[Git][security-tracker-team/security-tracker][master] stretch triage
Moritz Muehlenhoff
jmm at debian.org
Wed Jun 19 19:46:06 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
09092fee by Moritz Muehlenhoff at 2019-06-19T18:45:38Z
stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -36,6 +36,7 @@ CVE-2019-12866
RESERVED
CVE-2019-12865 (In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a dou ...)
- radare2 <unfixed> (bug #930704)
+ [stretch] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/issues/14334
NOTE: https://github.com/radare/radare2/commit/40453029179d230cf02ffed205f2d63e33981b8f
CVE-2012-6711 (A heap-based buffer overflow exists in GNU Bash before 4.3 when wide c ...)
@@ -62,6 +63,7 @@ CVE-2019-12856
RESERVED
CVE-2019-12855 (In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP su ...)
- twisted <unfixed> (bug #930626)
+ [stretch] - twisted <no-dsa> (Minor issue)
NOTE: https://github.com/twisted/twisted/pull/1147
NOTE: https://twistedmatrix.com/trac/ticket/9561
CVE-2019-12854
@@ -118,6 +120,7 @@ CVE-2019-12830 (In MyBB before 1.8.21, an attacker can exploit a parsing flaw in
NOT-FOR-US: MyBB
CVE-2019-12829 (radare2 through 3.5.1 mishandles the RParse API, which allows remote a ...)
- radare2 <unfixed> (bug #930590)
+ [stretch] - radare2 <no-dsa> (Minor issue)
NOTE: https://github.com/radare/radare2/issues/14303
NOTE: https://github.com/radare/radare2/commit/b282620b7a8818910c42a29b8f0855a2d13eec14
CVE-2019-12828 (An issue was discovered in Electronic Arts Origin before 10.5.39. Due ...)
@@ -1193,6 +1196,7 @@ CVE-2019-12388
RESERVED
CVE-2019-12387 (In Twisted before 19.2.1, twisted.web did not validate or sanitize URI ...)
- twisted <unfixed> (bug #930389)
+ [stretch] - twisted <no-dsa> (Minor issue)
NOTE: https://github.com/twisted/twisted/commit/6c61fc4503ae39ab8ecee52d10f10ee2c371d7e2
CVE-2019-12386
RESERVED
@@ -4625,6 +4629,7 @@ CVE-2019-11028 (GAT-Ship Web Module before 1.40 suffers from a vulnerability all
NOT-FOR-US: GAT-Ship Web Module
CVE-2015-9284 (The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site ...)
- ruby-omniauth <unfixed>
+ [stretch] - ruby-omniauth <no-dsa> (Minor issue)
[jessie] - ruby-omniauth <no-dsa> (Fix is in additional gem and needs CSRF protection in apps)
NOTE: https://github.com/omniauth/omniauth/pull/809
NOTE: https://www.openwall.com/lists/oss-security/2015/05/26/11
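Review bot: the added stretch line gives only `(Minor issue)` as its rationale, while the jessie line directly beneath it records the actual reason the fix is not shipped as a DSA (`Fix is in additional gem and needs CSRF protection in apps`); consider carrying that same explanation on the `[stretch] - ruby-omniauth <no-dsa>` line so the decision is self-documenting when the entry is revisited.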
@@ -6763,7 +6768,8 @@ CVE-2019-10154
- moodle <removed>
CVE-2019-10153 [mis-handling of non-ASCII characters in guest comment fields]
RESERVED
- - fence-agents <unfixed>
+ - fence-agents <unfixed> (low)
+ [stretch] - fence-agents <not-affected> (Vulnerable code not present)
[jessie] - fence-agents <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1670460
NOTE: https://github.com/ClusterLabs/fence-agents/pull/255
@@ -6813,6 +6819,7 @@ CVE-2019-10142 [drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
CVE-2019-10141
RESERVED
- ironic-inspector 8.0.0-3 (bug #929332)
+ [stretch] - ironic-inspector <no-dsa> (Minor issue)
NOTE: https://review.opendev.org/#/c/660234/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1711722
CVE-2019-10140
@@ -7293,6 +7300,7 @@ CVE-2019-9949 (Western Digital My Cloud Cloud, Mirror Gen2, EX2 Ultra, EX2100, E
NOT-FOR-US: Western Digital
CVE-2019-9948 (urllib in Python 2.x through 2.7.16 supports the local_file: scheme, w ...)
- python2.7 2.7.16-2
+ [stretch] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue35907
NOTE: https://github.com/python/cpython/pull/11842
CVE-2019-9947 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 and ur ...)
@@ -7303,6 +7311,7 @@ CVE-2019-9947 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 a
- python3.4 <removed>
- python2.7 <unfixed>
[buster] - python2.7 <no-dsa> (Minor issue)
+ [stretch] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue35906
NOTE: Introduced by: https://github.com/python/cpython/commit/cc54c1c0d2d05fe7404ba64c53df4b1352ed2262
CVE-2019-9946 (Cloud Native Computing Foundation (CNCF) CNI (Container Networking Int ...)
@@ -8668,6 +8677,7 @@ CVE-2019-9740 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 a
- python3.4 <removed>
- python2.7 <unfixed>
[buster] - python2.7 <no-dsa> (Minor issue)
+ [stretchbuster] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue36276
NOTE: https://bugs.python.org/issue30458
CVE-2019-9739
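Review bot: the suite tag on the added line is `[stretchbuster]`, which is not a Debian release name and looks like a typo; the line above it already carries `[buster] - python2.7 <no-dsa> (Minor issue)`, so the new line should read `[stretch] - python2.7 <no-dsa> (Minor issue)`, matching the python2.7 stretch annotations added in this commit for CVE-2019-9948 and CVE-2019-9947. As written, the stretch status for CVE-2019-9740 is not actually recorded.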
@@ -19490,6 +19500,7 @@ CVE-2019-5437 (Information exposure through the directory listing in npm's harp
CVE-2019-5436 (A heap buffer overflow in the TFTP receiving code allows for DoS or ar ...)
{DLA-1804-1}
- curl 7.64.0-4 (bug #929351)
+ [stretch] - curl <postponed> (Minor issue, can be fixed along in next DSA)
NOTE: https://curl.haxx.se/docs/CVE-2019-5436.html
NOTE: Introduced by: https://github.com/curl/curl/commit/0516ce7786e95
NOTE: Fixed by: https://github.com/curl/curl/commit/2576003415625d7b5f0e390902f8097830b82275
@@ -52299,6 +52310,7 @@ CVE-2018-12585 (An XXE vulnerability in the OPC UA Java and .NET Legacy Stack ca
CVE-2018-12584 (The ConnectionBase::preparseNewBytes function in resip/stack/Connectio ...)
{DLA-1439-1}
- resiprocate <removed> (bug #905495)
+ [stretch] - resiprocate <no-dsa> (Minor issue)
NOTE: http://joachimdezutter.webredirect.org/advisory.html
NOTE: https://github.com/resiprocate/resiprocate/commit/2cb291191c93c7c4e371e22cb89805a5b31d6608
CVE-2018-12583 (An issue was discovered in AKCMS 6.1. CSRF can delete an article via a ...)
@@ -84488,6 +84500,7 @@ CVE-2017-17460
RESERVED
CVE-2018-1340 (Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage ...)
- guacamole-client <unfixed> (bug #920796)
+ [stretch] - guacamole-client <no-dsa> (Minor issue)
[jessie] - guacamole-client <not-affected> (Vulnerable code not present)
- guacamole <removed>
NOTE: https://www.openwall.com/lists/oss-security/2019/01/24/2
=====================================
data/dsa-needed.txt
=====================================
@@ -26,6 +26,8 @@ glusterfs
--
graphicsmagick
--
+jruby
+--
koji
--
libidn
@@ -44,10 +46,14 @@ nss
--
php-horde-form (carnil)
--
+poppler
+--
python2.7 (jmm)
--
python3.5 (jmm)
--
+rdesktop
+--
simplesamlphp
--
smarty3
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/09092fee5bde84a53feec4eaaeb1e5c98166a71f