[Git][security-tracker-team/security-tracker][master] 5 commits: add gupnp

Thorsten Alteholz alteholz at debian.org
Sun Jun 28 16:32:28 BST 2020



Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dc05c308 by Thorsten Alteholz at 2020-06-28T17:22:18+02:00
add gupnp

- - - - -
dbe05ae3 by Thorsten Alteholz at 2020-06-28T17:25:44+02:00
mark three CVEs of openexr as no-dsa

- - - - -
c4e63057 by Thorsten Alteholz at 2020-06-28T17:26:48+02:00
add tomcat8

- - - - -
3da4b44d by Thorsten Alteholz at 2020-06-28T17:30:33+02:00
add shiro

- - - - -
816c1084 by Thorsten Alteholz at 2020-06-28T17:32:08+02:00
mark several CVEs of pillow as no-dsa for Jessie

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -118,12 +118,15 @@ CVE-2020-15307
 	RESERVED
 CVE-2020-15306 (An issue was discovered in OpenEXR before v2.5.2. Invalid chunkCount a ...)
 	- openexr <unfixed>
+	[jessie] - openexr <no-dsa> (Minor issue)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/738
 CVE-2020-15305 (An issue was discovered in OpenEXR before 2.5.2. Invalid input could c ...)
 	- openexr <unfixed>
+	[jessie] - openexr <no-dsa> (Minor issue)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/730
 CVE-2020-15304 (An issue was discovered in OpenEXR before 2.5.2. An invalid tiled inpu ...)
 	- openexr <unfixed>
+	[jessie] - openexr <no-dsa> (Minor issue)
 	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/727
 CVE-2020-15303
 	RESERVED
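Review bot: the three new `[jessie] - openexr <no-dsa> (Minor issue)` lines give the same one-word rationale for three distinct input-handling bugs (invalid chunkCount, invalid input, invalid tiled input, per the truncated descriptions), while the `- openexr <unfixed>` lines above each of them record the issues as still open in unstable and the only fix pointers are the three upstream pull requests. State what makes each one minor for jessie in the parentheses, for example crash-only impact on malformed files or the jessie version not containing the affected code path, so the next triager does not have to redo the analysis from the PRs.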
@@ -10471,6 +10474,7 @@ CVE-2020-11539 (An issue was discovered on Tata Sonata Smart SF Rush 1.12 device
 	NOT-FOR-US: Tata Sonata Smart SF Rush 1.12 devices
 CVE-2020-11538 (In libImaging/SgiRleDecode.c in Pillow through 7.0.0, a number of out- ...)
 	- pillow <unfixed>
+	[jessie] - pillow <no-dsa> (Minor issue)
 	NOTE: https://github.com/python-pillow/Pillow/pull/4504
 	NOTE: https://github.com/python-pillow/Pillow/pull/4538
 	NOTE: Fixed in 7.1.0
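Review bot: CVE-2020-11538 is scoped to libImaging/SgiRleDecode.c in the description; before settling on `[jessie] - pillow <no-dsa> (Minor issue)`, confirm that the jessie package actually ships that decoder, because an unaffected version belongs under `<not-affected>` rather than `<no-dsa>`. The `NOTE: Fixed in 7.1.0` line only records where upstream fixed it and says nothing about whether older code contains the file, so a word on that in the rationale would make the entry self-explanatory.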
@@ -11874,6 +11878,7 @@ CVE-2020-10995 (PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not
 	NOTE: https://www.openwall.com/lists/oss-security/2020/05/19/3
 CVE-2020-10994 (In libImaging/Jpeg2KDecode.c in Pillow before 7.0.0, there are multipl ...)
 	- pillow <unfixed>
+	[jessie] - pillow <no-dsa> (Minor issue)
 	NOTE: https://github.com/python-pillow/Pillow/pull/4505
 	NOTE: https://github.com/python-pillow/Pillow/pull/4538
 	NOTE: Fixed in 7.1.0
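Review bot: CVE-2020-10994 is confined to libImaging/Jpeg2KDecode.c, a decoder that is built only when its external codec is available; the `(Minor issue)` rationale should say whether jessie's pillow builds and exposes that decoder at all. If it does not, `<not-affected>` is the accurate state; if it does, note that the issue is reachable only through JPEG 2000 input so the no-dsa decision is traceable without re-reading PRs 4505 and 4538.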
@@ -13772,10 +13777,12 @@ CVE-2020-10380 (RMySQL through 0.10.19 allows SQL Injection. ...)
 	NOTE: Test: https://github.com/r-dbi/RMySQL/commit/6137ce887c1e36b278f11656a9a9fc1cae6a5f40
 CVE-2020-10379 (In Pillow before 6.2.3 and 7.x before 7.0.1, there are two Buffer Over ...)
 	- pillow <unfixed>
+	[jessie] - pillow <no-dsa> (Minor issue)
 	NOTE: https://github.com/python-pillow/Pillow/pull/4538
 	NOTE: Fixed in 6.2.3 and 7.1.0
 CVE-2020-10378 (In libImaging/PcxDecode.c in Pillow before 6.2.3 and 7.x before 7.0.1, ...)
 	- pillow <unfixed>
+	[jessie] - pillow <no-dsa> (Minor issue)
 	NOTE: https://github.com/python-pillow/Pillow/pull/4538
 	NOTE: Fixed in 6.2.3 and 7.1.0
 CVE-2020-10377 (A weak encryption vulnerability in Mitel MiVoice Connect Client before ...)
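Review bot: both entries in this hunk receive the identical `[jessie] - pillow <no-dsa> (Minor issue)` line although they describe different defects: CVE-2020-10379 is "two Buffer Over..." (truncated, but overflows) and CVE-2020-10378 is in libImaging/PcxDecode.c. Buffer overflows reachable by decoding an attacker-supplied image are not self-evidently minor, so the parentheses should carry the actual reason (e.g. write-side overflow with crash-only impact, or the overflowed buffer not present in the jessie code). Both entries point only at PR 4538 and `Fixed in 6.2.3 and 7.1.0`; if the jessie version predates the code fixed there, record that too.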
@@ -14241,6 +14248,7 @@ CVE-2020-10178
 	REJECTED
 CVE-2020-10177 (Pillow before 6.2.3 and 7.x before 7.0.1 has multiple out-of-bounds re ...)
 	- pillow <unfixed>
+	[jessie] - pillow <no-dsa> (Minor issue)
 	NOTE: https://github.com/python-pillow/Pillow/pull/4503
 	NOTE: https://github.com/python-pillow/Pillow/pull/4538
 	NOTE: Fixed in 6.2.3 and 7.1.0
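Review bot: CVE-2020-10177 is described as multiple out-of-bounds reads, for which `(Minor issue)` is plausible, but the same label is used on the pillow overflow entries elsewhere in this commit; writing the read-side impact (information leak or crash) into the parentheses would distinguish this entry and justify the no-dsa decision on its own. Also confirm the jessie version contains the code touched by PR 4503, since `Fixed in 6.2.3 and 7.1.0` does not say which older versions are affected.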


=====================================
data/dla-needed.txt
=====================================
@@ -51,6 +51,8 @@ freerdp
 --
 glib-networking
 --
+gupnp
+--
 imagemagick (Markus Koschany)
   NOTE: 20200622: Ongoing work
 --
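Review bot: `gupnp` is added to dla-needed.txt as a bare name with no NOTE line and no claimant, unlike `imagemagick (Markus Koschany)` directly below it which carries a dated status NOTE. Nothing in this commit's data/CVE/list hunks touches gupnp either, so a reader has no pointer to the issue(s) behind the entry; add a NOTE naming the CVE id(s) that put the package on the list so that whoever claims it knows the scope.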
@@ -119,6 +121,8 @@ rails (Sylvain Beucler)
 ruby-rack
   NOTE: probably not affected (parse_cookies_header() is not available in Jessie, but code might hide somewhere else) (thorsten)
 --
+shiro
+--
 sqlite3 (Abhijith PA)
   NOTE: 20200620: WIP (abhijith)
 --
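Review bot: `shiro` lands with no NOTE and no claimant, while `ruby-rack` immediately above shows the expected form (a NOTE with the triage reasoning and the triager's name). This commit's data/CVE/list hunks contain no shiro change to cross-reference, so at minimum record the CVE id(s) that motivated the entry in a NOTE, and whether an initial affectedness check for jessie has been done.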
@@ -140,6 +144,8 @@ sympa
   NOTE: 20200604: the non-public patch is being discussed internally. (utkarsh)
   NOTE: 20200604: shall process the upload once the confirmation is given. (utkarsh)
 --
+tomcat8
+--
 tzdata
   NOTE: 20200514: LTS update must wait on oldstable update first (via point release) to prevent newer version in LTS (roberto)
 --
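Review bot: `tomcat8` is added as a bare entry; `tzdata` just below it shows why a NOTE matters, documenting an ordering constraint against the oldstable point release. Add a NOTE with the CVE id(s) driving this entry and any constraint relative to the other suites, since none of the data/CVE/list hunks in this commit reference tomcat8 and the claimant would otherwise have to reconstruct the scope from the tracker.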



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e87981c831d55f748ec99db9e691211c076f6359...816c1084a77d04c3faa99e70302383518de5a339


