <removed>
+ - jasperreports <undetermined>
[jessie] - jasperreports <end-of-life> (not supported in Jessie)
[wheezy] - jasperreports <end-of-life> (not supported in Wheezy)
NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5431
CVE-2018-5430 (The Spring web flows of TIBCO Software Inc.'s TIBCO JasperReports Serv ...)
- - jasperreports <removed>
+ - jasperreports <undetermined>
[jessie] - jasperreports <end-of-life> (not supported in Jessie)
[wheezy] - jasperreports <end-of-life> (not supported in Wheezy)
NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5430
CVE-2018-5429 (A vulnerability in the report scripting component of TIBCO Software In ...)
- - jasperreports <removed>
+ - jasperreports <undetermined>
[jessie] - jasperreports <end-of-life> (not supported in Jessie)
[wheezy] - jasperreports <end-of-life> (not supported in Wheezy)
NOTE: https://www.tibco.com/support/advisories/2018/04/tibco-security-advisory-april-17-2018-tibco-jasperreports-2018-5429
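Review bot: the status for all three jasperreports CVEs flips from `<removed>` to `<undetermined>` without a NOTE giving the reason. `<removed>` records that the package left unstable; `<undetermined>` says it is unclear whether the issue applies, so the change implies the package is back in the archive or was never removed. A one-line NOTE stating which, and what is still undetermined, would let the next triager resolve these rather than re-deriving the history; the [jessie] and [wheezy] end-of-life lines are unaffected.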
@@ -97185,7 +97193,7 @@ CVE-2017-14943 (Trapeze TransitMaster is vulnerable to information disclosure (e
CVE-2017-14942 (Intelbras WRN 150 devices allow remote attackers to read the configura ...)
NOT-FOR-US: Intelbras WRN 150 devices
CVE-2017-14941 (Jaspersoft JasperReports 4.7 suffers from a saved credential disclosur ...)
- - jasperreports <removed> (bug #880467; bug #884131)
+ - jasperreports <undetermined> (bug #880467; bug #884131)
[jessie] - jasperreports <ignored> (no detailed information available, only needed as build-dependency for Spring)
[wheezy] - jasperreports <end-of-life> (cannot be supported due to lack of information)
NOTE: https://github.com/binary1985/VulnerabilityDisclosure/blob/master/JasperSoft%20JasperReports%20-%204.7%20-%20CVE-2017-14941
=====================================
data/dsa-needed.txt
=====================================
@@ -20,6 +20,8 @@ chromium
faad2
not yet fixed upstream
--
+firefox-esr (jmm)
+--
freeimage
--
glusterfs/oldstable
@@ -41,7 +43,7 @@ mercurial/oldstable
neovim/oldstable
Maintainer will prepare updates
--
-nss/oldstable
+nss (jmm)
Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508
--
poppler (jmm)
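Review bot: dropping the `/oldstable` qualifier widens the nss entry to stable as well, but the comment line beneath it ("Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508") was written for the oldstable-only entry. Consider stating whether that proposed update covers both suites or only oldstable, e.g. a second line for the stable plan, so the dsa-needed entry reflects the broadened scope.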
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/0891eec1447b20c9f45d18754f733df2081bbda3