[Git][security-tracker-team/security-tracker][master] buster triage

Sat Mar 30 21:41:35 GMT 2019


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
41237a80 by Moritz Muehlenhoff at 2019-03-30T21:41:04Z
buster triage
py3.6 removed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1504,7 +1504,7 @@ CVE-2019-9948 (urllib in Python 2.x through 2.7.16 supports the local_file: sche
 	NOTE: https://github.com/python/cpython/pull/11842
 CVE-2019-9947 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 and ur ...)
 	- python3.7 <unfixed>
-	- python3.6 <unfixed>
+	- python3.6 <removed>
 	- python3.5 <removed>
 	- python3.4 <removed>
 	- python2.7 <unfixed>
@@ -2790,7 +2790,7 @@ CVE-2019-9741 (An issue was discovered in net/http in Go 1.11.5. CRLF injection
 	NOTE: https://github.com/golang/go/commit/f1d662f34788f4a5f087581d0951cdf4e0f6e708#diff-b97af51863ce82bf2a13003b52034aa9
 CVE-2019-9740 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 and ur ...)
 	- python3.7 <unfixed>
-	- python3.6 <unfixed>
+	- python3.6 <removed>
 	- python3.5 <removed>
 	- python3.4 <removed>
 	- python2.7 <unfixed>
@@ -3030,7 +3030,7 @@ CVE-2019-9642
 	RESERVED
 CVE-2019-9636 (Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Impr ...)
 	- python3.7 3.7.3~rc1-1 (bug #924072)
-	- python3.6 <unfixed>
+	- python3.6 <removed>
 	- python3.5 <removed>
 	- python3.4 <removed>
 	- python2.7 <unfixed> (bug #924073)
@@ -14151,7 +14151,7 @@ CVE-2019-5010 [NULL pointer dereference using a specially crafted X509 certifica
 	RESERVED
 	{DLA-1663-1}
 	- python3.7 3.7.2-2 (bug #921064)
-	- python3.6 <unfixed> (bug #921063)
+	- python3.6 <removed> (bug #921063)
 	- python3.5 <removed>
 	[stretch] - python3.5 <postponed> (Minor issue, can be fixed along in a future DSA)
 	- python3.4 <removed>
@@ -24444,7 +24444,8 @@ CVE-2019-1545
 CVE-2019-1544
 	RESERVED
 CVE-2019-1543 (ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input ...)
-	- openssl <unfixed>
+	- openssl <unfixed> (low)
+	[buster] - openssl <postponed> (Minor issue, fix along in next 1.1.x)
 	[stretch] - openssl <postponed> (Minor issue, fix along in future DSA)
 	[jessie] - openssl <postponed> (Minor issue, fix along in future DLA)
 	- openssl1.0 <not-affected> (Vulnerability does not impact 1.0.2 series)
@@ -26024,7 +26025,7 @@ CVE-2019-0817
 	RESERVED
 CVE-2019-0816 [extra ssh keys added to authorized_keys]
 	RESERVED
-	- cloud-init <unfixed>
+	- cloud-init <unfixed> (bug #926043)
 	[jessie] - cloud-init <not-affected> (version uses a different mechanism to set public keys.)
 	NOTE: https://code.launchpad.net/~jasonzio/cloud-init/+git/cloud-init/+merge/363445
 	NOTE: https://support.microsoft.com/en-us/help/4491476/extraneous-ssh-public-keys-added-to-authorized-keys-file-on-linux-vm
@@ -28826,9 +28827,9 @@ CVE-2018-19143 (Open Ticket Request System (OTRS) 4.0.x before 4.0.33, 5.0.x bef
 	NOTE: https://community.otrs.com/security-advisory-2018-07-security-update-for-otrs-framework/
 CVE-2018-19120 (The HTML thumbnailer plugin in KDE Applications before 18.12.0 allows  ...)
 	- kio-extras 4:18.08.3-1 (bug #913595)
-	[buster] - kio-extras <no-dsa> (Minor issue)
 	[stretch] - kio-extras <no-dsa> (Minor issue)
 	- kde-runtime <unfixed> (bug #913596)
+	[buster] - kde-runtime <no-dsa> (Minor issue)
 	[stretch] - kde-runtime <no-dsa> (Minor issue)
 	[jessie] - kde-runtime <ignored> (Minor issue)
 	NOTE: https://www.kde.org/info/security/advisory-20181012-1.txt
@@ -77603,7 +77604,7 @@ CVE-2017-17522 (** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does no
 	- python3.2 <removed> (unimportant)
 	- python3.4 <removed> (unimportant)
 	- python3.5 <removed> (unimportant)
-	- python3.6 <unfixed> (unimportant)
+	- python3.6 <removed> (unimportant)
 	- python3.7 <unfixed> (unimportant)
 	NOTE: Lib/webbrowser.py does not validate strings before launching the program
 	NOTE: specified by the BROWSER environment variable.
@@ -78125,12 +78126,8 @@ CVE-2017-17448 (net/netfilter/nfnetlink_cthelper.c in the Linux kernel through 4
 CVE-2018-1280 (Pivotal Greenplum Command Center versions 2.x prior to 2.5.1 contains  ...)
 	NOT-FOR-US: Pivotal
 CVE-2018-1279 (Pivotal RabbitMQ for PCF, all versions, uses a deterministically gener ...)
-	- rabbitmq-server <unfixed> (bug #924768)
-	[stretch] - rabbitmq-server <no-dsa> (Minor issue)
-	[jessie] - rabbitmq-server <no-dsa> (Minor issue)
+	- rabbitmq-server <not-affected> (Specific to RabbitMQ setup in Pivotal, see bug #924768)
 	NOTE: https://pivotal.io/security/cve-2018-1279
-	NOTE: Underlying issue is the use of deterministically generated cookie.
-	NOTE: Issue can be mitigated by restricting network access from untrusted sources.
 CVE-2018-1278 (Apps Manager included in Pivotal Application Service, versions 1.12.x  ...)
 	NOT-FOR-US: Pivotal
 CVE-2018-1277 (Cloud Foundry Garden-runC, versions prior to 1.13.0, does not correctl ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/41237a803d39aa60422a6c94782ed2097a746556

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/41237a803d39aa60422a6c94782ed2097a746556
You're receiving this email because of your account on salsa.debian.org.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190330/a5483f1d/attachment-0001.html>
