[Git][security-tracker-team/security-tracker][master] NFUs from external check

Moritz Muehlenhoff jmm at debian.org
Fri Jun 21 16:00:12 BST 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
197a83a5 by Moritz Muehlenhoff at 2019-06-21T14:58:49Z
NFUs from external check
revert some libsass entries to <undetermined>, not really actionable at this
  point, these are all for 2017 fuzzer reports which were never upstreamed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -3620,11 +3620,14 @@ CVE-2019-11470 (The cineon parsing component in ImageMagick 7.0.8-26 Q16 allows
 	NOTE: https://github.com/ImageMagick/ImageMagick/issues/1472
 	NOTE: https://github.com/ImageMagick/ImageMagick6/commit/a0473b29add9521ffd4c74f6f623b418811762b0
 CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service (uncontrol ...)
-	- libsass <unfixed>
+	- libsass <unfixed> (low)
+	[buster] - libsass <no-dsa> (Minor issue)
+	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/2671
 	NOTE: Possibly introduced after https://github.com/sass/libsass/commit/25c9b4952f5838b615da996035453967d0420f57 (3.4.7)
 CVE-2018-20821 (The parsing component in LibSass through 3.5.5 allows attackers to cau ...)
-	- libsass <unfixed>
+	- libsass <unfixed> (low)
+	[buster] - libsass <no-dsa> (Minor issue)
 	[stretch] - libsass <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/sass/libsass/issues/2658
 	NOTE: Introduced by: https://github.com/sass/libsass/commit/efd97dae376de50b3e6ed724337c4f274a21491d (3.5.0)
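Review bot: the new `[stretch] - libsass <no-dsa> (Minor issue)` line under CVE-2018-20822 sits next to a NOTE that says the bug was "Possibly introduced after ... (3.4.7)"; if the stretch package predates that commit the entry should be `<not-affected> (Vulnerable code introduced later)`, exactly as stretch is already handled under CVE-2018-20821 in this same hunk, so confirm the stretch version before committing to no-dsa. The "Possibly" in the NOTE should also be resolved to a definite introducing commit or dropped.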
@@ -6824,6 +6827,7 @@ CVE-2019-10172
 	RESERVED
 CVE-2019-10171
 	RESERVED
+	- 389-ds-base <not-affected> (Incomplete RHEL backport)
 CVE-2019-10170
 	RESERVED
 CVE-2019-10169
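Review bot: the `389-ds-base <not-affected> (Incomplete RHEL backport)` line under CVE-2019-10171 comes with no NOTE reference while the CVE is still RESERVED, so nothing in the tracker lets a later reader re-check the claim once the ID is published; add a NOTE pointing at the bug or advisory that documents the RHEL-only backport, as the neighbouring entries do for their sources.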
@@ -6981,6 +6985,7 @@ CVE-2019-10136
 	RESERVED
 CVE-2019-10135
 	RESERVED
+	NOTE: OpenShift Build Service client
 CVE-2019-10134
 	RESERVED
 CVE-2019-10133
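Review bot: CVE-2019-10135 gets only `NOTE: OpenShift Build Service client` and no triage state, so the entry still reads as untriaged; given the commit title ("NFUs from external check"), if the software is not packaged in Debian the entry should carry a `NOT-FOR-US:` line (as `NOT-FOR-US: Apache2Triad` does further down in this patch), keeping the NOTE as supporting detail.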
@@ -30532,7 +30537,8 @@ CVE-2018-19839 (In LibSass prior to 3.5.5, the function handle_error in sass_con
 	NOTE: https://github.com/sass/libsass/issues/2657
 	NOTE: https://github.com/sass/libsass/pull/2767
 CVE-2018-19838 (In LibSass prior to 3.5.5, functions inside ast.cpp for IMPLEMENT_AST_ ...)
-	- libsass <unfixed>
+	- libsass <unfixed> (low)
+	[buster] - libsass <no-dsa> (Minor issue)
 	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/2660
 CVE-2018-19837 (In LibSass prior to 3.5.5, Sass::Eval::operator()(Sass::Binary_Express ...)
@@ -30563,9 +30569,8 @@ CVE-2018-19827 (In LibSass 3.5.5, a use-after-free vulnerability exists in the S
 	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/2782
 CVE-2018-19826 (** DISPUTED ** In inspect.cpp in LibSass 3.5.5, a high memory footprin ...)
-	- libsass <unfixed>
-	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/2781
+	NOTE: Per libsass upstream this is not a security issues, but works as designed
 CVE-2018-19825
 	RESERVED
 CVE-2018-19824 (In the Linux kernel through 4.19.6, a local user could exploit a use-a ...)
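Review bot: dropping both package lines for CVE-2018-19826 leaves the entry with no package state at all, so libsass is no longer associated with the CVE and the tracker cannot show why it is closed; keep a line such as `- libsass <not-affected> (Works as designed per upstream)` alongside the new NOTE. The NOTE also has a typo: "not a security issues" should read "not a security issue".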
@@ -101166,18 +101171,15 @@ CVE-2017-12966 (The asn1f_lookup_symbol_impl function in asn1fix_retrieve.c in l
 CVE-2017-12965 (Session fixation vulnerability in Apache2Triad 1.5.4 allows remote att ...)
 	NOT-FOR-US: Apache2Triad
 CVE-2017-12964 (There is a stack consumption issue in LibSass 3.4.5 that is triggered  ...)
-	- libsass <unfixed> (low; bug #873034)
-	[stretch] - libsass <no-dsa> (Minor issue)
+	- libsass <undetermined> (low; bug #873034)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482397
 CVE-2017-12963 (There is an illegal address access in Sass::Eval::operator() in eval.c ...)
-	- libsass <unfixed> (low; bug #873034)
-	[stretch] - libsass <no-dsa> (Minor issue)
+	- libsass <undetermined> (low; bug #873034)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482335
 	NOTE: Similar issue to CVE-2017-11555 but for the issue which remains unfixed
 	NOTE: with the upstream patch for CVE-2017-11555.
 CVE-2017-12962 (There are memory leaks in LibSass 3.4.5 triggered by deeply nested cod ...)
-	- libsass <unfixed> (low; bug #873034)
-	[stretch] - libsass <no-dsa> (Minor issue)
+	- libsass <undetermined> (low; bug #873034)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482331
 CVE-2017-12961 (There is an assertion abort in the function parse_attributes() in data ...)
 	- pspp 1.0.1-1 (unimportant)
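Review bot: CVE-2017-12963 is reverted to `<undetermined>` together with CVE-2017-12964 and CVE-2017-12962, but its own NOTE describes it as the part of CVE-2017-11555 that "remains unfixed with the upstream patch for CVE-2017-11555", i.e. a known residual of a fixed issue rather than an unreviewed fuzzer report; that is more actionable than the other two, so either keep it at `<unfixed>` or add a NOTE recording why it is no longer considered determinable. Removing the `[stretch] - libsass <no-dsa>` lines also makes stretch inherit `<undetermined>`, which matches the commit message but should be a deliberate choice.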
@@ -105657,8 +105659,7 @@ CVE-2017-11607
 CVE-2017-11606
 	RESERVED
 CVE-2017-11605 (There is a heap based buffer over-read in LibSass 3.4.5, related to ad ...)
-	- libsass <unfixed> (bug #870184)
-	[stretch] - libsass <no-dsa> (Minor issue)
+	- libsass <undetermined> (bug #870184)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1474019
 CVE-2017-11604
 	RESERVED
@@ -106471,12 +106472,10 @@ CVE-2017-11343 (Due to an incomplete fix for CVE-2012-6125, all versions of CHIC
 	[wheezy] - chicken <no-dsa> (Minor issue)
 	NOTE: http://lists.nongnu.org/archive/html/chicken-announce/2017-07/msg00000.html
 CVE-2017-11342 (There is an illegal address access in ast.cpp of LibSass 3.4.5. A craf ...)
-	- libsass <unfixed> (bug #868577)
-	[stretch] - libsass <no-dsa> (Minor issue)
+	- libsass <undetermined> (bug #868577)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470722
 CVE-2017-11341 (There is a heap based buffer over-read in lexer.hpp of LibSass 3.4.5.  ...)
-	- libsass <unfixed> (bug #868577)
-	[stretch] - libsass <no-dsa> (Minor issue)
+	- libsass <undetermined> (bug #868577)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470714
 CVE-2017-11340 (There is a Segmentation fault in the XmpParser::terminate() function i ...)
 	[experimental] - exiv2 <unfixed> (low; bug #868578)
@@ -108446,8 +108445,7 @@ CVE-2017-10688 (In LibTIFF 4.0.8, there is a assertion abort in the TIFFWriteDir
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2712
 	NOTE: Fixed by: https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
 CVE-2017-10687 (In LibSass 3.4.5, there is a heap-based buffer over-read in the functi ...)
-	- libsass <unfixed> (low; bug #866672)
-	[stretch] - libsass <no-dsa> (Minor issue)
+	- libsass <undetermined> (low; bug #866672)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1466411
 CVE-2017-10686 (In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after ...)
 	{DLA-1041-1}
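Review bot: CVE-2017-10687, like the other 2017 libsass entries reverted in this patch, references only a Red Hat bugzilla, and the reason for `<undetermined>` ("never upstreamed") lives only in the commit message; add a NOTE stating that no upstream issue exists so the state is explainable from data/CVE/list itself and the entries can be revisited if an upstream report does appear.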



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/197a83a5d6500207287e3eb02f16ad17e9f721bd
