[Git][security-tracker-team/security-tracker][master] 11 commits: add clamav

Sun Jul 26 22:17:24 BST 2020


Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
25135bba by Thorsten Alteholz at 2020-07-26T23:16:49+02:00
add clamav

- - - - -
bf0257a7 by Thorsten Alteholz at 2020-07-26T23:16:51+02:00
mark CVE-2019-1020014 as not-affected for Stretch

- - - - -
e38dd9d5 by Thorsten Alteholz at 2020-07-26T23:16:52+02:00
mark CVE-2019-19794 as no-dsa for Stretch

- - - - -
c1e0263e by Thorsten Alteholz at 2020-07-26T23:16:53+02:00
mark CVE-2013-7489 as no-dsa for Stretch

- - - - -
03bacde4 by Thorsten Alteholz at 2020-07-26T23:16:54+02:00
mark CVE-2019-20162 as no-dsa for Stretch

- - - - -
022a319a by Thorsten Alteholz at 2020-07-26T23:16:55+02:00
mark CVE-2019-20161 as no-dsa for Stretch

- - - - -
c9fe7000 by Thorsten Alteholz at 2020-07-26T23:16:56+02:00
mark CVE-2019-15605 as ignored for Stretch

- - - - -
04f7ced9 by Thorsten Alteholz at 2020-07-26T23:16:58+02:00
mark CVE-2020-11022 as no-dsa for Stretch

- - - - -
5917ab87 by Thorsten Alteholz at 2020-07-26T23:16:59+02:00
mark CVE-2020-11023 as no-dsa for Stretch

- - - - -
9c479c6d by Thorsten Alteholz at 2020-07-26T23:16:59+02:00
add libapache2-mod-auth-openidc

- - - - -
7dc657cd by Thorsten Alteholz at 2020-07-26T23:17:00+02:00
mark CVE-2020-14040 as no-dsa for Stretch

