[Git][security-tracker-team/security-tracker][master] buster/stretch triage

Moritz Muehlenhoff jmm at debian.org
Thu Jan 2 19:27:49 GMT 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fef3c2b9 by Moritz Muehlenhoff at 2020-01-02T20:27:26+01:00
buster/stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -61,6 +61,8 @@ CVE-2019-20209
 	RESERVED
 CVE-2019-20208 (dimC_Read in isomedia/box_code_3gpp.c in GPAC 0.8.0 has a stack-based  ...)
 	- gpac <unfixed>
+	[buster] - gpac <no-dsa> (Minor issue)
+	[stretch] - gpac <no-dsa> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/issues/1348
 CVE-2019-20207
 	RESERVED
@@ -230,7 +232,9 @@ CVE-2019-20178
 CVE-2019-20177
 	RESERVED
 CVE-2019-20176 (In Pure-FTPd 1.0.49, a stack exhaustion issue was discovered in the li ...)
-	- pure-ftpd 1.0.49-2 (bug #947869)
+	- pure-ftpd 1.0.49-2 (low; bug #947869)
+	[buster] - pure-ftpd <no-dsa> (Minor issue)
+	[stretch] - pure-ftpd <no-dsa> (Minor issue)
 	NOTE: https://github.com/jedisct1/pure-ftpd/commit/aea56f4bcb9948d456f3fae4d044fd3fa2e19706
 CVE-2019-20175 (** DISPUTED ** An issue was discovered in ide_dma_cb() in hw/ide/core. ...)
 	- qemu <unfixed> (unimportant)
@@ -2906,6 +2910,8 @@ CVE-2019-20053 (An invalid memory address dereference was discovered in the canU
 	NOTE: https://github.com/upx/upx/commit/819c33fee2b2c33b96bef27a13cb20f2589819aa
 CVE-2019-20052 (A memory leak was discovered in Mat_VarCalloc in mat.c in matio 1.5.17 ...)
 	- libmatio <unfixed>
+	[buster] - libmatio <no-dsa> (Minor issue)
+	[stretch] - libmatio <no-dsa> (Minor issue)
 	NOTE: https://github.com/tbeu/matio/issues/131
 CVE-2019-20051 (A floating-point exception was discovered in PackLinuxElf::elf_hash in ...)
 	- upx-ucl <unfixed> (unimportant)
@@ -2990,15 +2996,23 @@ CVE-2019-20021 (A heap-based buffer over-read was discovered in canUnpack in p_m
 	NOTE: https://github.com/upx/upx/commit/819c33fee2b2c33b96bef27a13cb20f2589819aa
 CVE-2019-20020 (A stack-based buffer over-read was discovered in ReadNextStructField i ...)
 	- libmatio <unfixed>
+	[buster] - libmatio <no-dsa> (Minor issue)
+	[stretch] - libmatio <no-dsa> (Minor issue)
 	NOTE: https://github.com/tbeu/matio/issues/128
 CVE-2019-20019 (An attempted excessive memory allocation was discovered in Mat_VarRead ...)
 	- libmatio <unfixed>
+	[buster] - libmatio <no-dsa> (Minor issue)
+	[stretch] - libmatio <no-dsa> (Minor issue)
 	NOTE: https://github.com/tbeu/matio/issues/130
 CVE-2019-20018 (A stack-based buffer over-read was discovered in ReadNextCell in mat5. ...)
 	- libmatio <unfixed>
+	[buster] - libmatio <no-dsa> (Minor issue)
+	[stretch] - libmatio <no-dsa> (Minor issue)
 	NOTE: https://github.com/tbeu/matio/issues/129
 CVE-2019-20017 (A stack-based buffer over-read was discovered in Mat_VarReadNextInfo5  ...)
 	- libmatio <unfixed>
+	[buster] - libmatio <no-dsa> (Minor issue)
+	[stretch] - libmatio <no-dsa> (Minor issue)
 	NOTE: https://github.com/tbeu/matio/issues/127
 CVE-2019-20016 (libmysofa before 2019-11-24 does not properly restrict recursive funct ...)
