[Git][security-tracker-team/security-tracker][master] buster/stretch triage

Wed May 27 21:37:21 BST 2020


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c2e9bdff by Moritz Muehlenhoff at 2020-05-27T22:36:54+02:00
buster/stretch triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -50,6 +50,8 @@ CVE-2020-13615 (lib/QoreSocket.cpp in Qore before 0.9.4.2 lacks hostname verific
 	NOT-FOR-US: Qore
 CVE-2020-13614 (An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implem ...)
 	- axel 2.17.8-1
+	[buster] - axel <no-dsa> (Minor issue)
+	[stretch] - axel <no-dsa> (Minor issue)
 	NOTE: https://github.com/axel-download-accelerator/axel/issues/262
 CVE-2020-13613
 	RESERVED
@@ -5165,7 +5167,7 @@ CVE-2020-11763 (An issue was discovered in OpenEXR before 2.4.1. There is an std
 	- openexr <unfixed> (bug #959444)
 	[jessie] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
-	TODO: check fixing commit
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/pull/643/commits/d0303d1785d2a8cb994efee9efa81f8ee4be4c17
 CVE-2020-11762 (An issue was discovered in OpenEXR before 2.4.1. There is an out-of-bo ...)
 	[experimental] - openexr 2.5.0-1
 	- openexr <unfixed> (bug #959444)
@@ -5198,7 +5200,7 @@ CVE-2020-11758 (An issue was discovered in OpenEXR before 2.4.1. There is an out
 	- openexr <unfixed> (bug #959444)
 	[jessie] - openexr <no-dsa> (Minor issue)
 	NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=1987
-	TODO: check isolated commit to fix issue
+	NOTE: https://github.com/AcademySoftwareFoundation/openexr/commit/7a52d40ae23c148f27116cb1f6e897b9143b372c
 CVE-2020-11757
 	RESERVED
 CVE-2020-11756
@@ -5475,6 +5477,7 @@ CVE-2020-11654
 	RESERVED
 CVE-2020-11653 (An issue was discovered in Varnish Cache before 6.0.6 LTS, 6.1.x and 6 ...)
 	- varnish 6.4.0-1 (bug #956307)
+	[buster] - varnish <postponed> (Can be fixed along in next DSA)
 	[stretch] - varnish <not-affected> (Only affects 6.x)
 	[jessie] - varnish <not-affected> (Only affects 6.x)
 	NOTE: https://varnish-cache.org/security/VSV00005.html#vsv00005
@@ -6076,33 +6079,45 @@ CVE-2020-11527 (In Zoho ManageEngine OpManager before 12.4.181, an unauthenticat
 	NOT-FOR-US: Zoho
 CVE-2020-11526 (libfreerdp/core/update.c in FreeRDP versions > 1.1 through 2.0.0-rc ...)
 	- freerdp2 <unfixed>
+	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
+	[stretch] - freerdp <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-97jw-m5w5-xvf9
 	NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/192856cb59974ee4d7d3e72cbeafa676aa7565cf
 	NOTE: https://github.com/FreeRDP/FreeRDP/issues/6012
 CVE-2020-11525 (libfreerdp/cache/bitmap.c in FreeRDP versions > 1.0 through 2.0.0-r ...)
 	- freerdp2 <unfixed>
+	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
+	[stretch] - freerdp <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9755-fphh-gmjg
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/0b6b92a25a77d533b8a92d6acc840a81e103684e
 CVE-2020-11524 (libfreerdp/codec/interleaved.c in FreeRDP versions > 1.0 through 2. ...)
 	- freerdp2 <unfixed>
+	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
+	[stretch] - freerdp <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgw8-3mp2-p5qw
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/7b1d4b49391b4512402840431757703a96946820
 CVE-2020-11523 (libfreerdp/gdi/region.c in FreeRDP versions > 1.0 through 2.0.0-rc4 ...)
 	- freerdp2 <unfixed>
+	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
+	[stretch] - freerdp <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-4qrh-8cp8-4x42
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/ce21b9d7ecd967e0bc98ed31a6b3757848aa6c9e
 CVE-2020-11522 (libfreerdp/gdi/gdi.c in FreeRDP > 1.0 through 2.0.0-rc4 has an Out- ...)
 	- freerdp2 <unfixed>
+	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
+	[stretch] - freerdp <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-48wx-7vgj-fffh
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/907640a924fa7a9a99c80a48ac225e9d8e41548b
 CVE-2020-11521 (libfreerdp/codec/planar.c in FreeRDP version > 1.0 through 2.0.0-rc ...)
 	- freerdp2 <unfixed>
+	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
+	[stretch] - freerdp <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5cwc-6wc9-255w
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/17f547ae11835bb11baa3d045245dc1694866845
 CVE-2020-11520
@@ -7095,7 +7110,9 @@ CVE-2020-11059
 	RESERVED
 CVE-2020-11058 (In FreeRDP after 1.1 and before 2.0.0, a stream out-of-bounds seek in  ...)
