[Git][security-tracker-team/security-tracker][master] Mark all Apport related entries as NFU

Salvatore Bonaccorso carnil at debian.org
Wed May 1 13:08:58 BST 2019 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
62dc2699 by Salvatore Bonaccorso at 2019-05-01T12:06:26Z
Mark all Apport related entries as NFU

src:apport itself was ever only in experimental and never migrated to
unstable as it needed extra services to actually function.

Maintainer recently asked for complete removal of Apport, tracked as
https://bugs.debian.org/924960 .

As it was never in unstable or any other supported suites, we can mark
it safely as NFU considering it was never in Debian.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -65564,9 +65564,7 @@ CVE-2018-6553 (The CUPS AppArmor profile incorrectly confined the dnssd backend
 	{DSA-4243-1 DLA-1426-1}
 	- cups 2.2.8-5 (bug #903605)
 CVE-2018-6552 (Apport does not properly handle crashes originating from a PID namespa ...)
-	[experimental] - apport <unfixed>
-	NOTE: apport only in experimental, so we cannot track this in security-tracker
-	NOTE: add it, to have an explicit reference for apport if it ever enters unstable
+	NOT-FOR-US: Apport
 CVE-2018-6551 (The malloc implementation in the GNU C Library (aka glibc or libc6), f ...)
 	[experimental] - glibc 2.26.9000+20180127.7e23a7dd-0experimental0
 	- glibc 2.27-1
@@ -93998,21 +93996,15 @@ CVE-2017-14183
 CVE-2017-14182 (A Denial of Service (DoS) vulnerability in Fortinet FortiOS 5.4.0 to 5 ...)
 	NOT-FOR-US: Fortinet
 CVE-2017-14180 (Apport 2.13 through 2.20.7 does not properly handle crashes originatin ...)
-	[experimental] - apport <unfixed>
-	NOTE: apport only in experimental, so we cannot track this in security-tracker
-	NOTE: add it, to have an explicit reference for apport if it ever enters unstable
+	NOT-FOR-US: Apport
 CVE-2017-14179 (Apport before 2.13 does not properly handle crashes originating from a ...)
-	[experimental] - apport <unfixed>
-	NOTE: apport only in experimental, so we cannot track this in security-tracker
-	NOTE: add it, to have an explicit reference for apport if it ever enters unstable
+	NOT-FOR-US: Apport
 CVE-2017-14178 (In snapd 2.27 through 2.29.2 the 'snap logs' command could be made to  ...)
 	- snapd 2.30-1
 	[stretch] - snapd <not-affected> (Issue introduced in 2.27)
 	NOTE: https://launchpad.net/bugs/1730255
 CVE-2017-14177 (Apport through 2.20.7 does not properly handle core dumps from setuid  ...)
-	[experimental] - apport <unfixed>
-	NOTE: apport only in experimental, so we cannot track this in security-tracker
-	NOTE: add it, to have an explicit reference for apport if it ever enters unstable
+	NOT-FOR-US: Apport
 CVE-2017-14181 (DeleteBitBuffer in libbitbuf/bitbuffer.c in mp4tools aacplusenc 0.17.5 ...)
 	NOT-FOR-US: aacplusenc
 CVE-2017-14175 (In coders/xbm.c in ImageMagick 7.0.6-1 Q16, a DoS in ReadXBMImage() du ...)
@@ -104525,8 +104517,7 @@ CVE-2017-10710
 CVE-2017-10709 (The lockscreen on Elephone P9000 devices (running Android 6.0) allows  ...)
 	NOT-FOR-US: Elephone P9000 devices
 CVE-2017-10708 (An issue was discovered in Apport through 2.20.x. In apport/report.py, ...)
-	[experimental] - apport 2.20.4-2 (bug #868831)
-	NOTE: apport only in experimental, so we cannot track this in security-tracker
+	NOT-FOR-US: Apport
 CVE-2017-10707
 	RESERVED
 CVE-2017-10706 (When Antiy Antivirus Engine before 5.0.0.05171547 scans a special ZIP  ...)
@@ -126233,23 +126224,11 @@ CVE-2016-9956 (The route manager in FlightGear before 2016.4.4 allows remote att
 	- flightgear 1:2016.4.3+dfsg-1 (bug #848114)
 	NOTE: http://www.openwall.com/lists/oss-security/2016/12/14/11
 CVE-2016-9951 (An issue was discovered in Apport before 2.20.4. A malicious Apport cr ...)
-	[experimental] - apport 2.20.4-1 (bug #848213)
-	NOTE: apport only in experimental, so we cannot track this in security-tracker
-	NOTE: add it, as we have an explicit (bug) reference for apport
-	NOTE: https://bugs.launchpad.net/apport/+bug/1648806
-	NOTE: https://donncha.is/2016/12/compromising-ubuntu-desktop/
+	NOT-FOR-US: Apport
 CVE-2016-9950 (An issue was discovered in Apport before 2.20.4. There is a path trave ...)
-	[experimental] - apport 2.20.4-1 (bug #848213)
-	NOTE: apport only in experimental, so we cannot track this in security-tracker
-	NOTE: add it, as we have an explicit (bug) reference for apport
-	NOTE: https://bugs.launchpad.net/apport/+bug/1648806
-	NOTE: https://donncha.is/2016/12/compromising-ubuntu-desktop/
