[Git][security-tracker-team/security-tracker][master] buster/stretch triage

Moritz Muehlenhoff jmm at debian.org
Mon May 25 18:29:22 BST 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b07aa3fb by Moritz Muehlenhoff at 2020-05-25T19:28:57+02:00
buster/stretch triage

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -176,6 +176,7 @@ CVE-2019-20803 (Gila CMS before 1.11.6 has reflected XSS via the admin/content/p
 	NOT-FOR-US: Gila CMS
 CVE-2018-21234 (Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when ...)
 	- jodd <unfixed> (bug #961298)
+	[buster] - jodd <no-dsa> (Minor issue)
 	NOTE: https://github.com/oblac/jodd/commit/9bffc3913aeb8472c11bb543243004b4b4376f16
 	NOTE: https://github.com/oblac/jodd/issues/628
 CVE-2017-18868 (Digi XBee 2 devices do not have an effective protection mechanism agai ...)
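Review bot: the unstable line for jodd still carries no severity qualifier, while the gpac entries touched in this same commit add `(low)` next to the `<no-dsa>` suite lines; adding the matching qualifier on `- jodd <unfixed> (bug #961298)` would keep the buster "Minor issue" rationale consistent with the package's own severity marking.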
@@ -397,6 +398,8 @@ CVE-2020-13254
 CVE-2020-13253 [sd: OOB access could crash the guest resulting in DoS]
 	RESERVED
 	- qemu <unfixed> (bug #961297)
+	[buster] - qemu <postponed> (Minor issue, can be fixed along in next DSA)
+	[stretch] - qemu <postponed> (Minor issue, can be fixed along in next DSA)
 	NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-05/msg05835.html
 CVE-2020-13252 (Centreon before 19.04.15 allows remote attackers to execute arbitrary  ...)
 	- centreon-web <itp> (bug #913903)
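Review bot: both new `<postponed>` lines for qemu say the fix "can be fixed along in next DSA", but the only reference is the qemu-devel patch thread, so whoever prepares that DSA has no commit to cherry-pick; once the sd OOB fix lands upstream, add a `NOTE:` with the commit URL so the postponed fix can be located without re-reading the list archive.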
@@ -1553,10 +1556,11 @@ CVE-2020-12742 (The iubenda-cookie-law-solution plugin before 2.3.5 for WordPres
 CVE-2020-12741
 	RESERVED
 CVE-2020-12740 (tcprewrite in Tcpreplay through 4.3.2 has a heap-based buffer over-rea ...)
-	- tcpreplay <unfixed>
+	- tcpreplay <unfixed> (unimportant)
 	[jessie] - tcpreplay <not-affected> (Vulnerable code added later)
 	NOTE: https://github.com/appneta/tcpreplay/issues/576
 	NOTE: --fuzz-seed in PoC not present until version 4.2.0
+	NOTE: Crash in CLI tool, no security impact
 CVE-2020-12739
 	RESERVED
 CVE-2020-12738
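Review bot: the new `NOTE: Crash in CLI tool, no security impact` gives the reason for the `(unimportant)` tag only loosely; the existing note already says the over-read needs `--fuzz-seed`, which is not present before 4.2.0, so stating that the crash is reachable only through that option would make the unimportant rating self-explanatory and tie it to the jessie `<not-affected>` reasoning.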
@@ -2144,6 +2148,7 @@ CVE-2020-12475 (TP-Link Omada Controller Software 3.2.6 allows Directory Travers
 	NOT-FOR-US: TP-Link
 CVE-2020-12474 (Telegram Desktop through 2.0.1, Telegram through 6.0.1 for Android, an ...)
 	- telegram-desktop 2.1.0+ds-1
+	[buster] - telegram-desktop <no-dsa> (Minor issue)
 	NOTE: https://github.com/VijayT007/Vulnerability-Database/blob/master/Telegram:CVE-2020-12474
 CVE-2020-12473 (MonoX through 5.1.40.5152 allows admins to execute arbitrary programs  ...)
 	NOT-FOR-US: MonoX
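Review bot: the buster `<no-dsa>` line for telegram-desktop is backed only by a third-party vulnerability write-up on GitHub; since unstable is marked fixed in 2.1.0+ds-1, the upstream fix commit (or release note) should be recorded as a `NOTE:` so a later buster point-release update has a patch reference.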
@@ -7775,6 +7780,7 @@ CVE-2020-10738 (A flaw was found in Moodle versions 3.8 before 3.8.3, 3.7 before
 CVE-2020-10737 [oddjob: race condition in oddjob_selinux_mkdir function in mkhomedir.c can lead to symlink attack]
 	RESERVED
 	- oddjob <unfixed> (bug #960089)
+	[buster] - oddjob <no-dsa> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1833042
 	NOTE: https://pagure.io/oddjob/c/10b8aaa1564b723a005b53acc069df71313f4cac
 CVE-2020-10736 [authorization bypass in mons & mgrs]
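Review bot: only a `[buster]` line is added for oddjob here, while the qemu and gpac hunks in the same commit triage buster and stretch together; if oddjob also ships in stretch, add the corresponding `[stretch] - oddjob <no-dsa> (Minor issue)` line so the symlink race in oddjob_selinux_mkdir is not left untriaged for oldstable.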
@@ -17490,13 +17496,17 @@ CVE-2020-6633
 CVE-2020-6632 (In PrestaShop 1.7.6.2, XSS can occur during addition or removal of a Q ...)
 	NOT-FOR-US: PrestaShop
 CVE-2020-6631 (An issue was discovered in GPAC version 0.8.0. There is a NULL pointer ...)
-	- gpac <unfixed>
+	- gpac <unfixed> (low)
+	[buster] - gpac <no-dsa> (Minor issue)
+	[stretch] - gpac <no-dsa> (Minor issue)
 	[jessie] - gpac <postponed> (Minor issue, clean crash, MP42TS not shipped, incomplete patch)
 	NOTE: https://github.com/gpac/gpac/issues/1378
 	NOTE: https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521
 	NOTE: fix considered "ugly" by upstream and introduces abort(3)-based DoS
 CVE-2020-6630 (An issue was discovered in GPAC version 0.8.0. There is a NULL pointer ...)
-	- gpac <unfixed>
+	- gpac <unfixed> (low)
+	[buster] - gpac <no-dsa> (Minor issue)
+	[stretch] - gpac <no-dsa> (Minor issue)
 	[jessie] - gpac <postponed> (Minor issue, clean crash, MP42TS not shipped, incomplete patch)
 	NOTE: https://github.com/gpac/gpac/issues/1377
 	NOTE: https://github.com/gpac/gpac/commit/c7e46e948ebe2d4a532539c7e714cdf655b84521
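Review bot: the new buster and stretch `<no-dsa> (Minor issue)` lines for both gpac CVEs give less justification than the jessie `<postponed>` line directly below them (clean crash, MP42TS not shipped, incomplete patch); since the `NOTE:` says the upstream fix is "ugly" and itself introduces an abort(3)-based DoS, carrying that reasoning into the buster/stretch reason text would explain why no DSA is planned even though a commit exists.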
@@ -30650,6 +30660,8 @@ CVE-2020-1775
 CVE-2020-1774 (When user downloads PGP or S/MIME keys/certificates, exported file has ...)
 	{DLA-2198-1}
 	- otrs2 6.0.28-1 (bug #959448)
+	[buster] - otrs2 <no-dsa> (Non-free not supported)
+	[stretch] - otrs2 <no-dsa> (Non-free not supported)
 	NOTE: https://otrs.com/release-notes/otrs-security-advisory-2020-11/
 	NOTE: Fixed in 7.0.17, 6.0.28
 	NOTE: OTRS6: https://github.com/OTRS/otrs/commit/ff725cbea77f03fa296bb13f93f5b07086920342
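Review bot: the "Non-free not supported" rationale is applied to both stretch and buster, yet the entry also carries `{DLA-2198-1}`, showing the package was updated for jessie; confirm that otrs2 is in non-free in stretch as well as buster, otherwise the stretch line needs a different reason or a real triage.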
@@ -39992,8 +40004,9 @@ CVE-2019-17223 (There is HTML Injection in the Note field in Dolibarr ERP/CRM 10
 CVE-2019-17222 (An issue was discovered on Intelbras WRN 150 1.0.17 devices. There is  ...)
 	NOT-FOR-US: Intelbras WRN 150 devices
 CVE-2019-17221 (PhantomJS through 2.1.1 has an arbitrary file read vulnerability, as d ...)
-	- phantomjs <unfixed>
+	- phantomjs <unfixed> (unimportant)
 	NOTE: https://www.darkmatter.ae/blogs/breaching-the-perimeter-phantomjs-arbitrary-file-read/
+	NOTE: qtwebkit not covered by security support
 CVE-2019-17220 (Rocket.Chat before 2.1.0 allows XSS via a URL on a ![title] line. ...)
 	NOT-FOR-US: Rocket.Chat
 CVE-2019-17219 (An issue was discovered on V-Zug Combi-Steam MSLQ devices before Ether ...)
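Review bot: the `(unimportant)` tag on phantomjs is justified only by the separate `NOTE: qtwebkit not covered by security support`; since the arbitrary file read is in the embedded WebKit engine rather than phantomjs-specific code, stating that in the same note would make clear why the tag applies to the phantomjs source package and not to an external qtwebkit entry.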


=====================================
data/DSA/list
=====================================
@@ -87,7 +87,7 @@
 	{CVE-2019-9511 CVE-2019-9513 CVE-2019-9514 CVE-2019-15604 CVE-2019-15605 CVE-2019-15606}
 	[buster] - nodejs 10.19.0~dfsg1-1
 [28 Apr 2020] DSA-4668-1 openjdk-8 - security update
-	{CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2773 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805}
+	{CVE-2020-2754 CVE-2020-2755 CVE-2020-2756 CVE-2020-2757 CVE-2020-2773 CVE-2020-2781 CVE-2020-2800 CVE-2020-2803 CVE-2020-2805 CVE-2020-2830}
 	[stretch] - openjdk-8 8u252-b09-1~deb9u1
 [28 Apr 2020] DSA-4667-1 linux - security update
 	{CVE-2020-2732 CVE-2020-8428 CVE-2020-10942 CVE-2020-11565 CVE-2020-11884}
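Review bot: CVE-2020-2830 is added to the already-published DSA-4668-1 CVE list, but no matching change to the CVE-2020-2830 entry in data/CVE/list appears in this commit; that entry should record `[stretch] - openjdk-8 8u252-b09-1~deb9u1` (and the DSA reference) so the tracker does not show the CVE as open in stretch while the DSA list says it was fixed.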


=====================================
data/dsa-needed.txt
=====================================
@@ -38,6 +38,8 @@ squid3/oldstable
 --
 teeworlds/stable (jmm)
 --
+unbound
+--
 xcftools
   Hugo proposed to work on this update
 --
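Review bot: the new `unbound` entry in dsa-needed.txt has no suite qualifier and no assignee, unlike the neighbouring `squid3/oldstable` and `teeworlds/stable (jmm)` lines; add `/stable` or `/oldstable` (or both) and, if someone has picked it up, the assignee in parentheses, so the line says which suite the update is needed for.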



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b07aa3fbfc8774a5289e97f3bf781b04516ed7ca




