[Git][security-tracker-team/security-tracker][master] new ntp issue
Moritz Muehlenhoff
jmm at debian.org
Thu May 28 18:03:23 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c39d1a54 by Moritz Muehlenhoff at 2020-05-28T19:02:51+02:00
new ntp issue
NFUs
add and take ffmpeg
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -119642,7 +119642,13 @@ CVE-2018-8958
CVE-2018-8957 (CoverCMS v1.1.6 has XSS via the fourth input box to index.php, related ...)
NOT-FOR-US: CoverCMS
CVE-2018-8956 (ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allow remote att ...)
- TODO: check
+ - ntp <unfixed> (low)
+ [buster] - ntp <no-dsa> (Minor issue)
+ [stretch] - ntp <no-dsa> (Minor issue)
+ NOTE: MISC:https://arxiv.org/abs/2005.01783
+ NOTE: MISC:https://nikhiltripathi.in/NTP_attack.pdf
+ NOTE: MISC:https://tools.ietf.org/html/rfc5905
+ TODO: check ntpsec
CVE-2018-8955 (The installer for BitDefender GravityZone relies on an encoded string ...)
NOT-FOR-US: BitDefender GravityZone
CVE-2018-8954 (CA Workload Control Center before r11.4 SP6 allows remote attackers to ...)
@@ -229757,7 +229763,7 @@ CVE-2015-7948
CVE-2015-7947
REJECTED
CVE-2015-7946 (Information Exposure vulnerability in Unity8 as used on the Ubuntu pho ...)
- TODO: check
+ NOT-FOR-US: Unity8 (predates Lomiri)
CVE-2015-7945 (The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti befo ...)
{DSA-3431-1}
- ganeti 2.15.2-1 (bug #809538)
@@ -274934,7 +274940,7 @@ CVE-2014-1424 (apparmor_parser in the apparmor package before 2.8.95~2430-0ubunt
NOTE: affected one that we ever had in Debian (2.8.96~2652) did not
NOTE: include the faulty patch.
CVE-2014-1423 (signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch ...)
- TODO: check
+ NOT-FOR-US: signond from Ubuntu Touch
CVE-2014-1422
RESERVED
CVE-2014-1421 (mountall 1.54, as used in Ubuntu 14.10, does not properly handle the u ...)
@@ -292528,7 +292534,7 @@ CVE-2013-1868 (Multiple buffer overflows in VideoLAN VLC media player 2.0.4 and
CVE-2013-1867 (Gemalto Tokend 2013 has an Arbitrary File Creation/Overwrite Vulnerabi ...)
NOT-FOR-US: Gemalto Tokend
CVE-2013-1866 (OpenSC OpenSC.tokend has an Arbitrary File Creation/Overwrite Vulnerab ...)
- TODO: check
+ NOT-FOR-US: OpenSC.tokend (different from src:opensc)
CVE-2013-1865 (OpenStack Keystone Folsom (2012.2) does not properly perform revocatio ...)
- keystone <not-affected> (only affects folsom)
NOTE: fixed in experimental with keystone/2012.2.3-2
=====================================
data/dsa-needed.txt
=====================================
@@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa
--
chromium
--
+ffmpeg (jmm)
+--
jruby/oldstable
--
libopenmpt
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c39d1a5463ac7d451a8b4cc349ca60dcf387ed9f
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c39d1a5463ac7d451a8b4cc349ca60dcf387ed9f
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200528/65a6fd40/attachment.html>
More information about the debian-security-tracker-commits
mailing list