[Git][security-tracker-team/security-tracker][master] libsass triage

Fri Dec 18 13:34:22 GMT 2020


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0bf25015 by Moritz Muehlenhoff at 2020-12-18T14:34:10+01:00
libsass triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -104704,7 +104704,7 @@ CVE-2018-20822 (LibSass 3.5.4 allows attackers to cause a denial-of-service (unc
 	NOTE: Possibly introduced after https://github.com/sass/libsass/commit/25c9b4952f5838b615da996035453967d0420f57 (3.4.7)
 	NOTE: Fixed in 3.6.1, but 3.6.3 first to land in unstable
 CVE-2018-20821 (The parsing component in LibSass through 3.5.5 allows attackers to cau ...)
-	- libsass <unfixed> (low)
+	- libsass 3.6.3-1 (low)
 	[buster] - libsass <no-dsa> (Minor issue)
 	[stretch] - libsass <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/sass/libsass/issues/2658
@@ -133481,10 +133481,11 @@ CVE-2018-19799 (Dolibarr ERP/CRM through 8.0.3 has /exports/export.php?datatoexp
 CVE-2018-19798 (Fleetco Fleet Maintenance Management (FMM) 1.2 and earlier allows uplo ...)
 	NOT-FOR-US: Fleetco Fleet Maintenance Management (FMM)
 CVE-2018-19797 (In LibSass 3.5.5, a NULL Pointer Dereference in the function Sass::Sel ...)
-	- libsass <unfixed>
+	- libsass 3.6.3-1
 	[buster] - libsass <no-dsa> (Minor issue)
 	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/2779
+	NOTE: https://github.com/sass/libsass/commit/e94b5f91ec372a84be1f9c0da32cb6e0af0b99fe
 CVE-2018-19796 (An open redirect in the Ninja Forms plugin before 3.3.19.1 for WordPre ...)
 	NOT-FOR-US: Ninja Forms plugin for WordPress
 CVE-2018-19795 (ChipsBank UMPTool saves the password to the NAND with a simple substit ...)
@@ -158219,12 +158220,13 @@ CVE-2018-11700
 CVE-2018-11699
 	RESERVED
 CVE-2018-11698 (An issue was discovered in LibSass through 3.5.4. An out-of-bounds rea ...)
-	- libsass <unfixed>
+	- libsass 3.6.3-1
 	[buster] - libsass <no-dsa> (Minor issue)
 	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/2662
+	NOTE: https://github.com/sass/libsass/commit/8f40dc03e5ab5a8b2ebeb72b31f8d1adbb2fd6ae
 CVE-2018-11697 (An issue was discovered in LibSass through 3.5.4. An out-of-bounds rea ...)
-	- libsass <unfixed>
+	- libsass 3.6.3-1
 	[buster] - libsass <no-dsa> (Minor issue)
 	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/2656
@@ -158241,7 +158243,7 @@ CVE-2018-11695 (An issue was discovered in LibSass <3.5.3. A NULL pointer der
 	NOTE: https://github.com/sass/libsass/commit/0bc35e3d26922229d5a3e3308860cf0fcee5d1cf (master)
 	NOTE: https://github.com/sass/libsass/commit/e3512120403dc7863a38bf2f122e7523593718ad (3.5.3)
 CVE-2018-11694 (An issue was discovered in LibSass through 3.5.4. A NULL pointer deref ...)
-	- libsass <unfixed> (low)
+	- libsass 3.6.3-1 (low)
 	[buster] - libsass <no-dsa> (Minor issue)
 	[stretch] - libsass <no-dsa> (Minor issue)
 	NOTE: https://github.com/sass/libsass/issues/2663
@@ -204228,16 +204230,11 @@ CVE-2017-12966 (The asn1f_lookup_symbol_impl function in asn1fix_retrieve.c in l
 CVE-2017-12965 (Session fixation vulnerability in Apache2Triad 1.5.4 allows remote att ...)
 	NOT-FOR-US: Apache2Triad
 CVE-2017-12964 (There is a stack consumption issue in LibSass 3.4.5 that is triggered  ...)
-	- libsass <undetermined> (low; bug #873034)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482397
+	NOTE: Bogus report against historic libsass version
 CVE-2017-12963 (There is an illegal address access in Sass::Eval::operator() in eval.c ...)
-	- libsass <undetermined> (low; bug #873034)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482335
-	NOTE: Similar issue to CVE-2017-11555 but for the issue which remains unfixed
-	NOTE: with the upstream patch for CVE-2017-11555.
+	NOTE: Bogus report against historic libsass version
 CVE-2017-12962 (There are memory leaks in LibSass 3.4.5 triggered by deeply nested cod ...)
-	- libsass <undetermined> (low; bug #873034)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482331
+	NOTE: Bogus report against historic libsass version
 CVE-2017-12961 (There is an assertion abort in the function parse_attributes() in data ...)
 	- pspp 1.0.1-1 (unimportant)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1482436
@@ -208711,8 +208708,7 @@ CVE-2017-11607
 CVE-2017-11606
 	RESERVED
 CVE-2017-11605 (There is a heap based buffer over-read in LibSass 3.4.5, related to ad ...)
-	- libsass <undetermined> (bug #870184)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1474019
+	NOTE: Bogus report against historic libsass version
 CVE-2017-11604
 	RESERVED
 CVE-2017-11603
@@ -209520,11 +209516,9 @@ CVE-2017-11343 (Due to an incomplete fix for CVE-2012-6125, all versions of CHIC
 	[wheezy] - chicken <no-dsa> (Minor issue)
 	NOTE: http://lists.nongnu.org/archive/html/chicken-announce/2017-07/msg00000.html
 CVE-2017-11342 (There is an illegal address access in ast.cpp of LibSass 3.4.5. A craf ...)
-	- libsass <undetermined> (bug #868577)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470722
+	NOTE: Bogus report against historic libsass version
 CVE-2017-11341 (There is a heap based buffer over-read in lexer.hpp of LibSass 3.4.5.  ...)
-	- libsass <undetermined> (bug #868577)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1470714
+	NOTE: Bogus report against historic libsass version
 CVE-2017-11340 (There is a Segmentation fault in the XmpParser::terminate() function i ...)
 	- exiv2 <not-affected> (Vulnerable code introduced after 0.25; only affected experimental; bug #868578)
 	NOTE: https://github.com/Exiv2/exiv2/issues/53
@@ -211502,8 +211496,7 @@ CVE-2017-10688 (In LibTIFF 4.0.8, there is a assertion abort in the TIFFWriteDir
 	NOTE: http://bugzilla.maptools.org/show_bug.cgi?id=2712
 	NOTE: Fixed by: https://github.com/vadz/libtiff/commit/6173a57d39e04d68b139f8c1aa499a24dbe74ba1
 CVE-2017-10687 (In LibSass 3.4.5, there is a heap-based buffer over-read in the functi ...)
-	- libsass <undetermined> (low; bug #866672)
-	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1466411
+	NOTE: Bogus report against historic libsass version
 CVE-2017-10686 (In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after ...)
 	{DLA-1041-1}
 	- nasm 2.13.02-0.1 (bug #867988)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bf25015cb4ea5135c2d55af421547ed286dc2cc

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bf25015cb4ea5135c2d55af421547ed286dc2cc
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20201218/0b5a65b9/attachment.html>