 	- libmysofa 0.9~dfsg0-1
@@ -3249,6 +3263,8 @@ CVE-2019-19922 (kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.c
 CVE-2019-19921 [Volume mount race condition with shared mounts]
 	RESERVED
 	- runc <unfixed>
+	[buster] - runc <no-dsa> (Minor issue)
+	[stretch] - runc <no-dsa> (Minor issue)
 	NOTE: https://github.com/opencontainers/runc/issues/2197
 	NOTE: https://github.com/opencontainers/runc/pull/2190
 CVE-2019-19919 (Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Poll ...)
@@ -3325,6 +3341,7 @@ CVE-2019-19908 (phpMyChat-Plus 1.98 is vulnerable to reflected XSS via JavaScrip
 	NOT-FOR-US: phpMyChat
 CVE-2019-19907 (HrAddFBBlock in libfreebusy/freebusyutil.cpp in Kopano Groupware Core  ...)
 	- kopanocore <unfixed> (bug #947312)
+	[buster] - kopanocore <no-dsa> (Minor issue)
 	NOTE: https://stash.kopano.io/projects/KC/repos/kopanocore/commits/4e02b420fff
 CVE-2019-19904
 	RESERVED
@@ -4243,6 +4260,7 @@ CVE-2019-19795 (samurai 0.7 has a heap-based buffer overflow in canonpath in uti
 	NOT-FOR-US: samurai
 CVE-2019-19794 (The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6. ...)
 	- golang-github-miekg-dns <unfixed> (bug #947403)
+	[buster] - golang-github-miekg-dns <no-dsa> (Minor issue)
 	NOTE: https://github.com/coredns/coredns/issues/3519
 	NOTE: https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33
 	NOTE: https://github.com/miekg/dns/issues/1043
@@ -19002,6 +19020,8 @@ CVE-2019-16782 (There's a possible information leak / session hijack vulnerabili
 	NOTE: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
 CVE-2019-16779 (In RubyGem excon before 0.71.0, there was a race condition around pers ...)
 	- ruby-excon <unfixed> (bug #946904)
+	[buster] - ruby-excon <no-dsa> (Minor issue)
+	[stretch] - ruby-excon <no-dsa> (Minor issue)
 	NOTE: https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9
 	NOTE: https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29
 CVE-2019-16778 (In TensorFlow before 1.15, a heap buffer overflow in UnsortedSegmentSu ...)
@@ -26598,6 +26618,8 @@ CVE-2015-9291 (cPanel before 11.52.0.13 does not prevent arbitrary file-read ope
 	NOT-FOR-US: cPanel
 CVE-2019-14452 (Sigil before 0.9.16 is vulnerable to a directory traversal, allowing a ...)
 	- sigil 0.9.16+dfsg-1 (bug #933797)
+	[buster] - sigil <no-dsa> (Minor issue)
+	[stretch] - sigil <no-dsa> (Minor issue)
 	NOTE: https://github.com/Sigil-Ebook/Sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4
 	NOTE: https://github.com/Sigil-Ebook/Sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f
 	NOTE: https://github.com/Sigil-Ebook/Sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4
@@ -26860,12 +26882,16 @@ CVE-2019-14371 (An issue was discovered in Libav 12.3. There is an infinite loop
 	NOTE: fixed through CVE-2018-11102 / https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/7abf394814d818973db562102f21ab9d10540840
 CVE-2019-14370 (In Exiv2 0.27.99.0, there is an out-of-bounds read in Exiv2::MrwImage: ...)
 	- exiv2 <unfixed>
+	[buster] - exiv2 <no-dsa> (Minor issue)
+	[stretch] - exiv2 <no-dsa> (Minor issue)
 	[jessie] - exiv2 <not-affected> (poc not triggered with asan/valgrind, different MemIo::seek bound check)
 	NOTE: https://github.com/Exiv2/exiv2/issues/954
 	NOTE: fixed through CVE-2019-13504
 	NOTE: https://github.com/Exiv2/exiv2/commit/bd0afe0390439b2c424d881c8c6eb0c5624e31d9
 CVE-2019-14369 (Exiv2::PngImage::readMetadata() in pngimage.cpp in Exiv2 0.27.99.0 all ...)
