[Git][security-tracker-team/security-tracker][master] Check pending updates for buster against changelog for 10.2
Salvatore Bonaccorso
carnil at debian.org
Sat Nov 16 09:31:27 GMT 2019
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c95e670f by Salvatore Bonaccorso at 2019-11-16T09:30:21Z
Check pending updates for buster against changelog for 10.2
Track those included, some were either not yet acked or maintainer has
not uploaded further to buster-pu. Keep those in the list.
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -4211,7 +4211,7 @@ CVE-2019-18199 (An issue was discovered on Fujitsu Wireless Keyboard Set LX390 G
CVE-2019-18197 (In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable i ...)
{DLA-1973-1}
- libxslt 1.1.32-2.2 (bug #942646)
- [buster] - libxslt <no-dsa> (Minor issue)
+ [buster] - libxslt 1.1.32-2.2~deb10u1
[stretch] - libxslt <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
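Review bot: version-ordering check on the new `[buster]` line: `1.1.32-2.2~deb10u1` carries the tilde, so it sorts below the unstable fix `1.1.32-2.2` recorded two lines above it and a buster to bullseye upgrade will not be flagged as a regression; nothing else to raise in this hunk.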
@@ -6482,14 +6482,14 @@ CVE-2019-17596 (Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an atte
NOTE: https://groups.google.com/forum/#!msg/golang-announce/lVEm7llp0w0/VbafyRkgCgAJ
CVE-2019-17595 (There is a heap-based buffer over-read in the fmt_entry function in ti ...)
- ncurses 6.1+20191019-1 (low; bug #942401)
- [buster] - ncurses <no-dsa> (Minor issue)
+ [buster] - ncurses 6.1+20181013-2+deb10u2
[stretch] - ncurses <no-dsa> (Minor issue)
[jessie] - ncurses <no-dsa> (Minor issue)
NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00013.html
NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00045.html
CVE-2019-17594 (There is a heap-based buffer over-read in the _nc_find_entry function ...)
- ncurses 6.1+20191019-1 (low; bug #942401)
- [buster] - ncurses <no-dsa> (Minor issue)
+ [buster] - ncurses 6.1+20181013-2+deb10u2
[stretch] - ncurses <no-dsa> (Minor issue)
[jessie] - ncurses <no-dsa> (Minor issue)
NOTE: https://lists.gnu.org/archive/html/bug-ncurses/2019-10/msg00017.html
@@ -6822,7 +6822,7 @@ CVE-2019-17505 (D-Link DAP-1320 A2-V1.21 routers have some web interfaces withou
CVE-2017-18638 (send_email in graphite-web/webapp/graphite/composer/views.py in Graphi ...)
{DLA-1962-1}
- graphite-web 1.1.4-5
- [buster] - graphite-web <no-dsa> (Minor issue)
+ [buster] - graphite-web 1.1.4-3+deb10u1
NOTE: https://github.com/graphite-project/graphite-web/issues/2008
NOTE: https://github.com/graphite-project/graphite-web/pull/2499
NOTE: https://github.com/graphite-project/graphite-web/security/advisories/GHSA-vfj6-275q-4pvm
@@ -8179,7 +8179,7 @@ CVE-2019-16935 (The documentation XML-RPC server in Python through 2.7.16, 3.x t
- python3.4 <removed>
[jessie] - python3.4 <ignored> (Minor Issue, XSS in an unlikely use-case)
- python2.7 <unfixed>
- [buster] - python2.7 <no-dsa> (Minor issue, will be fixed via point release)
+ [buster] - python2.7 2.7.16-2+deb10u1
[stretch] - python2.7 <no-dsa> (Minor issue)
[jessie] - python2.7 <ignored> (Minor Issue, XSS in an unlikely use-case)
- jython <unfixed>
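Review bot: the unstable line `- python2.7 <unfixed>` just above the changed line still stands while buster is now marked fixed in `2.7.16-2+deb10u1`; confirm the same fix is in, or queued for, the unstable upload, otherwise the tracker will show buster as fixed and sid as still vulnerable, and the buster to bullseye upgrade path for this CVE will look like a regression.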
@@ -10657,7 +10657,7 @@ CVE-2019-16056 (An issue was discovered in Python through 2.7.16, 3.x through 3.
- python3.5 <removed>
- python3.4 <removed>
- python2.7 2.7.17~rc1-1 (bug #940901)
- [buster] - python2.7 <no-dsa> (Minor issue, will be fixed via point release)
+ [buster] - python2.7 2.7.16-2+deb10u1
[stretch] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue34155
NOTE: https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9 (master)
@@ -11542,7 +11542,7 @@ CVE-2019-15719 (Altair PBS Professional through 19.1.2 allows Privilege Escalati
NOT-FOR-US: Altair PBS Professional
CVE-2019-15718 (In systemd 240, bus_open_system_watch_bind_with_description in shared/ ...)
- systemd 242-7 (bug #939353)
- [buster] - systemd <no-dsa> (Minor issue; systemd-resolved not enabled by default)
+ [buster] - systemd 241-7~deb10u2
[stretch] - systemd <not-affected> (Vulnerable code introduced later)
[jessie] - systemd <not-affected> (Vulnerable code introduced later)
NOTE: https://www.openwall.com/lists/oss-security/2019/09/03/1
@@ -14531,7 +14531,7 @@ CVE-2019-14807 (In the MobileFrontend extension 1.31 through 1.33 for MediaWiki,
NOT-FOR-US: MobileFrontend extension for MediaWiki
CVE-2019-14806 (Pallets Werkzeug before 0.15.3, when used with Docker, has insufficien ...)
- python-werkzeug 0.15.6+dfsg1-1 (low; bug #940935)
- [buster] - python-werkzeug <no-dsa> (Minor issue)
+ [buster] - python-werkzeug 0.14.1+dfsg1-4+deb10u1
[stretch] - python-werkzeug <no-dsa> (Minor issue)
[jessie] - python-werkzeug <not-affected> (Vulnerable code not present)
NOTE: https://github.com/pallets/werkzeug/commit/00bc43b1672e662e5e3b8cecd79e67fc968fa246
@@ -19353,7 +19353,7 @@ CVE-2018-20852 (http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookie
- python3.5 <removed>
- python3.4 <removed>
- python2.7 2.7.16-3
- [buster] - python2.7 <no-dsa> (Minor issue, will be fixed via point release)
+ [buster] - python2.7 2.7.16-2+deb10u1
[stretch] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue35121
NOTE: https://python-security.readthedocs.io/vuln/cookie-domain-check.html
@@ -19627,7 +19627,7 @@ CVE-2019-13465
RESERVED
CVE-2019-13464 (An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) 3.0.2 ...)
- modsecurity-crs 3.2.0-1 (low; bug #943773)
- [buster] - modsecurity-crs <no-dsa> (Minor issue)
+ [buster] - modsecurity-crs 3.1.0-1+deb10u1
[stretch] - modsecurity-crs <no-dsa> (Minor issue)
[jessie] - modsecurity-crs <not-affected> (incorrect rule does not exist)
NOTE: https://github.com/SpiderLabs/owasp-modsecurity-crs/commit/6090d6b0a90417f1a60aa68a01eb777cef2e1184
@@ -20226,7 +20226,7 @@ CVE-2019-13242 (IrfanView 4.52 has a User Mode Write AV starting at image0040000
NOT-FOR-US: IrfanView
CVE-2019-13241 (FlightCrew v0.9.2 and older are vulnerable to a directory traversal, a ...)
- flightcrew 0.7.2+dfsg-14
- [buster] - flightcrew <no-dsa> (Minor issue, can be fixed via point release)
+ [buster] - flightcrew 0.7.2+dfsg-13+deb10u1
[stretch] - flightcrew <no-dsa> (Minor issue, can be fixed via point release)
NOTE: https://github.com/Sigil-Ebook/flightcrew/issues/52
CVE-2019-13240 (An issue was discovered in GLPI before 9.4.1. After a successful passw ...)
@@ -20428,7 +20428,7 @@ CVE-2019-13174
RESERVED
CVE-2019-13173 (fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extra ...)
- node-fstream 1.0.12-1 (bug #931408)
- [buster] - node-fstream <no-dsa> (Minor issue)
+ [buster] - node-fstream 1.0.10-1+deb10u1
[stretch] - node-fstream <ignored> (Nodejs in stretch not covered by security support)
[jessie] - node-fstream <ignored> (Nodejs in jessie not covered by security support)
NOTE: https://www.npmjs.com/advisories/886
@@ -20842,6 +20842,7 @@ CVE-2019-13033
RESERVED
CVE-2019-13032 (An issue was discovered in FlightCrew v0.9.2 and earlier. A NULL point ...)
- flightcrew 0.7.2+dfsg-14 (unimportant; bug #931246)
+ [buster] - flightcrew 0.7.2+dfsg-13+deb10u1
NOTE: https://github.com/Sigil-Ebook/flightcrew/issues/53
NOTE: https://github.com/Sigil-Ebook/flightcrew/commit/c75c100218ed5c0e7652947051e28b54a75212ae
NOTE: https://github.com/Sigil-Ebook/flightcrew/commit/b4f4a70f604ddcb4e8e343aa0e690764fc46d780
@@ -27146,7 +27147,7 @@ CVE-2019-10748 (Sequelize all versions prior to 3.35.1, 4.44.3, and 5.8.11 are v
CVE-2019-10747 (set-value is vulnerable to Prototype Pollution in versions lower than ...)
[experimental] - node-set-value 3.0.1-1
- node-set-value 0.4.0-2 (bug #941189)
- [buster] - node-set-value <no-dsa> (Minor issue, will be fixed via point release)
+ [buster] - node-set-value 0.4.0-1+deb10u1
[stretch] - node-set-value <ignored> (Nodejs in stretch not covered by security support)
NOTE: https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
CVE-2019-10746 (mixin-deep is vulnerable to Prototype Pollution in versions before 1.3 ...)
@@ -28725,7 +28726,7 @@ CVE-2019-10160 (A security regression of CVE-2019-9636 was discovered in python
- python3.5 <not-affected> (Incomplete fix for CVE-2019-9636 not applied)
- python3.4 <not-affected> (Incomplete fix for CVE-2019-9636 not applied)
- python2.7 2.7.16-3
- [buster] - python2.7 <no-dsa> (Minor issue, will be fixed via point release)
+ [buster] - python2.7 2.7.16-2+deb10u1
[stretch] - python2.7 <not-affected> (Incomplete fix for CVE-2019-9636 not applied)
[jessie] - python2.7 <not-affected> (Incomplete fix for CVE-2019-9636 not applied)
NOTE: Introduced by: https://github.com/python/cpython/commit/d537ab0ff9767ef024f26246899728f0116b1ec3 (v3.8.0a4)
@@ -29385,7 +29386,7 @@ CVE-2019-9947 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 a
- python3.5 <removed>
- python3.4 <removed>
- python2.7 2.7.16-3
- [buster] - python2.7 <no-dsa> (Minor issue, will be fixed via point release)
+ [buster] - python2.7 2.7.16-2+deb10u1
[stretch] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue35906
NOTE: Introduced by: https://github.com/python/cpython/commit/cc54c1c0d2d05fe7404ba64c53df4b1352ed2262
@@ -30925,7 +30926,7 @@ CVE-2019-9740 (An issue was discovered in urllib2 in Python 2.x through 2.7.16 a
- python3.5 <removed>
- python3.4 <removed>
- python2.7 2.7.16-3
- [buster] - python2.7 <no-dsa> (Minor issue, will be fixed via point release)
+ [buster] - python2.7 2.7.16-2+deb10u1
[stretch] - python2.7 <no-dsa> (Minor issue)
NOTE: https://bugs.python.org/issue36276
NOTE: https://bugs.python.org/issue30458
@@ -31141,6 +31142,7 @@ CVE-2019-9657 (Alarm.com ADC-V522IR 0100b9 devices have Incorrect Access Control
NOT-FOR-US: Alarm.com ADC-V522IR 0100b9 devices
CVE-2019-9656 (An issue was discovered in LibOFX 0.9.14. There is a NULL pointer dere ...)
- libofx 1:0.9.15-1 (unimportant; bug #924350)
+ [buster] - libofx 1:0.9.14-1+deb10u1
NOTE: https://github.com/libofx/libofx/issues/22
NOTE: Negligible security impact
CVE-2019-9655
@@ -42311,7 +42313,7 @@ CVE-2019-5449 (A missing check in the Nextcloud Server prior to version 15.0.1 c
- nextcloud <itp> (bug #835086)
CVE-2019-5448 (Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive Da ...)
- node-yarnpkg 1.13.0-3 (bug #941354)
- [buster] - node-yarnpkg <no-dsa> (Minor issue, can be fixed via point release)
+ [buster] - node-yarnpkg 1.13.0-1+deb10u1
NOTE: https://hackerone.com/reports/640904
NOTE: https://github.com/ChALkeR/notes/blob/master/Yarn-vuln.md
NOTE: https://github.com/yarnpkg/yarn/pull/7393
@@ -46503,13 +46505,13 @@ CVE-2019-3575 (Sqla_yaml_fixtures 0.9.1 allows local users to execute arbitrary
NOT-FOR-US: Sqla_yaml_fixtures
CVE-2019-3574 (In libsixel v1.8.2, there is a heap-based buffer over-read in the func ...)
- libsixel 1.8.2-2 (low; bug #922460)
- [buster] - libsixel <no-dsa> (Minor issue)
+ [buster] - libsixel 1.8.2-1+deb10u1
[stretch] - libsixel <no-dsa> (Minor issue)
[jessie] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/83
CVE-2019-3573 (In libsixel v1.8.2, there is an infinite loop in the function sixel_de ...)
- libsixel 1.8.2-2 (low; bug #922460)
- [buster] - libsixel <no-dsa> (Minor issue)
+ [buster] - libsixel 1.8.2-1+deb10u1
[stretch] - libsixel <no-dsa> (Minor issue)
[jessie] - libsixel <postponed> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/83
@@ -53725,21 +53727,21 @@ CVE-2018-19764
REJECTED
CVE-2018-19763 (There is a heap-based buffer over-read at writer.c (function: write_pn ...)
- libsixel 1.8.2-2 (bug #931311)
- [buster] - libsixel <no-dsa> (Minor issue)
+ [buster] - libsixel 1.8.2-1+deb10u1
[stretch] - libsixel <no-dsa> (Minor issue)
[jessie] - libsixel <not-affected> (The vulnerable code is not present)
NOTE: https://github.com/saitoha/libsixel/issues/82
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649201 (reproducer)
CVE-2018-19762 (There is a heap-based buffer overflow at fromsixel.c (function: image_ ...)
- libsixel 1.8.2-2 (bug #931311)
- [buster] - libsixel <no-dsa> (Minor issue)
+ [buster] - libsixel 1.8.2-1+deb10u1
[stretch] - libsixel <no-dsa> (Minor issue)
[jessie] - libsixel <not-affected> (The vulnerable code is not present)
NOTE: https://github.com/saitoha/libsixel/issues/81
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649199 (reproducer)
CVE-2018-19761 (There is an illegal address access at fromsixel.c (function: sixel_dec ...)
- libsixel 1.8.2-2 (bug #931311)
- [buster] - libsixel <no-dsa> (Minor issue)
+ [buster] - libsixel 1.8.2-1+deb10u1
[stretch] - libsixel <no-dsa> (Minor issue)
[jessie] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/78
@@ -53753,7 +53755,7 @@ CVE-2018-19760 (cfg_init in confuse.c in libConfuse 3.2.2 has a memory leak. ...
NOTE: not in the library; Negligible security impact in itself and disputed.
CVE-2018-19759 (There is a heap-based buffer over-read at stb_image_write.h (function: ...)
- libsixel 1.8.2-2 (bug #931311)
- [buster] - libsixel <no-dsa> (Minor issue)
+ [buster] - libsixel 1.8.2-1+deb10u1
[stretch] - libsixel <no-dsa> (Minor issue)
[jessie] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/77
@@ -53768,14 +53770,14 @@ CVE-2018-19758 (There is a heap-based buffer over-read at wav.c in wav_write_hea
NOTE: when fixing this issue, the fix needs to be made complete to not open CVE-2019-3832
CVE-2018-19757 (There is a NULL pointer dereference at function sixel_helper_set_addit ...)
- libsixel 1.8.2-2 (bug #931311)
- [buster] - libsixel <no-dsa> (Minor issue)
+ [buster] - libsixel 1.8.2-1+deb10u1
[stretch] - libsixel <no-dsa> (Minor issue)
[jessie] - libsixel <no-dsa> (Minor issue)
NOTE: https://github.com/saitoha/libsixel/issues/79
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1649197 (reproducer)
CVE-2018-19756 (There is a heap-based buffer over-read at stb_image.h (function: stbi_ ...)
- libsixel 1.8.2-2 (bug #931311)
- [buster] - libsixel <no-dsa> (Minor issue)
+ [buster] - libsixel 1.8.2-1+deb10u1
[stretch] - libsixel <no-dsa> (Minor issue)
[jessie] - libsixel <not-affected> (The vulnerable code is not present)
NOTE: https://github.com/saitoha/libsixel/issues/80
=====================================
data/next-point-update.txt
=====================================
@@ -1,57 +1,3 @@
-CVE-2019-13173
- [buster] - node-fstream 1.0.10-1+deb10u1
-CVE-2019-13241
- [buster] - flightcrew 0.7.2+dfsg-13+deb10u1
-CVE-2019-13032
- [buster] - flightcrew 0.7.2+dfsg-13+deb10u1
-CVE-2018-19756
- [buster] - libsixel 1.8.2-1+deb10u1
-CVE-2018-19757
- [buster] - libsixel 1.8.2-1+deb10u1
-CVE-2018-19759
- [buster] - libsixel 1.8.2-1+deb10u1
-CVE-2018-19761
- [buster] - libsixel 1.8.2-1+deb10u1
-CVE-2018-19762
- [buster] - libsixel 1.8.2-1+deb10u1
-CVE-2018-19763
- [buster] - libsixel 1.8.2-1+deb10u1
-CVE-2019-3573
- [buster] - libsixel 1.8.2-1+deb10u1
-CVE-2019-3574
- [buster] - libsixel 1.8.2-1+deb10u1
-CVE-2019-10747
- [buster] - node-set-value 0.4.0-1+deb10u1
-CVE-2019-5448
- [buster] - node-yarnpkg 1.13.0-1+deb10u1
-CVE-2018-20852
- [buster] - python2.7 2.7.16-2+deb10u1
-CVE-2019-10160
- [buster] - python2.7 2.7.16-2+deb10u1
-CVE-2019-16056
- [buster] - python2.7 2.7.16-2+deb10u1
-CVE-2019-16935
- [buster] - python2.7 2.7.16-2+deb10u1
-CVE-2019-9740
- [buster] - python2.7 2.7.16-2+deb10u1
-CVE-2019-9947
- [buster] - python2.7 2.7.16-2+deb10u1
-CVE-2017-18638
- [buster] - graphite-web 1.1.4-3+deb10u1
-CVE-2019-15718
- [buster] - systemd 241-7~deb10u2
-CVE-2019-14806
- [buster] - python-werkzeug 0.14.1+dfsg1-4+deb10u1
-CVE-2019-9656
- [buster] - libofx 1:0.9.14-1+deb10u1
-CVE-2019-17594
- [buster] - ncurses 6.1+20181013-2+deb10u2
-CVE-2019-17595
- [buster] - ncurses 6.1+20181013-2+deb10u2
-CVE-2019-18197
- [buster] - libxslt 1.1.32-2.2~deb10u1
-CVE-2019-13464
- [buster] - modsecurity-crs 3.1.0-1+deb10u1
CVE-2019-14267
[buster] - pdfresurrect 0.15-2+deb10u1
CVE-2019-1020014
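Review bot: the reason the two remaining entries (CVE-2019-14267 / pdfresurrect 0.15-2+deb10u1 and CVE-2019-1020014) stay in this file, per the commit message either not yet acked or not yet uploaded to buster-pu, is recorded only in the commit message; a short note beside each kept entry would make that state visible to whoever next checks this file against the 10.2 changelog. Cross-check of the 27 removed entries against the data/CVE/list hunks above: every one has a matching `[buster]` fixed-version line with the same version string, so the two files stay consistent.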
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c95e670f83c01675db2acc3a136b3109b8a7b6c6