[Git][security-tracker-team/security-tracker][master] buster/stretch triage

Moritz Muehlenhoff jmm at debian.org
Fri Jan 17 21:47:10 GMT 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f6da83ed by Moritz Muehlenhoff at 2020-01-17T22:46:52+01:00
buster/stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -351,15 +351,19 @@ CVE-2020-7046
 	RESERVED
 CVE-2020-7045 (In Wireshark 3.0.x before 3.0.8, the BT ATT dissector could crash. Thi ...)
 	- wireshark 3.2.0-1
+	[buster] - wireshark <postponed> (Can be fixed along in next 3.0.x DSA)
+	[stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0)
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16258
 	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=01f261de41f4dd3233ef578e5c0ffb9c25c7d14d
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-02.html
 CVE-2020-7044 (In Wireshark 3.2.x before 3.2.1, the WASSP dissector could crash. This ...)
 	- wireshark <unfixed>
+	[buster] - wireshark <not-affected> (Vulnerable code not present)
+	[stretch] - wireshark <not-affected> (Vulnerable code not present)
+	[jessie] - wireshark <not-affected> (Vulnerable code not present)
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16324
 	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f90a3720b73ca140403315126e2a478c4f70ca03
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-01.html
-	TODO: check, might affect only 3.2.0.
 CVE-2020-7043
 	RESERVED
 CVE-2020-7042
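Review bot: The three <not-affected> annotations for CVE-2020-7044 are consistent with the description ("In Wireshark 3.2.x before 3.2.1") and the buster entry for CVE-2020-7045 showing buster on 3.0.x, so dropping the "might affect only 3.2.0" TODO is justified by what is visible here. For CVE-2020-7045 the two postponed reasons describe the same plan in different words ("next 3.0.x DSA" for buster, "next DSA/update to 3.0" for stretch); consider aligning the wording so a later triager does not read them as two separate plans, e.g. "(Can be fixed along in next 3.0.x DSA)" on both lines.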
@@ -371,6 +375,8 @@ CVE-2020-7040
 CVE-2020-7039 (tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, misman ...)
 	- libslirp 4.1.0-2 (bug #949084)
 	- qemu 1:4.1-2
+	[buster] - qemu <postponed> (Minor issue)
+	[stretch] - qemu <postponed> (Minor issue)
 	- qemu-kvm <removed>
 	- slirp <unfixed> (bug #949085)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/01/16/2
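Review bot: Only the qemu source gets [buster]/[stretch] annotations for CVE-2020-7039; the separate slirp entry ("- slirp <unfixed> (bug #949085)") still carries no release tags after this change, so if slirp is present in those releases it remains untriaged by this commit. Either add matching <postponed>/<no-dsa> lines for slirp or note in the commit why it is left open.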
@@ -7358,6 +7364,8 @@ CVE-2019-20094 (An issue was discovered in libsixel 1.8.4. There is a heap-based
 	NOTE: https://github.com/saitoha/libsixel/issues/125
 CVE-2019-20093 (The PoDoFo::PdfVariant::DelayedLoad function in PdfVariant.h in PoDoFo ...)
 	- libpodofo <unfixed>
+	[buster] - libpodofo <no-dsa> (Minor issue)
+	[stretch] - libpodofo <no-dsa> (Minor issue)
 	[jessie] - libpodofo <no-dsa> (Minor issue)
 	NOTE: https://sourceforge.net/p/podofo/tickets/75/
 CVE-2019-20092 (An issue was discovered in Bento4 1.5.1.0. There is a NULL pointer der ...)
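Review bot: The new buster/stretch lines match the existing jessie annotation, but unlike the shiro and libjpeg-turbo hunks in this same commit the "- libpodofo <unfixed>" line is not given a severity tag alongside the "Minor issue" no-dsa reason; for consistency consider "- libpodofo <unfixed> (low)" here as well.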
@@ -37823,7 +37831,9 @@ CVE-2019-12424
 CVE-2019-12423 (Apache CXF ships with a OpenId Connect JWK Keys service, which allows  ...)
 	NOT-FOR-US: Apache CFX
 CVE-2019-12422 (Apache Shiro before 1.4.2, when using the default "remember me" config ...)
-	- shiro <unfixed> (bug #947945)
+	- shiro <unfixed> (low; bug #947945)
+	[buster] - shiro <no-dsa> (Minor issue)
+	[stretch] - shiro <no-dsa> (Minor issue)
 	[jessie] - shiro <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2019/11/18/1
 	NOTE: Fixed by https://github.com/apache/shiro/commit/44f6548b97610cdf661976969d5735c0be14a57b#diff-a8fc9cf5d6f24966aa18cdf0850a730e
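Review bot: The severity tag and the buster/stretch no-dsa lines are consistent with the pre-existing jessie annotation and with the fixing-commit NOTE. While in this region, the context line two entries up reads "NOT-FOR-US: Apache CFX" although the CVE-2019-12423 description says Apache CXF; it is not part of this change, but the transposition could be corrected in the same file.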
@@ -41827,8 +41837,12 @@ CVE-2015-9284 (The request phase of the OmniAuth Ruby gem is vulnerable to Cross
 CVE-2019-11027 (Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable ...)
 	{DLA-1956-1}
 	- ruby-openid 2.9.2debian-1 (bug #930388)
+	[buster] - ruby-openid <no-dsa> (Minor issue)
+	[stretch] - ruby-openid <no-dsa> (Minor issue)
 	NOTE: https://github.com/openid/ruby-openid/issues/122
 	NOTE: https://github.com/openid/ruby-openid/issues/122#issuecomment-520304211
+	NOTE: https://github.com/openid/ruby-openid/commit/8a4c31a6740a949cdc29d956c276ba3c4021dfa8
+	NOTE: https://github.com/openid/ruby-openid/commit/f526132c6cb5d9195351c16ed36dced4ca3db496
 CVE-2019-11026 (FontInfoScanner::scanFonts in FontInfo.cc in Poppler 0.75.0 has infini ...)
 	[experimental] - poppler 0.81.0-1
 	- poppler <unfixed> (low; bug #926721)
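Review bot: CVE-2019-11027 already has a jessie advisory ({DLA-1956-1}), so marking buster and stretch <no-dsa> with only "Minor issue" as the reason leaves the difference in treatment unexplained; consider pointing the reason at the rationale visible in the NOTE lines (the issue comment or the two fixing commits), e.g. "(Minor issue; fixes in the two upstream commits referenced below)", so the divergence from the DLA is documented.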
@@ -66979,7 +66993,9 @@ CVE-2019-2202 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible
 	NOT-FOR-US: Android media framework
 CVE-2019-2201 (In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is ...)
 	[experimental] - libjpeg-turbo 1:2.0.3-1~exp1
-	- libjpeg-turbo <unfixed>
+	- libjpeg-turbo <unfixed> (low)
+	[buster] - libjpeg-turbo <no-dsa> (Minor issue)
+	[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
 	[jessie] - libjpeg-turbo <ignored> (No package in Debian jessie uses the TurboJPEG API)
 	NOTE: https://source.android.com/security/bulletin/2019-11-01
 	NOTE: https://android.googlesource.com/platform/external/libjpeg-turbo/+/d3db2a2634c422286f75c4b38af98837f3d2f0ff
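Review bot: The jessie line already gives a concrete reason ("No package in Debian jessie uses the TurboJPEG API") while the new buster and stretch lines only say "Minor issue". If the TurboJPEG-API argument also holds for those releases, <ignored> or <not-affected> with the same reason would be more precise than <no-dsa>; if it does not hold, stating why (e.g. which API consumer exists) would make the "Minor issue" assessment verifiable.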


=====================================
data/dsa-needed.txt
=====================================
@@ -41,6 +41,14 @@ nodejs
 nss/oldstable (jmm)
   Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508
 --
+openjdk-8 (jmm)
+--
+openjdk-11 (jmm)
+--
+php7.0
+--
+php7.3
+--
 poppler (jmm)
 --
 python-reportlab (hle)
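Review bot: The four new entries carry no release qualifier, whereas other entries in this file mark the oldstable target explicitly (e.g. "nss/oldstable (jmm)" in the context above). If openjdk-8, openjdk-11, php7.0 and php7.3 are per-release items, consider adding the "/oldstable" suffix where it applies; the two php entries are also the only ones in this hunk without a claimant, so it would help to state whether they are intentionally unassigned.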
@@ -49,7 +57,7 @@ smarty3/oldstable
 --
 squid3/oldstable
 --
-tiff
+tiff (jmm)
   Maintainer working on updates
 --
 xcftools (hle)
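Review bot: The tiff entry gains a claimant, but the existing sub-line "Maintainer working on updates" is left unchanged; if jmm is now preparing the update, that note is stale and should be updated or removed so the two lines do not contradict each other.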



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/f6da83ed6b8c5e75fcbe8e3a1b3798eb14ac21fb


