[Git][security-tracker-team/security-tracker][master] stable triage
Moritz Muehlenhoff
jmm at debian.org
Fri Jul 31 06:48:39 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2fc91a81 by Moritz Muehlenhoff at 2020-07-31T07:48:12+02:00
stable triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -459,6 +459,7 @@ CVE-2020-15948
RESERVED
CVE-2020-XXXX [RUSTSEC-2020-0026]
- rust-linked-hash-map <unfixed> (bug #966246)
+ [buster] - rust-linked-hash-map <no-dsa> (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0026.html
CVE-2020-15947
RESERVED
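Review bot: the new `[buster] - rust-linked-hash-map <no-dsa> (Minor issue)` line gives no reason beyond "Minor issue" while unstable is still `<unfixed>` with bug #966246; since the entry is still keyed as CVE-2020-XXXX with only the RUSTSEC-2020-0026 id, a short NOTE on why the issue is considered minor (or a pointer to the relevant part of the linked advisory) would let the next triager verify the no-dsa decision once the CVE id is assigned.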
@@ -803,6 +804,7 @@ CVE-2020-15804
RESERVED
CVE-2020-15803 (Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4.x bef ...)
- zabbix 1:5.0.2+dfsg-1 (bug #966146)
+ [buster] - zabbix <no-dsa> (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-18057
CVE-2020-15802
RESERVED
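Review bot: the buster `<no-dsa> (Minor issue)` line for zabbix does not say whether buster's package falls within the affected ranges given in the description (3.0.32rc1, 4.0.22rc1, 4.1.x through 4.4.x); since unstable is recorded as fixed in 1:5.0.2+dfsg-1, a NOTE stating that buster is affected but the impact is minor, or citing the ZBX-18057 ticket for the severity assessment, would make the decision reproducible.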
@@ -2047,8 +2049,11 @@ CVE-2020-15305 (An issue was discovered in OpenEXR before 2.5.2. Invalid input c
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/730
CVE-2020-15304 (An issue was discovered in OpenEXR before 2.5.2. An invalid tiled inpu ...)
- openexr <unfixed>
+ [buster] - openexr <not-affected> (Vulnerable code not present)
+ [stretch] - openexr <not-affected> (Vulnerable code not present)
[jessie] - openexr <no-dsa> (Minor issue)
NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/727
+ NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/36e05c14c612a89c43d4e0b013669ecd7f8e3440
CVE-2020-15303
RESERVED
CVE-2020-15302 (In Argent RecoveryManager before 0xdc350d09f71c48c5D22fBE2741e4d6A0397 ...)
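Review bot: the unchanged `[jessie] - openexr <no-dsa> (Minor issue)` line now sits beneath new buster and stretch lines marked `<not-affected> (Vulnerable code not present)`; if the vulnerable code is absent from stretch, it is worth re-checking whether jessie should also be `<not-affected>` rather than `<no-dsa>`. It would also help to reference the newly added upstream commit NOTE in the not-affected reason so the "code not present" claim is verifiable from the entry itself.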
@@ -5326,9 +5331,11 @@ CVE-2020-14020
RESERVED
CVE-2020-14019 (Open-iSCSI rtslib-fb through 2.1.72 has weak permissions for /etc/targ ...)
- python-rtslib-fb <unfixed>
+ [buster] - python-rtslib-fb <not-affected> (Introduced in 2.1.70)
[stretch] - python-rtslib-fb <not-affected> (vulnerable code introduced later, shutil.copyfile is not used)
[jessie] - python-rtslib-fb <not-affected> (vulnerable code introduced later, shutil.copyfile is not used)
NOTE: https://github.com/open-iscsi/rtslib-fb/pull/162
+ NOTE: https://github.com/open-iscsi/rtslib-fb/commit/75e73778dce1cb7a2816a936240ef75adfbd6ed9
CVE-2020-14018 (An issue was discovered in Navigate CMS 2.9 r1433. There is a stored X ...)
NOT-FOR-US: Navigate CMS
CVE-2020-14017 (An issue was discovered in Navigate CMS 2.9 r1433. Sessions, as well a ...)
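Review bot: the buster reason `(Introduced in 2.1.70)` is worded differently from the stretch and jessie reasons `(vulnerable code introduced later, shutil.copyfile is not used)`; aligning the wording, or stating buster's shipped version so it is clear it predates 2.1.70, would spare a reader from having to reconcile the two justifications for what is presumably the same finding.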
@@ -11818,7 +11825,6 @@ CVE-2020-11759 (An issue was discovered in OpenEXR before 2.4.1. Because of inte
NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/b9997d0c045fa01af3d2e46e1a74b07cc4519446
NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/acad98d6d3e787f36012a3737c23c42c7f43a00f
- TODO: check completeness for upstream commits to cover CVE-2020-11759
CVE-2020-11758 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...)
[experimental] - openexr 2.5.0-1
- openexr <unfixed> (bug #959444)
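Review bot: the removed line `- TODO: check completeness for upstream commits to cover CVE-2020-11759` is dropped without a NOTE recording the outcome; if the two listed upstream commits were confirmed to fully cover the CVE, a one-line NOTE saying so would preserve that conclusion for later triagers, since removal of the TODO alone does not tell whether the check was completed or abandoned.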
@@ -74521,7 +74527,7 @@ CVE-2019-8945 (Zimbra Collaboration 8.7.x - 8.8.11P2 contains persistent XSS. ..
CVE-2019-8944 (An Information Exposure issue in the Terraform deployment step in Octo ...)
NOT-FOR-US: Terraform
CVE-2019-8943 (WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An a ...)
- - wordpress <unfixed> (bug #923583)
+ - wordpress <undetermined> (bug #923583)
[jessie] - wordpress <postponed> (requires privileged account, not directly exploitable as CVE-2019-8942 is fixed, no official patch)
NOTE: https://blog.ripstech.com/2019/wordpress-image-remote-code-execution/
NOTE: This CVE is explicitly for the mentioned Path Traversal in wp_crop_image().
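Review bot: the change from `- wordpress <unfixed> (bug #923583)` to `- wordpress <undetermined> (bug #923583)` has no accompanying NOTE explaining what is undetermined; the existing NOTE says the CVE is specifically for the wp_crop_image() path traversal and the jessie line cites "no official patch", so a NOTE stating whether the open question is the affected-version status or the existence of an upstream fix would make this status change reviewable.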
@@ -99366,6 +99372,7 @@ CVE-2019-0194 (Apache Camel's File is vulnerable to directory traversal. Camel 2
CVE-2019-0193 (In Apache Solr, the DataImportHandler, an optional but popular module ...)
{DLA-1954-1}
- lucene-solr 3.6.2+dfsg-22 (low)
+ [buster] - lucene-solr <no-dsa> (Minor issue)
NOTE: https://issues.apache.org/jira/browse/SOLR-13669
NOTE: upstream recommends everybody upgrade or rework their configuration
NOTE: consider backporting enable.dih.dataConfigParam instead:
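Review bot: the new `[buster] - lucene-solr <no-dsa> (Minor issue)` line does not connect to the existing NOTEs, which say upstream recommends everyone upgrade or rework their configuration and suggest backporting enable.dih.dataConfigParam; if the buster plan is to take that backport through a point release, saying so in the no-dsa reason would keep the entry consistent with the unstable fix being tagged (low) and make clear that a fix is still expected.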
@@ -113600,6 +113607,7 @@ CVE-2018-14029 (CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6.
NOT-FOR-US: Creatiwity wityCMS
CVE-2018-14028 (In WordPress 4.9.7, plugins uploaded via the admin area are not verifi ...)
- wordpress <unfixed> (bug #906565)
+ [buster] - wordpress <postponed> (Minor issue, revisit when fixed upstream)
[stretch] - wordpress <no-dsa> (Minor issue)
[jessie] - wordpress <postponed> (no sanctioned patch)
NOTE: https://core.trac.wordpress.org/ticket/44710
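Review bot: the three suite lines now carry three different rationales: buster `<postponed> (Minor issue, revisit when fixed upstream)`, stretch `<no-dsa> (Minor issue)` and jessie `<postponed> (no sanctioned patch)`; if upstream ticket 44710 is still open for all of them, stretch's `<no-dsa>` without the "revisit" qualifier may be an oversight, and harmonising the wording would make clear whether stretch is also meant to be revisited when an upstream fix lands.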
=====================================
data/dsa-needed.txt
=====================================
@@ -32,8 +32,12 @@ nginx
rails (jmm)
Sylvain Beucler proposed to help for the update, remaining CVEs to be done
--
+ruby-kramdown
+--
teeworlds (jmm)
--
+thunderbird (jmm)
+--
webkit2gtk
--
xcftools
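Review bot: the new `ruby-kramdown` entry has no assignee or note, unlike `thunderbird (jmm)` added in the same hunk, and the data/CVE/list hunks in this commit contain no ruby-kramdown entry; a short note under the package (as the rails entry has) pointing to the CVE(s) it is needed for would help whoever picks it up. Unassigned entries are consistent with the existing webkit2gtk and xcftools lines, so this is only a documentation point.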
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fc91a817f86e109b8769dd47ca48c3d3137e3b9