[Git][security-tracker-team/security-tracker][master] one systemd issue unimportant

Moritz Muehlenhoff jmm at debian.org
Mon May 11 12:01:23 BST 2020 


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ce08d76d by Moritz Muehlenhoff at 2020-05-11T13:00:53+02:00
one systemd issue unimportant
add tracking for fex issue
mark edk2 issues as ignored for stretch

- - - - -


2 changed files:

- data/CVE/list
- data/next-oldstable-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -13,6 +13,10 @@ CVE-2019-20795 (iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_n
 	[jessie] - iproute2 <not-affected> (Vulnerable code introduced later)
 	NOTE: Fixed by: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=9bf2c538a0eb10d66e2365a655bf6c52f5ba3d10 (v5.1.0)
 	NOTE: Introduced in: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=86bf43c7c2fdc33d7c021b4a1add1c8facbca51c (v4.15.0)
+CVE-2020-XXXX [unspecified fexsrv security issue]
+	- fex 20160919-2
+	[buster] - fex 20160919-2~deb10u1
+	[stretch] - fex <no-dsa> (Non-free not supported)
 CVE-2020-12771 (An issue was discovered in the Linux kernel through 5.6.11. btree_gc_c ...)
 	- linux <unfixed>
 	NOTE: https://lkml.org/lkml/2020/4/26/87
@@ -14330,11 +14334,10 @@ CVE-2020-7240 (** DISPUTED ** Meinberg Lantime M300 and M1000 devices allow atta
 CVE-2020-7239 (The conversation-watson plugin before 0.8.21 for WordPress has a DOM-b ...)
 	NOT-FOR-US: conversation-watson plugin for WordPress
 CVE-2019-20386 (An issue was discovered in button_open in login/logind-button.c in sys ...)
-	- systemd 243-5
-	[buster] - systemd <no-dsa> (Minor issue)
-	[stretch] - systemd <no-dsa> (Minor issue)
-	[jessie] - systemd <no-dsa> (Minor issue)
+	- systemd 243-5 (unimportant)
 	NOTE: https://github.com/systemd/systemd/commit/b2774a3ae692113e1f47a336a6c09bac9cfb49ad
+	NOTE: Negligible security impact, requires root or physical access to plug in a device,
+	NOTE: at which point you can just as well DoS the computer with a hammer instead
 CVE-2019-20385 (The CSV upload feature in /supervisor/procesa_carga.php on Logaritmo A ...)
 	NOT-FOR-US: Logaritmo Aware CallManager 2012 devices
 CVE-2019-20384 (Gentoo Portage through 2.3.84 allows local users to place a Trojan hor ...)
@@ -46416,13 +46419,13 @@ CVE-2019-14587
 	RESERVED
 	- edk2 0~20200229.4c0f6e34-1
 	[buster] - edk2 0~20181115.85588389-3+deb10u1
-	[stretch] - edk2 <no-dsa> (Minor issue)
+	[stretch] - edk2 <ignored> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 CVE-2019-14586
 	RESERVED
 	- edk2 0~20200229.4c0f6e34-1
 	[buster] - edk2 0~20181115.85588389-3+deb10u1
-	[stretch] - edk2 <no-dsa> (Minor issue)
+	[stretch] - edk2 <ignored> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 CVE-2019-14585
 	RESERVED
@@ -46448,7 +46451,7 @@ CVE-2019-14575 [DxeImageVerificationHandler() fails open in case of dbx signatur
 	RESERVED
 	- edk2 0~20200229.4c0f6e34-1 (low; bug #952935)
 	[buster] - edk2 0~20181115.85588389-3+deb10u1
-	[stretch] - edk2 <no-dsa> (Minor issue)
+	[stretch] - edk2 <ignored> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1608
 CVE-2019-14574 (Out of bounds read in a subsystem for Intel(R) Graphics Driver version ...)
