[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff
jmm at debian.org
Wed Dec 9 17:10:31 GMT 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c932c2dd by Moritz Muehlenhoff at 2020-12-09T18:10:10+01:00
bullseye triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -58898,31 +58898,38 @@ CVE-2020-6624 (jhead through 3.04 has a heap-based buffer over-read in process_D
NOTE: Crash in CLI tool, no security impact
CVE-2020-6623 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff ...)
- libstb <unfixed> (low; bug #949560)
+ [bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/865
NOTE: Potentially affects mame, embree, libtcod, sumo, goxel, mesa, godot, dart
CVE-2020-6622 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...)
- libstb <unfixed> (low; bug #949559)
+ [bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/869
CVE-2020-6621 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in t ...)
- libstb <unfixed> (low; bug #949558)
+ [bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/867
CVE-2020-6620 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...)
- libstb <unfixed> (low; bug #949557)
+ [bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/868
CVE-2020-6619 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__buf ...)
- libstb <unfixed> (low; bug #949556)
+ [bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/863
CVE-2020-6618 (stb stb_truetype.h through 1.22 has a heap-based buffer over-read in s ...)
- libstb <unfixed> (low; bug #949555)
+ [bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/866
CVE-2020-6617 (stb stb_truetype.h through 1.22 has an assertion failure in stbtt__cff ...)
- libstb <unfixed> (low; bug #949554)
+ [bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/867
CVE-2020-6616 (Some Broadcom chips mishandle Bluetooth random-number generation becau ...)
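Review bot: The NOTE for CVE-2020-6617 links upstream issue 867, the same issue already cited for CVE-2020-6621, whereas the other five stb_truetype entries in this hunk each cite a distinct issue (863, 865, 866, 868, 869). Since a later triager re-evaluating the new `[bullseye] - libstb <no-dsa>` tags will follow that link to check whether upstream has fixed the bug, please verify that 6617 really maps to 867 and not to a separate report. Otherwise the seven added `[bullseye]` lines are consistent with the existing `[buster]` lines and sit in the newest-release-first order used elsewhere in the file.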
@@ -65761,6 +65768,7 @@ CVE-2019-20056 (stb_image.h (aka the stb image loader) 2.23, as used in libsixel
[stretch] - libsixel <no-dsa> (Minor issue)
[jessie] - libsixel <no-dsa> (Minor issue)
- libstb <unfixed> (low)
+ [bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: libsixel PR: https://github.com/saitoha/libsixel/issues/126
NOTE: libsixel patch: https://github.com/saitoha/libsixel/commit/814f831555ea2492d442e784ab5d594f6a8e2e8d
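Review bot: The libstb line that the new `[bullseye] - libstb <no-dsa> (Minor issue)` tag refers to is `- libstb <unfixed> (low)` with no bug reference, unlike every other libstb entry touched in this commit, which carries a `bug #` so the maintainer has something to act on in a point release; consider filing or referencing one here. Separately, the context line `NOTE: libsixel PR: https://github.com/saitoha/libsixel/issues/126` labels an issues URL as a PR, while the following line already points at the actual fix commit; relabeling it as "issue" would avoid confusion.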
@@ -88327,6 +88335,7 @@ CVE-2019-15059
RESERVED
CVE-2019-15058 (stb_image.h (aka the stb image loader) 2.23 has a heap-based buffer ov ...)
- libstb <unfixed> (bug #934973)
+ [bullseye] - libstb <no-dsa> (Minor issue)
[buster] - libstb <no-dsa> (Minor issue)
NOTE: https://github.com/nothings/stb/issues/790
NOTE: Potentially also affects libsixel, mame, libsfml, love, zynaddsubfx, yquake2, ccextractor, zam-plugins, osgearth, catimg, darknet, gem, retroarch, renderdoc, goxel
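Review bot: The sid entry `- libstb <unfixed> (bug #934973)` carries no severity marker, while the stb_truetype entries tagged in the same commit are all `(low; bug #...)`; since the `[bullseye] - libstb <no-dsa> (Minor issue)` tag added here is justified by the issue being minor, adding `low` to the sid line would keep the rationale and the severity in step. The NOTE listing embedded copies (libsixel, mame, libsfml, love, ...) is a reminder that the no-dsa decision only covers the libstb package itself; the other packages named there are not tracked by this entry.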
@@ -89770,8 +89779,7 @@ CVE-2019-14665 (Brandy 1.20.1 has a heap-based buffer overflow in define_array i
NOTE: https://sourceforge.net/p/brandy/bugs/8/
NOTE: Negligible security impact
CVE-2019-14664 (In Enigmail below 2.1, an attacker in possession of PGP encrypted emai ...)
- - enigmail <unfixed>
- [buster] - enigmail <ignored> (Minor issue and too intrusive to backport)
+ - enigmail 2:2.1.3+ds1-1
[jessie] - enigmail <end-of-life> (see https://lists.debian.org/debian-lts-announce/2019/02/msg00002.html)
NOTE: https://sourceforge.net/p/enigmail/bugs/984/
CVE-2019-14663 (Brandy 1.20.1 has a stack-based buffer overflow in fileio_openin in fi ...)
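Review bot: Dropping `[buster] - enigmail <ignored> (Minor issue and too intrusive to backport)` together with setting the fixed version to `2:2.1.3+ds1-1` means buster's status for CVE-2019-14664 will now be derived purely from comparing the buster package version against 2:2.1.3+ds1-1; if buster has not actually received an enigmail at or above that version, the entry will flip from "ignored" to "open" for buster. Please confirm the buster version in the same commit, or keep a `[buster]` tag stating that the fix has shipped there, so the removal of the "too intrusive to backport" rationale is traceable.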
@@ -109973,19 +109981,26 @@ CVE-2019-8431
CVE-2019-8430
RESERVED
CVE-2019-8429 (ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php fil ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder <unfixed> (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-8428 (ZoneMinder before 1.32.3 has SQL Injection via the skins/classic/views ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder <unfixed> (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-8427 (daemonControl in includes/functions.php in ZoneMinder before 1.32.3 al ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder <unfixed> (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-8426 (skins/classic/views/controlcap.php in ZoneMinder before 1.32.3 has XSS ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder <unfixed> (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-8425 (includes/database.php in ZoneMinder before 1.32.3 has XSS in the const ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder <unfixed> (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-8424 (ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sor ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder <unfixed> (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-8423 (ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/view ...)
- - zoneminder <unfixed> (bug #922724)
+ - zoneminder <unfixed> (unimportant; bug #922724)
+ NOTE: See README.Debian.security, only supported behind an authenticated HTTP zone
CVE-2019-8422 (A SQL Injection vulnerability exists in PbootCMS v1.3.2 via the descri ...)
NOT-FOR-US: PbootCMS
CVE-2019-8421 (upload/protected/modules/admini/views/post/index.php in BageCMS throug ...)
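Review bot: The new `(unimportant; ...)` severity on all seven ZoneMinder entries rests on the NOTE "only supported behind an authenticated HTTP zone", which addresses unauthenticated exposure only; the SQL injection (CVE-2019-8429, -8428, -8424, -8423) and XSS (CVE-2019-8426, -8425) issues remain reachable by any user who is allowed through that authentication layer. If README.Debian.security's supported deployment assumes that every authenticated user is a fully trusted administrator, the NOTE should say so explicitly, because that is the assumption the "unimportant" rating depends on. Also, the seven CVEs share a single `bug #922724`; if that bug covers only some of them, the fixed-version entry later will need to be split per CVE.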
@@ -153661,25 +153676,29 @@ CVE-2018-11741 (NEC Univerge Sv9100 WebPro 6.00.00 devices have Predictable Sess
NOT-FOR-US: NEC Univerge Sv9100 WebPro devices
CVE-2018-11740 (An issue was discovered in libtskbase.a in The Sleuth Kit (TSK) from r ...)
- sleuthkit <unfixed> (low; bug #902187)
- [buster] - sleuthkit <no-dsa> (Minor issue)
+ [bullseye] - sleuthkit <ignored> (Minor issue)
+ [buster] - sleuthkit <ignored> (Minor issue)
[stretch] - sleuthkit <no-dsa> (Minor issue)
[jessie] - sleuthkit <no-dsa> (Minor issue)
NOTE: https://github.com/sleuthkit/sleuthkit/issues/1264
CVE-2018-11739 (An issue was discovered in libtskimg.a in The Sleuth Kit (TSK) from re ...)
- sleuthkit <unfixed> (low; bug #902187)
- [buster] - sleuthkit <no-dsa> (Minor issue)
+ [bullseye] - sleuthkit <ignored> (Minor issue)
+ [buster] - sleuthkit <ignored> (Minor issue)
[stretch] - sleuthkit <no-dsa> (Minor issue)
[jessie] - sleuthkit <no-dsa> (Minor issue)
NOTE: https://github.com/sleuthkit/sleuthkit/issues/1267
CVE-2018-11738 (An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from rel ...)
- sleuthkit <unfixed> (low; bug #902187)
- [buster] - sleuthkit <no-dsa> (Minor issue)
+ [bullseye] - sleuthkit <ignored> (Minor issue)
+ [buster] - sleuthkit <ignored> (Minor issue)
[stretch] - sleuthkit <no-dsa> (Minor issue)
[jessie] - sleuthkit <no-dsa> (Minor issue)
NOTE: https://github.com/sleuthkit/sleuthkit/issues/1265
CVE-2018-11737 (An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from rel ...)
- sleuthkit <unfixed> (low; bug #902187)
- [buster] - sleuthkit <no-dsa> (Minor issue)
+ [bullseye] - sleuthkit <ignored> (Minor issue)
+ [buster] - sleuthkit <ignored> (Minor issue)
[stretch] - sleuthkit <no-dsa> (Minor issue)
[jessie] - sleuthkit <no-dsa> (Minor issue)
NOTE: https://github.com/sleuthkit/sleuthkit/issues/1266
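Review bot: Each of the four sleuthkit entries changes `[buster] - sleuthkit <no-dsa>` to `<ignored>` and adds `[bullseye] - sleuthkit <ignored>`, but the justification text stays `(Minor issue)`. In the tracker's vocabulary `no-dsa` still allows a point-release fix while `ignored` states that no fix is planned, so the stricter tag deserves a stricter reason (for example that upstream issues 1264 through 1267 remain open or that the crash is in a CLI tool with no security impact, as noted for other entries in this file). As written, buster and bullseye end up `ignored` while the older stretch and jessie stay `no-dsa`, which is the opposite of the usual progression and will read as an inconsistency to the next triager.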
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c932c2dd4dd07defc90b9b7f3ee24c160e1cd79b