 	- freerdp2 <unfixed>
+	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
+	[stretch] - freerdp <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wjg2-2f82-466g
 	NOTE: https://github.com/FreeRDP/FreeRDP/commit/3627aaf7d289315b614a584afb388f04abfb5bbf
 	NOTE: https://github.com/FreeRDP/FreeRDP/issues/6011
@@ -7120,25 +7137,33 @@ CVE-2020-11050 (In Java-WebSocket less than or equal to 1.4.1, there is an Impro
 	NOT-FOR-US: Java-WebSocket, different from src:websocket-api
 CVE-2020-11049 (In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bound read o ...)
 	- freerdp2 <unfixed>
+	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
+	[stretch] - freerdp <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-wwh7-r2r8-xjpr
 	NOTE: Fixed with: https://github.com/FreeRDP/FreeRDP/pull/6019
 	NOTE: https://github.com/FreeRDP/FreeRDP/issues/6008
 CVE-2020-11048 (In FreeRDP after 1.0 and before 2.0.0, there is an out-of-bounds read. ...)
 	- freerdp2 <unfixed>
+	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
+	[stretch] - freerdp <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hv8w-f2hx-5gcv
 	NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/9301bfe730c66180263248b74353daa99f5a969b
 	NOTE: https://github.com/FreeRDP/FreeRDP/issues/6007
 CVE-2020-11047 (In FreeRDP after 1.1 and before 2.0.0, there is an out-of-bounds read  ...)
 	- freerdp2 <unfixed>
+	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
+	[stretch] - freerdp <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9fw6-m2q8-h5pw
 	NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/f5e73cc7c9cd973b516a618da877c87b80950b65
 	NOTE: https://github.com/FreeRDP/FreeRDP/issues/6009
 CVE-2020-11046 (In FreeRDP after 1.0 and before 2.0.0, there is a stream out-of-bounds ...)
 	- freerdp2 <unfixed>
+	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
+	[stretch] - freerdp <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hx48-wmmm-mr5q
 	NOTE: Fixed  by: https://github.com/FreeRDP/FreeRDP/commit/ed53cd148f43cbab905eaa0f5308c2bf3c48cc37
 	NOTE: https://github.com/FreeRDP/FreeRDP/issues/6006
@@ -7150,6 +7175,7 @@ CVE-2020-11045 (In FreeRDP after 1.0 and before 2.0.0, there is an out-of-bound
 	NOTE: https://github.com/FreeRDP/FreeRDP/issues/6005
 CVE-2020-11044 (In FreeRDP greater than 1.2 and before 2.0.0, a double free in update_ ...)
 	- freerdp2 <unfixed>
+	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <not-affected> (Vulnerable code introduced later)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cgqh-p732-6x2w
 	NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/67c2aa52b2ae0341d469071d1bc8aab91f8d2ed8
@@ -7158,7 +7184,9 @@ CVE-2020-11043
 	RESERVED
 CVE-2020-11042 (In FreeRDP greater than 1.1 and before 2.0.0, there is an out-of-bound ...)
 	- freerdp2 <unfixed>
+	[buster] - freerdp2 <no-dsa> (Minor issue)
 	- freerdp <removed>
+	[stretch] - freerdp <no-dsa> (Minor issue)
 	NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9jp6-5vf2-cx2q
 	NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/6b2bc41935e53b0034fe5948aeeab4f32e80f30f
 	NOTE: https://github.com/FreeRDP/FreeRDP/issues/6010
@@ -29960,9 +29988,9 @@ CVE-2020-2027
 CVE-2020-2026
 	RESERVED
 CVE-2020-2025 (Kata Containers before 1.11.0 on Cloud Hypervisor persists guest files ...)
-	TODO: check
+	NOT-FOR-US: Kata Containers
 CVE-2020-2024 (An improper link resolution vulnerability affects Kata Containers vers ...)
-	TODO: check
+	NOT-FOR-US: Kata Containers
 CVE-2020-2023
 	RESERVED
 CVE-2020-2022
@@ -30577,7 +30605,7 @@ CVE-2020-1899
 CVE-2020-1898
 	RESERVED
 CVE-2020-1897 (A use-after-free is possible due to an error in lifetime management in ...)
-	TODO: check
+	NOT-FOR-US: Facebook Proxygen
 CVE-2020-1896
 	RESERVED
 CVE-2020-1895 (A large heap overflow could occur in Instagram for Android when attemp ...)
@@ -32935,7 +32963,8 @@ CVE-2019-18862 (maidag in GNU Mailutils before 3.8 is installed setuid and allow
 CVE-2019-18861
 	RESERVED
 CVE-2019-18860 (Squid before 4.9, when certain web browsers are used, mishandles HTML  ...)
