[Git][security-tracker-team/security-tracker][master] stretch triage
Moritz Muehlenhoff
jmm at debian.org
Wed May 22 22:28:09 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
8ff9be23 by Moritz Muehlenhoff at 2019-05-22T21:27:37Z
stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -135,22 +135,30 @@ CVE-2019-12223
RESERVED
CVE-2019-12222 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
- libsdl2 <unfixed>
+ [stretch] - libsdl2 <no-dsa> (Minor issue)
- libsdl1.2 <unfixed>
+ [stretch] - libsdl1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4621
TODO: check details and correct vulnerability location
CVE-2019-12221 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
- libsdl2 <unfixed>
+ [stretch] - libsdl2 <no-dsa> (Minor issue)
- libsdl1.2 <unfixed>
+ [stretch] - libsdl1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4628
TODO: check details and correct vulnerability location
CVE-2019-12220 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
- libsdl2 <unfixed>
+ [stretch] - libsdl2 <no-dsa> (Minor issue)
- libsdl1.2 <unfixed>
+ [stretch] - libsdl1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4627
TODO: check details and correct vulnerability location
CVE-2019-12219 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
- libsdl2 <unfixed>
+ [stretch] - libsdl2 <no-dsa> (Minor issue)
- libsdl1.2 <unfixed>
+ [stretch] - libsdl1.2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4625
TODO: check details and correct vulnerability location
CVE-2019-12218 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
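Review bot: the new `[stretch] ... <no-dsa> (Minor issue)` lines for CVE-2019-12222 through CVE-2019-12219 each sit above an unchanged "TODO: check details and correct vulnerability location". The severity call for stretch is therefore recorded before the affected code has been confirmed for either libsdl2 or libsdl1.2. Either resolve the TODO in the same change or add a NOTE saying what the "Minor issue" assessment is based on, so the no-dsa decision can be revisited if the vulnerability location turns out to differ between the two packages.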
@@ -160,7 +168,9 @@ CVE-2019-12218 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer
TODO: check details and correct vulnerability location
CVE-2019-12217 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
- libsdl2 <unfixed>
+ [stretch] - libsdl1.2 <no-dsa> (Minor issue)
- libsdl1.2 <unfixed>
+ [stretch] - libsdl2 <no-dsa> (Minor issue)
NOTE: https://bugzilla.libsdl.org/show_bug.cgi?id=4626
TODO: check details and correct vulnerability location
CVE-2019-12216 (An issue was discovered in libSDL2.a in Simple DirectMedia Layer (SDL) ...)
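Review bot: in CVE-2019-12217 the two added stretch annotations are attached to the wrong packages. `[stretch] - libsdl1.2 <no-dsa>` follows `- libsdl2 <unfixed>` and `[stretch] - libsdl2 <no-dsa>` follows `- libsdl1.2 <unfixed>`, whereas every other entry in this commit puts the release line directly under the matching package line. Swap the two added lines so each `[stretch]` annotation follows its own package.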
@@ -2265,10 +2275,13 @@ CVE-2019-11340 (util/emailutils.py in Matrix Sydent before 1.0.2 mishandles regi
NOT-FOR-US: Matrix Sydent
CVE-2019-11339 (The studio profile decoder in libavcodec/mpeg4videodec.c in FFmpeg 4.0 ...)
- ffmpeg 7:4.1.3-1
+ [stretch] - ffmpeg <not-affected> (Vulnerable code not present)
+ - libav <not-affected> (Vulnerable code not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/1f686d023b95219db933394a7704ad9aa5f01cbb
NOTE: https://github.com/FFmpeg/FFmpeg/commit/d227ed5d598340e719eff7156b1aa0a4469e9a6a
CVE-2019-11338 (libavcodec/hevcdec.c in FFmpeg 4.1.2 mishandles detection of duplicate ...)
- ffmpeg 7:4.1.3-1
+ - libav <undetermined>
NOTE: https://github.com/FFmpeg/FFmpeg/commit/54655623a82632e7624714d7b2a3e039dc5faa7e
CVE-2019-11337
RESERVED
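Review bot: for CVE-2019-11338 libav is added as `<undetermined>` with nothing recording what still has to be checked, while CVE-2019-11339 directly above gets a definite `<not-affected> (Vulnerable code not present)`. Since the fixing commit is already listed in the NOTE, a short NOTE or TODO stating whether the hevcdec.c code path has been compared against libav would keep the entry from staying undetermined indefinitely.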
@@ -7008,14 +7021,15 @@ CVE-2019-9721 (A denial of service in the subtitle decoder in FFmpeg 4.1 allows
- ffmpeg 7:4.1.3-1 (bug #926666)
[stretch] - ffmpeg <not-affected> (Vulnerable code not present)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/894995c41e0795c7a44f81adc4838dedc3932e65
+ - libav <undetermined>
CVE-2019-9720
RESERVED
CVE-2019-9719
RESERVED
CVE-2019-9718 (In FFmpeg 4.1, a denial of service in the subtitle decoder allows atta ...)
- ffmpeg 7:4.1.3-1 (low; bug #926666)
- [stretch] - ffmpeg <postponed> (Wait until fixed in 3.2.x release)
NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1f00c97bc3475c477f3c468cf2d924d5761d0982
+ - libav <undetermined>
CVE-2019-9717
RESERVED
CVE-2019-9716
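Review bot: the added `- libav <undetermined>` lines for CVE-2019-9721 and CVE-2019-9718 are placed after the NOTE line, not with the other package lines. In the CVE-2019-11338 entry of this same commit the libav line goes directly under the ffmpeg line and before the NOTE. Move both lines up next to the ffmpeg package lines so the package block stays contiguous and the entries are consistent.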
@@ -12879,6 +12893,7 @@ CVE-2019-1000016 (FFMPEG version 4.1 contains a CWE-129: Improper Validation of
- ffmpeg 7:4.1.1-1 (low; bug #922066)
[stretch] - ffmpeg <not-affected> (Vulnerable code not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/b97a4b658814b2de8b9f2a3bce491c002d34de31#diff-cd7e24986650014d67f484f3ffceef3f
+ - libav <undetermined>
CVE-2019-1000015 (Chamilo Chamilo-lms version 1.11.8 and earlier contains a Cross Site S ...)
NOT-FOR-US: Chamilo Chamilo-lms
CVE-2019-1000014 (Erlang/OTP Rebar3 version 3.7.0 through 3.7.5 contains a Signing oracl ...)
@@ -22946,15 +22961,15 @@ CVE-2018-20407 (An issue was discovered in Bento4 1.5.1-627. There is a memory l
NOT-FOR-US: Bento4
CVE-2018-20406 (Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a ...)
{DLA-1663-1}
- - python3.7 3.7.0-7
- - python3.6 3.6.7~rc1-1
- - python3.5 <removed>
- [stretch] - python3.5 <no-dsa> (Minor issue)
- - python3.4 <removed>
+ - python3.7 3.7.0-7 (unimportant)
+ - python3.6 3.6.7~rc1-1 (unimportant)
+ - python3.5 <removed> (unimportant)
+ - python3.4 <removed> (unimportant)
NOTE: https://bugs.python.org/issue34656
NOTE: https://github.com/python/cpython/commit/a4ae828ee416a66d8c7bf5ee71d653c2cc6a26dd (master)
NOTE: https://github.com/python/cpython/commit/ef4306b24c9034d6b37bb034e2ebe82e745d4b77 (3.7)
NOTE: https://github.com/python/cpython/commit/71a9c65e74a70b6ed39adc4ba81d311ac1aa2acc (3.6)
+ NOTE: Negligible security impact
CVE-2018-20405 (BigTree 4.3 allows full path disclosure via authenticated admin/news/ ...)
NOT-FOR-US: BigTree CMS
CVE-2018-20404 (ETK_E900.sys, a SmartETK driver for VIA Technologies EPIA-E900 system ...)
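Review bot: all python3.x lines for CVE-2018-20406 are changed to `(unimportant)` and the `[stretch] - python3.5 <no-dsa>` line is dropped, but the entry still carries `{DLA-1663-1}` and the only stated rationale is "NOTE: Negligible security impact". Please expand the NOTE to say why the _pickle.c integer overflow is considered negligible, so the downgrade is understandable next to an advisory that was already issued for it.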
@@ -42283,8 +42298,8 @@ CVE-2018-15823
RESERVED
CVE-2018-15822 (The flv_write_packet function in libavformat/flvenc.c in FFmpeg throug ...)
- ffmpeg 7:4.0.3-1 (low)
- [stretch] - ffmpeg <postponed> (Minor issue, wait for next 3.2 release)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/6b67d7f05918f7a1ee8fc6ff21355d7e8736aa10
+ - libav <undetermined>
CVE-2018-15821
RESERVED
CVE-2018-15820
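Review bot: for CVE-2018-15822 libav is added as `<undetermined>` after the NOTE, while the CVE-2018-1999011 entry later in this file tracks libav as `- libav <removed>` with a `[jessie]` annotation placed before the NOTE. Consider using the same form and position here, or add a NOTE explaining why this entry differs.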
@@ -45520,7 +45535,6 @@ CVE-2018-1999012 (FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1
NOTE: https://github.com/FFmpeg/FFmpeg/commit/9807d3976be0e92e4ece3b4b1701be894cd7c2e
CVE-2018-1999011 (FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains ...)
- ffmpeg 7:4.0.2-1
- [stretch] - ffmpeg <postponed> (Minor issue, wait for next 3.2 release)
- libav <removed>
[jessie] - libav <not-affected> (Vulnerable code not present)
NOTE: https://github.com/FFmpeg/FFmpeg/commit/2b46ebdbff1d8dec7a3d8ea280a612b91a58286
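Review bot: the removed line `[stretch] - ffmpeg <postponed> (Minor issue, wait for next 3.2 release)` was the only record of the stretch decision for CVE-2018-1999011, and nothing replaces it. The commit message "stretch triage" does not say whether the issue is now expected to be covered by the pending 3.2.x update mentioned in data/dsa-needed.txt. A one-line NOTE on the entry, or a sentence in the commit message, would make the change of status traceable.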
=====================================
data/dsa-needed.txt
=====================================
@@ -23,6 +23,8 @@ faad2
ffmpeg (jmm)
ping upstream for 3.2.14 release catching up with recent issues
--
+freeimage
+--
glusterfs
--
graphicsmagick
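Review bot: the new `freeimage` entry in data/dsa-needed.txt has no owner and no note, unlike the `ffmpeg (jmm)` entry just above it, and no freeimage line is touched in data/CVE/list in this commit. Add a short note under the entry naming the issues that motivate the update so whoever picks it up knows what to fix.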
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ff9be23909174bba25dcdba1126db05f360a2e7