[Git][security-tracker-team/security-tracker][master] netty fixed
Moritz Muehlenhoff
jmm at debian.org
Mon Feb 24 17:01:07 GMT 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
71361394 by Moritz Muehlenhoff at 2020-02-24T18:00:46+01:00
netty fixed
buster/stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2080,7 +2080,7 @@ CVE-2020-8433
RESERVED
CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length ...)
{DLA-2110-1 DLA-2109-1}
- - netty <unfixed> (bug #950967)
+ - netty 1:4.1.45-1 (bug #950967)
- netty-3.9 <removed>
NOTE: https://github.com/netty/netty/issues/9861
NOTE: https://github.com/netty/netty/commit/8494b046ec7e4f28dbd44bc699cc4c4c92251729 (4.1)
@@ -2088,7 +2088,7 @@ CVE-2019-20445 (HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-L
NOTE: https://github.com/netty/netty/commit/5f68897880467c00f29495b0aa46ed19bf7a873c (tests)
CVE-2019-20444 (HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header th ...)
{DLA-2110-1 DLA-2109-1}
- - netty <unfixed> (bug #950966)
+ - netty 1:4.1.45-1 (bug #950966)
- netty-3.9 <removed>
NOTE: https://github.com/netty/netty/issues/9866
NOTE: https://github.com/netty/netty/commit/a7c18d44b46e02dadfe3da225a06e5091f5f328e (4.1)
@@ -4737,7 +4737,7 @@ CVE-2019-20382
RESERVED
CVE-2020-7238 (Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles ...)
{DLA-2110-1 DLA-2109-1}
- - netty <unfixed> (bug #950967)
+ - netty 1:4.1.45-1 (bug #950967)
- netty-3.9 <removed>
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1796225
NOTE: https://github.com/jdordonezn/CVE-2020-72381/issues/1
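Review bot: the changed line for CVE-2020-7238 carries bug #950967, the same bug number as the CVE-2019-20445 entry in the first hunk, while CVE-2019-20444 has its own bug #950966. It is worth confirming that a single bug report is meant to track both CVEs before marking both fixed in 1:4.1.45-1; if it is, a short NOTE saying so would stop the shared number from reading as a copy-paste slip.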
@@ -5030,6 +5030,8 @@ CVE-2020-7106 (Cacti 1.2.8 has stored XSS in data_sources.php, color_templates_i
CVE-2020-7105 (async.c and dict.c in libhiredis.a in hiredis through 0.14.0 allow a N ...)
{DLA-2083-1}
- hiredis 0.14.0-5 (bug #949995)
+ [buster] - hiredis <no-dsa> (Minor issue)
+ [stretch] - hiredis <no-dsa> (Minor issue)
NOTE: https://github.com/redis/hiredis/pull/754
NOTE: https://github.com/redis/hiredis/pull/756
CVE-2020-7104 (The chained-quiz plugin 1.1.8.1 for WordPress has reflected XSS via th ...)
@@ -35968,7 +35970,9 @@ CVE-2019-14576
RESERVED
CVE-2019-14575 [DxeImageVerificationHandler() fails open in case of dbx signature check]
RESERVED
- - edk2 <unfixed>
+ - edk2 <unfixed> (low)
+ [buster] - edk2 <no-dsa> (Minor issue)
+ [stretch] - edk2 <no-dsa> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
CVE-2019-14574 (Out of bounds read in a subsystem for Intel(R) Graphics Driver version ...)
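Review bot: the "(Minor issue)" reason on the added [buster] and [stretch] lines for CVE-2019-14575 gives no rationale, although the entry title says DxeImageVerificationHandler() fails open on the dbx signature check. A NOTE line recording why this is rated (low) and tagged no-dsa would let a later triager understand the decision without reopening the upstream bug.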
@@ -35995,7 +35999,9 @@ CVE-2019-14564
RESERVED
CVE-2019-14563 [numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib]
RESERVED
- - edk2 <unfixed>
+ - edk2 <unfixed> (low)
+ [buster] - edk2 <no-dsa> (Minor issue)
+ [stretch] - edk2 <no-dsa> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2001
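Review bot: the "- edk2 <unfixed> (low)" line for CVE-2019-14563 stays unfixed even though the entry already has a NOTE pointing at an upstream edk2 commit (322ac05f8bbc1bce066af1dabd1b70ccdbe28891). Since this commit is already touching the line, it would be a good moment to check whether the edk2 version in unstable contains that commit and, if so, record the fixed version instead of only adding the urgency.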
@@ -36008,6 +36014,8 @@ CVE-2019-14560
CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc]
RESERVED
- edk2 <unfixed>
+ [buster] - edk2 <no-dsa> (Minor issue)
+ [stretch] - edk2 <no-dsa> (Minor issue)
[jessie] - edk2 <end-of-life> (non-free)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2031
CVE-2019-14558
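Review bot: the "- edk2 <unfixed>" line for CVE-2019-14559 is left without an urgency, whereas the two preceding hunks change the CVE-2019-14575 and CVE-2019-14563 entries to "- edk2 <unfixed> (low)" next to the same [buster] and [stretch] no-dsa lines. If the memory leak is meant to be rated the same way, add "(low)" here as well so the three edk2 entries are consistent.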
=====================================
data/dsa-needed.txt
=====================================
@@ -18,6 +18,8 @@ amd64-microcode
NOTE: 20200224: The maintainer says version 3.20191218.1 can be
NOTE: 20200224: backported to all stable releases.
--
+curl (ghedo)
+--
glusterfs/oldstable
--
graphicsmagick
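Review bot: the added "curl (ghedo)" entry is not mentioned in the commit message ("netty fixed", "buster/stretch triage"), and no curl entry in data/CVE/list changes in this commit, so the reason a DSA is needed is not visible from the change. Consider a dated NOTE under the entry, in the style of the amd64-microcode entry above it, naming the issue that prompted it, or splitting this addition into its own commit.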
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/71361394f9acfb958a686aa8673b9b37d20a001e