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -1419,6 +1419,7 @@ CVE-2020-15354
 CVE-2013-7489 (The Beaker library through 1.11.0 for Python is affected by deserializ ...)
 	- beaker <unfixed> (bug #966197)
 	[buster] - beaker <no-dsa> (Minor issue)
+	[stretch] - beaker <no-dsa> (Minor issue)
 	NOTE: https://github.com/bbangert/beaker/issues/191
 	NOTE: https://www.openwall.com/lists/oss-security/2020/05/14/11
 CVE-2020-15353
@@ -4691,6 +4692,7 @@ CVE-2020-14040 (The x/text package before 0.3.3 for Go has a vulnerability in en
 	- golang-golang-x-text 0.3.3-1 (bug #964272)
 	- golang-x-text <unfixed> (bug #964271)
 	[buster] - golang-x-text <no-dsa> (Minor issue)
+	[stretch] - golang-x-text <no-dsa> (Minor issue)
 	NOTE: https://github.com/golang/go/issues/39491
 	NOTE: https://go.googlesource.com/text/+/23ae387dee1f90d29a23c0e87ee0b46038fbed0e
 	NOTE: https://groups.google.com/forum/#!topic/golang-announce/bXVeAmGOqz0
@@ -13442,6 +13444,7 @@ CVE-2020-11023 (In jQuery versions greater than or equal to 1.0.3 and before 3.5
 	{DSA-4693-1}
 	- jquery <removed>
 	[buster] - jquery <no-dsa> (Minor issue)
+	[stretch] - jquery <no-dsa> (Minor issue)
 	[jessie] - jquery <not-affected> (Vulnerable code note present)
 	- drupal7 <removed>
 	[jessie] - drupal7 <not-affected> (Vulnerable code not embedded)
@@ -13452,6 +13455,7 @@ CVE-2020-11022 (In jQuery versions greater than or equal to 1.2 and before 3.5.0
 	{DSA-4693-1}
 	- jquery <removed>
 	[buster] - jquery <no-dsa> (Minor issue)
+	[stretch] - jquery <no-dsa> (Minor issue)
 	[jessie] - jquery <not-affected> (Vulnerable code note present)
 	- node-jquery 3.5.0+dfsg-2
 	- drupal7 <removed>
@@ -28556,12 +28560,14 @@ CVE-2019-20162 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-developm
 	{DLA-2072-1}
 	- gpac <unfixed>
 	[buster] - gpac <no-dsa> (Minor issue)
+	[stretch] - gpac <no-dsa> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/issues/1327
 	NOTE: https://github.com/gpac/gpac/commit/3c0ba42546c8148c51169c3908e845c308746c77
 CVE-2019-20161 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
 	{DLA-2072-1}
 	- gpac <unfixed>
 	[buster] - gpac <no-dsa> (Minor issue)
+	[stretch] - gpac <no-dsa> (Minor issue)
 	NOTE: https://github.com/gpac/gpac/issues/1320
 	NOTE: https://github.com/gpac/gpac/commit/7a09732d4978586e6284e84caa9c301b2fa5e956
 CVE-2019-20160 (An issue was discovered in GPAC version 0.8.0 and 0.9.0-development-20 ...)
@@ -32740,6 +32746,7 @@ CVE-2019-19795 (samurai 0.7 has a heap-based buffer overflow in canonpath in uti
 CVE-2019-19794 (The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6. ...)
 	- golang-github-miekg-dns 1.1.26-1 (bug #947403)
 	[buster] - golang-github-miekg-dns <no-dsa> (Minor issue)
+	[stretch] - golang-github-miekg-dns <no-dsa> (Minor issue)
 	NOTE: https://github.com/coredns/coredns/issues/3519
 	NOTE: https://github.com/miekg/dns/commit/8ebf2e419df7857ac8919baa05248789a8ffbf33
 	NOTE: https://github.com/miekg/dns/issues/1043
@@ -51902,6 +51909,7 @@ CVE-2019-15605 (HTTP request smuggling in Node.js 10, 12, and 13 causes maliciou
 	[experimental] - http-parser 2.9.3-1
 	- http-parser <unfixed>
 	[buster] - http-parser <no-dsa> (Minor issue)
+	[stretch] - http-parser <ignored> (Invasive patch, requires prior content-length support and public struct changes that break ABI)
 	[jessie] - http-parser <ignored> (Invasive patch, requires prior content-length support and public struct changes that break ABI)
 	NOTE: https://hackerone.com/reports/735748
 	NOTE: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b (http-parser)
@@ -56860,6 +56868,7 @@ CVE-2019-1020015 (graphql-engine (aka Hasura GraphQL Engine) before 1.0.0-beta.3
 CVE-2019-1020014 (docker-credential-helpers before 0.6.3 has a double free in the List f ...)
 	- golang-github-docker-docker-credential-helpers 0.6.1-3 (bug #933801)
 	[buster] - golang-github-docker-docker-credential-helpers <no-dsa> (Minor issue, can be fixed in point release)
+	[stretch] - golang-github-docker-docker-credential-helpers <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/docker/docker-credential-helpers/commit/1c9f7ede70a5ab9851f4c9cb37d317fd89cd318a
 CVE-2019-1020013 (parse-server before 3.6.0 allows account enumeration. ...)
 	NOT-FOR-US: parse-server


=====================================
data/dla-needed.txt
=====================================
@@ -37,6 +37,8 @@ cimg
   NOTE: 20200709: method (vs "load_network") but is still missing the argument
   NOTE: 20200709: sanitisation. (lamby)
 --
+clamav
+--
 condor (Roberto C. Sánchez)
   NOTE: 20200502: Upstream has only released workarounds; complete fix is still embargoed (roberto)
   NOTE: 20200521: Still embargoed (eg. https://research.cs.wisc.edu/htcondor/security/vulnerabilities/HTCONDOR-2020-0004.html). (lamby)
@@ -82,6 +84,8 @@ json-c
 jupyter-notebook
   NOTE: 20200711: Vulnerable to (at least) CVE-2018-19351. (lamby)
 --
+libapache2-mod-auth-openidc (Thorsten Alteholz)
+--
 libjpeg-turbo (Adrian Bunk)
 --
 libopenmpt (Utkarsh Gupta)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d18f81c15453de8a850f43ee27b2b68a007bc77d...7dc657cd29e46b9222c34ee599ceb1fd437110b3

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d18f81c15453de8a850f43ee27b2b68a007bc77d...7dc657cd29e46b9222c34ee599ceb1fd437110b3
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200726/9390d534/attachment-0001.html>
