[Git][security-tracker-team/security-tracker][master] buster/stretch triage
Moritz Muehlenhoff
jmm at debian.org
Tue Mar 10 19:50:32 GMT 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e1ed8c71 by Moritz Muehlenhoff at 2020-03-10T20:50:08+01:00
buster/stretch triage
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -1022,6 +1022,7 @@ CVE-2020-10019
RESERVED
CVE-2020-10018 (accessibility/AXObjectCache.cpp in WebKit, as used in WebKitGTK throug ...)
- webkit2gtk <unfixed>
+ [buster] - webkit2gtk <postponed> (Hold back until next update round)
[stretch] - webkit2gtk <ignored> (Not covered by security support in stretch)
[jessie] - webkit2gtk <ignored> (Not covered by security support in jessie)
CVE-2020-10017
@@ -1662,7 +1663,9 @@ CVE-2020-9479
CVE-2019-20485 [potential DoS by holding a monitor job while querying QEMU guest-agent]
RESERVED
[experimental] - libvirt 6.0.0-1
- - libvirt <unfixed> (bug #953078)
+ - libvirt <unfixed> (low; bug #953078)
+ [buster] - libvirt <no-dsa> (Minor issue)
+ [stretch] - libvirt <no-dsa> (Minor issue)
[jessie] - libvirt <not-affected> (Vulnerable code not present)
NOTE: https://libvirt.org/git/?p=libvirt.git;a=commitdiff;h=a663a860819287e041c3de672aad1d8543098ecc (v6.0.0-rc1)
CVE-2013-7487
@@ -1938,7 +1941,8 @@ CVE-2020-9371 (Stored XSS exists in the Appointment Booking Calendar plugin befo
CVE-2020-9370 (HUMAX HGA12R-02 BRGCAA 1.1.53 devices allow Session Hijacking. ...)
NOT-FOR-US: HUMAX HGA12R-02 BRGCAA devices
CVE-2020-9369 (Sympa 6.2.38 through 6.2.52 allows remote attackers to cause a denial ...)
- - sympa 6.2.40~dfsg-4 (bug #952428)
+ - sympa 6.2.40~dfsg-4 (low; bug #952428)
+ [buster] - sympa <no-dsa> (Minor issue)
[stretch] - sympa <not-affected> (Vulnerability introduced later in 6.2.38)
[jessie] - sympa <not-affected> (Vulnerability introduced later in 6.2.38)
NOTE: https://github.com/sympa-community/sympa/issues/886
@@ -2176,6 +2180,8 @@ CVE-2020-9275
CVE-2020-9274 (An issue was discovered in Pure-FTPd 1.0.49. An uninitialized pointer ...)
{DLA-2123-1}
- pure-ftpd 1.0.49-4 (bug #952666)
+ [buster] - pure-ftpd <no-dsa> (Minor issue)
+ [stretch] - pure-ftpd <no-dsa> (Minor issue)
NOTE: https://github.com/jedisct1/pure-ftpd/commit/8d0d42542e2cb7a56d645fbe4d0ef436e38bcefa
NOTE: though the CVE description does not specifically say, the issue seems to be an
NOTE: out-of-bounds memory read which may result in information disclosure;
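Review bot: the new no-dsa lines for buster and stretch rest on the "Minor issue" reading of this bug, but the hunk's own NOTE admits the CVE text says "uninitialized pointer" while the triage treats it as an out-of-bounds read with at most information disclosure; make the reason self-explanatory, e.g. "<no-dsa> (Minor issue; OOB read, information disclosure at worst)", so the classification does not depend on the reader finding the NOTE further down. Also worth recording which of the two readings the upstream commit 8d0d42542e2c confirms, since jessie already got DLA-2123-1 for the same bug.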
@@ -3229,7 +3235,8 @@ CVE-2018-21034
RESERVED
CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext HTTP, a ...)
- lxc-templates <unfixed>
- - lxc 1:3.0.3-1
+ - lxc 1:3.0.3-1 (low)
+ [stretch] - lxc <no-dsa> (Minor issue)
[jessie] - lxc <ignored> (https://lists.debian.org/debian-lts/2020/02/msg00102.html)
NOTE: LXC 3.0.2 split the templates out to separate lxc-templates.
NOTE: https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1661447
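Review bot: the "lxc-templates <unfixed>" line receives neither a severity nor any [buster]/[stretch] annotation, while the lxc line gets "(low)" and a [stretch] no-dsa; per the NOTE the cleartext-HTTP template scripts live in lxc-templates since 3.0.2, so that is the package carrying the actual vulnerable code. If lxc-templates ships in buster, it needs its own [buster] line (no-dsa or postponed) and the "(low)" tag, otherwise the buster status for this CVE stays undecided.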
@@ -5002,7 +5009,7 @@ CVE-2020-8015
CVE-2020-8014
RESERVED
CVE-2020-8013 (A UNIX Symbolic Link (Symlink) Following vulnerability in chkstat of S ...)
- TODO: check
+ NOT-FOR-US: chkstat
CVE-2020-8012 (CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below cont ...)
NOT-FOR-US: CA Unified Infrastructure Management (Nimsoft/UIM)
CVE-2020-8011 (CA Unified Infrastructure Management (Nimsoft/UIM) 9.20 and below cont ...)
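Review bot: style point on "NOT-FOR-US: chkstat": the neighbouring NOT-FOR-US entries name the product ("CA Unified Infrastructure Management (Nimsoft/UIM)"), whereas chkstat is only the binary; the truncated description refers to the SUSE permissions package, so "NOT-FOR-US: chkstat (SUSE permissions)" makes it clear why Debian is not affected without re-reading the CVE text.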
@@ -6774,6 +6781,8 @@ CVE-2019-20383
RESERVED
CVE-2019-20382 (QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle. ...)
- qemu 1:4.2-1
+ [buster] - qemu <postponed> (Minor, can be fixed along in future DSA)
+ [stretch] - qemu <postponed> (Minor, can be fixed along in future DSA)
- qemu-kvm <removed>
NOTE: https://www.openwall.com/lists/oss-security/2020/03/05/1
NOTE: https://git.qemu.org/?p=qemu.git;a=commitdiff;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0
@@ -7169,14 +7178,18 @@ CVE-2020-7064
CVE-2020-7063 (In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below ...)
- php7.4 7.4.3-1
- php7.3 7.3.15-1
+ [buster] - php7.3 <postponed> (Minor issue, can be fixed along in a future DSA)
- php7.0 <removed>
+ [stretch] - php7.0 <postponed> (Minor issue, can be fixed along in a future DSA)
- php5 <removed>
NOTE: Fixed in PHP 7.4.3, 7.3.15, 7.2.28
NOTE: PHP Bug: http://bugs.php.net/79082
CVE-2020-7062 (In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below ...)
- php7.4 7.4.3-1
- php7.3 7.3.15-1
+ [buster] - php7.3 <postponed> (Minor issue, can be fixed along in a future DSA)
- php7.0 <removed>
+ [stretch] - php7.0 <postponed> (Minor issue, can be fixed along in a future DSA)
- php5 <removed>
NOTE: Fixed in PHP 7.4.3, 7.3.15, 7.2.28
NOTE: PHP Bug: http://bugs.php.net/79221
@@ -7253,15 +7266,18 @@ CVE-2020-7044 (In Wireshark 3.2.x before 3.2.1, the WASSP dissector could crash.
NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=f90a3720b73ca140403315126e2a478c4f70ca03
NOTE: https://www.wireshark.org/security/wnpa-sec-2020-01.html
CVE-2020-7043 (An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL ...)
- - openfortivpn 1.12.0-1
+ - openfortivpn 1.12.0-1 (unimportant)
NOTE: https://github.com/adrienverge/openfortivpn/issues/536
NOTE: https://github.com/adrienverge/openfortivpn/commit/6328a070ddaab16faaf008cb9a8a62439c30f2a8
+ NOTE: No version of openfortivpn was shipped with OpenSSL < 1.0.2, marking as unimportant
CVE-2020-7042 (An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL ...)
- openfortivpn 1.12.0-1
+ [buster] - openfortivpn <no-dsa> (Minor issue)
NOTE: https://github.com/adrienverge/openfortivpn/issues/536
NOTE: https://github.com/adrienverge/openfortivpn/commit/9eee997d599a89492281fc7ffdd79d88cd61afc3
CVE-2020-7041 (An issue was discovered in openfortivpn 1.11.0 when used with OpenSSL ...)
- openfortivpn 1.12.0-1
+ [buster] - openfortivpn <no-dsa> (Minor issue)
NOTE: https://github.com/adrienverge/openfortivpn/issues/536
NOTE: https://github.com/adrienverge/openfortivpn/commit/60660e00b80bad0fadcf39aee86f6f8756c94f91
CVE-2020-7040 (storeBackup.pl in storeBackup through 3.5 relies on the /tmp/storeBack ...)
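Review bot: CVE-2020-7042 and CVE-2020-7041 get a [buster] no-dsa line but no [stretch] line, while the sibling CVE-2020-7043 is resolved for all suites at once via "(unimportant)"; if openfortivpn is in stretch, the two remaining CVEs need a [stretch] entry as well (no-dsa or not-affected, depending on whether the 1.11.0-era certificate-validation code is present there). The unimportant NOTE on CVE-2020-7043 reads well; consider adding one sentence to CVE-2020-7041/7042 saying why they are only "Minor issue" given they all share upstream issue #536.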
@@ -9652,7 +9668,7 @@ CVE-2020-5959
CVE-2020-5958
RESERVED
CVE-2020-5957 (NVIDIA Windows GPU Display Driver, all versions, contains a vulnerabil ...)
- TODO: check
+ NOT-FOR-US: Nvidia driver for Windows
CVE-2019-20358 (Trend Micro Anti-Threat Toolkit (ATTK) versions 1.62.0.1218 and below ...)
NOT-FOR-US: Trend Micro
CVE-2019-20357 (A Persistent Arbitrary Code Execution vulnerability exists in the Tren ...)
@@ -11193,6 +11209,7 @@ CVE-2020-5244 (In BuddyPress before 5.1.2, requests to a certain REST API endpoi
NOT-FOR-US: BuddyPress
CVE-2020-5243 (uap-core before 0.7.3 is vulnerable to a denial of service attack when ...)
- uap-core <unfixed> (bug #952649)
+ [buster] - uap-core <no-dsa> (Minor issue)
NOTE: https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p
NOTE: https://github.com/ua-parser/uap-core/commit/a679b131697e7371f0441f4799940779efa2f27e
NOTE: https://github.com/ua-parser/uap-core/commit/dd279cff09546dbd4174bd05d29c0e90c2cffa7c
@@ -11245,7 +11262,9 @@ CVE-2020-5226 (Cross-site scripting in SimpleSAMLphp before version 1.18.4. The
NOTE: https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-mj9p-v2r8-wf8w
NOTE: https://simplesamlphp.org/security/202001-01
CVE-2020-5225 (Log injection in SimpleSAMLphp before version 1.18.4. The www/errorepo ...)
- - simplesamlphp 1.18.4-1
+ - simplesamlphp 1.18.4-1 (low)
+ [buster] - simplesamlphp <no-dsa> (Minor issue)
+ [stretch] - simplesamlphp <no-dsa> (Minor issue)
[jessie] - simplesamlphp <no-dsa> (Minor issue)
NOTE: https://github.com/simplesamlphp/simplesamlphp/security/advisories/GHSA-6gc6-m364-85ww
NOTE: https://simplesamlphp.org/security/202001-02
@@ -22402,12 +22421,12 @@ CVE-2019-18934 (Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec
CVE-2019-18933 (In Zulip Server versions from 1.7.0 to before 2.0.7, a bug in the new ...)
NOT-FOR-US: Zulip
CVE-2019-18932 (log.c in Squid Analysis Report Generator (sarg) through 2.3.11 allows ...)
- - sarg 2.4.0-1 (bug #951390)
- [jessie] - sarg <no-dsa> (Minor issue)
+ - sarg 2.4.0-1 (unimportant; bug #951390)
NOTE: https://www.openwall.com/lists/oss-security/2020/01/20/6
NOTE: The sarg-reports as shipped in Debian has already safe use of mktemp for
NOTE: use of temporary files and directories.
NOTE: Fixed by: https://sourceforge.net/p/sarg/code/ci/8ec6d20be8c0da3c885aba78e63251f2e5080748
+ NOTE: Neutralised by kernel hardening
CVE-2019-18931 (Western Digital My Cloud EX2 Ultra firmware 2.31.195 allows a Buffer O ...)
NOT-FOR-US: Western Digital My Cloud EX2 Ultra firmware
CVE-2019-18930 (Western Digital My Cloud EX2 Ultra firmware 2.31.183 allows web users ...)
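Review bot: the new "NOTE: Neutralised by kernel hardening" should name the mechanism, presumably the fs.protected_symlinks sysctl that stops the /tmp symlink attack this CVE describes, and it belongs next to the existing "sarg-reports ... safe use of mktemp" NOTE rather than after the "Fixed by:" link, since together they are the justification for downgrading to unimportant. Dropping the old "[jessie] - sarg <no-dsa>" line is consistent with that downgrade, but the reasoning should be findable in one place.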
@@ -41461,6 +41480,7 @@ CVE-2019-13612 (MDaemon Email Server 19 skips SpamAssassin checks by default for
NOT-FOR-US: MDaemon Email Server
CVE-2019-13611 (An issue was discovered in python-engineio through 3.8.2. There is a C ...)
- python-engineio 3.11.1-1 (bug #932538)
+ [buster] - python-engineio <no-dsa> (Minor issue)
NOTE: https://github.com/miguelgrinberg/python-engineio/issues/128
NOTE: https://github.com/miguelgrinberg/python-engineio/security/advisories/GHSA-j3jp-gvr5-7hwq
CVE-2019-13610
@@ -48900,6 +48920,8 @@ CVE-2019-11323 (HAProxy before 1.9.7 mishandles a reload with rotated keys, whic
NOTE: Fixed by: https://git.haproxy.org/?p=haproxy.git;a=commit;h=8ef706502aa2000531d36e4ac56dbdc7c30f718d
CVE-2019-11324 (The urllib3 library before 1.24.2 for Python mishandles certain cases ...)
- python-urllib3 <unfixed> (bug #927412)
+ [buster] - python-urllib3 <no-dsa> (Minor issue)
+ [stretch] - python-urllib3 <no-dsa> (Minor issue)
[jessie] - python-urllib3 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/urllib3/urllib3/compare/a6ec68a...1efadf4
NOTE: https://www.openwall.com/lists/oss-security/2019/04/17/3
@@ -49125,6 +49147,8 @@ CVE-2019-11236 (In the urllib3 library through 1.24.1 for Python, CRLF injection
{DLA-1828-1}
[experimental] - python-urllib3 1.25.6-1
- python-urllib3 <unfixed> (bug #927172)
+ [buster] - python-urllib3 <no-dsa> (Minor issue)
+ [stretch] - python-urllib3 <no-dsa> (Minor issue)
NOTE: https://github.com/urllib3/urllib3/issues/1553
NOTE: https://github.com/urllib3/urllib3/commit/9b76785331243689a9d52cef3db05ef7462cb02d
NOTE: https://github.com/urllib3/urllib3/commit/efddd7e7bad26188c3b692d1090cba768afa9162
@@ -50374,6 +50398,8 @@ CVE-2019-10785 (dojox is vulnerable to Cross-site Scripting in all versions befo
NOTE: https://github.com/dojo/dojox/pull/315
CVE-2019-10784 (phppgadmin through 7.12.1 allows sensitive actions to be performed wit ...)
- phppgadmin <unfixed>
+ [buster] - phppgadmin <no-dsa> (Minor issue)
+ [stretch] - phppgadmin <no-dsa> (Minor issue)
NOTE: https://snyk.io/vuln/SNYK-PHP-PHPPGADMINPHPPGADMIN-543885
NOTE: https://github.com/phppgadmin/phppgadmin/issues/94
CVE-2019-10783 (All versions including 0.0.4 of lsof npm module are vulnerable to Comm ...)
@@ -66210,12 +66236,16 @@ CVE-2019-5165 (An exploitable authentication bypass vulnerability exists in the
NOT-FOR-US: Moxa
CVE-2019-5164 (An exploitable code execution vulnerability exists in the ss-manager b ...)
- shadowsocks-libev 3.3.3+ds-2
+ [buster] - shadowsocks-libev <no-dsa> (Minor issue)
+ [stretch] - shadowsocks-libev <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0958
NOTE: https://github.com/shadowsocks/shadowsocks-libev/issues/2537
NOTE: Mitigation: Using a unix socket with ss-manager via --manager-socket.
NOTE: Exposing ss-manager to pubic is always dangerous.
CVE-2019-5163 (An exploitable denial-of-service vulnerability exists in the UDPRelay ...)
- shadowsocks-libev 3.3.3+ds-2
+ [buster] - shadowsocks-libev <no-dsa> (Minor issue)
+ [stretch] - shadowsocks-libev <no-dsa> (Minor issue)
NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0956
NOTE: https://github.com/shadowsocks/shadowsocks-libev/issues/2536
CVE-2019-5162 (An exploitable improper access control vulnerability exists in the iw_ ...)
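Review bot: "Minor issue" is a thin reason for a code-execution bug in ss-manager (CVE-2019-5164); the existing NOTEs already carry the real argument (ss-manager is not exposed by default and can be bound to a unix socket via --manager-socket), so the [buster]/[stretch] lines should say so, e.g. "<no-dsa> (Minor issue; ss-manager not exposed by default, see mitigation note)". While touching this entry, the context line "Exposing ss-manager to pubic is always dangerous." has a typo: "pubic" should be "public".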
=====================================
data/dsa-needed.txt
=====================================
@@ -31,6 +31,10 @@ linux (carnil)
--
mercurial/oldstable
--
+netkit-telnet
+--
+netkit-telnet-ssl
+--
nodejs
--
nss/oldstable (jmm)
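Review bot: netkit-telnet-ssl is the netkit-telnet code base plus SSL patches, so whichever fix is being queued here should be prepared and tested for both packages together rather than as two independent DSAs; it is worth noting that in the entry (the file already uses parenthesised annotations for assignees), so that the second person picking one of them up sees the dependency.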
@@ -40,6 +44,8 @@ poppler (jmm)
--
python-reportlab (hle)
--
+qbittorrent
+--
smarty3/oldstable
--
squid/stable
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1ed8c71230b58e2a454a53ffc45c5115d8a2c19