[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff
jmm at debian.org
Mon Mar 11 21:59:30 GMT 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2a09b65c by Moritz Muehlenhoff at 2019-03-11T21:59:09Z
buster triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1987,6 +1987,7 @@ CVE-2019-8936 [Crafted null dereference attack in authenticated mode 6 packet]
CVE-2019-8934 [ppc64: sPAPR emulator leaks the host hardware identity]
RESERVED
- qemu <unfixed> (bug #922923)
+ [buster] - qemu <ignored> (Too intrusive to backport, marginal impact)
- qemu-kvm <removed>
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2019-02/msg04821.html
CVE-2019-8933 (In DedeCMS 5.7SP2, attackers can upload a .php file to the uploads/ ...)
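Review bot: the [buster] <ignored> rationale bundles two separate reasons (backport cost and marginal impact) while the unstable line still tracks the issue as <unfixed> via bug #922923 with only the qemu-devel thread in the NOTE; consider adding the upstream commit reference once it is merged, so the buster decision can be revisited if a later upstream release carries a smaller fix.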
@@ -3052,6 +3053,7 @@ CVE-2019-8414
RESERVED
CVE-2013-7469 (Seafile through 6.2.11 always uses the same Initialization Vector (IV) ...)
- seafile <unfixed> (bug #923009)
+ [buster] - seafile <ignored> (Minor issue)
NOTE: https://github.com/haiwen/seafile/issues/350
CVE-2019-8413 (On Xiaomi MIX 2 devices with the 4.4.78 kernel, a NULL pointer ...)
NOT-FOR-US: Xiaomi
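Review bot: the new [buster] line marks CVE-2013-7469 <ignored> with the rationale "Minor issue", whereas the other "Minor issue" triage in this commit (modsecurity-crs, bareos, quagga, php-gettext) uses <no-dsa>; since the unstable entry still carries bug #923009, <no-dsa> would leave room for a point-release fix unless a backport is known to be impractical, in which case the rationale should say so.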
@@ -14606,6 +14608,7 @@ CVE-2018-20594 (An issue was discovered in hsweb 3.0.4. It is a reflected XSS ..
NOT-FOR-US: hsweb
CVE-2018-20593 (In Mini-XML (aka mxml) v2.12, there is stack-based buffer overflow in ...)
- mxml <unfixed>
+ [buster] - mxml <ignored> (Minor issue)
[stretch] - mxml <ignored> (Minor issue)
[jessie] - mxml <no-dsa> (Minor issue, only affects the mxmldoc tool)
NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/so_mxmldoc.c:2971_1.txt
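Review bot: the [buster] rationale is the bare "Minor issue" while the [jessie] line records the actual reason ("only affects the mxmldoc tool"); carrying that detail into the buster line, together with the following NOTE that upstream removed the mxmldoc code entirely, would make the triage self-explanatory without reading down to the jessie entry.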
@@ -14616,6 +14619,7 @@ CVE-2018-20593 (In Mini-XML (aka mxml) v2.12, there is stack-based buffer overfl
NOTE: upstream tagged the issue with 'wontfix' and removed mxmldoc code completely
CVE-2018-20592 (In Mini-XML (aka mxml) v2.12, there is a use-after-free in the mxmlAdd ...)
- mxml <unfixed>
+ [buster] - mxml <ignored> (Minor issue)
[stretch] - mxml <ignored> (Minor issue)
[jessie] - mxml <no-dsa> (Minor issue, only affected the mxmldoc tool)
NOTE: https://github.com/ntu-sec/pocs/blob/master/mxml-53c75b0/crashes/uaf_mxml-node.c:128_1.txt
@@ -18398,7 +18402,8 @@ CVE-2018-20074
RESERVED
CVE-2018-20073 [chromium stores download meta data in extended attributes]
RESERVED
- - chromium <unfixed>
+ - chromium <unfixed> (low)
+ [buster] - chromium <postponed> (Wait until fixed upstream)
[stretch] - chromium <postponed> (Wait until fixed upstream)
CVE-2018-20072
RESERVED
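Review bot: both added lines depend on an upstream fix that does not exist yet (the (low) severity on the unstable line and <postponed> "Wait until fixed upstream" for buster), but the entry has only a bracketed placeholder description and RESERVED status with no NOTE; a NOTE with the upstream bug or tracking URL would let the postponed state be cleared when the fix lands.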
@@ -32866,6 +32871,7 @@ CVE-2018-16385 (ThinkPHP before 5.1.23 allows SQL Injection via the ...)
NOT-FOR-US: ThinkPHP
CVE-2018-16384 (A SQL injection bypass (aka PL1 bypass) exists in OWASP ModSecurity ...)
- modsecurity-crs <unfixed> (low)
+ [buster] - modsecurity-crs <no-dsa> (Minor issue)
[stretch] - modsecurity-crs <no-dsa> (Minor issue)
[jessie] - modsecurity-crs <no-dsa> (Minor issue)
NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1167
@@ -86595,6 +86601,7 @@ CVE-2017-14611 (SSRF (Server Side Request Forgery) in Cockpit 0.13.0 allows remo
NOT-FOR-US: Cockpit CMS (different from src:cockpit)
CVE-2017-14610 (bareos-dir, bareos-fd, and bareos-sd in bareos-core in Bareos 16.2.6 ...)
- bareos <unfixed> (bug #877334)
+ [buster] - bareos <no-dsa> (Minor issue)
[stretch] - bareos <no-dsa> (Minor issue)
[jessie] - bareos <no-dsa> (Minor issue)
NOTE: https://bugs.bareos.org/view.php?id=847
@@ -121756,6 +121763,7 @@ CVE-2017-3225 (Das U-Boot is a device bootloader that can read its configuration
NOTE: Negligible security impact
CVE-2017-3224 (Open Shortest Path First (OSPF) protocol implementations may ...)
- quagga <unfixed> (low; bug #871617)
+ [buster] - quagga <no-dsa> (Minor issue)
[stretch] - quagga <no-dsa> (Minor issue)
[jessie] - quagga <no-dsa> (Minor issue)
[wheezy] - quagga <no-dsa> (Minor issue)
@@ -140684,6 +140692,7 @@ CVE-2016-6185 (The XSLoader::load method in XSLoader in Perl does not properly l
- perl 5.22.2-2 (bug #829578)
CVE-2016-6175 (Eval injection vulnerability in php-gettext 1.0.12 and earlier allows ...)
- php-gettext <unfixed> (bug #851771)
+ [buster] - php-gettext <no-dsa> (Minor issue)
[stretch] - php-gettext <no-dsa> (Minor issue)
[jessie] - php-gettext <no-dsa> (Minor issue)
[wheezy] - php-gettext <no-dsa> (Minor issue)
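Review bot: the [buster] line classifies an eval injection as "Minor issue" for <no-dsa>, matching the older suites, but nothing in the entry records why the issue is minor here; a NOTE pointing at the analysis in bug #851771 or the upstream discussion would make the rating auditable.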
@@ -148156,7 +148165,8 @@ CVE-2016-3993 (Off-by-one error in the __imlib_MergeUpdate function in lib/updat
NOTE: https://git.enlightenment.org/legacy/imlib2.git/commit/?id=ce94edca1ccfbe314cb7cd9453433fad404ec7ef
NOTE: http://www.openwall.com/lists/oss-security/2016/04/09/5
CVE-2012-XXXX [Option -localhost seems to fail to restrict ipv6 access]
- - x11vnc <unfixed> (bug #672435)
+ - x11vnc <unfixed> (low; bug #672435)
+ [buster] - x11vnc <ignored> (Minor issue; workaround exits)
[stretch] - x11vnc <ignored> (Minor issue; workaround exits)
[jessie] - x11vnc <ignored> (Minor issue; workaround exits)
[wheezy] - x11vnc <ignored> (Minor issue; workaround exits)
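Review bot: the new [buster] line copies the typo "workaround exits" from the stretch/jessie/wheezy lines; it should read "workaround exists", and since the entry is being touched anyway, fixing all four lines in this commit would be cheap. The entry also still carries the CVE-2012-XXXX placeholder with bug #672435 as its only reference.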
@@ -185181,6 +185191,7 @@ CVE-2015-XXXX [Zoo directory traversal]
NOTE: CVE Request: https://marc.info/?l=oss-security&m=142024361327375&w=2
CVE-2015-XXXX [buffer over-read]
- arc <unfixed> (low; bug #774439)
+ [buster] - arc <ignored> (Minor issue)
[stretch] - arc <ignored> (Minor issue)
[jessie] - arc <ignored> (Minor issue)
[wheezy] - arc <no-dsa> (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2a09b65c1a055cdb4f19d78dc865e686ad0d9c95