[Git][security-tracker-team/security-tracker][master] buster/stretch triage

Moritz Muehlenhoff jmm at debian.org
Wed Jan 22 19:47:37 GMT 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8ade6a25 by Moritz Muehlenhoff at 2020-01-22T20:47:16+01:00
buster/stretch triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -5981,13 +5981,17 @@ CVE-2019-20172 (Kernel/VM/MemoryManager.cpp in SerenityOS before 2019-12-30 does
 	NOT-FOR-US: SerenityOS
 CVE-2019-20171 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
 	{DLA-2072-1}
-	- gpac <unfixed>
+	- gpac <unfixed> (low)
+	[buster] - gpac <no-dsa> (Minor issue)
+	[stretch] - gpac <no-dsa> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/issues/1337
 	NOTE: https://github.com/gpac/gpac/commit/72cdc5048dead86bb1df7d21e0b9975e49cf2d97
 	NOTE: https://github.com/gpac/gpac/commit/2bcca3f1d4605100bb27d3ed7be25b53cddbc75c
 CVE-2019-20170 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
 	{DLA-2072-1}
-	- gpac <unfixed>
+	- gpac <unfixed> (low)
+	[buster] - gpac <no-dsa> (Minor issue)
+	[stretch] - gpac <no-dsa> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/issues/1328
 	NOTE: https://github.com/gpac/gpac/commit/16856430287cc10f495eb241910b4dc45b193e03
 CVE-2019-20169 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
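Review bot: the two gpac entries gain a "low" severity and buster/stretch <no-dsa> lines, but the unstable line stays a bare "- gpac <unfixed> (low)" with no Debian bug reference, unlike the "(low; bug #943680)" form used for lz4 further down in this same commit; without a bug nothing prompts the maintainer to fix the <unfixed> state, so file one and record it in the usual "(low; bug #...)" form.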
@@ -6011,7 +6015,9 @@ CVE-2019-20166 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm
 	NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #2)
 CVE-2019-20165 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
 	{DLA-2072-1}
-	- gpac <unfixed>
+	- gpac <unfixed> (low)
+	[buster] - gpac <no-dsa> (Minor issue)
+	[stretch] - gpac <no-dsa> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/issues/1338
 	NOTE: https://github.com/gpac/gpac/commit/5250afecbc770c8f26829e9566d5b226a3c5fa80 (chunk #1)
 CVE-2019-20164 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
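Review bot: the NOTE for CVE-2019-20165 points at commit 5250afecbc770c8f26829e9566d5b226a3c5fa80 "(chunk #1)" while the preceding context line for CVE-2019-20166 cites the same commit "(chunk #2)", i.e. one upstream commit fixes both; when a fixed version is eventually recorded for one of them the other entry has to be updated in lockstep, which is worth a NOTE so the two do not drift apart.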
@@ -8674,8 +8680,8 @@ CVE-2019-20056 (stb_image.h (aka the stb image loader) 2.23, as used in libsixel
 	[jessie] - libsixel <no-dsa> (Minor issue)
 	- libstb <unfixed> (low)
 	[buster] - libstb <no-dsa> (Minor issue)
-	NOTE: https://github.com/saitoha/libsixel/issues/126
-	NOTE: Potentially affects catimg, yquake2, osgearth, renderdoc, goxel, ccextractor, zam-plugins, retroarch, libsfml, love, zynaddsubfx, gem, darknet, mame
+	NOTE: libsixel PR: https://github.com/saitoha/libsixel/issues/126
+	NOTE: libstb PR: https://github.com/nothings/stb/issues/886
 CVE-2019-20055 (LuquidPixels LiquiFire OS 4.8.0 allows SSRF via the call%3Durl substri ...)
 	NOT-FOR-US: LuquidPixels LiquiFire OS
 CVE-2019-20053 (An invalid memory address dereference was discovered in the canUnpack  ...)
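Review bot: both new NOTE lines are labelled "PR:" but point at GitHub issues/ URLs (libsixel issues/126, stb issues/886), so either relabel them as issue links or substitute the actual pull-request URLs. Separately, the removed "Potentially affects catimg, yquake2, ..." line was the only record of packages carrying an embedded copy of stb_image.h; if those have been checked and cleared, say so in a NOTE, otherwise keep the list so the embedded copies are not forgotten.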
@@ -9169,12 +9175,10 @@ CVE-2019-19906 (cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write le
 CVE-2019-16787
 	REJECTED
 CVE-2019-19905 (NetHack 3.6.x before 3.6.4 is prone to a buffer overflow vulnerability ...)
-	- nethack <unfixed> (low; bug #947005)
-	[buster] - nethack <no-dsa> (Minor issue)
-	[stretch] - nethack <no-dsa> (Minor issue)
-	[jessie] - nethack <end-of-life> (https://lists.debian.org/debian-lts/2019/12/msg00062.html)
+	- nethack <unfixed> (unimportant; bug #947005)
 	NOTE: https://github.com/NetHack/NetHack/commit/f4a840a48f4bcf11757b3d859e9d53cc9d5ef226
 	NOTE: https://github.com/NetHack/NetHack/commit/f001de79542b8c38b1f8e6d7eaefbbd28ab94b47
+	NOTE: Negligible security impact
 CVE-2020-3919
 	RESERVED
 CVE-2020-3918
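Review bot: the downgrade from low/<no-dsa> to unimportant rests on the single line "NOTE: Negligible security impact", which does not say why a buffer overflow in nethack is negligible; spell the reason out so a later triager does not re-open the question. Dropping the per-release lines follows from "unimportant", but the removed jessie <end-of-life> line carried the debian-lts list URL documenting that decision, and that reference is now gone from the entry; consider keeping it as a NOTE.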
@@ -10121,10 +10125,7 @@ CVE-2019-19777 (stb_image.h (aka the stb image loader) 2.23, as used in libsixel
 	[buster] - libsixel <no-dsa> (Minor issue)
 	[stretch] - libsixel <no-dsa> (Minor issue)
 	[jessie] - libsixel <no-dsa> (Minor issue)
-	- libstb <unfixed> (low)
-	[buster] - libstb <no-dsa> (Minor issue)
 	NOTE: https://github.com/saitoha/libsixel/issues/109
-	NOTE: Potentially affects catimg, mame, retroarch, yquake2, renderdoc, gem, goxel, libsfml, osgearth, darknet, ccextractor, love
 CVE-2019-19776
 	RESERVED
 CVE-2019-19775 (The image thumbnailing handler in Zulip Server versions 1.9.0 to befor ...)
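Review bot: the libstb source package is removed from CVE-2019-19777 entirely ("- libstb <unfixed> (low)" and the buster line), while the sibling CVE-2019-20056, which has the same stb_image.h 2.23 description, keeps its libstb lines; if libstb is not affected by this one, record that explicitly (the tracker's <not-affected> state with a reason, or a NOTE) rather than deleting the lines silently, otherwise the drop reads as accidental. The removed "Potentially affects ..." list raises the same concern as for CVE-2019-20056: the embedded-copy tracking is lost without a note that the listed packages were checked.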
@@ -12732,6 +12733,8 @@ CVE-2019-19649 (Zoho ManageEngine Applications Manager before 13620 allows a rem
 	NOT-FOR-US: Zoho ManageEngine Applications Manager
 CVE-2019-19648 (In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, ...)
 	- yara <unfixed>
+	[buster] - yara <no-dsa> (Minor issue)
+	[stretch] - yara <no-dsa> (Minor issue)
 	NOTE: https://github.com/VirusTotal/yara/issues/1178
 CVE-2019-19647 (radare2 through 4.0.0 lacks validation of the content variable in the  ...)
 	- radare2 <unfixed> (bug #947402)
@@ -22932,9 +22935,9 @@ CVE-2019-17544 (libaspell.a in GNU Aspell before 0.60.8 has a stack-based buffer
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16109
 	NOTE: https://github.com/GNUAspell/aspell/commit/80fa26c74279fced8d778351cff19d1d8f44fe4e
 CVE-2019-17543 (LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (rela ...)
-	- lz4 1.9.2-1 (bug #943680)
-	[buster] - lz4 <no-dsa> (Minor issue)
-	[stretch] - lz4 <no-dsa> (Minor issue)
+	- lz4 1.9.2-1 (low; bug #943680)
+	[buster] - lz4 <ignored> (Minor issue)
+	[stretch] - lz4 <ignored> (Minor issue)
 	[jessie] - lz4 <no-dsa> (Very hard to exploit, low risk)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15941
 	NOTE: https://github.com/lz4/lz4/pull/756
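Review bot: buster and stretch move from <no-dsa> to <ignored> with the bare reason "(Minor issue)", while the untouched jessie line stays <no-dsa> with the more informative "(Very hard to exploit, low risk)"; <ignored> is the stronger statement (no fix is planned for that release at all, not merely no DSA), so it deserves the fuller rationale, and jessie should arguably be brought to the same state so the three releases do not disagree about the same bug.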
@@ -36660,8 +36663,8 @@ CVE-2019-13314 (virt-bootstrap 1.1.0 allows local users to discover a root passw
 	- virt-bootstrap <itp> (bug #871621)
 CVE-2019-13313 (libosinfo 1.5.0 allows local users to discover credentials by listing  ...)
 	- libosinfo 1.6.0-1 (bug #931479)
-	[buster] - libosinfo <no-dsa> (Minor issue)
-	[stretch] - libosinfo <no-dsa> (Minor issue)
+	[buster] - libosinfo <ignored> (Minor issue)
+	[stretch] - libosinfo <ignored> (Minor issue)
 	[jessie] - libosinfo <postponed> (Minor issue, local transient password leak in `ps`, affected binary not used by other packages)
 	NOTE: https://www.redhat.com/archives/libosinfo/2019-July/msg00026.html
 CVE-2019-13312 (block_cmp() in libavcodec/zmbvenc.c in FFmpeg 4.1.3 has a heap-based b ...)
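Review bot: buster and stretch become <ignored> (Minor issue) while the jessie line remains <postponed> and is the only one carrying the actual reasoning ("local transient password leak in `ps`, affected binary not used by other packages"); copy that reasoning onto the buster/stretch lines, and decide whether jessie should match, since <postponed> says a fix is still expected and <ignored> says it is not.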
@@ -41803,12 +41806,12 @@ CVE-2019-11505 (In GraphicsMagick from version 1.3.8 to 1.4 snapshot-20190403 Q8
 CVE-2019-11504 (Zotonic before version 0.47 has mod_admin XSS. ...)
 	NOT-FOR-US: Zotonic
 CVE-2019-11503 (snap-confine as included in snapd before 2.39 did not guard against sy ...)
-	- snapd <unfixed> (low; bug #928052)
+	- snapd 2.40-1 (low; bug #928052)
 	[buster] - snapd <no-dsa> (Minor issue)
 	[stretch] - snapd <no-dsa> (Minor issue)
 	NOTE: https://github.com/snapcore/snapd/pull/6642
 CVE-2019-11502 (snap-confine in snapd before 2.38 incorrectly set the ownership of a s ...)
-	- snapd <unfixed> (low; bug #928052)
+	- snapd 2.40-1 (low; bug #928052)
 	[buster] - snapd <no-dsa> (Minor issue)
 	[stretch] - snapd <no-dsa> (Minor issue)
 	NOTE: https://github.com/snapcore/snapd/commit/bdbfeebef03245176ae0dc323392bb0522a339b1
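Review bot: both snapd entries now record 2.40-1 as the fixing upload, but neither NOTE ties the upstream reference (pull 6642 for CVE-2019-11503, the commit for CVE-2019-11502) to that Debian version, and bug #928052 is still cited with no indication that the upload closed it; add a NOTE pointing at the changelog entry or upstream release that carries the fix so the version claim can be verified rather than trusted.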
@@ -45905,7 +45908,7 @@ CVE-2019-10045 (The "action" get_sess_id in the web application of Pydio through
 	- ajaxplorer <itp> (bug #668381)
 CVE-2019-10044 (Telegram Desktop before 1.5.12 on Windows, and the Telegram applicatio ...)
 	- telegram-desktop 1.8.4-1 (bug #927711)
-	[buster] - telegram-desktop <no-dsa> (Minor issue)
+	[buster] - telegram-desktop <ignored> (Minor issue)
 	NOTE: https://github.com/blazeinfosec/advisories/blob/master/telegram-advisory.txt
 CVE-2019-10043
 	RESERVED
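Review bot: the buster line flips from <no-dsa> to <ignored> while keeping the identical "(Minor issue)" reason; since the reason text is what a reader uses to judge the stronger state, say why a fix via point release is ruled out rather than leaving the two states indistinguishable.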
@@ -63989,7 +63992,7 @@ CVE-2018-20534 (** DISPUTED ** There is an illegal address access at ext/testcas
 	NOTE: Only affects the test suite
 CVE-2018-20533 (There is a NULL pointer dereference at ext/testcase.c (function testca ...)
 	- libsolv 0.6.36-1 (low; bug #923002)
-	[buster] - libsolv <no-dsa> (Minor issue)
+	[buster] - libsolv <ignored> (Minor issue)
 	[stretch] - libsolv <ignored> (Minor issue)
 	[jessie] - libsolv <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652599
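Review bot: with this change CVE-2018-20533 is <ignored> on every release, yet its description points at ext/testcase.c just like the neighbouring CVE-2018-20534, whose only context is "NOTE: Only affects the test suite"; if the same holds here, the cleaner triage is "unimportant" on the unstable line with that NOTE, which makes the per-release <ignored> entries unnecessary instead of multiplying them.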
@@ -63997,7 +64000,7 @@ CVE-2018-20533 (There is a NULL pointer dereference at ext/testcase.c (function
 	NOTE: https://github.com/openSUSE/libsolv/commit/4830af9d979d3685de538b80fbeba51ad590525e
 CVE-2018-20532 (There is a NULL pointer dereference at ext/testcase.c (function testca ...)
 	- libsolv 0.6.36-1 (low; bug #923002)
-	[buster] - libsolv <no-dsa> (Minor issue)
+	[buster] - libsolv <ignored> (Minor issue)
 	[stretch] - libsolv <ignored> (Minor issue)
 	[jessie] - libsolv <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652605


=====================================
data/dsa-needed.txt
=====================================
@@ -24,6 +24,8 @@ jruby/oldstable
 --
 libexif (carnil)
 --
+libidn2/stable
+--
 libopenmpt
 --
 linux (carnil)
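Review bot: libidn2/stable is added to dsa-needed without a claimant and without any matching change in data/CVE/list in this commit, so nothing here says which CVE the DSA is meant to cover; add the CVE id (or a pointer to the tracker entry) next to the package so whoever picks it up does not have to reconstruct the scope.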



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/8ade6a252d795fe6fa82b000896ca6b5f1da8252