-	- squid 4.9-1
+	- squid 4.9-1 (low)
+	[buster] - squid <no-dsa> (Minor issue)
 	- squid3 <removed>
 	NOTE: https://github.com/squid-cache/squid/pull/504
 	NOTE: https://github.com/squid-cache/squid/commit/5cc4b155cee1a4968109737f6eba2ef29d51034d (SQUID_5_0_1)
@@ -47589,13 +47618,13 @@ CVE-2019-14877 (In the __mdiff function of the newlib libc library, all versions
 	[stretch] - newlib <no-dsa> (Minor issue)
 	[jessie] - newlib <ignored> (Minor issue)
 	NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/
-	TODO: picolibc might be affected, not yet in the archive
+	TODO: picolibc might be affected
 CVE-2019-14876 (In the __lshift function of the newlib libc library, all versions prio ...)
 	- newlib 3.3.0-1
 	[buster] - newlib <no-dsa> (Minor issue)
 	[stretch] - newlib <no-dsa> (Minor issue)
 	[jessie] - newlib <ignored> (Minor issue)
-	- picolibc <unfixed> (low)
+	- picolibc <unfixed> (unimportant)
 	NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/
 CVE-2019-14875 (In the __multiply function of the newlib libc library, all versions pr ...)
 	- newlib 3.3.0-1
@@ -47609,7 +47638,7 @@ CVE-2019-14874 (In the __i2b function of the newlib libc library, all versions p
 	[buster] - newlib <no-dsa> (Minor issue)
 	[stretch] - newlib <no-dsa> (Minor issue)
 	[jessie] - newlib <ignored> (Minor issue)
-	- picolibc <unfixed> (low)
+	- picolibc <unfixed> (unimportant)
 	NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/
 CVE-2019-14873 (In the __multadd function of the newlib libc library, prior to version ...)
 	- newlib 3.3.0-1
@@ -47617,21 +47646,21 @@ CVE-2019-14873 (In the __multadd function of the newlib libc library, prior to v
 	[stretch] - newlib <no-dsa> (Minor issue)
 	[jessie] - newlib <ignored> (Minor issue)
 	NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/
-	TODO: picolibc might be affected, not yet in the archive
+	TODO: picolibc might be affected
 CVE-2019-14872 (The _dtoa_r function of the newlib libc library, prior to version 3.3. ...)
 	- newlib 3.3.0-1
 	[buster] - newlib <no-dsa> (Minor issue)
 	[stretch] - newlib <no-dsa> (Minor issue)
 	[jessie] - newlib <ignored> (Minor issue)
 	NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/
-	TODO: picolibc might be affected, not yet in the archive
+	TODO: picolibc might be affected
 CVE-2019-14871 (The REENT_CHECK macro (see newlib/libc/include/sys/reent.h) as used by ...)
 	- newlib 3.3.0-1
 	[buster] - newlib <no-dsa> (Minor issue)
 	[stretch] - newlib <no-dsa> (Minor issue)
 	[jessie] - newlib <ignored> (Minor issue)
 	NOTE: https://census-labs.com/news/2020/01/31/multiple-null-pointer-dereference-vulnerabilities-in-newlib/
-	TODO: picolibc might be affected, not yet in the archive
+	TODO: picolibc might be affected
 CVE-2019-14870 (All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11 ...)
 	- samba 2:4.11.3+dfsg-1
 	[buster] - samba <no-dsa> (Minor issue)
@@ -62870,6 +62899,7 @@ CVE-2019-10065 (An issue was discovered in Open Ticket Request System (OTRS) 7.0
 CVE-2019-10064 (hostapd before 2.6, in EAP mode, makes calls to the rand() and random( ...)
 	{DLA-2138-1}
 	- wpa 2:2.6-7
+	[stretch] - wpa <no-dsa> (Minor issue)
 	NOTE: https://www.openwall.com/lists/oss-security/2020/02/27/1
 	NOTE: Comment from upstream: https://www.openwall.com/lists/oss-security/2020/02/27/2
 	NOTE: Issue fixed in conjunction with CVE-2016-10743.
@@ -70607,6 +70637,7 @@ CVE-2019-7548 (SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter c
 	{DLA-1718-1}
 	[experimental] - sqlalchemy 1.3.0~b3+ds1-1
 	- sqlalchemy 1.2.18+ds1-2 (bug #922669)
+	[stretch] - sqlalchemy <no-dsa> (Minor issue)
 	NOTE: https://github.com/sqlalchemy/sqlalchemy/issues/4481
 	NOTE: https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414
 CVE-2019-7547 (An issue was discovered in SIDU 6.0. Because the database name is not  ...)
@@ -71685,6 +71716,7 @@ CVE-2019-7164 (SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL In
 	{DLA-1718-1}
 	[experimental] - sqlalchemy 1.3.0~b3+ds1-1
 	- sqlalchemy 1.2.18+ds1-2 (bug #922669)
+	[stretch] - sqlalchemy <no-dsa> (Minor issue)
 	NOTE: https://github.com/sqlalchemy/sqlalchemy/issues/4481
 	NOTE: https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414
 CVE-2019-7163 (The web interface of Alcatel LINKZONE MW40-V-V1.0 MW40_LU_02.00_02 dev ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2e9bdff2314441ad8dcd1c3f5c0d53ec908709a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2e9bdff2314441ad8dcd1c3f5c0d53ec908709a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200527/b799e8ea/attachment-0001.html>