 	- exiv2 <unfixed>
+	[buster] - exiv2 <no-dsa> (Minor issue)
+	[stretch] - exiv2 <no-dsa> (Minor issue)
 	[jessie] - exiv2 <not-affected> (poc not triggered with asan/valgrind, different MemIo::seek bound check)
 	NOTE: https://github.com/Exiv2/exiv2/issues/953
 	NOTE: fixed through CVE-2019-13504
@@ -36294,6 +36320,8 @@ CVE-2019-11282 (Cloud Foundry UAA, versions prior to v74.3.0, contains an endpoi
 	NOT-FOR-US: Cloud Foundry
 CVE-2019-11281 (Pivotal RabbitMQ, versions prior to v3.7.18, and RabbitMQ for PCF, ver ...)
 	- rabbitmq-server 3.7.18-1 (low)
+	[buster] - rabbitmq-server <no-dsa> (Minor issue)
+	[stretch] - rabbitmq-server <no-dsa> (Minor issue)
 	[jessie] - rabbitmq-server <no-dsa> (Minor issue; one plugin not vulnerable, the other only exploitable by malicious admin)
 	NOTE: https://pivotal.io/security/cve-2019-11281
 	NOTE: fix for vhost limit feature: https://github.com/rabbitmq/rabbitmq-management/commit/42def1b51243397c1cb9192d6d064351e358bacc
@@ -71740,27 +71768,39 @@ CVE-2018-18199 (Mediamanager in REDAXO before 5.6.4 has XSS. ...)
 CVE-2018-18198 (The $opener_input_field variable in addons/mediapool/pages/index.php i ...)
 	NOT-FOR-US: REDAXO
 CVE-2018-18197 (An issue was discovered in libgig 4.1.0. There is an operator new[] fa ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md
 CVE-2018-18196 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer  ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md
 CVE-2018-18195 (An issue was discovered in libgig 4.1.0. There is an FPE (divide-by-ze ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md
 CVE-2018-18194 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer  ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md
 CVE-2018-18193 (An issue was discovered in libgig 4.1.0. There is operator new[] failu ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md
 CVE-2018-18192 (An issue was discovered in libgig 4.1.0. There is a NULL pointer deref ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README-1008.md
 CVE-2018-18191 (Cross-site request forgery (CSRF) vulnerability in /admin.php?c=member ...)
@@ -81506,47 +81546,69 @@ CVE-2018-14460 (An issue was discovered in the HDF HDF5 1.8.20 library. There is
 	- hdf5 <undetermined>
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/hdf5/README3.md
 CVE-2018-14459 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md
 CVE-2018-14458 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer  ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md
 CVE-2018-14457 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md
 CVE-2018-14456 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md
 CVE-2018-14455 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds wri ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md
 CVE-2018-14454 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds rea ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md
 CVE-2018-14453 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer  ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md
 CVE-2018-14452 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds rea ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md
 CVE-2018-14451 (An issue was discovered in libgig 4.1.0. There is a heap-based buffer  ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md
 CVE-2018-14450 (An issue was discovered in libgig 4.1.0. There is an out-of-bounds rea ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md
 CVE-2018-14449 (An issue was discovered in libgig 4.1.0. There is an out of bounds rea ...)
-	- libgig <unfixed> (bug #931309)
+	- libgig <unfixed> (low; bug #931309)
+	[buster] - libgig <ignored> (Minor issue)
+	[stretch] - libgig <ignored> (Minor issue)
 	[jessie] - libgig <no-dsa> (Minor issue)
 	NOTE: https://github.com/TeamSeri0us/pocs/blob/master/libgig/README.md
 CVE-2018-14448 (Codec::parse in track.cpp in Untrunc through 2018-06-07 has a NULL poi ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -34,6 +34,8 @@ linux (carnil)
 --
 mercurial/oldstable
 --
+netty
+--
 nodejs
 --
 nss/oldstable (jmm)
@@ -43,6 +45,8 @@ poppler (jmm)
 --
 python3.5 (jmm)
 --
+python-django
+--
 python-reportlab (hle)
 --
 smarty3/oldstable



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fef3c2b9a01037e072cee089e3be3fa194caa01f

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/fef3c2b9a01037e072cee089e3be3fa194caa01f
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200102/618f7597/attachment-0001.html>


More information about the debian-security-tracker-commits mailing list