[Git][security-tracker-team/security-tracker][master] buster/stretch triage
Moritz Muehlenhoff
jmm at debian.org
Tue Nov 5 12:11:49 GMT 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f81893a7 by Moritz Muehlenhoff at 2019-11-05T12:11:02Z
buster/stretch triage
xorg-server CVE ID needs further clarification
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5794,7 +5794,8 @@ CVE-2019-17626 (ReportLab through 3.5.26 allows remote code execution because of
CVE-2019-17625 (There is a stored XSS in Rambox 0.6.9 that can lead to code execution. ...)
NOT-FOR-US: Rambox
CVE-2019-17624 (In X.Org X Server 1.20.4, there is a stack-based buffer overflow in th ...)
- TODO: check
+ - xorg-server <undetermined>
+ NOTE: https://packetstormsecurity.com/files/154868/X.Org-X-Server-1.20.4-Local-Stack-Overflow.html
CVE-2019-17623
RESERVED
CVE-2019-17622
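Review bot: the new `- xorg-server <undetermined>` line records a state whose reason lives only in the commit message ("CVE ID needs further clarification"); add a `NOTE:` line in the entry itself saying the CVE ID mapping is still unclear, so the next triager does not have to rediscover that from the packetstorm link alone. The packetstorm URL is a third-party advisory mirror; once the ID is confirmed, an upstream X.Org reference (commit or advisory) would be the more durable pointer.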
@@ -5895,6 +5896,7 @@ CVE-2019-17597
RESERVED
CVE-2017-1002201 (In haml versions prior to version 5.0.0.beta.2, when using user input ...)
- ruby-haml 5.0.4-1
+ [stretch] - ruby-haml <no-dsa> (Minor issue)
NOTE: https://snyk.io/vuln/SNYK-RUBY-HAML-20362
NOTE: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
CVE-2019-17596 (Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to ...)
@@ -7603,7 +7605,9 @@ CVE-2019-16935 (The documentation XML-RPC server in Python through 2.7.16, 3.x t
[jessie] - python2.7 <ignored> (Minor Issue, XSS in an unlikely use-case)
- jython <unfixed>
[jessie] - jython <ignored> (Minor Issue, XSS in an unlikely use-case)
- - pypy <unfixed>
+ - pypy <unfixed> (low)
+ [buster] - pypy <no-dsa> (Minor issue)
+ [stretch] - pypy <no-dsa> (Minor issue)
[jessie] - pypy <ignored> (Minor Issue, XSS in an unlikely use-case)
NOTE: https://bugs.python.org/issue38243
NOTE: https://github.com/python/cpython/pull/16373
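Review bot: the added `[buster]` and `[stretch]` lines give the rationale as `(Minor issue)` while the unchanged jessie line directly below says `(Minor Issue, XSS in an unlikely use-case)`; reusing the more specific wording keeps the three suite annotations consistent and makes the no-dsa decision self-explanatory. The `(low)` severity added to the unstable `pypy` line matches that rationale.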
@@ -13654,7 +13658,9 @@ CVE-2019-14867
RESERVED
CVE-2019-14866 [improper input validation when writing tar header fields leads to unexpect tar generation]
RESERVED
- - cpio <unfixed> (bug #941412)
+ - cpio <unfixed> (low; bug #941412)
+ [buster] - cpio <no-dsa> (Minor issue)
+ [stretch] - cpio <no-dsa> (Minor issue)
NOTE: https://lists.gnu.org/archive/html/bug-cpio/2019-08/msg00003.html
NOTE: http://git.savannah.gnu.org/cgit/cpio.git/commit/?id=7554e3e42cd72f6f8304410c47fe6f8918e9bfd7
CVE-2019-14865
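Review bot: the context line `CVE-2019-14866 [improper input validation when writing tar header fields leads to unexpect tar generation]` has a typo (`unexpect` should be `unexpected`); since the CVE is still RESERVED, that bracketed text is the tracker's own placeholder description and can be corrected in a follow-up. The added `(low; bug #941412)` severity and the buster/stretch `<no-dsa> (Minor issue)` lines follow the pattern used for the other packages in this commit.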
@@ -17535,6 +17541,8 @@ CVE-2019-13628 (wolfSSL and wolfCrypt 4.0.0 and earlier (when configured without
CVE-2019-13627 (It was discovered that there was a ECDSA timing attack in the libgcryp ...)
{DLA-1931-1}
- libgcrypt20 1.8.5-1 (bug #938938)
+ [buster] - libgcrypt20 <no-dsa> (Minor issue)
+ [stretch] - libgcrypt20 <no-dsa> (Minor issue)
- libgcrypt11 <removed>
NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=b9577f7c89b4327edc09f2231bc8b31521102c79 (master)
NOTE: https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=7c2943309d14407b51c8166c4dcecb56a3628567 (master)
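Review bot: the unchanged `{DLA-1931-1}` line shows jessie already received an advisory for this ECDSA timing attack, yet buster and stretch are now marked `<no-dsa> (Minor issue)`; a reader will ask why stable gets no advisory when oldoldstable did. Suggest expanding the rationale, for example whether the 1.8.5-1 fix is meant to reach buster and stretch through a point release, so the decision is documented in the entry. Both NOTE lines are tagged `(master)`; if the fix was also applied on the 1.8 branch, that reference would help whoever prepares the stable update.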
@@ -18961,7 +18969,9 @@ CVE-2019-13466 (Western Digital SSD Dashboard before 2.5.1.0 and SanDisk SSD Das
CVE-2019-13465
RESERVED
CVE-2019-13464 (An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2 ...)
- - modsecurity-crs 3.2.0-1 (bug #943773)
+ - modsecurity-crs 3.2.0-1 (low; bug #943773)
+ [buster] - modsecurity-crs <no-dsa> (Minor issue)
+ [stretch] - modsecurity-crs <no-dsa> (Minor issue)
[jessie] - modsecurity-crs <not-affected> (incorrect rule does not exist)
NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs/commit/6090d6b0a90417f1a60aa68a01eb777cef2e1184
NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1386
@@ -29293,6 +29303,8 @@ CVE-2019-1010143
RESERVED
CVE-2019-1010142 (scapy 2.4.0 is affected by: Denial of Service. The impact is: infinite ...)
- scapy 2.4.2-1
+ [buster] - scapy <no-dsa> (Minor issue)
+ [stretch] - scapy <not-affected> (Vulnerable code not present)
[jessie] - scapy <not-affected> (Vulnerable code not present)
NOTE: https://github.com/secdev/scapy/pull/1409
NOTE: https://github.com/secdev/scapy/commit/0d7ae2b039f650a40e511d09eb961c782da025d9 (v2.4.1)
=====================================
data/dsa-needed.txt
=====================================
@@ -69,7 +69,9 @@ sssd
--
thunderbird
--
+tiff
+--
wordpress
--
-xen/oldstable
+xen
--
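Review bot: replacing `xen/oldstable` with `xen` widens the dsa-needed entry from oldstable-only to stable as well, and `tiff` is newly queued, but the commit message only mentions buster/stretch triage and the xorg-server CVE; a line in the message naming these two queue changes would make the history easier to follow.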
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f81893a7b92222c0bd57acf7b625ff1f2e47e3de