[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2019-13225,libonig: Stretch is not affected

Markus Koschany apo at debian.org
Tue Nov 3 22:49:23 GMT 2020



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0e29830f by Markus Koschany at 2020-11-03T23:45:09+01:00
CVE-2019-13225,libonig: Stretch is not affected

Actually the issue was introduced in a later version

- - - - -
01c6a669 by Markus Koschany at 2020-11-03T23:48:32+01:00
libonig: remove no-dsa tags for stretch release

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -65839,7 +65839,6 @@ CVE-2019-19246 (Oniguruma through 6.9.3, as used in PHP 7.3.x and other products
 	{DLA-2020-1}
 	- libonig 6.9.4-1 (low; bug #946344)
 	[buster] - libonig <no-dsa> (Minor issue)
-	[stretch] - libonig <no-dsa> (Minor issue)
 	NOTE: https://bugs.php.net/bug.php?id=78559
 	NOTE: https://github.com/kkos/oniguruma/commit/d3e402928b6eb3327f8f7d59a9edfa622fec557b
 CVE-2019-19245 (NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication S ...)
@@ -65956,14 +65955,12 @@ CVE-2019-19204 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In th
 	{DLA-2020-1}
 	- libonig 6.9.4-1 (low; bug #945313)
 	[buster] - libonig <no-dsa> (Minor issue)
-	[stretch] - libonig <no-dsa> (Minor issue)
 	NOTE: https://github.com/kkos/oniguruma/issues/162
 	NOTE: https://github.com/kkos/oniguruma/commit/6eb4aca6a7f2f60f473580576d86686ed6a6ebec (v6.9.4_rc2)
 	NOTE: Only exploitable with attacker-provided pattern
 CVE-2019-19203 (An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the func ...)
 	- libonig 6.9.4-1 (low; bug #945312)
 	[buster] - libonig <no-dsa> (Minor issue)
-	[stretch] - libonig <no-dsa> (Minor issue)
 	[jessie] - libonig <ignored> (Minor issue, not reproducible, non-trivial backport)
 	NOTE: https://github.com/kkos/oniguruma/issues/163
 	NOTE: https://github.com/kkos/oniguruma/commit/aa0188eaedc056dca8374ac03d0177429b495515 (v6.9.4_rc2)
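Review bot: in the CVE-2019-19203 entry the stretch `<no-dsa>` line is dropped, but the jessie line directly below it still reads `<ignored> (Minor issue, not reproducible, non-trivial backport)`, and the commit message only says the tags are removed. A short NOTE in the entry saying why the stretch status changes, and whether the "not reproducible, non-trivial backport" assessment recorded for jessie also applies to the stretch version, would make the change easier to follow later. The same applies to CVE-2019-19204 above it, where the existing NOTE "Only exploitable with attacker-provided pattern" stays in place next to the removed tag.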
@@ -66520,7 +66517,6 @@ CVE-2019-19012 (An integer overflow in the search_in_range function in regexec.c
 	{DLA-2020-1}
 	- libonig 6.9.4-1 (low; bug #944959)
 	[buster] - libonig <no-dsa> (Minor issue)
-	[stretch] - libonig <no-dsa> (Minor issue)
 	NOTE: https://github.com/kkos/oniguruma/issues/164
 	NOTE: https://github.com/kkos/oniguruma/commit/0463e21432515631a9bc925ce5eb95b097c73719
 	NOTE: https://github.com/kkos/oniguruma/commit/778a43dd56925ed58bbe26e3a7bb8202d72c3f3f
@@ -77579,7 +77575,6 @@ CVE-2019-16163 (Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c beca
 	{DLA-1918-1}
 	- libonig 6.9.4-1 (low; bug #939988)
 	[buster] - libonig <no-dsa> (Minor issue)
-	[stretch] - libonig <no-dsa> (Minor issue)
 	NOTE: https://github.com/kkos/oniguruma/issues/147
 	NOTE: https://github.com/kkos/oniguruma/commit/4097828d7cc87589864fecf452f2cd46c5f37180
 CVE-2019-16162 (Onigmo through 6.2.0 has an out-of-bounds read in parse_char_class bec ...)
@@ -88016,14 +88011,13 @@ CVE-2019-13233 (In arch/x86/lib/insn-eval.c in the Linux kernel before 5.1.9, th
 CVE-2019-13225 (A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9 ...)
 	- libonig 6.9.2-1 (low; bug #931878)
 	[buster] - libonig <no-dsa> (Minor issue)
-	[stretch] - libonig <no-dsa> (Minor issue)
+	[stretch] - libonig <no-affected> (vulnerable code was introduced later)
 	[jessie] - libonig <not-affected> (vulnerable code was introduced later)
 	NOTE: https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
 CVE-2019-13224 (A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 a ...)
 	{DLA-1854-1}
 	- libonig 6.9.2-1 (low; bug #931878)
 	[buster] - libonig <no-dsa> (Minor issue)
-	[stretch] - libonig <no-dsa> (Minor issue)
 	NOTE: https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
 CVE-2019-13223 (A reachable assertion in the lookup1_values function in stb_vorbis thr ...)
 	- libstb 0.0~git20190817.1.052dce1-1 (bug #934966)
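Review bot: the added stretch line for CVE-2019-13225 uses the tag `<no-affected>`, while the jessie line directly below it uses `<not-affected>` with the same reason text, so this looks like a typo. It should read `[stretch] - libonig <not-affected> (vulnerable code was introduced later)`, which also matches the commit subject "Stretch is not affected". Separately, the CVE-2019-13224 stretch line in the same hunk is removed without a replacement, which belongs to the second commit's tag removal rather than the not-affected change; worth confirming that split is intended.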



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/edc800fea9ca9fcb6cf963b9ca24c2fe2ee5d4b7...01c6a66937c85cb4cd8f0c76d22b7beb1a52cf16
