[Git][security-tracker-team/security-tracker][master] buster/stretch triage
Moritz Muehlenhoff
jmm at debian.org
Fri Sep 20 16:32:41 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
66258cf5 by Moritz Muehlenhoff at 2019-09-20T15:32:21Z
buster/stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1026,11 +1026,13 @@ CVE-2019-16167 (sysstat before 12.1.6 has memory corruption due to an Integer Ov
NOTE: Introduced after: https://github.com/sysstat/sysstat/commit/65ac30359e49ee717397e39950d7c24a6610d57c (v11.7.1)
NOTE: Fixed by: https://github.com/sysstat/sysstat/commit/edbf507678bf10914e9804ff8a06737fdcb2e781
CVE-2019-16166 (GNU cflow through 1.6 has a heap-based buffer over-read in the nexttok ...)
- - cflow <unfixed> (bug #939916)
+ - cflow <unfixed> (unimportant; bug #939916)
NOTE: https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00000.html
+ NOTE: Crash in CLI tool, no security impact
CVE-2019-16165 (GNU cflow through 1.6 has a use-after-free in the reference function i ...)
- - cflow <unfixed> (bug #939915)
+ - cflow <unfixed> (unimportant; bug #939915)
NOTE: https://lists.gnu.org/archive/html/bug-cflow/2019-04/msg00001.html
+ NOTE: Crash in CLI tool, no security impact
CVE-2019-16164 (MyHTML through 4.0.5 has a NULL pointer dereference in myhtml_tree_nod ...)
NOT-FOR-US: MyHTML
CVE-2019-16163 (Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of ...)
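Review bot: the downgrade of CVE-2019-16166 and CVE-2019-16165 to "unimportant" is backed by the new NOTE lines, which is good practice; consider stating in the NOTE what makes the crash non-exploitable (a local CLI tool parsing source files the user chooses to analyse, no privilege boundary crossed) rather than only "no security impact", so the rationale survives a later re-triage. The two new NOTE lines are identical, which is fine since both CVEs share the same reasoning.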
@@ -1109,6 +1111,7 @@ CVE-2019-16138 (An issue was discovered in the image crate before 0.21.3 for Rus
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0014.html
CVE-2019-16137 (An issue was discovered in the spin crate before 0.5.2 for Rust, when ...)
- rust-spin 0.5.2-1
+ [buster] - rust-spin <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0013.html
CVE-2019-16136
RESERVED
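Review bot: only a "[buster] - rust-spin <no-dsa> (Minor issue)" line is added for CVE-2019-16137, while other hunks in this commit (pam-p11, asterisk, libcrypto++) add both [buster] and [stretch] lines; if rust-spin is simply not shipped in stretch this is correct, otherwise a matching [stretch] line is needed so the triage state is complete for both releases.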
@@ -1292,6 +1295,8 @@ CVE-2019-16059 (Sentrifugo 3.2 lacks CSRF protection. This could lead to an atta
NOT-FOR-US: Sentrifugo
CVE-2019-16058 (An issue was discovered in the pam_p11 component 0.2.0 and 0.3.0 for O ...)
- pam-p11 <unfixed> (bug #939664)
+ [buster] - pam-p11 <no-dsa> (Minor issue)
+ [stretch] - pam-p11 <no-dsa> (Minor issue)
NOTE: https://github.com/OpenSC/pam_p11/commit/d150b60e1e14c261b113f55681419ad1dfa8a76c
CVE-2019-16057 (The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnera ...)
NOT-FOR-US: D-Link
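Review bot: pam_p11 is a PAM authentication module, so marking CVE-2019-16058 as "Minor issue" for both buster and stretch should be accompanied by a NOTE giving the limiting condition (what an attacker needs, or why the affected code path is not reachable in the default configuration); the only NOTE present is the upstream fix commit, which does not by itself justify the rating.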
@@ -2617,6 +2622,7 @@ CVE-2019-15553 (An issue was discovered in the memoffset crate before 0.5.0 for
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0011.html
CVE-2019-15552 (An issue was discovered in the libflate crate before 0.1.25 for Rust. ...)
- rust-libflate 0.1.25-1
+ [buster] - rust-libflate <no-dsa> (Minor issue)
NOTE: https://github.com/sile/libflate/issues/35
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0010.html
CVE-2019-15551 (An issue was discovered in the smallvec crate before 0.6.10 for Rust. ...)
@@ -3342,8 +3348,9 @@ CVE-2019-15299
CVE-2019-15298
RESERVED
CVE-2019-15297 (res_pjsip_t38 in Sangoma Asterisk 13.21-cert4, 15.7.3, and 16.5.0 allo ...)
- - asterisk <unfixed> (bug #940060)
- [jessie] - asterisk <not-affected> (The vulnerable code is not present)
+ - asterisk <unfixed> (low; bug #940060)
+ [buster] - asterisk <no-dsa> (Minor issue)
+ [stretch] - asterisk <no-dsa> (Minor issue)
NOTE: https://downloads.asterisk.org/pub/security/AST-2019-004.html
NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-28495
CVE-2019-15296 (An issue was discovered in Freeware Advanced Audio Decoder 2 (FAAD2) 2 ...)
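Review bot: this hunk removes the existing "[jessie] - asterisk <not-affected> (The vulnerable code is not present)" line while adding the low/no-dsa entries for buster and stretch. Dropping a not-affected annotation loses information that was already established; unless jessie is intentionally no longer tracked for this package, keep that line alongside the new ones, as the suricata hunk later in this commit does.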
@@ -5706,13 +5713,14 @@ CVE-2019-14513 (Improper bounds checking in Dnsmasq before 2.76 allows an attack
CVE-2019-14512
RESERVED
CVE-2019-14511 (Sphinx Technologies Sphinx 3.1.1 by default has no authentication and ...)
- - sphinxsearch <unfixed> (bug #939762)
+ - sphinxsearch <unfixed> (unimportant; bug #939762)
NOTE: Issue is just with the default configuration, but can be easily reconfigured
NOTE: to listen on localhost only. sphinxsearch will not be started automatically
NOTE: and an admin needs first to create anyway a /etc/sphinxsearch/sphinx.conf
NOTE: starting from a sample.
NOTE: sphinxsearch should ideally update the defaults in sample configs to bind
NOTE: listeners to localhost.
+ NOTE: This is not treated as a vulnerability, subject to design choices for deployment
CVE-2019-14510
RESERVED
CVE-2019-14509
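Review bot: the added NOTE "This is not treated as a vulnerability, subject to design choices for deployment" reads awkwardly and partly repeats the existing NOTE block above it (default configuration, can be reconfigured to localhost, admin must create sphinx.conf). A shorter wording such as "Not treated as a vulnerability: the listen address is a deployment choice made by the admin when writing sphinx.conf" would carry the same point more clearly.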
@@ -6666,6 +6674,7 @@ CVE-2018-20862 (cPanel before 76.0.8 unsafely performs PostgreSQL password chang
NOT-FOR-US: cPanel
CVE-2018-20861 (libopenmpt before 0.3.11 allows a crash with certain malformed custom ...)
- libopenmpt 0.3.11-1
+ [stretch] - libopenmpt <no-dsa> (Minor issue)
NOTE: https://lib.openmpt.org/libopenmpt/2018/07/28/security-updates-0.3.11-0.2.10635-beta34-0.2.7561-beta20.5-p10-0.2.7386-beta20.3-p13/
NOTE: https://source.openmpt.org/browse/openmpt/trunk/?op=revision&rev=10615 (0.3.11)
NOTE: https://source.openmpt.org/browse/openmpt/trunk/?op=revision&rev=10616 (0.2.10635-beta34)
@@ -6807,6 +6816,8 @@ CVE-2019-14319 (The TikTok (formerly Musical.ly) application 12.2.0 for Android
CVE-2019-14318 (Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA sig ...)
[experimental] - libcrypto++ 8.2.0-2
- libcrypto++ 5.6.4-9 (low; bug #934326)
+ [buster] - libcrypto++ <no-dsa> (Minor issue)
+ [stretch] - libcrypto++ <no-dsa> (Minor issue)
NOTE: https://github.com/weidai11/cryptopp/issues/869
CVE-2019-14317
RESERVED
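Review bot: the entry's own description names a timing side channel in ECDSA signing, a class of issue that can leak private-key material, so a "Minor issue" no-dsa decision for buster and stretch deserves a NOTE stating the limiting factor (for example, that exploitation requires a local co-resident attacker); the only NOTE is the upstream issue link, so the rationale for the rating is not recorded in the tracker.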
@@ -13361,7 +13372,9 @@ CVE-2019-12177 (Privilege escalation due to insecure directory permissions affec
CVE-2019-12176 (Privilege escalation in the "HTC Account Service" and "ViveportDesktop ...)
NOT-FOR-US: HTC VIVEPORT
CVE-2019-12175 (In Zeek Network Security Monitor (formerly known as Bro) before 2.6.2, ...)
- - bro 2.6.4+ds1-1
+ - bro 2.6.4+ds1-1 (low)
+ [buster] - bro <no-dsa> (Minor issue)
+ [stretch] - bro <no-dsa> (Minor issue)
CVE-2019-12174 (hide.me before 2.4.4 on macOS suffers from a privilege escalation vuln ...)
NOT-FOR-US: hide.me
CVE-2019-12173 (MacDown 0.7.1 (870) allows remote code execution via a file:\\\ URI, w ...)
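Review bot: the bro entry for CVE-2019-12175 gains a "(low)" severity and no-dsa lines for buster and stretch but, unlike nearly every other entry touched in this commit, carries no NOTE with an upstream reference or a reason for the rating; add a NOTE pointing at the upstream fix or advisory so the low/no-dsa decision can be verified later.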
@@ -19013,6 +19026,7 @@ CVE-2019-10094 (A carefully crafted package/compressed file that, when unzipped/
NOTE: https://github.com/apache/tika/commit/c4e63c9be8665cccea8b680c59a6f5cfbc03e0fc
CVE-2019-10093 (In Apache Tika 1.19 to 1.21, a carefully crafted 2003ml or 2006ml file ...)
- tika 1.22-1 (bug #933745)
+ [buster] - tika <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2019/08/02/3
NOTE: https://github.com/apache/tika/commit/81c21ab0aac6b3e4102a1a8906c8c7eab6f96dae
CVE-2019-10092 [Limited cross-site scripting in mod_proxy]
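Review bot: CVE-2019-10093 gets a [buster] no-dsa line only; the CVE-2019-10088 tika entry a few lines further down already has a [jessie] not-affected annotation, which suggests older tika versions were tracked, so confirm whether stretch also needs a [stretch] line here for a complete triage state.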
@@ -19033,6 +19047,7 @@ CVE-2019-10089
- jspwiki <removed>
CVE-2019-10088 (A carefully crafted or corrupt zip file can cause an OOM in Apache Tik ...)
- tika 1.22-1 (bug #933744)
+ [buster] - tika <no-dsa> (Minor issue)
[jessie] - tika <not-affected> (Vulnerable feature introduced in 1.7)
NOTE: https://www.openwall.com/lists/oss-security/2019/08/02/2
NOTE: https://github.com/apache/tika/commit/426be73b9e7500fa3d441231fa4e473de34743f6
@@ -19161,11 +19176,15 @@ CVE-2019-10053 (An issue was discovered in Suricata 4.1.x before 4.1.4. If the i
NOTE: https://github.com/OISF/suricata/commit/51790d3824bc381e24aaeef20338dd6b8bd4e453
CVE-2019-10052 (An issue was discovered in Suricata 4.1.3. If the network packet does ...)
- suricata 1:4.1.4-1
+ [buster] - suricata <no-dsa> (Minor issue)
+ [stretch] - suricata <no-dsa> (Minor issue)
[jessie] - suricata <not-affected> (Vulnerable code not present)
NOTE: https://redmine.openinfosecfoundation.org/issues/2902
NOTE: https://redmine.openinfosecfoundation.org/issues/2947
CVE-2019-10051 (An issue was discovered in Suricata 4.1.3. If the function filetracker ...)
- suricata 1:4.1.4-1
+ [buster] - suricata <no-dsa> (Minor issue)
+ [stretch] - suricata <no-dsa> (Minor issue)
[jessie] - suricata <not-affected> (Vulnerable code not present)
NOTE: https://github.com/OISF/suricata/pull/3734
NOTE: https://redmine.openinfosecfoundation.org/issues/2896
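Review bot: both suricata entries (CVE-2019-10052 and CVE-2019-10051) add buster and stretch no-dsa lines while keeping the existing "[jessie] - suricata <not-affected>" annotations, which is the right pattern; no change needed beyond noting that the asterisk hunk earlier in this commit drops its jessie line instead and should be aligned with this one.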
=====================================
data/dsa-needed.txt
=====================================
@@ -50,10 +50,14 @@ nodejs
nss/oldstable (jmm)
Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508
--
+openjpeg2
+--
openssl1.0/oldstable
--
openssl
--
+php7.0/oldstable (jmm)
+--
poppler (jmm)
--
python2.7 (jmm)
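Review bot: openjpeg2 is added to dsa-needed without an assignee in parentheses, whereas the other entries added in this commit (php7.0/oldstable, slurm-llnl) carry "(jmm)"; if the entry is deliberately left unclaimed that is fine, otherwise add the owner so it is clear who is preparing the update.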
@@ -62,6 +66,8 @@ python3.5 (jmm)
--
simplesamlphp/oldstable
--
+slurm-llnl (jmm)
+--
smarty3/oldstable
--
spip
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/66258cf5d79509f6524df632fb9d4a2213c0be3c