[Git][security-tracker-team/security-tracker][master] buster/stretch triage
Moritz Muehlenhoff
jmm at debian.org
Fri Jan 17 10:30:06 GMT 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d55a0584 by Moritz Muehlenhoff at 2020-01-17T11:29:46+01:00
buster/stretch triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -22093,10 +22093,9 @@ CVE-2019-17402 (Exiv2 0.27.2 allows attackers to trigger a crash in Exiv2::getUL
NOTE: https://github.com/Exiv2/exiv2/commit/50e9dd964a439da357798344ed1dd86edcadf0ec (0.27-branch)
NOTE: Follow-up: https://github.com/Exiv2/exiv2/issues/1026
CVE-2019-17401 (** DISPUTED ** libyal liblnk 20191006 has a heap-based buffer over-rea ...)
- - liblnk <unfixed> (low)
- [buster] - liblnk <no-dsa> (Minor issue)
- [stretch] - liblnk <no-dsa> (Minor issue)
+ - liblnk <unfixed> (unimportant)
NOTE: https://github.com/libyal/liblnk/issues/40
+ NOTE: Negligible/questionable security impact
CVE-2019-17400 (The unoconv package before 0.9 mishandles untrusted pathnames, leading ...)
- unoconv 0.7-2 (low; bug #943561)
[buster] - unoconv <no-dsa> (Minor issue)
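Review bot: the new NOTE on CVE-2019-17401 gives only "Negligible/questionable security impact", and since the downgrade from `low` to `unimportant` also drops the buster and stretch `<no-dsa>` markers, a one-line reason stating what is actually disputed about the heap over-read (per https://github.com/libyal/liblnk/issues/40, the only remaining pointer) would let a later triager verify the decision without re-reading the upstream issue. Removing the per-suite lines is itself consistent with `unimportant`, which is not tracked for stable updates.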
@@ -22167,12 +22166,10 @@ CVE-2019-17373 (Certain NETGEAR devices allow unauthenticated access to critical
CVE-2019-17372 (Certain NETGEAR devices allow remote attackers to disable all authenti ...)
NOT-FOR-US: NETGEAR
CVE-2019-17371 (libpng 1.6.37 has memory leaks in png_malloc_warn and png_create_info_ ...)
- - libpng1.6 <unfixed> (low)
- [buster] - libpng1.6 <no-dsa> (Minor issue)
- [stretch] - libpng1.6 <no-dsa> (Minor issue)
- - libpng <removed>
- [jessie] - libpng <no-dsa> (Minor issue)
+ - gif2png <removed> (unimportant)
NOTE: https://github.com/glennrp/libpng/issues/307
+ NOTE: Initially filed for libpng, but the bug is actually in gif2png
+ NOTE: Memory leak in CLI tool, no security impact
CVE-2019-17370 (OTCMS v3.85 allows arbitrary PHP Code Execution because admin/sysCheck ...)
NOT-FOR-US: OTCMS
CVE-2019-17369 (OTCMS v3.85 has CSRF in the admin/member_deal.php Admin Panel page, le ...)
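Review bot: the libpng1.6 and libpng entries for CVE-2019-17371 are deleted outright rather than marked `<not-affected>`; because the CVE text itself names libpng 1.6.37, keeping a line such as `- libpng1.6 <not-affected> (bug is in gif2png)` would record the reassignment in machine-readable form instead of only in the new NOTE. The reassignment to `gif2png <removed> (unimportant)` with the two explanatory NOTEs otherwise reads well: a memory leak in a command-line tool has no security impact in the tracker's sense.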
@@ -22386,20 +22383,16 @@ CVE-2019-17266 (libsoup from versions 2.65.1 until 2.68.1 have a heap-based buff
CVE-2019-17265
RESERVED
CVE-2019-17264 (** DISPUTED ** In libyal liblnk before 20191006, liblnk_location_infor ...)
- - liblnk <unfixed> (low)
- [buster] - liblnk <no-dsa> (Minor issue)
- [stretch] - liblnk <no-dsa> (Minor issue)
+ - liblnk <unfixed> (unimportant)
NOTE: https://github.com/libyal/liblnk/issues/38
NOTE: https://github.com/libyal/liblnk/commit/c4d04de2c76f62129677c90a616d049be9c52482
+ NOTE: Negligible/questionable security impact
CVE-2019-17263 (** DISPUTED ** In libyal libfwsi before 20191006, libfwsi_extension_bl ...)
- - liblnk <unfixed> (low)
- [buster] - liblnk <no-dsa> (Minor issue)
- [stretch] - liblnk <no-dsa> (Minor issue)
- - libfwsi <unfixed> (low)
- [buster] - libfwsi <no-dsa> (Minor issue)
- [stretch] - libfwsi <no-dsa> (Minor issue)
+ - liblnk <unfixed> (unimportant)
+ - libfwsi <unfixed> (unimportant)
NOTE: https://github.com/libyal/libfwsi/issues/13
NOTE: https://github.com/libyal/libfwsi/commit/54afa5c71d6c795a555dbcb1e160fea393b98fb3
+ NOTE: Negligible/questionable security impact
CVE-2019-17262 (XnView Classic 2.49.1 allows a User Mode Write AV starting at Xwsq+0x0 ...)
NOT-FOR-US: XnView
CVE-2019-17261 (XnView Classic 2.49.1 allows a User Mode Write AV starting at Xwsq+0x0 ...)
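Review bot: CVE-2019-17263 lists both liblnk and libfwsi, and both are downgraded to `unimportant` under one shared NOTE; it would help to state that the libfwsi commit 54afa5c71d6c795a555dbcb1e160fea393b98fb3 is the relevant fix for both source packages (presumably liblnk bundles libfwsi, which is why it is listed under a libfwsi CVE), so the NOTE visibly covers both entries. Otherwise the CVE-2019-17264 and CVE-2019-17263 changes mirror the CVE-2019-17401 hunk and are consistent with it.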
@@ -37511,8 +37504,8 @@ CVE-2019-12496 (An issue was discovered in Hybrid Group Gobot before 1.13.0. The
NOT-FOR-US: Hybrid Group Gobot
CVE-2019-12495 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. ...)
- tcc <unfixed> (bug #929872)
- [buster] - tcc <no-dsa> (Minor issue)
- [stretch] - tcc <no-dsa> (Minor issue)
+ [buster] - tcc <ignored> (Minor issue)
+ [stretch] - tcc <ignored> (Minor issue)
[jessie] - tcc <no-dsa> (Minor issue)
NOTE: https://lists.nongnu.org/archive/html/tinycc-devel/2019-05/msg00044.html
NOTE: https://repo.or.cz/tinycc.git/commit/d04ce7772c2bc2781ab2502e0b1f1964488814b5
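Review bot: the buster and stretch entries for CVE-2019-12495 move from `<no-dsa>` to `<ignored>` while the reason stays "(Minor issue)"; `<ignored>` is the stronger statement (the issue will not be fixed in that suite at all, whereas `<no-dsa>` leaves a point-release fix open), so the reason string or a NOTE should record why no fix will be done, since that text is what later triagers and the LTS team read. Also jessie stays at `<no-dsa>`, which is inconsistent with the newer suites unless that is deliberately left to the LTS team.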
@@ -46232,8 +46225,8 @@ CVE-2019-9755 (An integer underflow issue exists in ntfs-3g 2017.3.23. A local a
NOTE: https://sourceforge.net/p/ntfs-3g/ntfs-3g/ci/85c1634a26faa572d3c558d4cf8aaaca5202d4e9/
CVE-2019-9754 (An issue was discovered in Tiny C Compiler (aka TinyCC or TCC) 0.9.27. ...)
- tcc <unfixed> (low; bug #925127)
- [buster] - tcc <no-dsa> (Minor issue)
- [stretch] - tcc <no-dsa> (Minor issue)
+ [buster] - tcc <ignored> (Minor issue)
+ [stretch] - tcc <ignored> (Minor issue)
[jessie] - tcc <no-dsa> (Minor issue)
NOTE: https://lists.nongnu.org/archive/html/tinycc-devel/2019-03/msg00038.html
CVE-2019-9753 (An issue was discovered in Open Ticket Request System (OTRS) 7.x befor ...)
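Review bot: same point as for CVE-2019-12495: the `<no-dsa>` to `<ignored>` change for buster and stretch on CVE-2019-9754 keeps the reason "(Minor issue)" unchanged, so nothing in the hunk records why the stable suites will not receive a fix; a short reason string or NOTE would make the decision reviewable. The upstream reference https://lists.nongnu.org/archive/html/tinycc-devel/2019-03/msg00038.html is kept, which is good.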
@@ -101412,8 +101405,8 @@ CVE-2018-8832 (enhavo 0.4.0 has XSS via a user-group that contains executable Ja
NOT-FOR-US: enhavo
CVE-2018-8831 (A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through ...)
- kodi <unfixed> (low)
- [buster] - kodi <no-dsa> (Minor issue)
- [stretch] - kodi <no-dsa> (Minor issue)
+ [buster] - kodi <ignored> (Minor issue)
+ [stretch] - kodi <ignored> (Minor issue)
- xbmc <removed>
[jessie] - xbmc <no-dsa> (Minor issue)
[wheezy] - xbmc <no-dsa> (Minor issue)
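Review bot: for CVE-2018-8831 the kodi buster and stretch entries become `<ignored>` with the unchanged reason "(Minor issue)" while `kodi <unfixed> (low)` remains the base entry, so the hunk reads as "minor issue, never fixed in stable, still open in unstable"; if the intent is that a fix will only arrive with a new upstream kodi version in unstable, say so in the reason or a NOTE, because a persistent XSS rated `low` with no stated justification is hard to re-evaluate later.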
@@ -239167,8 +239160,8 @@ CVE-2014-XXXX [rsync collision attack]
CVE-2014-8242 (librsync before 1.0.0 uses a truncated MD4 checksum to match blocks, w ...)
[experimental] - librsync 1.0.0-1~exp1
- librsync 2.0.2-1 (low; bug #776246)
- [buster] - librsync <no-dsa> (Minor issue, too instrusive to backport)
- [stretch] - librsync <no-dsa> (Minor issue, too instrusive to backport)
+ [buster] - librsync <ignored> (Minor issue, too instrusive to backport)
+ [stretch] - librsync <ignored> (Minor issue, too instrusive to backport)
[jessie] - librsync <no-dsa> (Minor issue, too instrusive to backport)
[wheezy] - librsync <no-dsa> (Minor issue, too instrusive to backport)
[squeeze] - librsync <no-dsa> (Minor issue, too instrusive to backport)
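Review bot: the two new lines carry forward the typo "instrusive" in "too instrusive to backport"; since these lines are being rewritten anyway, correct it to "intrusive" on the `+` lines (the unchanged jessie, wheezy and squeeze lines could be fixed in the same commit). Beyond the spelling, the change mirrors the tcc and kodi hunks, `<no-dsa>` to `<ignored>` with the reason unchanged, which is acceptable here because the reason already explains why no backport will be done.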
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/d55a0584c3d3d13b0da4a1bc0c7278ae67bdfd8d