[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff
jmm at debian.org
Sat Mar 23 21:00:46 GMT 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7834dc81 by Moritz Muehlenhoff at 2019-03-23T21:00:11Z
buster triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -48839,13 +48839,15 @@ CVE-2018-10911 (A flaw was found in the way dic_unserialize function of glusterf
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1601657
NOTE: https://github.com/gluster/glusterfs/commit/cc3271ebf3aacdbbc77fdd527375af78ab12ea8d
CVE-2018-10910 (A bug in Bluez may allow for the Bluetooth Discoverable state being se ...)
- - bluez <unfixed>
+ - bluez <unfixed> (low)
+ [buster] - bluez <ignored> (Minor issue)
[stretch] - bluez <ignored> (Minor issue, does not affected Gnome Bluetooth in stretch)
[jessie] - bluez <no-dsa> (Minor issue because in gnome-bluetooth <= 3.26 the D-Bus calls were synchronous and thus the issue in bluez will have no actual affect)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1606203
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1602985
NOTE: Bug in src:bluez itself and would need fixing there, but it is workaroundable in
NOTE: gnome-bluetooth: https://gitlab.gnome.org/GNOME/gnome-bluetooth/commit/6b5086d42ea64d46277f3c93b43984f331d12f89
+ NOTE: workaround in gnome-bluetooth landed in 3.28.2
CVE-2018-10909
RESERVED
CVE-2018-10908 (It was found that vdsm before version 4.20.37 invokes qemu-img on untr ...)
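Review bot: the new `[buster] - bluez <ignored> (Minor issue)` line gives no reason why the unfixed bluez bug can be ignored in buster, while the stretch and jessie lines spell out the gnome-bluetooth dependency; since the added NOTE records that the gnome-bluetooth workaround landed in 3.28.2, consider carrying that into the buster annotation, e.g. `[buster] - bluez <ignored> (Minor issue, worked around in gnome-bluetooth >= 3.28.2)`. Two context lines also carry typos worth fixing in a follow-up: "does not affected Gnome Bluetooth" and "no actual affect" should read "does not affect" and "no actual effect".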
@@ -58667,7 +58669,7 @@ CVE-2018-1000079 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3
[wheezy] - ruby1.9.1 <no-dsa> (Minor issue, too intrusive to backport)
- rubygems <removed>
[wheezy] - rubygems <not-affected> (Vulnerable code not present)
- - jruby <unfixed> (bug #895778)
+ - jruby 9.1.17.0-1 (bug #895778)
[jessie] - jruby <not-affected> (Vulnerable code not present)
[wheezy] - jruby <not-affected> (Vulnerable code not present)
NOTE: https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759
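Review bot: switching `- jruby <unfixed> (bug #895778)` to `- jruby 9.1.17.0-1 (bug #895778)` records a fixed version without a NOTE saying how it was verified; the upstream rubygems commit f83f911e is referenced, but it would help to state whether 9.1.17.0-1 bundles a rubygems release containing that commit or whether the fix was cherry-picked, since the same version is applied to all five RubyGems CVEs touched in this commit. Also note the jessie line here is `<not-affected>` (Vulnerable code not present) whereas the other four jruby entries mark jessie `<end-of-life>` citing DSA-4219-1; that is consistent only if the vulnerable code really is absent from jessie's jruby for this particular CVE.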
@@ -58691,7 +58693,7 @@ CVE-2018-1000077 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3
- ruby2.1 <removed>
- ruby1.9.1 <removed>
- rubygems <removed>
- - jruby <unfixed> (bug #895778)
+ - jruby 9.1.17.0-1 (bug #895778)
[jessie] - jruby <end-of-life> (See DSA-4219-1)
NOTE: https://github.com/rubygems/rubygems/commit/feadefc2d351dcb95d6492f5ad17ebca546eb964
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
@@ -58702,7 +58704,7 @@ CVE-2018-1000076 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3
- ruby2.1 <removed>
- ruby1.9.1 <removed>
- rubygems <removed>
- - jruby <unfixed> (bug #895778)
+ - jruby 9.1.17.0-1 (bug #895778)
[jessie] - jruby <end-of-life> (See DSA-4219-1)
NOTE: https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
@@ -58713,7 +58715,7 @@ CVE-2018-1000075 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3
- ruby2.1 <removed>
- ruby1.9.1 <removed>
- rubygems <removed>
- - jruby <unfixed> (bug #895778)
+ - jruby 9.1.17.0-1 (bug #895778)
[jessie] - jruby <end-of-life> (See DSA-4219-1)
NOTE: https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
@@ -58726,7 +58728,7 @@ CVE-2018-1000074 (RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3
[wheezy] - ruby1.9.1 <no-dsa> (Minor issue, too intrusive to backport)
- rubygems <removed>
[wheezy] - rubygems <no-dsa> (Minor issue)
- - jruby <unfixed> (bug #895778)
+ - jruby 9.1.17.0-1 (bug #895778)
[jessie] - jruby <end-of-life> (See DSA-4219-1)
NOTE: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d
NOTE: https://www.ruby-lang.org/en/news/2018/02/17/multiple-vulnerabilities-in-rubygems/
@@ -121779,17 +121781,13 @@ CVE-2016-9921 (Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulato
NOTE: Fixed by: http://git.qemu.org/?p=qemu.git;a=commit;h=4299b90e9ba9ce5ca9024572804ba751aa1a7e70 (v2.8.0-rc3)
NOTE: CVE for the "'cirrus_get_bpp' returns zero(0), which could lead to a divide by zero" issue.
CVE-2016-9918 (In BlueZ 5.42, an out-of-bounds read was identified in "packet_hexdump ...)
- - bluez <unfixed> (bug #847837)
- [stretch] - bluez <no-dsa> (Minor issue)
- [jessie] - bluez <no-dsa> (Minor issue)
- [wheezy] - bluez <no-dsa> (Minor issue)
+ - bluez <unfixed> (unimportant; bug #847837)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68898.html
+ NOTE: Crash in btmon CLI tool, no security impact
CVE-2016-9917 (In BlueZ 5.42, a buffer overflow was observed in "read_n" function in ...)
- - bluez <unfixed> (bug #847837)
- [stretch] - bluez <no-dsa> (Minor issue)
- [jessie] - bluez <no-dsa> (Minor issue)
- [wheezy] - bluez <no-dsa> (Minor issue)
+ - bluez <unfixed> (unimportant; bug #847837)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
+ NOTE: Crash in hcidump CLI tool, no security impact
CVE-2016-9906
REJECTED
CVE-2016-9905 (A potentially exploitable crash in "EnumerateSubDocuments" while addin ...)
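Review bot: the downgrade to `(unimportant; bug #847837)` rests on the added NOTE "Crash in btmon CLI tool, no security impact", but the CVE text describes an out-of-bounds read (CVE-2016-9918) and a buffer overflow in read_n (CVE-2016-9917), and both btmon and hcidump parse HCI traffic or capture files that an attacker can influence; the note would be more defensible if it said why that is still not a security boundary (debugging tools run interactively by an administrator, not a daemon or a privileged service). Dropping the per-release `<no-dsa>` lines is consistent with an unimportant global tag, since those lines only matter when a fix is tracked per suite.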
@@ -130079,53 +130077,37 @@ CVE-2017-0381 (An information disclosure vulnerability in silk/NLSF_stabilize.c
NOTE: Fixed by: https://github.com/xiph/opus/commit/79e8f527b0344b0897a65be35e77f7885bd99409 (v1.2-alpha)
NOTE: https://git.xiph.org/?p=opus.git;a=commitdiff;h=70a3d641b
CVE-2016-9804 (In BlueZ 5.42, a buffer overflow was observed in "commands_dump" funct ...)
- - bluez <unfixed> (bug #847837)
- [stretch] - bluez <no-dsa> (Minor issue)
- [jessie] - bluez <no-dsa> (Minor issue)
- [wheezy] - bluez <no-dsa> (Minor issue)
+ - bluez <unfixed> (unimportant; bug #847837)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
+ NOTE: Crash in hcidump CLI tool, no security impact
CVE-2016-9803 (In BlueZ 5.42, an out-of-bounds read was observed in "le_meta_ev_dump" ...)
- - bluez <unfixed> (bug #847837)
- [stretch] - bluez <no-dsa> (Minor issue)
- [jessie] - bluez <no-dsa> (Minor issue)
- [wheezy] - bluez <no-dsa> (Minor issue)
+ - bluez <unfixed> (unimportant; bug #847837)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
+ NOTE: Crash in CLI tools, no security impact
CVE-2016-9802 (In BlueZ 5.42, a buffer over-read was identified in "l2cap_packet" fun ...)
- - bluez <unfixed> (bug #847837)
- [stretch] - bluez <no-dsa> (Minor issue)
- [jessie] - bluez <no-dsa> (Minor issue)
- [wheezy] - bluez <no-dsa> (Minor issue)
+ - bluez <unfixed> (unimportant; bug #847837)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68898.html
+ NOTE: Crash in btmon CLI tool, no security impact
CVE-2016-9801 (In BlueZ 5.42, a buffer overflow was observed in "set_ext_ctrl" functi ...)
- - bluez <unfixed> (bug #847837)
- [stretch] - bluez <no-dsa> (Minor issue)
- [jessie] - bluez <no-dsa> (Minor issue)
- [wheezy] - bluez <no-dsa> (Minor issue)
+ - bluez <unfixed> (unimportant; bug #847837)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
+ NOTE: Crash in CLI tools, no security impact
CVE-2016-9800 (In BlueZ 5.42, a buffer overflow was observed in "pin_code_reply_dump" ...)
- - bluez <unfixed> (bug #847837)
- [stretch] - bluez <no-dsa> (Minor issue)
- [jessie] - bluez <no-dsa> (Minor issue)
- [wheezy] - bluez <no-dsa> (Minor issue)
+ - bluez <unfixed> (unimportant; bug #847837)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
+ NOTE: Crash in CLI tools, no security impact
CVE-2016-9799 (In BlueZ 5.42, a buffer overflow was observed in "pklg_read_hci" funct ...)
- - bluez <unfixed> (bug #847837)
- [stretch] - bluez <no-dsa> (Minor issue)
- [jessie] - bluez <no-dsa> (Minor issue)
- [wheezy] - bluez <no-dsa> (Minor issue)
+ - bluez <unfixed> (unimportant; bug #847837)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68898.html
+ NOTE: Crash in btmon CLI tool, no security impact
CVE-2016-9798 (In BlueZ 5.42, a use-after-free was identified in "conf_opt" function ...)
- - bluez <unfixed> (bug #847837)
- [stretch] - bluez <no-dsa> (Minor issue)
- [jessie] - bluez <no-dsa> (Minor issue)
- [wheezy] - bluez <no-dsa> (Minor issue)
+ - bluez <unfixed> (unimportant; bug #847837)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
+ NOTE: Crash in hcidump CLI tool, no security impact
CVE-2016-9797 (In BlueZ 5.42, a buffer over-read was observed in "l2cap_dump" functio ...)
- - bluez <unfixed> (bug #847837)
- [stretch] - bluez <no-dsa> (Minor issue)
- [jessie] - bluez <no-dsa> (Minor issue)
- [wheezy] - bluez <no-dsa> (Minor issue)
+ - bluez <unfixed> (unimportant; bug #847837)
NOTE: https://www.spinics.net/lists/linux-bluetooth/msg68892.html
+ NOTE: Crash in hcidump CLI tool, no security impact
CVE-2016-9794 (Race condition in the snd_pcm_period_elapsed function in sound/core/pc ...)
{DLA-772-1}
- linux 4.7.2-1
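Review bot: three of the new notes say only "Crash in CLI tools" (CVE-2016-9803, CVE-2016-9801, CVE-2016-9800) while the others name btmon or hcidump; naming the affected tool in each keeps the rationale checkable against the referenced linux-bluetooth threads. For CVE-2016-9798 the description is a use-after-free in conf_opt rather than a plain crash, so the note should say what limits it to a crash here (hcidump being an interactive debugging tool, not a service) before tagging it unimportant. The removed `[stretch]`/`[jessie]`/`[wheezy]` `<no-dsa>` lines are correctly dropped once the global severity is unimportant.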
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/7834dc8191c8ca0748122f7eba11d87a80222b01