[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Mon Jun 3 21:53:29 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8cbad464 by Moritz Muehlenhoff at 2019-06-03T20:53:00Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -4572,7 +4572,8 @@ CVE-2019-10725
 CVE-2019-10724
 	RESERVED
 CVE-2019-10723 (An issue was discovered in PoDoFo 0.9.6. The PdfPagesTreeCache class i ...)
-	- libpodofo <unfixed> (bug #926667)
+	- libpodofo <unfixed> (low; bug #926667)
+	[buster] - libpodofo <no-dsa> (Minor issue)
 	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <ignored> (clean exception quit/DoS, low popcon)
 	NOTE: https://sourceforge.net/p/podofo/tickets/46/
@@ -26965,6 +26966,7 @@ CVE-2018-20098 (There is a heap-based buffer over-read in Exiv2::Jp2Image::encod
 CVE-2018-20097 (There is a SEGV in Exiv2::Internal::TiffParserWorker::findPrimaryGroup ...)
 	{DLA-1691-1}
 	- exiv2 <unfixed> (low)
+	[buster] - exiv2 <no-dsa> (Minor issue)
 	[stretch] - exiv2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/590
 	NOTE: https://github.com/Exiv2/exiv2/commit/203ab0db28c9666b16069d4056ac5f66f753a51d
@@ -32928,6 +32930,7 @@ CVE-2018-19536
 CVE-2018-19535 (In Exiv2 0.26 and previous versions, PngChunk::readRawProfile in pngch ...)
 	{DLA-1691-1}
 	- exiv2 <unfixed> (bug #915135)
+	[buster] - exiv2 <no-dsa> (Minor issue)
 	[stretch] - exiv2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/428
 	NOTE: https://github.com/Exiv2/exiv2/pull/430
@@ -34462,6 +34465,7 @@ CVE-2018-19109 (tianti 2.3 allows remote authenticated users to bypass intended
 CVE-2018-19108 (In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in the PS ...)
 	{DLA-1691-1}
 	- exiv2 <unfixed> (bug #913272)
+	[buster] - exiv2 <no-dsa> (Minor issue)
 	[stretch] - exiv2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/426
 	NOTE: https://github.com/Exiv2/exiv2/pull/518
@@ -34470,6 +34474,7 @@ CVE-2018-19108 (In Exiv2 0.26, Exiv2::PsdImage::readMetadata in psdimage.cpp in
 CVE-2018-19107 (In Exiv2 0.26, Exiv2::IptcParser::decode in iptc.cpp (called from psdi ...)
 	{DLA-1691-1}
 	- exiv2 <unfixed> (bug #913273)
+	[buster] - exiv2 <no-dsa> (Minor issue)
 	[stretch] - exiv2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/427
 	NOTE: https://github.com/Exiv2/exiv2/pull/518
@@ -38441,6 +38446,7 @@ CVE-2018-17582 (Tcpreplay v4.3.0 beta1 contains a heap-based buffer over-read. T
 CVE-2018-17581 (CiffDirectory::readDirectory() at crwimage_int.cpp in Exiv2 0.26 has e ...)
 	{DLA-1691-1}
 	- exiv2 <unfixed> (low; bug #910060)
+	[buster] - exiv2 <no-dsa> (Minor issue)
 	[stretch] - exiv2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/460
 	NOTE: Fixed in: https://github.com/Exiv2/exiv2/commit/b3d077dcaefb6747fff8204490f33eba5a144edb
@@ -41825,6 +41831,7 @@ CVE-2018-16337 (An issue was discovered in Cscms V4.1.8. There is a CSRF vulnera
 CVE-2018-16336 (Exiv2::Internal::PngChunk::parseTXTChunk in Exiv2 v0.26 allows remote  ...)
 	{DLA-1551-1}
 	- exiv2 <unfixed> (bug #916081)
+	[buster] - exiv2 <no-dsa> (Minor issue)
 	[stretch] - exiv2 <no-dsa> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/400
 	NOTE: https://github.com/Exiv2/exiv2/commit/35b3e596edacd2437c2c5d3dd2b5c9502626163d
@@ -42860,6 +42867,7 @@ CVE-2018-15890
 	RESERVED
 CVE-2018-15889 (In podofo 0.9.6, the function PoDoFo::PdfParser::ReadObjects() in base ...)
 	- libpodofo <unfixed> (low; bug #916167)
+	[buster] - libpodofo <no-dsa> (Minor issue)
 	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <no-dsa> (Minor issue)
 	NOTE: (possible, but not yet confirmed) duplicate of CVE-2018-5783
@@ -46577,7 +46585,8 @@ CVE-2018-14499 (An issue was found in HYBBS through 2016-03-08. There is an XSS
 	NOT-FOR-US: HYBBS
 CVE-2018-14498 (get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG th ...)
 	{DLA-1719-1}
-	- libjpeg-turbo <unfixed> (bug #924678)
+	- libjpeg-turbo <unfixed> (low; bug #924678)
+	[buster] - libjpeg-turbo <no-dsa> (Minor issue)
 	[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
 	- mozjpeg <itp> (bug #741487)
 	NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9c78a04df4e44ef6487eee99c4258397f4fdca55
@@ -50183,6 +50192,7 @@ CVE-2018-12984 (Hycus CMS 1.0.4 allows Authentication Bypass via "'=' 'OR'" cred
 	NOT-FOR-US: Hycus CMS
 CVE-2018-12983 (A stack-based buffer over-read in the PdfEncryptMD5Base::ComputeEncryp ...)
 	- libpodofo <unfixed> (low; bug #916580)
+	[buster] - libpodofo <no-dsa> (Minor issue)
 	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1595693
@@ -50448,7 +50458,9 @@ CVE-2018-12887
 CVE-2018-12886 (stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in fu ...)
 	- gcc-snapshot <unfixed>
 	- gcc-8 <unfixed>
+	[buster] - gcc-8 <ignored> (Too intrusive to backport)
 	- gcc-7 <unfixed>
+	[buster] - gcc-7 <ignored> (Too intrusive to backport)
 	- gcc-6 <removed>
 	[stretch] - gcc-6 <ignored> (Too intrusive to backport)
 	- gcc-4.9 <removed>
@@ -55217,6 +55229,7 @@ CVE-2018-11256 (An issue was discovered in PoDoFo 0.9.5. The function PdfDocumen
 	NOTE: https://sourceforge.net/p/podofo/code/1938
 CVE-2018-11255 (An issue was discovered in PoDoFo 0.9.5. The function PdfPage::GetPage ...)
 	- libpodofo <unfixed> (low; bug #916584)
+	[buster] - libpodofo <no-dsa> (Minor issue)
 	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <no-dsa> (Minor issue)
 	[wheezy] - libpodofo <no-dsa> (Minor issue)
@@ -82875,6 +82888,7 @@ CVE-2017-17670 (In VideoLAN VLC media player through 2.2.8, there is a type conv
 	NOTE: POC: https://gist.github.com/dyntopia/194d912287656f66dd502158b0cd2e68
 CVE-2017-17669 (There is a heap-based buffer over-read in the Exiv2::Internal::PngChun ...)
 	- exiv2 <unfixed> (bug #886006)
+	[buster] - exiv2 <ignored> (Minor issue)
 	[stretch] - exiv2 <ignored> (Minor issue)
 	[jessie] - exiv2 <ignored> (Minor issue)
 	[wheezy] - exiv2 <ignored> (Minor issue)
@@ -84191,6 +84205,7 @@ CVE-2018-1153 (Burp Suite Community Edition 1.7.32 and 1.7.33 fail to validate t
 CVE-2018-1152 (libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerabilit ...)
 	{DLA-1638-1}
 	- libjpeg-turbo <unfixed> (low; bug #902950)
+	[buster] - libjpeg-turbo <no-dsa> (Minor issue)
 	[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
 	NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6
 CVE-2018-1151 (The web server on Western Digital TV Media Player 1.03.07 and TV Live  ...)
@@ -94738,6 +94753,7 @@ CVE-2017-14865 (There is a heap-based buffer overflow in the Exiv2::us2Data func
 CVE-2017-14864 (An Invalid memory address dereference was discovered in Exiv2::getULon ...)
 	{DLA-1147-1}
 	- exiv2 <unfixed>
+	[buster] - exiv2 <ignored> (Minor issue)
 	[stretch] - exiv2 <ignored> (Minor issue)
 	[jessie] - exiv2 <ignored> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/73
@@ -94756,6 +94772,7 @@ CVE-2017-14863 (A NULL pointer dereference was discovered in Exiv2::Image::print
 CVE-2017-14862 (An Invalid memory address dereference was discovered in Exiv2::DataVal ...)
 	{DLA-1147-1}
 	- exiv2 <unfixed>
+	[buster] - exiv2 <ignored> (Minor issue)
 	[stretch] - exiv2 <ignored> (Minor issue)
 	[jessie] - exiv2 <ignored> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/75
@@ -94782,6 +94799,7 @@ CVE-2017-14860 (There is a heap-based buffer over-read in the Exiv2::Jp2Image::r
 CVE-2017-14859 (An Invalid memory address dereference was discovered in Exiv2::StringV ...)
 	{DLA-1147-1}
 	- exiv2 <unfixed>
+	[busters] - exiv2 <ignored> (Minor issue)
 	[stretch] - exiv2 <ignored> (Minor issue)
 	[jessie] - exiv2 <ignored> (Minor issue)
 	NOTE: https://github.com/Exiv2/exiv2/issues/74
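Review bot: `[busters]` on the added line for CVE-2017-14859 is a typo for `[buster]`; it does not match the `[buster]` release tag used on every other added line in this commit, so the tracker will not associate this annotation with the buster release and CVE-2017-14859 is left without a buster triage entry. Suggest `	[buster] - exiv2 <ignored> (Minor issue)`, consistent with the two preceding exiv2 hunks.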



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8cbad464685416eea837955b2bbd62dbc2a72018