+	NOT-FOR-US: Apport
 CVE-2016-9949 (An issue was discovered in Apport before 2.20.4. In apport/ui.py, Appo ...)
-	[experimental] - apport 2.20.4-1 (bug #848213)
-	NOTE: apport only in experimental, so we cannot track this in security-tracker
-	NOTE: add it, as we have an explicit (bug) reference for apport
-	NOTE: https://bugs.launchpad.net/apport/+bug/1648806
-	NOTE: https://donncha.is/2016/12/compromising-ubuntu-desktop/
+	NOT-FOR-US: Apport
 CVE-2016-9948
 	RESERVED
 CVE-2016-9947
@@ -188077,9 +188056,7 @@ CVE-2015-1339 (Memory leak in the cuse_channel_release function in fs/fuse/cuse.
 	NOTE: Introduced in: https://git.kernel.org/linus/cc080e9e9be16ccf26135d366d7d2b65209f1d56 (v4.2-rc1)
 	NOTE: Fixed in: https://git.kernel.org/linus/2c5816b4beccc8ba709144539f6fdd764f8fa49c (v4.4-rc5)
 CVE-2015-1338 (kernel_crashdump in Apport before 2.19 allows local users to cause a d ...)
-	[experimental] - apport <unfixed>
-	NOTE: apport only in experimental, so we cannot track this in security-tracker
-	NOTE: add it, as we have an explicit (bug) reference for apport
+	NOT-FOR-US: Apport
 CVE-2015-1337 (Simple Streams (simplestreams) does not properly verify the GPG signat ...)
 	NOT-FOR-US: simplestreams
 CVE-2015-1336 (The daily mandb cleanup job in Man-db before 2.7.6.1-1 as packaged in  ...)
@@ -188134,9 +188111,9 @@ CVE-2015-1326 (python-dbusmock before version 0.15.1 AddTemplate() D-Bus method
 	[jessie] - python-dbusmock 0.11.4-1+deb8u1
 	NOTE: https://bugs.launchpad.net/python-dbusmock/+bug/1453815
 CVE-2015-1325 (Race condition in Apport before 2.17.2-0ubuntu1.1 as packaged in Ubunt ...)
-	[experimental] - apport 2.17.3-1
+	NOT-FOR-US: Apport
 CVE-2015-1324 (Apport before 2.17.2-0ubuntu1.1 as packaged in Ubuntu 15.04, before 2. ...)
-	[experimental] - apport 2.17.3-1
+	NOT-FOR-US: Apport
 CVE-2015-1323 (The simulate dbus method in aptdaemon before 1.1.1+bzr982-0ubuntu3.1 a ...)
 	{DLA-261-1}
 	- aptdaemon 1.1.1+bzr982-1 (bug #789162)
@@ -188154,9 +188131,7 @@ CVE-2015-1320 (The SeaMicro provisioning of Ubuntu MAAS logs credentials, includ
 CVE-2015-1319 (The Unity Settings Daemon before 14.04.0+14.04.20150825-0ubuntu2 and 1 ...)
 	- unity <itp> (bug #609278)
 CVE-2015-1318 (The crash reporting feature in Apport 2.13 through 2.17.x before 2.17. ...)
-	[experimental] - apport <unfixed>
-	NOTE: apport only in experimental, so we cannot track this in security-tracker
-	NOTE: add it, as we have an explicit (bug) reference for apport
+	NOT-FOR-US: Apport
 CVE-2015-1317 (Use-after-free vulnerability in Oxide before 1.5.6 and 1.6.x before 1. ...)
 	NOT-FOR-US: Oxide
 CVE-2015-1316 (Juju Core's Joyent provider before version 1.25.5 uploads the user's p ...)
@@ -234410,9 +234385,7 @@ CVE-2013-1068 (The OpenStack Nova (python-nova) package 1:2013.2.3-0 before 1:20
 	[wheezy] - cinder <not-affected> (Vulnerable code not present)
 	NOTE: Requires includedir to be defined in /etc/sudoers file
 CVE-2013-1067 (Apport 2.12.5 and earlier uses weak permissions for core dump files cr ...)
-	[experimental] - apport 2.12.6-1 (bug #727661)
-	NOTE: apport only in experimental, so we cannot track this in security-tracker
-	NOTE: add it, as we have an explicit (bug) reference for apport
+	NOT-FOR-US: Apport
 CVE-2013-1066 (language-selector 0.110.x before 0.110.1, 0.90.x before 0.90.1, and 0. ...)
 	NOT-FOR-US: language-selector
 CVE-2013-1065 (backend.py in Jockey before 0.9.7-0ubuntu7.11 does not properly use D- ...)
@@ -293025,7 +292998,7 @@ CVE-2009-1296 (The eCryptfs support utilities (ecryptfs-utils) 73-0ubuntu6.1 on
 	NOTE: encrypted home directories with ecryptfs, so no passphrase is stored in the
 	NOTE: installer logs on disk
 CVE-2009-1295 (Apport before 0.108.4 on Ubuntu 8.04 LTS, before 0.119.2 on Ubuntu 8.1 ...)
-	[experimental] - apport <not-affected> (Fixed before initial upload into Debian)
+	NOT-FOR-US: Apport
 CVE-2009-1294 (Multiple cross-site scripting (XSS) vulnerabilities in web/guest/home  ...)
 	NOT-FOR-US: Novell Teaming
 CVE-2009-1293 (The web login functionality (c/portal/login) in Novell Teaming 1.0 thr ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/62dc2699ca7224c9cee5a90bc25f8ea86a2fb4e7

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/62dc2699ca7224c9cee5a90bc25f8ea86a2fb4e7
You're receiving this email because of your account on salsa.debian.org.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190501/75103ef2/attachment-0001.html>

More information about the debian-security-tracker-commits mailing list