[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff
jmm at debian.org
Tue Jul 21 08:55:14 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
4bb1bbe5 by Moritz Muehlenhoff at 2020-07-21T09:54:49+02:00
buster triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -5600,6 +5600,7 @@ CVE-2020-13626
CVE-2020-13625 (PHPMailer before 6.1.6 contains an output escaping bug when the name o ...)
{DLA-2244-1}
- libphp-phpmailer 6.1.6-1 (bug #962827)
+ [buster] - libphp-phpmailer <no-dsa> (Minor issue)
NOTE: https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-f7hx-fqxw-rvvj
NOTE: https://github.com/PHPMailer/PHPMailer/commit/c2796cb1cb99d7717290b48c4e6f32cb6c60b7b3
CVE-2020-13624
@@ -6427,7 +6428,7 @@ CVE-2020-13254 (An issue was discovered in Django 2.2 before 2.2.13 and 3.0 befo
NOTE: Regression https://code.djangoproject.com/ticket/31654
CVE-2020-13253 (sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, wh ...)
- qemu 1:5.0-8 (bug #961297)
- [buster] - qemu <postponed> (Minor issue, can be fixed along in next DSA)
+ [buster] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[stretch] - qemu <postponed> (Minor issue, can be fixed along in next DSA)
NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05835.html
NOTE: https://www.openwall.com/lists/oss-security/2020/05/27/2
@@ -7274,12 +7275,14 @@ CVE-2020-12867 (A NULL pointer dereference in sanei_epson_net_read in SANE Backe
{DLA-2231-1}
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends <unfixed> (bug #961302)
+ [buster] - sane-backends <no-dsa> (Minor issue)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-1-ghsl-2020-075-null-pointer-dereference-in-sanei_epson_net_read
NOTE: https://alioth-lists.debian.net/pipermail/sane-announce/2020/000041.html
CVE-2020-12866 (A NULL pointer dereference in SANE Backends before 1.0.30 allows a mal ...)
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends <unfixed> (bug #961302)
+ [buster] - sane-backends <no-dsa> (Minor issue)
[jessie] - sane-backends <not-affected> (epsonds backend was added in 1.0.25)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-2-ghsl-2020-079-null-pointer-dereference-in-epsonds_net_read
@@ -7287,6 +7290,7 @@ CVE-2020-12866 (A NULL pointer dereference in SANE Backends before 1.0.30 allows
CVE-2020-12865 (A heap buffer overflow in SANE Backends before 1.0.30 may allow a mali ...)
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends <unfixed> (bug #961302)
+ [buster] - sane-backends <no-dsa> (Minor issue)
[jessie] - sane-backends <not-affected> (epsonds backend was added in 1.0.25)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-9-ghsl-2020-084-buffer-overflow-in-esci2_img
@@ -7294,6 +7298,7 @@ CVE-2020-12865 (A heap buffer overflow in SANE Backends before 1.0.30 may allow
CVE-2020-12864 (An out-of-bounds read in SANE Backends before 1.0.30 may allow a malic ...)
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends <unfixed> (bug #961302)
+ [buster] - sane-backends <no-dsa> (Minor issue)
[jessie] - sane-backends <not-affected> (epsonds backend was added in 1.0.25)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-4-ghsl-2020-081-reading-uninitialized-data-in-epsonds_net_read
@@ -7301,6 +7306,7 @@ CVE-2020-12864 (An out-of-bounds read in SANE Backends before 1.0.30 may allow a
CVE-2020-12863 (An out-of-bounds read in SANE Backends before 1.0.30 may allow a malic ...)
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends <unfixed> (bug #961302)
+ [buster] - sane-backends <no-dsa> (Minor issue)
[jessie] - sane-backends <not-affected> (epsonds backend was added in 1.0.25)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-7-ghsl-2020-083-out-of-bounds-read-in-esci2_check_header
@@ -7308,6 +7314,7 @@ CVE-2020-12863 (An out-of-bounds read in SANE Backends before 1.0.30 may allow a
CVE-2020-12862 (An out-of-bounds read in SANE Backends before 1.0.30 may allow a malic ...)
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends <unfixed> (bug #961302)
+ [buster] - sane-backends <no-dsa> (Minor issue)
[jessie] - sane-backends <not-affected> (epsonds backend was added in 1.0.25)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-5-ghsl-2020-082-out-of-bounds-read-in-decode_binary
@@ -7315,6 +7322,7 @@ CVE-2020-12862 (An out-of-bounds read in SANE Backends before 1.0.30 may allow a
CVE-2020-12861 (A heap buffer overflow in SANE Backends before 1.0.30 allows a malicio ...)
[experimental] - sane-backends 1.0.30-1~experimental1
- sane-backends <unfixed> (bug #961302)
+ [buster] - sane-backends <no-dsa> (Minor issue)
[jessie] - sane-backends <not-affected> (epsonds backend was added in 1.0.25)
NOTE: https://gitlab.com/sane-project/backends/-/issues/279
NOTE: https://gitlab.com/sane-project/backends/-/issues/279#issue-3-ghsl-2020-080-heap-buffer-overflow-in-epsonds_net_read
@@ -7390,6 +7398,7 @@ CVE-2020-12829
[stretch] - qemu <no-dsa> (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1808510
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1786026
+ NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=b15a22bbcbe6a78dc3d88fe3134985e4cdd87de4
CVE-2020-12828 (An issue was discovered in AnchorFree VPN SDK before 1.3.3.218. The VP ...)
