[Git][security-tracker-team/security-tracker][master] stretch triage

Moritz Muehlenhoff jmm at debian.org
Fri Mar 1 19:07:49 GMT 2019


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e2f24f90 by Moritz Muehlenhoff at 2019-03-01T19:07:14Z
stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -558,10 +558,12 @@ CVE-2019-9211 (There is a reachable assertion abort in the function ...)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1683499
 	NOTE: Crash in CLI tool, no security impact
 CVE-2019-9210 (In AdvanceCOMP 2.1, png_compress in pngex.cc in advpng has an integer ...)
-	- advancecomp <unfixed> (bug #923416)
+	- advancecomp <unfixed> (low; bug #923416)
+	[stretch] - advancecomp <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/advancemame/bugs/277/
 CVE-2018-20797 (An issue was discovered in PoDoFo 0.9.6. There is an attempted ...)
-	- libpodofo <unfixed> (bug #923415)
+	- libpodofo <unfixed> (low; bug #923415)
+	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/podofo/tickets/34/
 CVE-2019-9209 (In Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6, the ASN.1 BER and ...)
@@ -663,6 +665,7 @@ CVE-2019-9170
 	RESERVED
 CVE-2019-9169 (In the GNU C Library (aka glibc or libc6) through 2.29, ...)
 	- glibc <unfixed>
+	[stretch] - glibc <no-dsa> (Minor issue)
 	- eglibc <removed>
 	NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34140
 	NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34142
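Review bot: the unstable line `- glibc <unfixed>` for CVE-2019-9169 carries no severity tag, while the other entries triaged in this commit (advancecomp, libpodofo, bind9) get `(low; ...)` alongside their `[stretch] ... <no-dsa> (Minor issue)` line. If the issue is minor enough for no-dsa in stretch, recording `(low)` or `(unimportant)` on the unstable line keeps the two statements consistent and lets the tracker's severity views pick it up.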
@@ -697,14 +700,16 @@ CVE-2019-9192 (** DISPUTED ** In the GNU C Library (aka glibc or libc6) through
 	- eglibc <removed> (unimportant)
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24269
 CVE-2018-20796 (In the GNU C Library (aka glibc or libc6) through 2.29, ...)
-	- glibc <unfixed>
-	- eglibc <removed>
+	- glibc <unfixed> (unimportant)
+	- eglibc <removed> (unimportant)
 	NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
 	NOTE: https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
+	NOTE: No treated as vulnerability: https://sourceware.org/glibc/wiki/Security%20Exceptions
 CVE-2009-5155 (In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp in ...)
 	[experimental] - gnulib 20180621~6979c25-1
 	- gnulib <unfixed>
 	- glibc 2.28-1
+	[stretch] - glibc <no-dsa> (Minor issue)
 	- eglibc <removed>
 	NOTE: http://git.savannah.gnu.org/cgit/gnulib.git/commit/?id=5513b40999149090987a0341c018d05d3eea1272
 	NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=22793
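Review bot: the new NOTE line for CVE-2018-20796 has a typo: "No treated as vulnerability" should read "Not treated as a vulnerability", matching the glibc Security Exceptions page it links. Because both `- glibc <unfixed>` and `- eglibc <removed>` are downgraded to `(unimportant)` in the same hunk, this NOTE is the only place the reasoning for the downgrade is recorded, so its wording is what a later triager will rely on. Separately, CVE-2009-5155 gains `[stretch] - glibc <no-dsa> (Minor issue)` while `- gnulib <unfixed>` in the same entry gets no release annotation; if the gnulib source package ships in stretch it needs the same triage decision.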
@@ -6428,6 +6433,7 @@ CVE-2019-6707 (PHPSHE 1.7 has SQL injection via the admin.php?mod=product&ac
 	NOT-FOR-US: PHPSHE
 CVE-2019-6706 (Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For ...)
 	- lua5.3 <unfixed> (bug #920321)
+	[stretch] - lua5.3 <postponed> (Minor issue, revisit when fixed upstream)
 	- lua5.2 <not-affected> (Vulnerable code introduced later)
 	- lua5.1 <not-affected> (Vulnerable code introduced later)
 	- lua50 <not-affected> (Vulnerable code introduced later)
@@ -6991,7 +6997,8 @@ CVE-2019-6466
 CVE-2019-6465 [Zone transfer controls for writable DLZ zones were not effective]
 	RESERVED
 	{DLA-1697-1}
-	- bind9 1:9.11.5.P4+dfsg-1 (bug #922955)
+	- bind9 1:9.11.5.P4+dfsg-1 (low; bug #922955)
+	[stretch] - bind9 <postponed> (Can be fixed along in future DSA)
 	NOTE: https://kb.isc.org/docs/cve-2019-6465
 	NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/a9307de85e147f4756c75d15aa221d2262df7d67
 CVE-2019-6464
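Review bot: the new stretch line `[stretch] - bind9 <postponed> (Can be fixed along in future DSA)` defers CVE-2019-6465 to a future DSA, but bind9 is not among the packages added to data/dsa-needed.txt in this commit (only koji, trafficserver and wireshark are). Please confirm bind9 is already listed there, otherwise the postponed issue has no pending-DSA entry to be "fixed along" with. The same applies to the identical line added for CVE-2018-5745 further down. As a wording point, "fixed along in future DSA" reads better as "fixed along with a future DSA".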
@@ -14924,8 +14931,7 @@ CVE-2018-1000854 (esigate.org esigate version 5.2 and earlier contains a CWE-74:
 	NOT-FOR-US: esigate
 CVE-2018-1000852 (FreeRDP FreeRDP 2.0.0-rc3 released version before commit ...)
 	- freerdp2 2.0.0~git20181120.1.e21b72c95+dfsg1-1
-	- freerdp <removed>
-	[jessie] - freerdp <not-affected> (Vulnerable code not present)
+	- freerdp <not-affected> (Vulnerable code not present)
 	NOTE: https://github.com/FreeRDP/FreeRDP/issues/4866
 	NOTE: https://github.com/FreeRDP/FreeRDP/pull/4871
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/baee520e3dd9be6511c45a14c5f5e77784de1471
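Review bot: replacing `- freerdp <removed>` and the jessie-only `[jessie] - freerdp <not-affected> (Vulnerable code not present)` with a single suite-wide `- freerdp <not-affected> (Vulnerable code not present)` drops the record that the freerdp source package was removed from unstable. If the intent is that the old freerdp code base is unaffected in every release, the new line expresses that, but the `<removed>` state is lost; the alternative that keeps both facts is to leave `- freerdp <removed>` in place and add `[stretch] - freerdp <not-affected> (Vulnerable code not present)` next to the existing jessie line. Either way, a short NOTE explaining why stretch's freerdp is unaffected (the FreeRDP issue and pull request linked below were fixed in freerdp2) would help the next reader.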
@@ -44052,6 +44058,7 @@ CVE-2018-11784 (When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9
 CVE-2018-11783 [Apache Traffic Server vulnerability with sslheader plugin]
 	RESERVED
 	- trafficserver 8.0.2+ds-1
+	[stretch] - trafficserver <postponed> (Minor issue, experimental plugin, will be fixed along in next DSA)
 	NOTE: https://github.com/apache/trafficserver/pull/4701
 	NOTE: https://www.openwall.com/lists/oss-security/2019/02/13/6
 CVE-2018-11782
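Review bot: the rationale on the new line `[stretch] - trafficserver <postponed> (Minor issue, experimental plugin, will be fixed along in next DSA)` should read "fixed along with the next DSA". The cross-reference is consistent with this commit, which also adds trafficserver to data/dsa-needed.txt, but the dsa-needed entry has no note naming CVE-2018-11783 as the pending issue; recording it there links the two sides of the decision.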
@@ -61434,7 +61441,8 @@ CVE-2018-5746
 CVE-2018-5745 [An assertion failure can occur if a trust anchor rolls over to an unsupported key algorithm when using managed-keys]
 	RESERVED
 	{DLA-1697-1}
-	- bind9 1:9.11.5.P4+dfsg-1 (bug #922954)
+	- bind9 1:9.11.5.P4+dfsg-1 (low; bug #922954)
+	[stretch] - bind9 <postponed> (Can be fixed along in future DSA)
 	NOTE: https://kb.isc.org/docs/cve-2018-5745
 	NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/235a64a5a4c0143b183bd55f6ed756741d4d7880
 	NOTE: https://gitlab.isc.org/isc-projects/bind9/commit/38c2bdba0a5b785ef9f2da2329838b931754b3e4 (test)


=====================================
data/dsa-needed.txt
=====================================
@@ -22,6 +22,8 @@ glusterfs
 --
 graphicsmagick
 --
+koji
+--
 libidn
   santiago proposed debdiffs for jessie and stretch
 --
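Review bot: the new `koji` entry has no indented note, unlike the neighbouring `libidn` entry, and nothing in the data/CVE/list part of this commit touches koji, so a reader cannot tell which CVE or bug motivates the DSA. A one-line note with the issue identifier (or a pointer to who is preparing the update) would make the entry actionable.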
@@ -57,3 +59,8 @@ sox
 sssd
   Maintainer prepared an update and proposed debdiff, acked for upload, but update needs further testing before release.
 --
+trafficserver
+--
+wireshark
+  update to 2.6.7
+--
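Review bot: the `wireshark` entry's note "update to 2.6.7" is useful and lines up with CVE-2019-9209 (Wireshark 2.4.0 to 2.4.12 and 2.6.0 to 2.6.6) visible in the CVE list context above. The `trafficserver` entry added in the same hunk has no such note; since its stretch line in data/CVE/list says the fix for CVE-2018-11783 will ride along with the next DSA, naming that CVE here would keep the two files in step.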



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/e2f24f901e43684b2272da4e12221d4d943256c7
