[Git][security-tracker-team/security-tracker][master] buster/stretch triage
Moritz Muehlenhoff
jmm at debian.org
Fri Sep 13 22:36:37 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d18a0848 by Moritz Muehlenhoff at 2019-09-13T21:36:17Z
buster/stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1107,7 +1107,10 @@ CVE-2019-15891
RESERVED
CVE-2019-15890 (libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reas ...)
- slirp4netns <unfixed> (bug #939868)
+ [buster] - slirp4netns <no-dsa> (Minor issue)
- qemu <unfixed> (bug #939869)
+ [buster] - qemu <postponed> (Minor issue, can be fixed along in future update)
+ [stretch] - qemu <postponed> (Minor issue, can be fixed along in future update)
- qemu-kvm <removed>
NOTE: https://www.openwall.com/lists/oss-security/2019/09/06/3
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/c59279437eda91841b9d26079c70b8a540d41204
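Review bot: the buster slirp4netns line uses <no-dsa> while the buster and stretch qemu lines use <postponed>, all with the same "Minor issue" reasoning; if the distinction is intentional (qemu fix to be folded into the next stable update, no update planned for slirp4netns) it is worth saying so in the justification, otherwise align the tags. The free-form text "can be fixed along in future update" should read "can be fixed along with a future update", and pointing the qemu entries at the libslirp fix commit already given in the NOTE line would make it easier to pick up when that update is prepared.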
@@ -3283,6 +3286,8 @@ CVE-2019-15133 (In GIFLIB before 2019-02-16, a malformed GIF file triggers a div
NOTE: https://sourceforge.net/p/giflib/bugs/119/
CVE-2019-15132 (Zabbix through 4.4.0alpha1 allows User Enumeration. With login request ...)
- zabbix <unfixed> (bug #935027)
+ [buster] - zabbix <no-dsa> (Minor issue)
+ [stretch] - zabbix <no-dsa> (Minor issue)
[jessie] - zabbix <postponed> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-16532
CVE-2019-15131
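Review bot: the new [buster] and [stretch] lines are tagged <no-dsa> (Minor issue) while the existing [jessie] line for the same CVE stays <postponed> with the identical "Minor issue" justification; if the assessment is now that no update is warranted for any release, the jessie tag should be brought in line, otherwise note why jessie differs. The unstable line keeps bug #935027 as the tracking reference, which is fine.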
@@ -4704,6 +4709,8 @@ CVE-2019-14665 (Brandy 1.20.1 has a heap-based buffer overflow in define_array i
NOTE: Negligible security impact
CVE-2019-14664 (In Enigmail below 2.1, an attacker in possession of PGP encrypted emai ...)
- enigmail <unfixed>
+ [buster] - enigmail <ignored> (Minor issue and too intrusive to backport)
+ [stretch] - enigmail <ignored> (Minor issue and too intrusive to backport)
[jessie] - enigmail <end-of-life> (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html)
NOTE: https://sourceforge.net/p/enigmail/bugs/984/
CVE-2019-14663 (Brandy 1.20.1 has a stack-based buffer overflow in fileio_openin in fi ...)
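Review bot: the unstable line `- enigmail <unfixed>` carries no bug reference, unlike the other entries touched in this commit that use `(bug #NNNNNN)`; since buster and stretch are now <ignored> as "too intrusive to backport", the unstable fix (upstream states 2.1 as the fixed version) is the only remaining path, so it should have a Debian bug attached so it does not get lost.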
@@ -16567,6 +16574,8 @@ CVE-2019-10752
RESERVED
CVE-2019-10751 (All versions of the HTTPie package prior to version 1.0.3 are vulnerab ...)
- httpie <unfixed> (bug #940058)
+ [buster] - httpie <no-dsa> (Minor issue)
+ [stretch] - httpie <no-dsa> (Minor issue)
NOTE: https://snyk.io/vuln/SNYK-PYTHON-HTTPIE-460107
NOTE: https://github.com/jakubroztocil/httpie/commit/df36d6255df5793129b02ac82f1010171bd8a0a8
CVE-2019-10750 (deeply is vulnerable to Prototype Pollution in versions before 3.1.0. ...)
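Review bot: both [buster] and [stretch] are tagged <no-dsa> (Minor issue); the description says all versions prior to 1.0.3 are affected, so before leaving these tags it is worth confirming that the httpie source versions shipped in buster and stretch are indeed below 1.0.3, otherwise <not-affected> would be the correct tag. The upstream fix commit is already recorded in the NOTE line, which is helpful for a later point-release fix.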
=====================================
data/dsa-needed.txt
=====================================
@@ -18,10 +18,16 @@ If needed, specify the release by adding a slash after the name of the source pa
apache2
Possible regression: #936034, sf will look into it
--
+bird/stable
+--
chromium
--
+curl (ghedo)
+--
evince/oldstable
--
+expat
+--
freeimage
--
glusterfs/oldstable
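Review bot: `bird/stable` carries a release suffix but the new `curl (ghedo)` and `expat` entries do not; per the file's own header ("specify the release by adding a slash after the name of the source package") that is only correct if curl and expat need DSAs for every supported release, so confirm that or add the suffix. The new entries also have no note line between them and the `--` separator (compare the apache2 entry above), so listing the CVE ids each DSA is meant to cover would help whoever picks them up.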
@@ -43,6 +49,10 @@ nodejs
nss/oldstable (jmm)
Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508
--
+openssl1.0/oldstable
+--
+openssl
+--
poppler (jmm)
--
python2.7 (jmm)
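Review bot: `openssl1.0/oldstable` is scoped to oldstable while the `openssl` entry that follows has no suffix; if openssl is only needed for stable (with openssl1.0 covering oldstable), adding `/stable` would make the split explicit. Neither entry names an owner in parentheses as `nss/oldstable (jmm)` and `poppler (jmm)` do, so consider claiming them to avoid duplicated work.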
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d18a08481fd170f65dbd17c09ab8ddf3d85fa4bc