[Git][security-tracker-team/security-tracker][master] 7 commits: mark CVE-2020-13164 as postponed for Jessie

Thorsten Alteholz alteholz at debian.org
Fri May 22 12:05:32 BST 2020



Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e46d2f4a by Thorsten Alteholz at 2020-05-22T12:51:59+02:00
mark CVE-2020-13164 as postponed for Jessie

- - - - -
7e9afce7 by Thorsten Alteholz at 2020-05-22T12:55:18+02:00
mark CVE-2020-12693 as not-affected for Jessie

- - - - -
7229f8a5 by Thorsten Alteholz at 2020-05-22T12:56:11+02:00
mark CVE-2020-12801 as no-dsa for Jessie

- - - - -
7b2706e3 by Thorsten Alteholz at 2020-05-22T13:00:56+02:00
mark CVE-2020-13112 CVE-2020-13113 CVE-2020-13114 as no-dsa for Jessie

- - - - -
911a4a6b by Thorsten Alteholz at 2020-05-22T13:02:21+02:00
add netqmail

- - - - -
9a61f30e by Thorsten Alteholz at 2020-05-22T13:03:34+02:00
add tomcat7

- - - - -
7be8d0b5 by Thorsten Alteholz at 2020-05-22T13:04:43+02:00
add nss

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -399,6 +399,7 @@ CVE-2020-13164 (In Wireshark 3.2.0 to 3.2.3, 3.0.0 to 3.0.10, and 2.6.0 to 2.6.1
 	- wireshark 3.2.4-1 (low)
 	[buster] - wireshark <postponed> (Can be fixed along in next 3.0.x DSA)
 	[stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0)
+	[jessie] - wireshark <postponed> (Can be fixed along with other CVEs)
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16476
 	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e6e98eab8e5e0bbc982cfdc808f2469d7cab6c5a
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-08.html
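Review bot: The added [jessie] line gives "Can be fixed along with other CVEs" as the reason for <postponed>, which does not say which update is meant, while the buster and stretch lines directly above it name the next DSA. Suggest naming the vehicle in the same way, for example "Can be fixed along in next DLA", so a later reader can tell when the postponement ends.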
@@ -523,16 +524,19 @@ CVE-2020-13114 (An issue was discovered in libexif before 0.6.22. An unrestricte
 	- libexif <unfixed>
 	[buster] - libexif <no-dsa> (Minor issue)
 	[stretch] - libexif <no-dsa> (Minor issue)
+	[jessie] - libexif <no-dsa> (Minor issue)
 	NOTE: https://github.com/libexif/libexif/commit/e6a38a1a23ba94d139b1fa2cd4519fdcfe3c9bab (0.6.22)
 CVE-2020-13113 (An issue was discovered in libexif before 0.6.22. Use of uninitialized ...)
 	- libexif <unfixed>
 	[buster] - libexif <no-dsa> (Minor issue)
 	[stretch] - libexif <no-dsa> (Minor issue)
+	[jessie] - libexif <no-dsa> (Minor issue)
 	NOTE: https://github.com/libexif/libexif/commit/ec412aa4583ad71ecabb967d3c77162760169d1f (0.6.22)
 CVE-2020-13112 (An issue was discovered in libexif before 0.6.22. Several buffer over- ...)
 	- libexif <unfixed>
 	[buster] - libexif <no-dsa> (Minor issue)
 	[stretch] - libexif <no-dsa> (Minor issue)
+	[jessie] - libexif <no-dsa> (Minor issue)
 	NOTE: https://github.com/libexif/libexif/commit/435e21f05001fb03f9f186fa7cbc69454afd00d1 (0.6.22)
 CVE-2020-13111 (NaviServer 4.99.4 to 4.99.19 allows denial of service due to the nsd/d ...)
 	NOT-FOR-US: NaviServer
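Review bot: The three added [jessie] lines for CVE-2020-13114, CVE-2020-13113 and CVE-2020-13112 reuse "Minor issue" unchanged, although the visible descriptions differ ("Use of uninitialized ..." for CVE-2020-13113, "Several buffer over- ..." for CVE-2020-13112). Since each entry already has a NOTE pointing at an upstream commit tagged (0.6.22), a one-line NOTE per CVE saying why it is minor for jessie would make the <no-dsa> decision reviewable without re-reading those commits.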
@@ -1181,6 +1185,7 @@ CVE-2020-12801 (If LibreOffice has an encrypted document open and crashes, that
 	- libreoffice 1:6.4.3-1 (low)
 	[buster] - libreoffice <no-dsa> (Minor issue)
 	[stretch] - libreoffice <no-dsa> (Minor issue)
+	[jessie] - libreoffice <no-dsa> (Minor issue)
 	NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2020-12801
 CVE-2020-12800
 	RESERVED
@@ -1449,6 +1454,7 @@ CVE-2020-12693
 	- slurm-llnl <unfixed>
 	[buster] - slurm-llnl <no-dsa> (Minor issue)
 	[stretch] - slurm-llnl <no-dsa> (Minor issue)
+	[jessie] - slurm-llnl <not-affected> (Message Aggregation added in 14.11)
 	NOTE: https://www.schedmd.com/news.php?id=236
 	NOTE: https://lists.schedmd.com/pipermail/slurm-announce/2020/000036.html
 	NOTE: Issue affects systems with Message Aggregation enabled
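Review bot: The reason on the added [jessie] line, "Message Aggregation added in 14.11", states when the feature appeared but leaves the reader to infer that the jessie package predates it. Suggest making the conclusion explicit in the parenthetical, for example "Vulnerable code not present, Message Aggregation added in 14.11", which also ties it to the existing NOTE that the issue affects systems with Message Aggregation enabled.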


=====================================
data/dla-needed.txt
=====================================
@@ -74,9 +74,14 @@ mumble (Abhijith PA)
   NOTE: 20200420: Upstream patch is incomplete. Version in stretch is also vulnerable (abhijith)
   NOTE: 20200504: discussion going on with team at security.debian.org and mumble maintainer (abhijith)
 --
+netqmail
+--
 nginx (Mike Gabriel)
   NOTE: 20200505: Patch for CVE-2020-11724 appears to be fairly invasive and, alas, no tests. (lamby)
 --
+nss
+  NOTE: 20200521: bug report is not yet public, so probably Jessie is not affected
+--
 opendmarc (Thorsten Alteholz)
   NOTE: 20200420: still testing package, original patch does not seem to be enough, still ongoing (thorsten)
   NOTE: 20200511: new CVEs arrived (thorsten)
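Review bot: The added nss NOTE ("bug report is not yet public, so probably Jessie is not affected") draws a conclusion about affectedness from the report being non-public, which does not follow, and it sits oddly with adding nss to dla-needed.txt at all. It also lacks the author tag in parentheses that the neighbouring notes carry, such as (abhijith), (lamby) and (thorsten). Suggest rewording to say what is still to be checked and appending the author tag; the bare netqmail entry in the same hunk would likewise benefit from a NOTE naming the CVE(s) that prompted it.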
@@ -96,6 +101,8 @@ squid3 (Markus Koschany)
   NOTE: 20200518: Ongoing work on squid3 in Stretch which will be used for Jessie
   NOTE: 20200518: and Stretch.
 --
+tomcat7
+--
 tomcat8 (Markus Koschany)
   NOTE: 20200521: One patch resulted to have a bug that had to be fixed; new CVE also released. (roberto)
 --
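Review bot: The added tomcat7 entry has no NOTE, while the adjacent tomcat8 entry records that one patch had a bug that needed fixing and that a new CVE was released. Suggest a short dated NOTE under tomcat7 naming the CVE(s) that prompted the entry and whether the tomcat8 patch problem applies, so whoever claims it can coordinate with that work.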



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b641f1134effc15480ad7da19af569dc3c7b386e...7be8d0b59fb6447b446e404d368af25e8709c4eb
