[Git][security-tracker-team/security-tracker][master] 11 commits: add clamav
Thorsten Alteholz
alteholz at debian.org
Sun Jul 26 22:17:24 BST 2020
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker
Commits:
25135bba by Thorsten Alteholz at 2020-07-26T23:16:49+02:00
add clamav
- - - - -
bf0257a7 by Thorsten Alteholz at 2020-07-26T23:16:51+02:00
mark CVE-2019-1020014 as not-affected for Stretch
- - - - -
e38dd9d5 by Thorsten Alteholz at 2020-07-26T23:16:52+02:00
mark CVE-2019-19794 as no-dsa for Stretch
- - - - -
c1e0263e by Thorsten Alteholz at 2020-07-26T23:16:53+02:00
mark CVE-2013-7489 as no-dsa for Stretch
- - - - -
03bacde4 by Thorsten Alteholz at 2020-07-26T23:16:54+02:00
mark CVE-2019-20162 as no-dsa for Stretch
- - - - -
022a319a by Thorsten Alteholz at 2020-07-26T23:16:55+02:00
mark CVE-2019-20161 as no-dsa for Stretch
- - - - -
c9fe7000 by Thorsten Alteholz at 2020-07-26T23:16:56+02:00
mark CVE-2019-15605 as ignored for Stretch
- - - - -
04f7ced9 by Thorsten Alteholz at 2020-07-26T23:16:58+02:00
mark CVE-2020-11022 as no-dsa for Stretch
- - - - -
5917ab87 by Thorsten Alteholz at 2020-07-26T23:16:59+02:00
mark CVE-2020-11023 as no-dsa for Stretch
- - - - -
9c479c6d by Thorsten Alteholz at 2020-07-26T23:16:59+02:00
add libapache2-mod-auth-openidc
- - - - -
7dc657cd by Thorsten Alteholz at 2020-07-26T23:17:00+02:00
mark CVE-2020-14040 as no-dsa for Stretch
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1419,6 +1419,7 @@ CVE-2020-15354
CVE-2013-7489 (The Beaker library through 1.11.0 for Python is affected by deserializ ...)
- beaker <unfixed> (bug #966197)
[buster] - beaker <no-dsa> (Minor issue)
+ [stretch] - beaker <no-dsa> (Minor issue)
NOTE: https://github.com/bbangert/beaker/issues/191
NOTE: https://www.openwall.com/lists/oss-security/2020/05/14/11
CVE-2020-15353
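Review bot: the added `[stretch] - beaker <no-dsa> (Minor issue)` line repeats buster's reason verbatim, but the hunk header describes this as a deserialization issue in Beaker, so a short NOTE line explaining why exposure is considered limited (what an attacker would need to control) would make the "Minor issue" assessment reviewable later, particularly as the package is still `<unfixed>` in unstable (bug #966197).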
@@ -4691,6 +4692,7 @@ CVE-2020-14040 (The x/text package before 0.3.3 for Go has a vulnerability in en
- golang-golang-x-text 0.3.3-1 (bug #964272)
- golang-x-text <unfixed> (bug #964271)
[buster] - golang-x-text <no-dsa> (Minor issue)
+ [stretch] - golang-x-text <no-dsa> (Minor issue)
NOTE: https://github.com/golang/go/issues/39491
NOTE: https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
NOTE: https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0
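Review bot: the new stretch marking covers only `golang-x-text`, while the entry also lists `golang-golang-x-text 0.3.3-1`; if that second source package does not exist in stretch this is correct, but a reviewer cannot tell from the entry alone, so it is worth confirming. Since Go libraries are linked statically, a `<no-dsa>` on the library source package also says nothing about binaries in stretch that embed the affected x/text code; the same consideration applies to the `golang-github-miekg-dns` marking further down in this commit.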
@@ -13442,6 +13444,7 @@ CVE-2020-11023 (In jQuery versions greater than or equal to 1.0.3 and before 3.5
{DSA-4693-1}
- jquery <removed>
[buster] - jquery <no-dsa> (Minor issue)
+ [stretch] - jquery <no-dsa> (Minor issue)
[jessie] - jquery <not-affected> (Vulnerable code note present)
- drupal7 <removed>
[jessie] - drupal7 <not-affected> (Vulnerable code not embedded)
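Review bot: the pre-existing jessie context line reads `[jessie] - jquery <not-affected> (Vulnerable code note present)`; "note present" is presumably meant to be "not present" (the drupal7 line below uses "not embedded"). The same typo appears in the CVE-2020-11022 entry in the next hunk. It is not part of this change, but since both entries are being touched it would be a good moment to fix it in a follow-up commit.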
@@ -13452,6 +13455,7 @@ CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 3.5.0
{DSA-4693-1}
- jquery <removed>
[buster] - jquery <no-dsa> (Minor issue)
+ [stretch] - jquery <no-dsa> (Minor issue)
[jessie] - jquery <not-affected> (Vulnerable code note present)
- node-jquery 3.5.0+dfsg-2
- drupal7 <removed>
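Review bot: this entry lists `- node-jquery 3.5.0+dfsg-2` between the jquery and drupal7 lines, whereas the CVE-2020-11023 entry in the previous hunk goes straight from the jessie jquery line to drupal7. Both hunk headers give the same fixed jQuery version (3.5.0), so please check that node-jquery is recorded for CVE-2020-11023 as well, or that its absence there is intentional.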
@@ -28556,12 +28560,14 @@ CVE-2019-20162 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm
{DLA-2072-1}
- gpac <unfixed>
[buster] - gpac <no-dsa> (Minor issue)
+ [stretch] - gpac <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1327
NOTE: https://github.com/gpac/gpac/commit/3c0ba42546c8148c51169c3908e845c308746c77
CVE-2019-20161 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
{DLA-2072-1}
- gpac <unfixed>
[buster] - gpac <no-dsa> (Minor issue)
+ [stretch] - gpac <no-dsa> (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/1320
NOTE: https://github.com/gpac/gpac/commit/7a09732d4978586e6284e84caa9c301b2fa5e956
CVE-2019-20160 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
@@ -32740,6 +32746,7 @@ CVE-2019-19795 (samurai 0.7 has a heap-based buffer overflow in canonpath in uti
CVE-2019-19794 (The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6. ...)
- golang-github-miekg-dns 1.1.26-1 (bug #947403)
[buster] - golang-github-miekg-dns <no-dsa> (Minor issue)
+ [stretch] - golang-github-miekg-dns <no-dsa> (Minor issue)
NOTE: https://github.com/coredns/coredns/issues/3519
NOTE: https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33
NOTE: https://github.com/miekg/dns/issues/1043
@@ -51902,6 +51909,7 @@ CVE-2019-15605 (HTTP request smuggling in Node.js 10, 12, and 13 causes maliciou
[experimental] - http-parser 2.9.3-1
- http-parser <unfixed>
[buster] - http-parser <no-dsa> (Minor issue)
+ [stretch] - http-parser <ignored> (Invasive patch, requires prior content-length support and public struct changes that break ABI)
[jessie] - http-parser <ignored> (Invasive patch, requires prior content-length support and public struct changes that break ABI)
NOTE: https://hackerone.com/reports/735748
NOTE: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b (http-parser)
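Review bot: the stretch reason in `+ [stretch] - http-parser <ignored> (Invasive patch, requires prior content-length support and public struct changes that break ABI)` is copied word for word from the jessie line below it. The stretch and jessie versions of http-parser are not necessarily the same, so it would be worth confirming that the stretch version also lacks the prerequisite content-length handling, and recording the version checked in a NOTE. Given that buster is `<no-dsa>` rather than `<ignored>`, a one-line NOTE on why the two releases are treated differently would also help, since the header describes this as an HTTP request smuggling issue that stretch will now carry unfixed.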
@@ -56860,6 +56868,7 @@ CVE-2019-1020015 (graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3
CVE-2019-1020014 (docker-credential-helpers before 0.6.3 has a double free in the List f ...)
- golang-github-docker-docker-credential-helpers 0.6.1-3 (bug #933801)
[buster] - golang-github-docker-docker-credential-helpers <no-dsa> (Minor issue, can be fixed in point release)
+ [stretch] - golang-github-docker-docker-credential-helpers <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/docker/docker-credential-helpers/commit/1c9f7ede70a5ab9851f4c9cb37d317fd89cd318a
CVE-2019-1020013 (parse-server before 3.6.0 allows account enumeration. ...)
NOT-FOR-US: parse-server
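Review bot: `+ [stretch] - golang-github-docker-docker-credential-helpers <not-affected> (Vulnerable code introduced later)` is only verifiable if the entry records when the code was introduced, and the single NOTE link points at the fix commit, not at the introducing change. Please add a NOTE with the upstream version or commit that introduced the double free (or the stretch package version that was inspected), so a later triager can re-check the not-affected claim without redoing the analysis.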
=====================================
data/dla-needed.txt
=====================================
@@ -37,6 +37,8 @@ cimg
NOTE: 20200709: method (vs "load_network") but is still missing the argument
NOTE: 20200709: sanitisation. (lamby)
--
+clamav
+--
condor (Roberto C. Sánchez)
NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
@@ -82,6 +84,8 @@ json-c
jupyter-notebook
NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby)
--
+libapache2-mod-auth-openidc (Thorsten Alteholz)
+--
libjpeg-turbo (Adrian Bunk)
--
libopenmpt (Utkarsh Gupta)
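Review bot: the two new dla-needed.txt entries, `+clamav` in the earlier hunk and `+libapache2-mod-auth-openidc (Thorsten Alteholz)` here, are in the correct alphabetical positions and use the `--` separator consistently, but neither carries a dated `NOTE:` line, unlike the surrounding cimg, condor and jupyter-notebook entries. A NOTE naming the CVE(s) or the reason for adding them (for example a new upstream release) would let other LTS contributors see at a glance why each package is on the list.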
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d18f81c15453de8a850f43ee27b2b68a007bc77d...7dc657cd29e46b9222c34ee599ceb1fd437110b3