[Git][security-tracker-team/security-tracker][master] 9 commits: mark CVE-2020-14664 as no-dsa for Stretch

Thorsten Alteholz alteholz at debian.org
Thu Jul 23 13:31:23 BST 2020



Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
617fccb0 by Thorsten Alteholz at 2020-07-23T13:39:33+02:00
mark CVE-2020-14664 as no-dsa for Stretch

- - - - -
2ca34ae2 by Thorsten Alteholz at 2020-07-23T13:48:56+02:00
mark CVE-2018-1311 as postponed for Stretch, no upstream approved patch yet

- - - - -
cb223d40 by Thorsten Alteholz at 2020-07-23T13:54:19+02:00
add slirp

- - - - -
e5a619a6 by Thorsten Alteholz at 2020-07-23T13:56:13+02:00
mark CVE-2020-1776 for otrs2 as no-dsa as it is in non-free

- - - - -
148d887e by Thorsten Alteholz at 2020-07-23T13:59:09+02:00
add node-lodash

- - - - -
8d93c0e8 by Thorsten Alteholz at 2020-07-23T14:25:07+02:00
mark CVE-2019-18222 for mbedtls as no-dsa

- - - - -
23401792 by Thorsten Alteholz at 2020-07-23T14:25:33+02:00
mark CVE-2020-10932 for mbedtls as no-dsa

- - - - -
f0e912a5 by Thorsten Alteholz at 2020-07-23T14:25:56+02:00
mark CVE-2020-10941 for mbedtls as no-dsa

- - - - -
c5730d03 by Thorsten Alteholz at 2020-07-23T14:31:01+02:00
add xrdp

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2779,6 +2779,7 @@ CVE-2020-14665 (Vulnerability in the Oracle Trade Management product of Oracle E
 	NOT-FOR-US: Oracle
 CVE-2020-14664 (Vulnerability in the Java SE product of Oracle Java SE (component: Jav ...)
 	- openjfx 11+26-1
+	[stretch] - openjfx <no-dsa> (Minor issue)
 	NOTE: Oracle CPU lists only 8.x as affected, so marking the first 11.x upload as fixed
 CVE-2020-14663 (Vulnerability in the MySQL Server product of Oracle MySQL (component:  ...)
 	- mysql-5.7 <not-affected> (Only affects MySQL 8)
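Review bot: the `(Minor issue)` rationale on the new stretch line is not explained by the surrounding entry; the existing NOTE only says why the first 11.x upload counts as fixed (Oracle's CPU lists just the 8.x line as affected), which implies stretch's older openjfx is in scope but says nothing about severity. A few words in the parenthesis, or a second NOTE, stating why this CPU entry is considered minor for stretch would save the next triager from re-reading the Oracle advisory.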
@@ -13585,6 +13586,7 @@ CVE-2020-10942 (In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhos
 CVE-2020-10941 (Arm Mbed TLS before 2.6.15 allows attackers to obtain sensitive inform ...)
 	- mbedtls 2.16.5-1
 	[buster] - mbedtls <no-dsa> (Minor issue)
+	[stretch] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02
 CVE-2020-10940 (Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER ...)
 	NOT-FOR-US: PHOENIX CONTACT
@@ -13620,6 +13622,7 @@ CVE-2020-10933 (An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x throu
 CVE-2020-10932 (An issue was discovered in Arm Mbed TLS before 2.16.6 and 2.7.x before ...)
 	- mbedtls <unfixed> (bug #963159)
 	[buster] - mbedtls <no-dsa> (Minor issue)
+	[stretch] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
 	NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-04
 CVE-2020-10930
@@ -37648,6 +37651,7 @@ CVE-2020-1777
 CVE-2020-1776 (When an agent user is renamed or set to invalid the session belonging  ...)
 	- otrs2 6.0.29-1
 	[buster] - otrs2 <no-dsa> (Non-free not supported)
+	[stretch] - otrs2 <no-dsa> (Non-free not supported)
 	NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-13/
 CVE-2020-1775 (BCC recipients in mails sent from OTRS are visible in article detail o ...)
 	- otrs2 <not-affected> (ONly affects 7.x and 8.x series)
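Review bot: `[stretch] - otrs2 <no-dsa> (Non-free not supported)` mirrors the buster line and matches the commit message, so the annotation itself is fine. While in this area, the unchanged CVE-2020-1775 line two lines below reads `ONly affects 7.x and 8.x series`; the stray capital could be fixed in the same series.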
@@ -43508,6 +43512,7 @@ CVE-2019-18223 (ZOOM International Call Recording 6.3.1 suffers from multiple au
 CVE-2019-18222 (The ECDSA signature implementation in ecdsa.c in Arm Mbed Crypto 2.1 a ...)
 	- mbedtls 2.16.4-1
 	[buster] - mbedtls <no-dsa> (Minor issue)
+	[stretch] - mbedtls <no-dsa> (Minor issue)
 	NOTE: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12
 	NOTE: Fixed upstream in 2.20.0, 2.16.4 and 2.7.13
 CVE-2019-18221 (CoreHR Core Portal before 27.0.7 allows stored XSS. ...)
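Review bot: this is the third mbedtls CVE marked `<no-dsa>` for stretch in this push (after CVE-2020-10941 and CVE-2020-10932), each with the same `(Minor issue)` rationale and each pointing at an upstream advisory. Since the NOTE here already records the fixed upstream versions (2.20.0, 2.16.4 and 2.7.13), a short NOTE on one of the entries saying that the three are intentionally deferred together would make it clear to a later LTS triager that they are candidates for a single batched update rather than three independently dropped issues.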
@@ -148582,6 +148587,7 @@ CVE-2018-1312 (In Apache httpd 2.2.0 to 2.4.29, when generating an HTTP Digest a
 CVE-2018-1311 (The Apache Xerces-C 3.0.0 to 3.2.2 XML parser contains a use-after-fre ...)
 	- xerces-c <unfixed> (bug #947431)
 	[buster] - xerces-c <postponed> (Minor issue, revisit when fixed upstream)
+	[stretch] - xerces-c <postponed> (Minor issue, revisit when fixed upstream)
 	[jessie] - xerces-c <postponed> (slow upstream interest, proper fix likely to break ABI compatibility)
 	NOTE: http://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt
 	NOTE: https://issues.apache.org/jira/browse/XERCESC-2188
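Review bot: the new stretch line copies buster's `(Minor issue, revisit when fixed upstream)`, but the jessie line directly below gives the more concrete reason (`slow upstream interest, proper fix likely to break ABI compatibility`) and the commit message says there is no upstream-approved patch yet. Reusing the jessie wording for stretch, or adding a NOTE that XERCESC-2188 is the ticket to watch, would make the "revisit" trigger explicit for a use-after-free in the XML parser rather than leaving it as a generic minor-issue mark.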


=====================================
data/dla-needed.txt
=====================================
@@ -107,6 +107,8 @@ mupdf (Thorsten Alteholz)
   NOTE: 20200708: Vulnerable to at least CVE-2019-13290. (lamby)
   NOTE: 20200719: testing package (thorsten)
 --
+node-lodash
+--
 nss (Adrian Bunk)
   NOTE: 20200706: from dsa-needed.txt: Roberto proposed an update including fixes for CVE-2018-12404 and CVE-2018-18508 (Beuc)
 --
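Review bot: the new `node-lodash` entry carries no NOTE line, whereas neighbouring entries (mupdf, nss) record a dated `NOTE: YYYYMMDD:` with the CVE or reason that triggered the addition. Adding one such line, e.g. `NOTE: 20200723: ...` naming the CVE(s) to be addressed, would tell the eventual claimer the scope without re-triaging data/CVE/list. The same applies to the `slirp` and `xrdp` entries added further down in this file.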
@@ -136,6 +138,8 @@ salt (Thorsten Alteholz)
 samba (Roberto C. Sánchez)
   NOTE: 20200703: Check with security team so that there's no clash for Stretch update. (utkarsh)
 --
+slirp
+--
 sqlite3
   NOTE: 20200712: Vulnerable to at least CVE-2020-13630. (lamby)
 --
@@ -171,3 +175,5 @@ xcftools
   NOTE: 20200523: Proposed fix https://github.com/j-jorge/xcftools/pull/15 (gladk)
   NOTE: 20200605: Patch https://salsa.debian.org/lts-team/packages/xcftools/-/blob/fix/test-CVE-2019-5087/debian/patches/CVE-2019-5087.patch (gladk)
 --
+xrdp
+--



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/14ec1a28f3f1fdc8011b935f4b55ae4b6181da57...c5730d03f3ea4ca878c05c7afc442089bd336127

-- 
You're receiving this email because of your account on salsa.debian.org.

