[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Fri Mar 15 07:01:51 GMT 2019


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ed21bb0c by Moritz Muehlenhoff at 2019-03-15T07:01:14Z
buster triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -510,8 +510,9 @@ CVE-2019-9626 (PHPSHE 1.7 allows module/index/cart.php pintuan_id SQL Injection
 	NOT-FOR-US: PHPSHE
 CVE-2019-9625 (JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN URI to ...)
 	NOT-FOR-US: JBMC DirectAdmin
-CVE-2019-XXXX [high memory usage with long running sessions]
+CVE-2019-XXXX [high memory usage with some long running sessions]
 	- proftpd-dfsg 1.3.5d-1 (bug #923926)
+	[stretch] - proftpd-dfsg <no-dsa> (Minor issue)
 	NOTE: https://github.com/proftpd/proftpd/issues/330#issuecomment-276891713
 	NOTE: https://forum.armbian.com/topic/9692-nanopi-neo-2-memory-leak-in-proftpd-even-worse-if-ssl-encrypted/?do=findComment&comment=73069
 CVE-2019-9624 (Webmin 1.900 allows remote attackers to execute arbitrary code by ...)
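Review bot: the added `[stretch] - proftpd-dfsg <no-dsa> (Minor issue)` line is a stretch decision in a commit titled "buster triage", and its reason does not say what makes the memory growth minor. The description now reads "some long running sessions", but nothing in the entry says which sessions are affected; a NOTE summarising the triggering condition from the two linked threads would let the next triager check the no-dsa call without rereading them.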
@@ -46875,10 +46876,7 @@ CVE-2018-11206 (An out of bounds read was discovered in H5O_fill_new_decode and
 	[jessie] - hdf5 <no-dsa> (Minor issue)
 	[wheezy] - hdf5 <no-dsa> (Minor issue)
 CVE-2018-11205 (A out of bounds read was discovered in H5VM_memcpyvv in H5VM.c in the ...)
-	- hdf5 <unfixed> (low)
-	[stretch] - hdf5 <no-dsa> (Minor issue)
-	[jessie] - hdf5 <no-dsa> (Minor issue)
-	[wheezy] - hdf5 <no-dsa> (Minor issue)
+	- hdf5 <undetermined>
 CVE-2018-11204 (A NULL pointer dereference was discovered in H5O__chunk_deserialize in ...)
 	- hdf5 1.10.4+repack-1 (low)
 	[stretch] - hdf5 <no-dsa> (Minor issue)
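Review bot: replacing `- hdf5 <unfixed> (low)` and the three per-release `<no-dsa>` lines for CVE-2018-11205 with a bare `- hdf5 <undetermined>` discards the existing stretch/jessie/wheezy triage without any NOTE recording why the status is now in doubt. Add a NOTE saying what still has to be checked (for example whether the H5VM_memcpyvv read applies to the packaged version), and keep the release annotations if they still hold.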
@@ -68282,9 +68280,8 @@ CVE-2018-3631
 CVE-2018-3630 [Logic error in FV parsing in MdeModulePkg\Core\Pei\FwVol\FwVol.c]
 	RESERVED
 	- edk2 <unfixed> (unimportant)
-	[jessie] - edk2 <end-of-life> (non-free is not supported)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1683653
-	NOTE: No security impact
+	NOTE: Non issue, no security impact
 CVE-2018-3629 (Buffer overflow in event handler in Intel Active Management Technology ...)
 	NOT-FOR-US: Intel
 CVE-2018-3628 (Buffer overflow in HTTP handler in Intel Active Management Technology ...)
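Review bot: the removal of `[jessie] - edk2 <end-of-life> (non-free is not supported)` is not explained by the commit message or by the reworded NOTE. If it was dropped because the `(unimportant)` rating on the unstable line makes it redundant, that is fine, but the new `NOTE: Non issue, no security impact` would be more useful with the reason in it; the Red Hat bug is linked but not summarised.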
@@ -72277,8 +72274,7 @@ CVE-2017-17690
 	RESERVED
 CVE-2017-17689 (The S/MIME specification allows a Cipher Block Chaining (CBC) ...)
 	- evolution <unfixed> (bug #898633; unimportant)
-	- kmail <unfixed> (bug #898634)
-	- kf5-messagelib <unfixed> (bug #899127)
+	- kf5-messagelib 4:18.08.1-1 (bug #899127)
 	[stretch] - kf5-messagelib <no-dsa> (Defaults to secure handling, change to disable it entirely can be fixed via spu)
 	- kdepim <removed> (bug #899128)
 	[stretch] - kdepim <no-dsa> (Defaults to secure handling, change to disable it entirely can be fixed via spu)
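Review bot: `- kf5-messagelib 4:18.08.1-1 (bug #899127)` marks the issue fixed, but nothing visible in this hunk identifies the change that version carries. Since the stretch line describes the remedy as a "change to disable it entirely", a NOTE pointing at the upstream commit or changelog entry for that change would justify the fixed version.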
@@ -72287,6 +72283,7 @@ CVE-2017-17689 (The S/MIME specification allows a Cipher Block Chaining (CBC) ..
 	NOTE: https://bugzilla.gnome.org/show_bug.cgi?id=796135
 	NOTE: https://dot.kde.org/2018/05/15/efail-and-kmail
 	NOTE: protocol vulnerability can't be fixed in implementations but they can prevent exploitation by disabling loading of remote content
+	NOTE: kmail bug is #898634, but src:kmail is not affected, the code in question is in kf5-messagelib
 CVE-2017-17688 (** DISPUTED ** The OpenPGP specification allows a Cipher Feedback Mode ...)
 	- enigmail 2:2.0.6.1-4 (bug #898630)
 	[jessie] - enigmail <end-of-life> (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html)
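Review bot: with `- kmail <unfixed> (bug #898634)` removed in the previous hunk, bug #898634 now exists only in this free-text NOTE and kmail has no package line in the entry. If the aim is to record that src:kmail was checked and found unaffected, a `- kmail <not-affected>` line carrying the same reason would keep that in the structured data; otherwise the NOTE is fine as is.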
@@ -74837,7 +74834,8 @@ CVE-2017-17508 (In HDF5 1.10.1, there is a divide-by-zero vulnerability in the f
 	NOTE: POC: https://github.com/xiaoqx/pocs/blob/master/hdf5/1-hdf5-divbyzero-H5T_set_loc
 	NOTE: https://github.com/xiaoqx/pocs/blob/master/hdf5/readme.md
 CVE-2017-17507 (In HDF5 1.10.1, there is an out of bounds read vulnerability in the ...)
-	- hdf5 <unfixed> (bug #915807)
+	- hdf5 <unfixed> (low; bug #915807)
+	[buster] - hdf5 <no-dsa> (Minor issue, requires ABI change)
 	[stretch] - hdf5 <no-dsa> (Minor issue)
 	[jessie] - hdf5 <no-dsa> (Minor issue)
 	[wheezy] - hdf5 <no-dsa> (Minor issue)
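Review bot: the new `[buster]` reason says "Minor issue, requires ABI change" while the stretch, jessie and wheezy lines directly below keep plain "Minor issue", and nothing visible in this hunk identifies the fix that needs the ABI change. If the ABI constraint applies to the older releases too, align the reasons; either way a NOTE referencing the upstream fix would back the claim.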
@@ -75992,10 +75990,12 @@ CVE-2018-1100 (zsh through version 5.4.2 is vulnerable to a stack-based buffer .
 	NOTE: https://sourceforge.net/p/zsh/code/ci/31f72205630687c1cef89347863aab355296a27f/
 CVE-2018-1099 (DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An ...)
 	- etcd <unfixed> (low; bug #921156)
+	[buster] - etcd <no-dsa> (Minor issue)
 	NOTE: https://github.com/coreos/etcd/issues/9353
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1552717
 CVE-2018-1098 (A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. ...)
 	- etcd <unfixed> (low; bug #921156)
+	[buster] - etcd <no-dsa> (Minor issue)
 	NOTE: https://github.com/coreos/etcd/issues/9353
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1552714
 CVE-2018-1097 (A flaw was found in foreman before 1.16.1. The issue allows users with ...)
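Review bot: both new `[buster] - etcd <no-dsa> (Minor issue)` lines give the same generic reason for two different flaws (DNS rebinding in CVE-2018-1099, CSRF in CVE-2018-1098), and neither entry has a NOTE explaining why they are minor. A short reason in the parentheses or one NOTE per entry would make the decision reviewable.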
@@ -94373,9 +94373,10 @@ CVE-2017-12171 (A regression was found in the Red Hat Enterprise Linux 6.9 versi
 CVE-2017-12170 (Downstream version 1.0.46-1 of pure-ftpd as shipped in Fedora was ...)
 	- pure-ftpd <not-affected> (Fedora specific packaging error)
 CVE-2017-12169 (It was found that FreeIPA 4.2.0 and later could disclose password ...)
-	- freeipa <unfixed> (low; bug #895950)
+	- freeipa <unfixed> (unimportant; bug #895950)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1487697
 	NOTE: Proposed patch: https://bugzilla.redhat.com/attachment.cgi?id=1331008
+	NOTE: Negligible security impact
 CVE-2017-12168 (The access_pmu_evcntr function in arch/arm64/kvm/sys_regs.c in the ...)
 	- linux 4.8.11-1
 	[jessie] - linux <not-affected> (Vulnerable code not present)
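Review bot: the downgrade of CVE-2017-12169 from `low` to `unimportant` rests on the one-line `NOTE: Negligible security impact`, while the CVE description says FreeIPA "could disclose password ..." and a proposed patch is linked. State in the NOTE why the disclosure is negligible (who can see it, under what configuration) so the rating can be checked against the Red Hat bug.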
@@ -170830,8 +170831,9 @@ CVE-2015-5180 (res_query in libresolv in glibc before 2.25 allows remote attacke
 	NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=18784
 	NOTE: Originally proposed for jessie 8.8, but breaks the NSS ABI so was retracted
 CVE-2015-5179 (FreeIPA might display user data improperly via vectors involving ...)
-	- freeipa <unfixed> (bug #795399)
+	- freeipa <unfixed> (unimportant; bug #795399)
 	NOTE: https://fedorahosted.org/freeipa/ticket/5153
+	NOTE: Negligible security impact
 CVE-2015-5178 (The Management Console in Red Hat Enterprise Application Platform ...)
 	NOT-FOR-US: JBoss EAP
 CVE-2015-5177 (Double free vulnerability in the SLPDKnownDAAdd function in ...)
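Review bot: `NOTE: Negligible security impact` is the only justification for adding `unimportant` to CVE-2015-5179, and the linked fedorahosted ticket is not summarised. One sentence on why the improper display of user data has no impact here would document the rating.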



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/ed21bb0c20a2272745fb959f4c1da58a44ce32e7
