[Git][security-tracker-team/security-tracker][master] buster/stretch triage

Moritz Muehlenhoff jmm at debian.org
Mon Jun 15 21:15:43 BST 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4856645b by Moritz Muehlenhoff at 2020-06-15T22:15:18+02:00
buster/stretch triage
new kfreebsd issue

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -780,7 +780,9 @@ CVE-2020-13819
 CVE-2020-13818 (In Zoho ManageEngine OpManager before 125144, when <cachestart>  ...)
 	NOT-FOR-US: Zoho ManageEngine OpManager
 CVE-2020-13817 (ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote att ...)
-	- ntp 1:4.2.8p14+dfsg-1
+	- ntp 1:4.2.8p14+dfsg-1 (low)
+	[buster] - ntp <ignored> (Minor issue)
+	[stretch] - ntp <ignored> (Minor issue)
 	[jessie] - ntp <ignored> (Too intrusive to backport, requires new configuration)
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug3596
 	NOTE: https://bugs.ntp.org/show_bug.cgi?id=3596
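Review bot: the new [buster] and [stretch] lines for ntp use <ignored> with the reason "Minor issue", while the adjacent [jessie] line uses <ignored> with a concrete backport obstacle ("Too intrusive to backport, requires new configuration"). If the same obstacle is why buster and stretch will not be fixed, reuse that wording so the state is self-explanatory; if the only reason is the (low) severity just added to the unstable line, <no-dsa> (Minor issue) would match how the other hunks in this commit record deferred low-severity fixes.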
@@ -931,6 +933,8 @@ CVE-2020-13791 (hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an o
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00831.html
 CVE-2020-13790 (libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-r ...)
 	- libjpeg-turbo <unfixed> (bug #962829)
+	[buster] - libjpeg-turbo <no-dsa> (Minor issue)
+	[stretch] - libjpeg-turbo <no-dsa> (Minor issue)
 	[jessie] - libjpeg-turbo <ignored> (No package in Debian jessie uses the TurboJPEG API)
 	NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/433
 	NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/1bfb0b5247f4fc8f6677639781ce468543490216 (1.5.x)
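Review bot: the [jessie] line is <ignored> because "No package in Debian jessie uses the TurboJPEG API", but the new [buster] and [stretch] lines say only "Minor issue"; if the same reverse-dependency argument holds there, state it, since it turns a deferred fix into a non-issue for those releases. The NOTE already links a fix commit marked (1.5.x), so if it does not hold, a point-release update stays cheap.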
@@ -1032,6 +1036,8 @@ CVE-2020-13758 (modules/security/classes/general.post_filter.php/post_filter.php
 	NOT-FOR-US: Bitrix24
 CVE-2020-13757 (Python-RSA before 4.1 ignores leading '\0' bytes during decryption of  ...)
 	- python-rsa <unfixed> (bug #962142)
+	[buster] - python-rsa <no-dsa> (Minor issue)
+	[stretch] - python-rsa <no-dsa> (Minor issue)
 	[jessie] - python-rsa <no-dsa> (No reverse dependencies)
 	NOTE: https://github.com/sybrenstuvel/python-rsa/issues/146
 CVE-2020-13756 (Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data ...)
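Review bot: the three release entries for python-rsa justify the same <no-dsa> state differently: [jessie] cites "No reverse dependencies", an impact argument, while the new [buster] and [stretch] lines cite "Minor issue", a severity argument. Check whether buster and stretch also lack reverse dependencies and, if so, say so; otherwise the "Minor issue" wording should be backed by why a decryption flaw is low impact there. Bug #962142 is already referenced, so the point-release route remains open.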
@@ -1160,6 +1166,7 @@ CVE-2020-13697
 CVE-2020-13696 (An issue was discovered in LinuxTV xawtv before 3.107. The function de ...)
 	{DLA-2246-1}
 	- xawtv <unfixed> (bug #962221)
+	[stretch] - xawtv <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/06/04/6
 	NOTE: Fixed by: https://git.linuxtv.org/xawtv3.git/commit/?id=31f31f9cbaee7be806cba38e0ff5431bd44b20a3
 	NOTE: Fixed by: https://git.linuxtv.org/xawtv3.git/commit/?id=36dc44e68e5886339b4a0fbe3f404fb1a4fd2292
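Review bot: this is the only hunk in the commit that adds a [stretch] line without a matching [buster] line, so buster's state for xawtv stays implicit as <unfixed> while stretch is explicitly <no-dsa>; add a [buster] entry (or note that it is still being assessed). The jessie fix already shipped as DLA-2246-1 and both upstream commits are listed in the NOTE lines, so a stretch update could reuse that work.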
@@ -1241,6 +1248,8 @@ CVE-2020-13660 (CMS Made Simple through 2.2.14 allows XSS via a crafted File Pic
 	NOT-FOR-US: CMS Made Simple
 CVE-2020-13659 (address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer d ...)
 	- qemu <unfixed>
+	[buster] - qemu <postponed> (Minor issue)
+	[stretch] - qemu <postponed> (Minor issue)
 	NOTE: https://bugs.launchpad.net/qemu/+bug/1878259
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg07313.html
 CVE-2020-13658
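Review bot: the unstable line stays "- qemu <unfixed>" with no bug reference, unlike the other <unfixed> entries in this commit (libjpeg-turbo, python-rsa and xawtv all carry a "(bug #...)"), and the new [buster]/[stretch] <postponed> entries therefore have nothing to track against; file or link a bug. The unstable line also carries no severity marker, whereas the ntp and opensc hunks add "(low)" when deferring the stable fixes.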
@@ -4120,7 +4129,9 @@ CVE-2020-12430 (An issue was discovered in qemuDomainGetStatsIOThread in qemu/qe
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1804548
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1828190
 CVE-2019-20792 (OpenSC before 0.20.0 has a double free in coolkey_free_private_data be ...)
-	- opensc 0.20.0-1
+	- opensc 0.20.0-1 (low)
+	[buster] - opensc <no-dsa> (Minor issue)
+	[stretch] - opensc <no-dsa> (Minor issue)
 	[jessie] - opensc <postponed> (Minor issue but can be worth fixing later)
 	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19208
 	NOTE: https://github.com/OpenSC/OpenSC/commit/c246f6f69a749d4f68626b40795a4f69168008f4
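Review bot: [jessie] keeps <postponed> ("Minor issue but can be worth fixing later") while the new [buster] and [stretch] lines use <no-dsa> (Minor issue); these are different tracker states for what reads as the same assessment, so confirm the split is intentional rather than aligning all three. The upstream fix commit is linked in the NOTE, so a point-release update would be small in either case.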
@@ -9837,6 +9848,7 @@ CVE-2020-10738 (A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before
 CVE-2020-10737 (A race condition was found in the mkhomedir tool shipped with the oddj ...)
 	- oddjob 0.34.6-1 (bug #960089)
 	[buster] - oddjob <no-dsa> (Minor issue)
+	[stretch] - oddjob <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1833042
 	NOTE: https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac
 CVE-2020-10736 [authorization bypass in mons & mgrs]
@@ -39329,6 +39341,8 @@ CVE-2020-0199 (In TimeCheck::TimeCheckThread::threadLoop of TimeCheck.cpp, there
 CVE-2020-0198 (In exif_data_load_data_content of exif-data.c, there is a possible UBS ...)
 	{DLA-2249-1}
 	- libexif 0.6.22-2 (bug #962345)
+	[buster] - libexif <no-dsa> (Minor issue)
+	[stretch] - libexif <no-dsa> (Minor issue)
 	NOTE: https://android.googlesource.com/platform/external/libexif/+/1e187b62682ffab5003c702657d6d725b4278f16%5E%21/#F0
 	NOTE: https://github.com/libexif/libexif/commit/ce03ad7ef4e8aeefce79192bf5b6f69fae396f0c
 CVE-2020-0197 (In InitDataParser::parsePssh of InitDataParser.cpp, there is a possibl ...)
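Review bot: DLA-2249-1 already exists for jessie and the upstream fix commit is linked in the NOTE line, so the new [buster] and [stretch] <no-dsa> entries for libexif have a ready-made patch to reuse in the next point releases; recording that in the reason text (rather than just "Minor issue") would save the next triager from re-deriving it.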


=====================================
data/dsa-needed.txt
=====================================
@@ -14,8 +14,12 @@ If needed, specify the release by adding a slash after the name of the source pa
 --
 chromium
 --
+docker.io (jmm)
+--
 ffmpeg (jmm)
 --
+fwupd
+--
 jruby/oldstable
 --
 libopenmpt
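Review bot: fwupd is added without a claimant while docker.io is claimed by jmm, and neither new entry uses the slash suffix that the file's header and the existing "jruby/oldstable" line show for naming a release; if either DSA is needed only for stable or only for oldstable, say so on the entry, otherwise the default (both) should be what is meant.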



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4856645bc915fd9d1adac518df0f7b55fac72e24

-- 
You're receiving this email because of your account on salsa.debian.org.



