[Git][security-tracker-team/security-tracker][master] Update version information for libjpeg-turbo

Adrian Bunk bunk at debian.org
Mon Jul 27 15:35:12 BST 2020 


Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1b915665 by Adrian Bunk at 2020-07-27T17:34:32+03:00
Update version information for libjpeg-turbo

- CVE-2020-13790 is fixed in 2.0.5
- CVE-2019-2201 fix is now in unstable
- CVE-2018-14498 fix is now in unstable
- CVE-2018-11813 is fixed in 2.0.0
- CVE-2018-1152 fix is now in unstable
- CVE-2017-15232 fix is now in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -5440,7 +5440,7 @@ CVE-2020-13791 (hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an o
 	NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/1
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00831.html
 CVE-2020-13790 (libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-r ...)
-	- libjpeg-turbo <unfixed> (bug #962829)
+	- libjpeg-turbo 1:2.0.5-1 (bug #962829)
 	[buster] - libjpeg-turbo <no-dsa> (Minor issue)
 	[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
 	[jessie] - libjpeg-turbo <ignored> (No package in Debian jessie uses the TurboJPEG API)
@@ -92300,8 +92300,7 @@ CVE-2019-2203 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible
 CVE-2019-2202 (In CryptoPlugin::decrypt of CryptoPlugin.cpp, there is a possible out  ...)
 	NOT-FOR-US: Android media framework
 CVE-2019-2201 (In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, there is ...)
-	[experimental] - libjpeg-turbo 1:2.0.3-1~exp1
-	- libjpeg-turbo <unfixed> (low)
+	- libjpeg-turbo 1:2.0.3-1~exp1 (low)
 	[buster] - libjpeg-turbo <no-dsa> (Minor issue)
 	[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
 	[jessie] - libjpeg-turbo <ignored> (No package in Debian jessie uses the TurboJPEG API)
@@ -111611,8 +111610,7 @@ CVE-2018-14499 (An issue was found in HYBBS through 2016-03-08. There is an XSS
 	NOT-FOR-US: HYBBS
 CVE-2018-14498 (get_8bit_row in rdbmp.c in libjpeg-turbo through 1.5.90 and MozJPEG th ...)
 	{DLA-1719-1}
-	[experimental] - libjpeg-turbo 1:2.0.2-1~exp1
-	- libjpeg-turbo <unfixed> (low; bug #924678)
+	- libjpeg-turbo 1:2.0.2-1~exp1 (low; bug #924678)
 	[buster] - libjpeg-turbo <no-dsa> (Minor issue)
 	[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
 	- mozjpeg <itp> (bug #741487)
@@ -118652,7 +118650,7 @@ CVE-2018-11814
 	RESERVED
 CVE-2018-11813 (libjpeg 9c has a large loop because read_pixel in rdtarga.c mishandles ...)
 	- libjpeg9 1:9d-1 (unimportant; bug #904719)
-	- libjpeg-turbo <unfixed> (unimportant)
+	- libjpeg-turbo 1:2.0.2-1~exp1 (unimportant)
 	NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/909a8cfc7bca9b2e6707425bdb74da997e8fa499
 	NOTE: Infinite loop in CLI tool, no security impact
 CVE-2018-11812
@@ -149337,8 +149335,7 @@ CVE-2018-1153 (Burp Suite Community Edition 1.7.32 and 1.7.33 fail to validate t
 	NOT-FOR-US: Burp Suite (different from src:burp)
 CVE-2018-1152 (libjpeg-turbo 1.5.90 is vulnerable to a denial of service vulnerabilit ...)
 	{DLA-1638-1}
-	[experimental] - libjpeg-turbo 1:2.0.2-1~exp1
-	- libjpeg-turbo <unfixed> (low; bug #902950)
+	- libjpeg-turbo 1:2.0.2-1~exp1 (low; bug #902950)
 	[buster] - libjpeg-turbo <no-dsa> (Minor issue)
 	[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
 	NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/43e84cff1bb2bd8293066f6ac4eb0df61ddddbc6
@@ -158565,8 +158562,7 @@ CVE-2017-15234
 CVE-2017-15233
 	RESERVED
 CVE-2017-15232 (libjpeg-turbo 1.5.2 has a NULL Pointer Dereference in jdpostct.c and j ...)
-	[experimental] - libjpeg-turbo 1:2.0.2-1~exp1
-	- libjpeg-turbo <unfixed> (unimportant; bug #878567)
+	- libjpeg-turbo 1:2.0.2-1~exp1 (unimportant; bug #878567)
 	- libjpeg6b <not-affected> (Vulnerable code not present)
 	- libjpeg8 <not-affected> (Vulnerable code not present)
 	- libjpeg9 <not-affected> (Vulnerable code not present)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b91566598fc7c33afb7f3b18d17310147152b80

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b91566598fc7c33afb7f3b18d17310147152b80
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200727/071803b1/attachment.html>

More information about the debian-security-tracker-commits mailing list