[Git][security-tracker-team/security-tracker][master] buster/stretch triage

Moritz Muehlenhoff jmm at debian.org
Wed Oct 30 19:31:52 GMT 2019



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
35bde860 by Moritz Muehlenhoff at 2019-10-30T19:31:26Z
buster/stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -5028,6 +5028,7 @@ CVE-2019-16935 (The documentation XML-RPC server in Python through 2.7.16, 3.x t
 	[jessie] - python3.4 <ignored> (Minor Issue, XSS in an unlikely use-case)
 	- python2.7 <unfixed>
 	[buster] - python2.7 <no-dsa> (Minor issue, will be fixed via point release)
+	[stretch] - python2.7 <no-dsa> (Minor issue)
 	[jessie] - python2.7 <ignored> (Minor Issue, XSS in an unlikely use-case)
 	- jython <unfixed>
 	[jessie] - jython <ignored> (Minor Issue, XSS in an unlikely use-case)
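Review bot: the new `[stretch] - python2.7 <no-dsa> (Minor issue)` line drops the "will be fixed via point release" part that the adjacent buster line carries; if a stretch point-release fix is also planned, state it the same way so the two suite entries read consistently, and if it is not planned, the differing wording should be deliberate rather than accidental.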
@@ -5096,6 +5097,8 @@ CVE-2019-16911
 	RESERVED
 CVE-2019-16910 (Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when dete ...)
 	- mbedtls 2.16.3-1 (bug #941265)
+	[buster] - mbedtls <no-dsa> (Minor issue)
+	[stretch] - mbedtls <no-dsa> (Minor issue)
 	- polarssl <removed>
 	NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10
 	NOTE: https://github.com/ARMmbed/mbedtls/commit/298a43a77ec0ed2c19a8c924ddd8571ef3e65dfd (2.7.12)
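Review bot: the two mbedtls `<no-dsa>` lines give only "Minor issue" as justification, while the NOTE lines below already cite the upstream 2019-10 advisory and the 2.7.12 backport commit; a few words on the rationale (what class of bug the advisory describes, or why a DSA is not warranted for these suites) would make the triage easier to re-check later.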
@@ -5596,6 +5599,7 @@ CVE-2019-16730
 	RESERVED
 CVE-2019-16728 (DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (m ...)
 	- dompurify.js <removed>
+	[stretch] - dompurify.js <ignored> (Minor issue)
 	NOTE: https://research.securitum.com/dompurify-bypass-using-mxss/
 CVE-2019-16746 (An issue was discovered in net/wireless/nl80211.c in the Linux kernel  ...)
 	- linux 5.3.7-1
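Review bot: the stretch dompurify.js line uses `<ignored>` where every other stretch entry in this change uses `<no-dsa>`, yet the reason is still just "Minor issue"; `<ignored>` means no fix will come, so the reason should say why (the jessie entries in this commit give reasons such as "XSS in an unlikely use-case"). Since the package is `<removed>` from unstable, a short note to that effect would also explain why nothing newer will be backported.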
@@ -7496,6 +7500,7 @@ CVE-2019-16056 (An issue was discovered in Python through 2.7.16, 3.x through 3.
 	- python3.4 <removed>
 	- python2.7 2.7.17~rc1-1 (bug #940901)
 	[buster] - python2.7 <no-dsa> (Minor issue, will be fixed via point release)
+	[stretch] - python2.7 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue34155
 	NOTE: https://github.com/python/cpython/commit/8cb65d1381b027f0b09ee36bfed7f35bb4dec9a9 (master)
 	NOTE: https://github.com/python/cpython/commit/217077440a6938a0b428f67cfef6e053c4f8673c (v3.8.0b4)
@@ -11150,6 +11155,8 @@ CVE-2019-14851 [assertion failure by issuing commands in the wrong order]
 CVE-2019-14850 [denial of service due to premature opening of back-end connection]
 	RESERVED
 	- nbdkit 1.14.1-1
+	[buster] - nbdkit <no-dsa> (Minor issue)
+	[stretch] - nbdkit <no-dsa> (Minor issue)
 	[jessie] - nbdkit <ignored> (Minor issue, DoS/amplification for specific configuration, non-trivial backport, low popcon)
 	NOTE: https://www.redhat.com/archives/libguestfs/2019-September/msg00084.html
 	NOTE: 1.15 (development branch):
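Review bot: the buster and stretch nbdkit entries say only "Minor issue", while the jessie line directly below records the actual reasoning (DoS/amplification only for a specific configuration, non-trivial backport, low popcon); if the same assessment applies to the newer suites, carry that justification into the `<no-dsa>` reason rather than leaving it to be inferred from the jessie entry.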
@@ -11222,6 +11229,7 @@ CVE-2019-14827
 	RESERVED
 CVE-2019-14826 (A flaw was found in FreeIPA versions 4.5.0 and later. Session cookies  ...)
 	- freeipa <unfixed> (bug #940913)
+	[buster] - freeipa <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1746944
 	NOTE: Introduced by https://pagure.io/freeipa/c/b895f4a34bcbd0b1787d2bfc1db25f34c3584b9c
 	NOTE: due to fix for https://fedorahosted.org/freeipa/ticket/6682.
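Review bot: only buster gets a triage line for CVE-2019-14826 and stretch is left untouched; since the NOTE says the flaw was introduced by a specific upstream commit, either a `[stretch] - freeipa <not-affected>` line (if stretch's version predates that commit) or a `<no-dsa>` line is needed so the stretch status is not left open in this triage pass.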
@@ -16089,6 +16097,7 @@ CVE-2018-20852 (http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookie
 	- python3.4 <removed>
 	- python2.7 2.7.16-3
 	[buster] - python2.7 <no-dsa> (Minor issue, will be fixed via point release)
+	[stretch] - python2.7 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue35121
 	NOTE: https://python-security.readthedocs.io/vuln/cookie-domain-check.html
 	NOTE: https://github.com/python/cpython/commit/979daae300916adb399ab5b51410b6ebd0888f13 (2.7.x branch)
@@ -16115,6 +16124,8 @@ CVE-2019-13569 (A SQL injection vulnerability exists in the Icegram Email Subscr
 	NOT-FOR-US: Icegram Email Subscribers & Newsletters plugin for WordPress
 CVE-2019-13568 (CImg through 2.6.7 has a heap-based buffer overflow in _load_bmp in CI ...)
 	- cimg <unfixed> (bug #940952)
+	[buster] - cimg <no-dsa> (Minor issue)
+	[stretch] - cimg <no-dsa> (Minor issue)
 	[jessie] - cimg <not-affected> (Vulnerable code added later)
 	NOTE: https://github.com/dtschump/CImg/commit/ac8003393569aba51048c9d67e1491559877b1d1
 CVE-2019-13567 (The Zoom Client before 4.4.53932.0709 on macOS allows remote code exec ...)
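Review bot: jessie is marked `<not-affected> (Vulnerable code added later)` for the _load_bmp overflow, but buster and stretch are given `<no-dsa> (Minor issue)`; make sure the stretch cimg version actually contains the vulnerable code before choosing `<no-dsa>` over `<not-affected>`, and record that check in the reason if it helped decide.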
@@ -26295,6 +26306,7 @@ CVE-2019-1010306 (Slanger 0.6.0 is affected by: Remote Code Execution (RCE). The
 CVE-2019-1010305 (libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: I ...)
 	{DLA-1895-1}
 	- libmspack 0.10.1-1
+	[stretch] - libmspack <no-dsa> (Minor issue)
 	NOTE: https://github.com/kyz/libmspack/commit/2f084136cfe0d05e5bf5703f3e83c6d955234b4d
 	NOTE: https://github.com/kyz/libmspack/issues/27
 CVE-2019-1010304 (Saleor Issue was introduced by merge commit: e1b01bad0703afd08d297ed3f ...)
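Review bot: jessie received an advisory for this libmspack overflow (`{DLA-1895-1}`), so marking stretch `<no-dsa> (Minor issue)` is a different severity assessment for the same bug; a one-line reason explaining why a DSA is not warranted for stretch would avoid the apparent inconsistency. No `[buster]` line is added either, so double-check that the fixed version 0.10.1-1 is what buster ships.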
@@ -27839,6 +27851,7 @@ CVE-2019-9636 (Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by:
 	- python3.5 <removed>
 	- python3.4 <removed>
 	- python2.7 2.7.16-2 (bug #924073)
+	[stretch] - python2.7 <no-dsa> (Minor issue)
 	NOTE: https://bugs.python.org/issue36216
 	NOTE: https://github.com/python/cpython/pull/12201
 	NOTE: https://python-security.readthedocs.io/vuln/urlsplit-nfkc-normalization.html
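Review bot: python3.5 is listed as `<removed>` right above, but only python2.7 receives a `[stretch]` line for CVE-2019-9636; the `<removed>` status only describes unstable, so if stretch still ships python3.5 it needs its own suite entry, otherwise the stretch status for the Python 3 stack stays untriaged.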
@@ -47707,7 +47720,8 @@ CVE-2019-2388
 CVE-2019-2387
 	RESERVED
 CVE-2019-2386 (After user deletion in MongoDB Server the improper invalidation of aut ...)
-	- mongodb <unfixed> (bug #934783)
+	- mongodb <unfixed> (low; bug #934783)
+	[stretch] - mongodb <ignored> (Minor issue)
 	[jessie] - mongodb <ignored> (Trivial workaround available)
 	NOTE: https://jira.mongodb.org/browse/SERVER-38984
 	NOTE: https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0829
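Review bot: the new stretch `<ignored> (Minor issue)` entry is weaker than the jessie line below it, which records the concrete reason ("Trivial workaround available"); if the same workaround applies to stretch, reuse that wording. Unstable is still `<unfixed>` and now rated low, but no `[buster]` line is added, so the buster status for CVE-2019-2386 remains open after this triage.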


=====================================
data/dsa-needed.txt
=====================================
@@ -32,6 +32,8 @@ ibus
 --
 jruby/oldstable
 --
+libarchive
+--
 libidn/oldstable
   santiago proposed debdiffs for jessie and stretch
 --
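Review bot: libarchive is added to dsa-needed.txt without any note of which CVE(s) the DSA is for or who is working on it; neighbouring entries such as libidn/oldstable carry a status line, and a short pointer here would help whoever picks this up.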



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/35bde86030b26f3c84e92898079537f32abfbdb5


