[Git][security-tracker-team/security-tracker][master] buster/stretch triage
Moritz Muehlenhoff
jmm at debian.org
Tue Apr 28 20:36:14 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
44d451f2 by Moritz Muehlenhoff at 2020-04-28T21:35:53+02:00
buster/stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -5009,6 +5009,7 @@ CVE-2020-10704
CVE-2020-10703 [Potential denial of service via active pool without target path]
RESERVED
- libvirt 6.0.0-2
+ [buster] - libvirt <no-dsa> (Minor issue)
[stretch] - libvirt <not-affected> (Vulnerable code introduced later)
[jessie] - libvirt <not-affected> (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1790725
@@ -5126,6 +5127,7 @@ CVE-2020-10676
RESERVED
CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows attacker ...)
- golang-github-buger-jsonparser 0.0~git20200322.0.f7e751e-1 (bug #954373)
+ [buster] - golang-github-buger-jsonparser <no-dsa> (Minor issue)
NOTE: https://github.com/buger/jsonparser/issues/188
NOTE: https://github.com/buger/jsonparser/commit/91ac96899e492584984ded0c8f9a08f10b473717
CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
@@ -5158,6 +5160,8 @@ CVE-2020-10666
RESERVED
CVE-2020-10674 (PerlSpeak through 2.01 allows attackers to execute arbitrary OS comman ...)
- libperlspeak-perl <removed> (bug #954238)
+ [buster] - libperlspeak-perl <ignored> (Will be removed in next point release)
+ [stretch] - libperlspeak-perl <ignored> (Will be removed in next point release)
[jessie] - libperlspeak-perl <end-of-life> (Not supported in jessie LTS)
NOTE: https://rt.cpan.org/Public/Bug/Display.html?id=132173
CVE-2020-10665 (Docker Desktop allows local privilege escalation to NT AUTHORITY\SYSTE ...)
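Review bot: the new `[buster]`/`[stretch] - libperlspeak-perl <ignored> (Will be removed in next point release)` lines park an OS command execution issue in <ignored> state on the strength of a pending removal (bug #954238 in unstable); until that point release actually ships, stable users still have the package installed, so it is worth keeping the removal request for stable/oldstable tracked alongside and revisiting these lines if the removal slips. The jessie <end-of-life> line is consistent with the rest of the entry.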
@@ -5170,7 +5174,9 @@ CVE-2020-10663 [Unsafe Object Creation Vulnerability in JSON (Additional fix to
- ruby-json 2.3.0+dfsg-1
- ruby2.7 <not-affected> (Fixed before initial upload to Debian)
- ruby2.5 <unfixed>
+ [buster] - ruby2.5 <no-dsa> (Minor issue)
- ruby2.3 <removed>
+ [stretch] - ruby2.3 <no-dsa> (Minor issue)
- ruby2.1 <removed>
NOTE: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
NOTE: https://hackerone.com/reports/706934
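Review bot: the `- ruby2.5 <unfixed>` line that the new `[buster] - ruby2.5 <no-dsa> (Minor issue)` entry hangs off carries no bug reference, unlike the other unfixed entries in this patch (e.g. `(bug #950761)` for ipmitool); recording the bug for the embedded JSON copy in ruby2.5 would make the no-dsa follow-up easier to find. Also note the entry now tracks the fix in three places (ruby-json, ruby2.5, ruby2.3), so the "Minor issue" rationale should apply to the bundled copies as well as the standalone gem.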
@@ -5818,6 +5824,7 @@ CVE-2020-10381 (An issue was discovered in the MB CONNECT LINE mymbCONNECT24 and
NOT-FOR-US: MB CONNECT LINE mymbCONNECT24 and mbCONNECT24 software
CVE-2020-10380 (RMySQL through 0.10.19 allows SQL Injection. ...)
- rmysql 0.10.20-1
+ [buster] - rmysql <no-dsa> (Minor issue)
[jessie] - rmysql <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/r-dbi/RMySQL/commit/c2467c466684b4733a7b0df4689987e1f9dcfc32
NOTE: Test: https://github.com/r-dbi/RMySQL/commit/6137ce887c1e36b278f11656a9a9fc1cae6a5f40
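Review bot: this hunk triages buster (`[buster] - rmysql <no-dsa> (Minor issue)`) and jessie already has a `<no-dsa>` line, but there is no `[stretch]` entry at all for a SQL injection issue affecting RMySQL through 0.10.19. If stretch ships rmysql, add a `[stretch]` line (<no-dsa> with the same rationale, or <not-affected> with a reason) so the suite coverage is complete, as it is for ipmitool and yubikey-val elsewhere in this patch.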
@@ -6258,11 +6265,15 @@ CVE-2020-10186
CVE-2020-10185 (The sync endpoint in YubiKey Validation Server before 2.40 allows remo ...)
{DLA-2141-1}
- yubikey-val <removed>
+ [buster] - yubikey-val <no-dsa> (Minor issue)
+ [stretch] - yubikey-val <no-dsa> (Minor issue)
NOTE: https://www.yubico.com/support/security-advisories/ysa-2020-01/
NOTE: https://github.com/Yubico/yubikey-val/commit/d0e4db3245deb5ce0c8d7d26069c78071a140286
CVE-2020-10184 (The verify endpoint in YubiKey Validation Server before 2.40 does not ...)
{DLA-2141-1}
- yubikey-val <removed>
+ [buster] - yubikey-val <no-dsa> (Minor issue)
+ [stretch] - yubikey-val <no-dsa> (Minor issue)
NOTE: https://www.yubico.com/support/security-advisories/ysa-2020-01/
NOTE: https://github.com/Yubico/yubikey-val/commit/d0e4db3245deb5ce0c8d7d26069c78071a140286
CVE-2020-10183
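Review bot: CVE-2020-10185 and CVE-2020-10184 share the same upstream commit (d0e4db3245deb5ce0c8d7d26069c78071a140286) and the same triage, which is consistent. Since yubikey-val is `<removed>` from unstable, a fix will never reach buster or stretch through a normal upload; as jessie already has a fix via DLA-2141-1, that backport could be offered for a buster/stretch point release even with the issues marked <no-dsa>.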
@@ -11395,6 +11406,7 @@ CVE-2020-7956 (HashiCorp Nomad and Nomad Enterprise up to 0.10.2 incorrectly val
NOTE: https://github.com/hashicorp/nomad/issues/7003
CVE-2020-7955 (HashiCorp Consul and Consul Enterprise 1.4.1 through 1.6.2 did not uni ...)
- consul 1.7.0+dfsg1-1 (bug #950736)
+ [buster] - consul <no-dsa> (Minor issue)
NOTE: https://github.com/hashicorp/consul/issues/7160
NOTE: Fixed in 1.6.3.
CVE-2020-7954 (An issue was discovered in OpServices OpMon 9.3.2. Starting from the a ...)
@@ -13063,6 +13075,7 @@ CVE-2020-7220 (HashiCorp Vault Enterprise 0.11.0 through 1.3.1 fails, in certain
NOT-FOR-US: HashiCorp Vault
CVE-2020-7219 (HashiCorp Consul and Consul Enterprise up to 1.6.2 HTTP/RPC services a ...)
- consul 1.7.0+dfsg1-1 (bug #950736)
+ [buster] - consul <no-dsa> (Minor issue)
NOTE: https://github.com/hashicorp/consul/issues/7159
NOTE: Fixed in 1.6.3.
CVE-2020-7218 (HashiCorp Nomad and Nomad Enterprise before 0.10.3 allow unbounded res ...)
@@ -17822,6 +17835,8 @@ CVE-2020-5209 (In NetHack before 3.6.5, unknown options starting with -de and -i
CVE-2020-5208 (It's been found that multiple functions in ipmitool before 1.8.19 negl ...)
{DLA-2098-1}
- ipmitool <unfixed> (bug #950761)
+ [buster] - ipmitool <no-dsa> (Minor issue)
+ [stretch] - ipmitool <no-dsa> (Minor issue)
NOTE: https://github.com/ipmitool/ipmitool/security/advisories/GHSA-g659-9qxw-p7cp
NOTE: https://github.com/ipmitool/ipmitool/commit/e824c23316ae50beb7f7488f2055ac65e8b341f2
NOTE: https://github.com/ipmitool/ipmitool/commit/840fb1cbb4fb365cb9797300e3374d4faefcdb10
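Review bot: with this hunk the only suite carrying an actual fix is jessie (DLA-2098-1), since unstable is still `<unfixed>` (bug #950761) and buster/stretch are now `<no-dsa>`. The two upstream commits are already referenced in the NOTE lines, so the unstable fix should be pushed to the maintainer and the same patches queued for a buster/stretch point release; <no-dsa> records the severity decision but does not close the issue for stable users.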
@@ -84240,6 +84255,7 @@ CVE-2018-19654 (An issue was discovered in Sales & Company Management System
NOT-FOR-US: Sales & Company Management System (SCMS)
CVE-2018-19653 (HashiCorp Consul 0.5.1 through 1.4.0 can use cleartext agent-to-agent ...)
- consul 1.4.4~dfsg1-1
+ [buster] - consul <no-dsa> (Minor issue)
NOTE: https://github.com/hashicorp/consul/pull/5069
CVE-2018-19652
RESERVED
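Review bot: only buster is triaged here (`[buster] - consul <no-dsa> (Minor issue)`), yet the description states the affected range as Consul 0.5.1 through 1.4.0 and the fix lands in 1.4.4~dfsg1-1, so any consul version in stretch would fall inside that range. Add a `[stretch]` line (no-dsa, not-affected, or end-of-life with a reason) so stretch is not left untriaged for a cleartext agent-to-agent issue; the same check applies to the two CVE-2020-72xx consul hunks above.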
=====================================
data/dsa-needed.txt
=====================================
@@ -37,6 +37,8 @@ squid/stable
--
squid3/oldstable
--
+teeworlds/stable
+--
tiff/oldstable (carnil)
Maintainer prepared an update
--
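Review bot: the new `teeworlds/stable` entry has no assignee or note, unlike the `tiff/oldstable (carnil)` entry below it with its "Maintainer prepared an update" status; that is fine for an unclaimed item, but a one-line hint naming the CVE ids the DSA is meant to cover would let whoever picks it up find the tracker entries directly.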
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44d451f2bac8802f930da2c2f602b0cafae52a01