@@ -46477,7 +46480,7 @@ CVE-2019-14563 [numeric truncation in MdeModulePkg/PiDxeS3BootScriptLib]
 	RESERVED
 	- edk2 0~20200229.4c0f6e34-1 (low; bug #952934)
 	[buster] - edk2 0~20181115.85588389-3+deb10u1
-	[stretch] - edk2 <no-dsa> (Minor issue)
+	[stretch] - edk2 <ignored> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 	NOTE: https://github.com/tianocore/edk2/commit/322ac05f8bbc1bce066af1dabd1b70ccdbe28891
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2001
@@ -46491,7 +46494,7 @@ CVE-2019-14559 [memory leak in ArpOnFrameRcvdDpc]
 	RESERVED
 	- edk2 0~20200229.4c0f6e34-1 (bug #952926; low)
 	[buster] - edk2 0~20181115.85588389-3+deb10u1
-	[stretch] - edk2 <no-dsa> (Minor issue)
+	[stretch] - edk2 <ignored> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2550
 	NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2031
@@ -46499,7 +46502,7 @@ CVE-2019-14558
 	RESERVED
 	- edk2 0~20200229.4c0f6e34-1
 	[buster] - edk2 0~20181115.85588389-3+deb10u1
-	[stretch] - edk2 <no-dsa> (Minor issue)
+	[stretch] - edk2 <ignored> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 CVE-2019-14557
 	RESERVED
@@ -89779,13 +89782,13 @@ CVE-2019-0162 (Memory access in virtual memory mapping for some microprocessors
 	NOT-FOR-US: F5
 CVE-2019-0161 (Stack overflow in XHCI for EDK II may allow an unauthenticated user to ...)
 	- edk2 0~20180803.dd4cae4d-1 (low)
-	[stretch] - edk2 <no-dsa> (Minor issue)
+	[stretch] - edk2 <ignored> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 	NOTE: https://github.com/tianocore/edk2/commit/acebdf14c985c5c9f50b37ece0b15ada87767359
 	NOTE: https://github.com/tianocore/edk2/commit/72750e3bf9174f15c17e78f0f117b5e7311bb49f
 CVE-2019-0160 (Buffer overflow in system firmware for EDK II may allow unauthenticate ...)
 	- edk2 0~20181115.85588389-1 (low)
-	[stretch] - edk2 <no-dsa> (Minor issue)
+	[stretch] - edk2 <ignored> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 	NOTE: https://github.com/tianocore/edk2/commit/4df8f5bfa28b8b881e506437e8f08d92c1a00370
 	NOTE: https://github.com/tianocore/edk2/commit/b9ae1705adfdd43668027a25a2b03c2e81960219
@@ -108684,7 +108687,7 @@ CVE-2018-12184
 CVE-2018-12183 (Stack overflow in DxeCore for EDK II may allow an unauthenticated user ...)
 	- edk2 0~20181115.85588389-1
 	[buster] - edk2 <no-dsa> (Minor issue)
-	[stretch] - edk2 <no-dsa> (Minor issue)
+	[stretch] - edk2 <ignored> (Minor issue)
 	[jessie] - edk2 <end-of-life> (non-free)
 	NOTE: https://github.com/tianocore/edk2/commit/0a0d5296e448fc350de1594c49b9c0deff7fad60
 CVE-2018-12182 (Insufficient memory write check in SMM service for EDK II may allow an ...)


=====================================
data/next-oldstable-point-update.txt
=====================================
@@ -82,3 +82,5 @@ CVE-2020-3898
 	[stretch] - cups 2.2.1-8+deb9u6
 CVE-2019-8842
 	[stretch] - cups 2.2.1-8+deb9u6
+CVE-2020-XXXX
+	[stretch] - fex 20160919-2~deb9u1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce08d76dcfc5adf5b0b2f6dd6462cc2852aec695

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce08d76dcfc5adf5b0b2f6dd6462cc2852aec695
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200511/02624b56/attachment.html>

More information about the debian-security-tracker-commits mailing list