[Git][security-tracker-team/security-tracker][master] stretch triage
Moritz Muehlenhoff
jmm at debian.org
Thu May 9 21:12:33 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c51aa39a by Moritz Muehlenhoff at 2019-05-09T20:12:06Z
stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -570,11 +570,15 @@ CVE-2019-11599 (The coredump implementation in the Linux kernel before 5.0.10 do
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1790
CVE-2019-11598 (In ImageMagick 7.0.8-40 Q16, there is a heap-based buffer over-read in ...)
- imagemagick <unfixed> (bug #928206)
+ [stretch] - imagemagick <postponed> (Fix along in next DSA)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1540
NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e2a21735e3a3f3930bd431585ec36334c4c2eb77
CVE-2019-11597 (In ImageMagick 7.0.8-43 Q16, there is a heap-based buffer over-read in ...)
- imagemagick <unfixed> (bug #928207)
+ [stretch] - imagemagick <postponed> (Fix along in next DSA)
NOTE: https://github.com/ImageMagick/ImageMagick/issues/1555
+ NOTE: https://github.com/ImageMagick/ImageMagick6/commit/1d6c036f0388d7857c725342f7212b60e39a14c1
+ NOTE: https://github.com/ImageMagick/ImageMagick6/commit/c979b348d64a25a04f12ea7fe7888b2b23f230a7
CVE-2019-11596 (In memcached before 1.5.14, a NULL pointer dereference was found in th ...)
- memcached <unfixed> (bug #928205)
[stretch] - memcached <not-affected> (Vulnerable code introduced later)
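Review bot: The two ImageMagick6 commit NOTEs added under CVE-2019-11597 do not say what each commit covers, so someone backporting to stretch cannot tell whether both are required or whether the second is a follow-up to the first. Suggest a short suffix on each NOTE line. Separately, the reason "Fix along in next DSA" on the two new `[stretch] - imagemagick <postponed>` lines would read more clearly as "Can be fixed along in next DSA".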
@@ -794,10 +798,12 @@ CVE-2019-11505 (In GraphicsMagick from version 1.3.8 to 1.4 snapshot-20190403 Q8
CVE-2019-11504 (Zotonic before version 0.47 has mod_admin XSS. ...)
NOT-FOR-US: Zotonic
CVE-2019-11503 (snap-confine as included in snapd before 2.39 did not guard against sy ...)
- - snapd <unfixed> (bug #928052)
+ - snapd <unfixed> (low; bug #928052)
+ [stretch] - snapd <no-dsa> (Minor issue)
NOTE: https://github.com/snapcore/snapd/pull/6642
CVE-2019-11502 (snap-confine in snapd before 2.38 incorrectly set the ownership of a s ...)
- - snapd <unfixed> (bug #928052)
+ - snapd <unfixed> (low; bug #928052)
+ [stretch] - snapd <no-dsa> (Minor issue)
NOTE: https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1
CVE-2017-18367 (libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR ...)
- golang-github-seccomp-libseccomp-golang 0.9.0-2 (bug #927981)
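Review bot: The `[stretch] - snapd <no-dsa> (Minor issue)` lines added under CVE-2019-11503 and CVE-2019-11502 give no indication of why these snap-confine issues are minor. The same applies to the "low" urgency added to both `<unfixed>` lines. A few words on the limiting factor in the parenthesised reason would let a later triager recheck the decision without rereading bug #928052 and the linked upstream changes.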
@@ -1910,6 +1916,7 @@ CVE-2019-11037 (In PHP imagick extension in versions between 3.3.0 and 3.4.4, wr
CVE-2019-11036 (When processing certain files, PHP EXIF extension in versions 7.1.x be ...)
- php7.3 <unfixed> (bug #928421)
- php7.0 <removed>
+ [stretch] - php7.0 <postponed> (Fix along in future update)
- php5 <removed>
NOTE: Fixed in 7.1.29, 7.2.18, 7.3.5
NOTE: PHP Bug: https://bugs.php.net/bug.php?id=77950
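Review bot: The reason on the new `[stretch] - php7.0 <postponed>` line, "Fix along in future update", differs from the "Fix along in next DSA" wording used for imagemagick earlier in this same commit. If both mean the same thing, use one phrasing so postponed entries can be searched together. If php7.0 is meant to go out through a different channel than a DSA, state that explicitly in the reason.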
@@ -6083,6 +6090,7 @@ CVE-2019-9636 (Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:
NOTE: https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
NOTE: https://github.com/python/cpython/commit/daad2c482c91de32d8305abbccc76a5de8b3a8be (3.7.x)
NOTE: https://github.com/python/cpython/commit/e37ef41289b77e0f0bb9a6aedb0360664c55bdd5 (2.7.x)
+ NOTE: Regression fix: https://bugs.python.org/issue36742
CVE-2019-9635 (NULL pointer dereference in Google TensorFlow before 1.12.2 could caus ...)
- tensorflow <itp> (bug #804612)
CVE-2019-1003039 (An insufficiently protected credentials vulnerability exists in Jenkin ...)
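Review bot: The new "Regression fix" NOTE under CVE-2019-9636 links only to bugs.python.org issue36742, while the NOTE lines directly above it cite the cpython commits with their branch labels (3.7.x, 2.7.x). Suggest adding the regression-fix commits in the same per-branch form, since this commit also queues python2.7 and python3.5 in data/dsa-needed.txt and whoever prepares those updates will need the exact patches.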
=====================================
data/dsa-needed.txt
=====================================
@@ -17,14 +17,18 @@ If needed, specify the release by adding a slash after the name of the source pa
--
bind9
--
+drupal7
+--
evolution
--
faad2
not yet fixed upstream
--
-ffmpeg
+ffmpeg (jmm)
ping upstream for 3.2.14 release catching up with recent issues
--
+ghostscript
+--
glusterfs
--
graphicsmagick
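Review bot: The new `drupal7` and `ghostscript` entries have neither an assignee nor an indented status line, and nothing in the data/CVE/list part of this commit touches either package, so the reader cannot tell which issues put them on the list. Suggest a one-line note under each, in the style of the existing faad2 and ffmpeg entries.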
@@ -44,6 +48,10 @@ nss
--
openjdk-8
--
+python2.7 (jmm)
+--
+python3.5 (jmm)
+--
simplesamlphp
--
smarty3
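Review bot: The added `python2.7 (jmm)` and `python3.5 (jmm)` entries carry no indented status line. If they are queued for CVE-2019-9636 and the regression fix noted in data/CVE/list, say so here, as the ffmpeg entry does for its pending upstream release, so the scope of the planned update is visible from this file alone.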
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c51aa39a4eb35afae9bf815ba255a48f0a23ecf5