[Git][security-tracker-team/security-tracker][master] stretch triage

Moritz Muehlenhoff jmm at debian.org
Mon Jun 3 21:20:46 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
6d60ccf9 by Moritz Muehlenhoff at 2019-06-03T20:20:16Z
stretch triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -318,6 +318,7 @@ CVE-2019-12451
 	RESERVED
 CVE-2019-12450 (file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1  ...)
 	- glib2.0 <unfixed> (bug #929753)
+	[stretch] - glib2.0 <no-dsa> (Minor issue)
 	NOTE: https://gitlab.gnome.org/GNOME/glib/commit/d8f8f4d637ce43f8699ba94c9b7648beda0ca174
 CVE-2019-12449 (An issue was discovered in GNOME gvfs 1.29.4 through 1.41.2. daemon/gv ...)
 	- gvfs <unfixed> (bug #929755)
@@ -889,8 +890,10 @@ CVE-2019-12219 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4625
 CVE-2019-12218 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
 	- libsdl2-image <unfixed>
+	[stretch] - libsdl2-image <no-dsa> (Minor issue)
 	[jessie] - libsdl2-image <no-dsa> (Minor issue)
 	- sdl-image1.2 <unfixed>
+	[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
 	[jessie] - sdl-image1.2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4620
 	TODO: check details and correct vulnerability location
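Review bot: the two new stretch no-dsa lines (libsdl2-image and sdl-image1.2) are added while the entry's own TODO "check details and correct vulnerability location" is still open, and the CVE text names libSDL2.a rather than SDL_image; a "Minor issue" assessment for stretch presumes the affected code has actually been located. Either resolve the TODO in the same change (recording which package and version really carries the bug reported in bugzilla 4620) or word the stretch reason so it does not rest on an unverified location. The lines do at least mirror the existing jessie entries, so the per-suite states are consistent with each other.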
@@ -904,8 +907,10 @@ CVE-2019-12217 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4626
 CVE-2019-12216 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
 	- libsdl2-image <unfixed>
+	[stretch] - libsdl2-image <no-dsa> (Minor issue)
 	[jessie] - libsdl2-image <no-dsa> (Minor issue)
 	- sdl-image1.2 <unfixed>
+	[stretch] - sdl-image1.2 <no-dsa> (Minor issue)
 	[jessie] - sdl-image1.2 <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4619
 	TODO: check details and correct vulnerability location
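Review bot: the stretch no-dsa lines for CVE-2019-12216 are added with the TODO "check details and correct vulnerability location" still open; as with the libsdl2-image/sdl-image1.2 pair in this same entry, "Minor issue" presumes the bug's location is known, so either close the TODO (bugzilla 4619) in this commit or mark the stretch state as provisional until the vulnerability location is confirmed.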
@@ -3752,7 +3757,8 @@ CVE-2019-11039 [Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to in
 	NOTE: PHP Bug: https://bugs.php.net/bug.php?id=78069
 CVE-2019-11038 [Uninitialized read in gdImageCreateFromXbm]
 	RESERVED
-	- libgd2 <unfixed> (bug #929821)
+	- libgd2 <unfixed> (low; bug #929821)
+	[stretch] - libgd2 <no-dsa> (Minor issue)
 	- php7.3 7.3.6-1 (unimportant)
 	- php7.0 <removed> (unimportant)
 	- php5 <removed> (unimportant)
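Review bot: the libgd2 line now carries "(low; bug #929821)" and stretch gets a matching no-dsa entry, which is consistent, but the three php lines below it (php7.3, php7.0, php5) are all "(unimportant)" with no NOTE saying why the PHP packages are not affected in practice; adding a one-line NOTE with that reason next to the existing PHP bug link would save the next triager from re-deriving it.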
@@ -11369,6 +11375,7 @@ CVE-2019-8340
 	RESERVED
 CVE-2019-8339 (An issue was discovered in Falco through 0.14.0. A missing indicator f ...)
 	- sysdig <unfixed>
+	[stretch] - sysdig <no-dsa> (Minor issue)
 CVE-2019-8338 (The signature verification routine in the Airmail GPG-PGP Plugin, vers ...)
 	NOT-FOR-US: Airmail
 CVE-2019-8336 (HashiCorp Consul (and Consul Enterprise) 1.4.x before 1.4.3 allows a c ...)
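Review bot: the new stretch no-dsa line for sysdig has nothing in the entry tying the CVE to the sysdig source package: the description names Falco through 0.14.0 and there is no NOTE with an upstream issue or fix reference, so a reader cannot see which sysdig code is affected or why it is minor. Add a NOTE with the upstream reference before settling the stretch state.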
@@ -29849,12 +29856,14 @@ CVE-2018-19666 (The agent in OSSEC through 3.1.0 on Windows allows local users t
 	- ossec-hids <itp> (bug #361954)
 CVE-2018-19665 (The Bluetooth subsystem in QEMU mishandles negative values for length  ...)
 	- qemu 1:3.1+dfsg-2 (low; bug #916278)
-	[stretch] - qemu <postponed> (Revisit when final upstream patch is out)
+	[stretch] - qemu <ignored> (Minor issue)
 	[jessie] - qemu <postponed> (Revisit when final upstream patch is out)
 	- qemu-kvm <removed>
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg03570.html
 	NOTE: note that previously mentioned patch will never be merged by upstream, see
 	NOTE: https://lists.debian.org/debian-lts/2019/01/msg00073.html
+	NOTE: 3.1 marked bluetooth subsystem as unused/deprecated, will most likely be removed:
+	NOTE:  https://github.com/qemu/qemu/commit/c0188e69d
 CVE-2018-19664 (libjpeg-turbo 2.0.1 has a heap-based buffer over-read in the put_pixel ...)
 	- libjpeg-turbo <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/305
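Review bot: the jessie line directly below the changed stretch line still reads "<postponed> (Revisit when final upstream patch is out)", while the NOTE lines in this same hunk record that the patch will never be merged and that 3.1 marks the bluetooth subsystem deprecated; if that reasoning justifies stretch moving to <ignored>, the jessie entry should be updated (or flagged for the LTS team) so it no longer contradicts the NOTEs. Minor style point: the new second NOTE line has two spaces after "NOTE:" where every other NOTE line uses one; align it.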
@@ -145880,7 +145889,8 @@ CVE-2016-7153 (The HTTP/2 protocol does not consider the role of the TCP congest
 CVE-2016-7152 (The HTTPS protocol does not consider the role of the TCP congestion wi ...)
 	NOTE: CVE assigned for the HTTP/2 protocol issue
 CVE-2016-7151 (Capstone 3.0.4 has an out-of-bounds vulnerability (SEGV caused by a re ...)
-	- capstone <unfixed>
+	- capstone <unfixed> (low)
+	[stretch] - capstone <no-dsa> (Minor issue)
 	[jessie] - capstone <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/aquynh/capstone/commit/87a25bb543c8e4c09b48d4b4a6c7db31ce58df06 (4.0-alpha4)
 	NOTE: https://github.com/aquynh/capstone/pull/725



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/6d60ccf93e51597dbb0a7d56689aa0d2801c241d

