[Git][security-tracker-team/security-tracker][master] stretch triage
Moritz Muehlenhoff
jmm at debian.org
Wed Mar 20 21:43:59 GMT 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
448cc3d0 by Moritz Muehlenhoff at 2019-03-20T21:43:12Z
stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -753,7 +753,8 @@ CVE-2018-20808 (An XSS issue has been found with rd.cgi in Pulse Secure Pulse Co
CVE-2018-20807 (An XSS issue has been found in welcome.cgi in Pulse Secure Pulse Conne ...)
NOT-FOR-US: Pulse Secure Pulse Connect Secure
CVE-2018-20806 (Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the ...)
- - phamm <unfixed> (bug #924731)
+ - phamm <unfixed> (low; bug #924731)
+ [stretch] - phamm <no-dsa> (Minor issue)
NOTE: https://github.com/lota/phamm/issues/24
CVE-2019-9839
RESERVED
@@ -1016,16 +1017,19 @@ CVE-2019-9753
CVE-2019-9752 (An issue was discovered in Open Ticket Request System (OTRS) 5.x befor ...)
{DLA-1721-1}
- otrs2 6.0.16-1
+ [stretch] - otrs2 <no-dsa> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2019-01-security-update-for-otrs-framework/
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/341c4096222819a108feb02256aba878943bf810
NOTE: OTRS 5: https://github.com/OTRS/otrs/commit/d4e3dfbaa054762b29df54705aa412685dd37e15
CVE-2019-9751 (An issue was discovered in Open Ticket Request System (OTRS) 6.x befor ...)
- otrs2 6.0.17-1
+ [stretch] - otrs2 <no-dsa> (Non-free not supported)
[jessie] - otrs2 <not-affected> (Vulnerable code not present)
NOTE: https://community.otrs.com/security-advisory-2019-02-security-update-for-otrs-framework
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/1afb2b995e59551b927c2105e234e8b87efcc37a
CVE-2018-20800 (An issue was discovered in Open Ticket Request System (OTRS) 5.0.31 an ...)
- otrs2 6.0.14-1
+ [stretch] - otrs2 <no-dsa> (Non-free not supported)
[jessie] - otrs2 <not-affected> (Vulnerable code not present)
NOTE: https://community.otrs.com/security-advisory-2018-10-security-update-for-otrs-framework/
NOTE: OTRS 6: https://github.com/OTRS/otrs/commit/8d17d58029efbb0bba25c4208e09e2d320eeb0c3
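Review bot: The new `[stretch] - otrs2 <no-dsa> (Non-free not supported)` line for CVE-2019-9752 sits directly under `{DLA-1721-1}`, i.e. jessie did receive an update for the same issue, so the stretch entry reads as inconsistent without context. Suggest extending the rationale to say why stretch differs (for example that otrs2 is in non-free for stretch only), so a later reader does not mistake the no-dsa for an oversight; the same applies to the CVE-2019-9751 and CVE-2018-20800 lines in this hunk.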
@@ -1055,7 +1059,9 @@ CVE-2019-9741 (An issue was discovered in net/http in Go 1.11.5. CRLF injection
- golang-1.12 1.12-1
- golang-1.11 1.11.6-1 (bug #924630)
- golang-1.8 <removed>
+ [stretch] - golang-1.8 <postponed> (Minor issue, can be fixed along in future DSA)
- golang-1.7 <removed>
+ [stretch] - golang-1.7 <postponed> (Minor issue, can be fixed along in future DSA)
- golang <removed>
NOTE: https://github.com/golang/go/issues/30794
NOTE: https://github.com/golang/go/commit/829c5df58694b3345cb5ea41206783c8ccf5c3ca#diff-b97af51863ce82bf2a13003b52034aa9
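Review bot: golang-1.8 and golang-1.7 each get a `[stretch] <postponed>` line, but the `- golang <removed>` line just below them gets none. If src:golang is also shipped in stretch it needs the same triage annotation; if it is not, a short NOTE saying so would make the omission deliberate rather than a gap.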
@@ -1109,13 +1115,15 @@ CVE-2019-9722
RESERVED
CVE-2019-9721 (A denial of service in the subtitle decoder in FFmpeg 4.1 allows attac ...)
- ffmpeg <unfixed>
+ [stretch] - ffmpeg <not-affected> (Vulnerable code not present)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc4838dedc3932e65
CVE-2019-9720
RESERVED
CVE-2019-9719
RESERVED
CVE-2019-9718 (In FFmpeg 4.1, a denial of service in the subtitle decoder allows atta ...)
- - ffmpeg <unfixed>
+ - ffmpeg <unfixed> (low)
+ [stretch] - ffmpeg <postponed> (Wait until fixed in 3.2.x release)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1f00c97bc3475c477f3c468cf2d924d5761d0982
CVE-2019-9717
RESERVED
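Review bot: Severity is set to `(low)` for CVE-2019-9718 but the unstable line for CVE-2019-9721 (`- ffmpeg <unfixed>`) is left without one, although both are denial-of-service issues in the same subtitle decoder. Either add `(low)` to the CVE-2019-9721 line as well or record why the two are rated differently; the `<not-affected>` stretch line for 9721 is fine since it is justified by "Vulnerable code not present".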
@@ -1185,6 +1193,7 @@ CVE-2019-9688 (sftnow through 2018-12-29 allows index.php?g=Admin&m=User&
NOT-FOR-US: sftnow
CVE-2019-9687 (PoDoFo 0.9.6 has a heap-based buffer overflow in PdfString::ConvertUTF ...)
- libpodofo <unfixed> (bug #924430)
+ [stretch] - libpodofo <no-dsa> (Minor issue)
NOTE: https://sourceforge.net/p/podofo/code/1969
CVE-2019-9686 (pacman before 5.1.3 allows directory traversal when installing a remot ...)
NOT-FOR-US: pacman package manager for arch, different from src:pacman
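Review bot: The libpodofo entry for CVE-2019-9687 receives a `[stretch] <no-dsa> (Minor issue)` line, but unlike the phamm, libmatio and libu2f-host entries in this commit the unstable line `- libpodofo <unfixed> (bug #924430)` is not given a severity marker. For a heap-based buffer overflow a recorded severity (and the reasoning behind "Minor issue") is worth a line, so the no-dsa decision can be revisited if exposure turns out to be wider than assumed.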
@@ -1255,8 +1264,9 @@ CVE-2019-9658 (Checkstyle before 8.18 loads external DTDs by default. ...)
CVE-2019-9657
RESERVED
CVE-2019-9656 (An issue was discovered in LibOFX 0.9.14. There is a NULL pointer dere ...)
- - libofx <unfixed> (bug #924350)
+ - libofx <unfixed> (unimportant; bug #924350)
NOTE: https://github.com/libofx/libofx/issues/22
+ NOTE: Negligible security impact
CVE-2019-9655
RESERVED
CVE-2019-9654
@@ -1365,6 +1375,7 @@ CVE-2019-9638 (An issue was discovered in the EXIF component in PHP before 7.1.2
CVE-2019-9633 (gio/gsocketclient.c in GNOME GLib 2.59.2 does not ensure that a parent ...)
[experimental] - glib2.0 2.59.2-1
- glib2.0 <unfixed> (bug #924344)
+ [stretch] - glib2.0 <no-dsa> (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glib/issues/1649
NOTE: https://gitlab.gnome.org/GNOME/glib/commit/d553d92d6e9f53cbe5a34166fcb919ba652c6a8e (2.59.2)
CVE-2019-9632 (ESAFENET CDG V3 and V5 has an arbitrary file download vulnerability vi ...)
@@ -1488,7 +1499,8 @@ CVE-2019-9580 (In st2web in StackStorm Web UI before 2.9.3 and 2.10.x before 2.1
CVE-2019-9579
RESERVED
CVE-2019-9578 (In devs.c in Yubico libu2f-host before 1.1.8, the response to init is ...)
- - libu2f-host 1.1.9-1 (bug #923874)
+ - libu2f-host 1.1.9-1 (low; bug #923874)
+ [stretch] - libu2f-host <no-dsa> (Minor issue)
NOTE: https://github.com/Yubico/libu2f-host/commit/e4bb58cc8b6202a421e65f8230217d8ae6e16eb5
CVE-2019-9577
RESERVED
@@ -2484,6 +2496,7 @@ CVE-2018-20796 (In the GNU C Library (aka glibc or libc6) through 2.29, check_ds
CVE-2009-5155 (In the GNU C Library (aka glibc or libc6) before 2.28, parse_reg_exp i ...)
[experimental] - gnulib 20180621~6979c25-1
- gnulib 20140202+stable-3.2 (bug #924613)
+ [stretch] - gnulib <no-dsa> (Minor issue)
- glibc 2.28-1
[stretch] - glibc <no-dsa> (Minor issue)
[jessie] - glibc <no-dsa> (Minor issue)
@@ -2807,69 +2820,82 @@ CVE-2019-9040 (S-CMS PHP v3.0 has a CSRF vulnerability to add a new admin user v
CVE-2019-9039
RESERVED
CVE-2019-9038 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9037 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9036 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
NOTE: Not completely fixed with the initial two commits, cf.
NOTE: https://github.com/tbeu/matio/issues/103#issuecomment-472020538 ff
CVE-2019-9035 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9034 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9033 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9032 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9031 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9030 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9029 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9028 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9027 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
CVE-2019-9026 (An issue was discovered in libmatio.a in matio (aka MAT File I/O Libra ...)
- - libmatio <unfixed> (bug #924185)
+ - libmatio <unfixed> (low; bug #924185)
+ [stretch] - libmatio <no-dsa> (Minor issue)
NOTE: https://github.com/tbeu/matio/issues/103
NOTE: https://github.com/tbeu/matio/commit/a0539135c9b1ab7613aa7953279da9224da88775
NOTE: https://github.com/tbeu/matio/commit/2c20d2178017b3eb13ab160cef239648f9915bdb
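Review bot: All twelve libmatio entries (CVE-2019-9026 through CVE-2019-9038) are triaged identically as `(low)` plus `[stretch] <no-dsa> (Minor issue)`, which is consistent, but only CVE-2019-9036 carries the NOTE that the two referenced commits do not fully fix the issue (`issues/103#issuecomment-472020538 ff`). If that follow-up also affects the sibling CVEs, the same NOTE should be added to them so that a fixed version is not recorded prematurely once the two commits land in a release.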
@@ -5642,10 +5668,12 @@ CVE-2019-7735
CVE-2019-7734
RESERVED
CVE-2019-7733 (In Live555 0.95, there is a buffer overflow via a large integer in a C ...)
- - liblivemedia <unfixed>
+ - liblivemedia <unfixed> (low)
+ [stretch] - liblivemedia <no-dsa> (Minor issue)
NOTE: https://github.com/rgaufman/live555/issues/21
CVE-2019-7732 (In Live555 0.95, a setup packet can cause a memory leak leading to DoS ...)
- - liblivemedia <unfixed>
+ - liblivemedia <unfixed> (low)
+ [stretch] - liblivemedia <no-dsa> (Minor issue)
NOTE: https://github.com/rgaufman/live555/issues/20
CVE-2019-7731 (MyWebSQL 3.7 has a remote code execution (RCE) vulnerability after an ...)
NOT-FOR-US: MyWebSQL
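Review bot: CVE-2019-7733 is described as a buffer overflow and CVE-2019-7732 as a memory leak leading to DoS, yet both liblivemedia lines get `(low)` and `[stretch] <no-dsa> (Minor issue)` with no rationale beyond the upstream issue links. A one-line NOTE with the reasoning, as done for libofx ("Negligible security impact") earlier in this commit, would let a later reviewer distinguish a considered decision from a default.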
@@ -5875,7 +5903,8 @@ CVE-2019-7650
RESERVED
CVE-2019-7653 (The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CL ...)
{DLA-1717-1}
- - rdflib 4.2.2-2 (bug #921751)
+ - rdflib 4.2.2-2 (low; bug #921751)
+ [stretch] - rdflib <no-dsa> (Minor issue)
NOTE: Debian specific issue as respective scripts are overwritten in Debian
NOTE: packaging as wrappers invoking python -m.
CVE-2019-7649 (global.encryptPassword in bootstrap/global.js in CMSWing 1.3.7 relies ...)
@@ -21942,7 +21971,7 @@ CVE-2018-19873 (An issue was discovered in Qt before 5.11.3. QBmpHandler has a b
NOTE: https://github.com/qt/qtbase/commit/621ab8ab59901cc3f9bd98be709929c9eac997a8
CVE-2018-19872 (An issue was discovered in Qt 5.11. A malformed PPM image causes a div ...)
- qtbase-opensource-src 5.11.2+dfsg-3 (low)
- [stretch] - qtimageformats-opensource-src <no-dsa> (Minor issue)
+ [stretch] - qtbase-opensource-src <no-dsa> (Minor issue)
NOTE: https://bugreports.qt.io/browse/QTBUG-69449
TODO: check if affects qt4-x11 as well
CVE-2018-19871 (An issue was discovered in Qt before 5.11.3. There is QTgaFile Uncontr ...)
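Review bot: Correct fix: the previous `[stretch] - qtimageformats-opensource-src <no-dsa>` line named a different source package than the unstable line `- qtbase-opensource-src 5.11.2+dfsg-3 (low)` for CVE-2018-19872, so the stretch status was attached to the wrong package. The `TODO: check if affects qt4-x11 as well` remains open after this change and should stay until that check is done.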
@@ -26916,6 +26945,7 @@ CVE-2018-19121 (An issue has been found in libIEC61850 v1.3. It is a SEGV in Eth
CVE-2018-19141 (Open Ticket Request System (OTRS) 4.0.x before 4.0.33 and 5.0.x before ...)
{DLA-1592-1}
- otrs2 6.0.1-1
+ [stretch] - otrs2 <no-dsa> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2018-09-security-update-for-otrs-framework/
NOTE: Only the 4.x and 5.x series are affected (and possibly earlier versions).
NOTE: Add workaround and mark first 6.x version as fixing version
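Review bot: As with the CVE-2019-975x entries above, `[stretch] - otrs2 <no-dsa> (Non-free not supported)` is added here right under `{DLA-1592-1}`, so jessie was updated while stretch is declared unsupported; the existing NOTE "Only the 4.x and 5.x series are affected" also raises the question whether stretch's otrs2 is affected at all, which would make `<not-affected>` the more accurate marker than `<no-dsa>`. Suggest confirming the stretch version's series and recording the outcome in the rationale.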
@@ -26927,6 +26957,7 @@ CVE-2018-19142 (Open Ticket Request System (OTRS) 6.0.x before 6.0.13 allows an
CVE-2018-19143 (Open Ticket Request System (OTRS) 4.0.x before 4.0.33, 5.0.x before 5. ...)
{DLA-1592-1}
- otrs2 6.0.13-1
+ [stretch] - otrs2 <no-dsa> (Non-free not supported)
NOTE: https://community.otrs.com/security-advisory-2018-07-security-update-for-otrs-framework/
CVE-2018-19120 (The HTML thumbnailer plugin in KDE Applications before 18.12.0 allows ...)
- kio-extras 4:18.08.3-1 (bug #913595)
=====================================
data/dsa-needed.txt
=====================================
@@ -17,6 +17,8 @@ If needed, specify the release by adding a slash after the name of the source pa
--
drupal7
--
+evolution
+--
faad2
not yet fixed upstream
--
@@ -37,6 +39,8 @@ libidn
libpng1.6
wait for final patch
--
+libssh2
+--
linux
Wait until more issues have piled up
--
@@ -52,6 +56,8 @@ openjdk-8 (jmm)
--
passenger (carnil)
--
+pdns
+--
simplesamlphp
--
smarty3
@@ -66,3 +72,5 @@ wireshark
--
wordpress
--
+xen
+--
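Review bot: xen (like evolution, libssh2 and pdns in the earlier hunks) is added to dsa-needed as a bare entry with no claimant and no status line, whereas neighbouring entries carry one (`openjdk-8 (jmm)`, `passenger (carnil)`, `faad2` / `not yet fixed upstream`, `libpng1.6` / `wait for final patch`). Where the blocking state is already known, adding the status line now saves the next triager from re-deriving it.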
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/448cc3d08c01e2cec750d3c37946c3b7445b81fa