NOT-FOR-US: AnchorFree VPN SDK
CVE-2020-12827 (MJML prior to 4.6.3 contains a path traversal vulnerability when proce ...)
@@ -9690,9 +9699,11 @@ CVE-2020-11935
CVE-2020-11934
RESERVED
- snapd 2.45.2-1
+ [buster] - snapd <no-dsa> (Minor issue)
+ NOTE: https://github.com/snapcore/snapd/commit/06342a31878f1cf99d56da5483e71b9af61f46ad
CVE-2020-11933
RESERVED
- - snapd 2.45.2-1
+ NOT-FOR-US: cloud-init in some Ubuntu images
CVE-2020-11932 (It was discovered that the Subiquity installer for Ubuntu Server logge ...)
NOT-FOR-US: Subiquity installer for Ubuntu
CVE-2020-11931 (An Ubuntu-specific modification to Pulseaudio to provide security medi ...)
@@ -13176,6 +13187,7 @@ CVE-2020-11024 (In Moonlight iOS/tvOS before 4.0.1, the pairing process is vulne
CVE-2020-11023 (In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, pa ...)
{DSA-4693-1}
- jquery <removed>
+ [buster] - jquery <no-dsa> (Minor issue)
[jessie] - jquery <not-affected> (Vulnerable code note present)
- drupal7 <removed>
[jessie] - drupal7 <not-affected> (Vulnerable code not embedded)
@@ -13185,6 +13197,7 @@ CVE-2020-11023 (In jQuery versions greater than or equal to 1.0.3 and before 3.5
CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 3.5.0, pass ...)
{DSA-4693-1}
- jquery <removed>
+ [buster] - jquery <no-dsa> (Minor issue)
[jessie] - jquery <not-affected> (Vulnerable code note present)
- node-jquery 3.5.0+dfsg-2
- drupal7 <removed>
@@ -17824,6 +17837,7 @@ CVE-2020-9272 (ProFTPD 1.3.7 has an out-of-bounds (OOB) read vulnerability in mo
CVE-2019-20479 (A flaw was found in mod_auth_openidc before version 2.4.1. An open red ...)
{DLA-2130-1}
- libapache2-mod-auth-openidc 2.4.1-1
+ [buster] - libapache2-mod-auth-openidc <no-dsa> (Minor issue)
NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/02431c0adfa30f478cf2eb20ed6ea51fdf446be7
NOTE: https://github.com/zmartzone/mod_auth_openidc/pull/453
CVE-2019-20478 (In ruamel.yaml through 0.16.7, the load method allows remote code exec ...)
@@ -18900,6 +18914,7 @@ CVE-2018-21034 (In Argo versions prior to v1.5.0-rc1, it was possible for authen
NOT-FOR-US: Argo
CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext HTTP, a ...)
- lxc-templates <unfixed>
+ [buster] - lxc-templates <ignored> (Minor issue)
- lxc 1:3.0.3-1 (low)
[stretch] - lxc <no-dsa> (Minor issue)
[jessie] - lxc <ignored> (https://lists.debian.org/debian-lts/2020/02/msg00102.html)
@@ -19391,6 +19406,7 @@ CVE-2020-8608 (In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snpr
[stretch] - qemu <postponed> (Minor issue)
- qemu-kvm <removed>
- slirp <unfixed>
+ [buster] - slirp <no-dsa> (Minor issue)
- slirp4netns 1.0.1-1
[buster] - slirp4netns <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/slirp/libslirp/commit/68ccb8021a838066f0951d4b2817eb6b6f10a843
@@ -51620,6 +51636,7 @@ CVE-2019-15605 (HTTP request smuggling in Node.js 10, 12, and 13 causes maliciou
[jessie] - nodejs <end-of-life> (Nodejs in jessie not covered by security support)
[experimental] - http-parser 2.9.3-1
- http-parser <unfixed>
+ [buster] - http-parser <no-dsa> (Minor issue)
[jessie] - http-parser <ignored> (Invasive patch, requires prior content-length support and public struct changes that break ABI)
NOTE: https://hackerone.com/reports/735748
NOTE: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b (http-parser)
@@ -63674,7 +63691,7 @@ CVE-2019-12068 (In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.
CVE-2019-12067 [ide: ahci: add check to avoid null dereference]
RESERVED
- qemu <unfixed> (low)
- [buster] - qemu <postponed> (Minor issue, can be fixed along in future update)
+ [buster] - qemu <postponed> (Minor issue, revisit when fixed upstream)
[stretch] - qemu <postponed> (Minor issue, can be fixed along in future update)
[jessie] - qemu <postponed> (Minor issue, can be fixed along in future update)
- qemu-kvm <removed>
@@ -67343,7 +67360,7 @@ CVE-2019-10786 (network-manager through 1.0.2 allows remote attackers to execute
CVE-2019-10785 (dojox is vulnerable to Cross-site Scripting in all versions before ver ...)
{DLA-2127-1}
- dojo 1.15.2+dfsg1-1 (bug #952771)
- [buster] - dojo 1.15.0+dfsg1-1+deb10u1
+ [buster] - dojo 1.14.2+dfsg1-1+deb10u1
NOTE: https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
NOTE: https://snyk.io/vuln/SNYK-JS-DOJOX-548257
NOTE: https://github.com/dojo/dojox/pull/315
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bb1bbe59ece7c35ef7b68a3490e0bb576a4fc0a
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bb1bbe59ece7c35ef7b68a3490e0bb576a4fc0a
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200721/121d9e90/attachment-0001.html>
More information about the debian-security-tracker-commits
mailing list