[Git][security-tracker-team/security-tracker][master] 2 commits: Remove no-dsa tags for upcoming poppler update in Stretch.
Markus Koschany
apo at debian.org
Sun Nov 8 22:38:35 GMT 2020
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ea35b6cf by Markus Koschany at 2020-11-08T23:36:34+01:00
Remove no-dsa tags for upcoming poppler update in Stretch.
- - - - -
2d21d90a by Markus Koschany at 2020-11-08T23:38:18+01:00
Reserve DLA-2440-1 for poppler
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -84855,7 +84855,6 @@ CVE-2019-14494 (An issue was discovered in Poppler through 0.78.0. There is a di
[experimental] - poppler 0.81.0-1
- poppler 0.85.0-2 (bug #933812)
[buster] - poppler <ignored> (Minor issue)
- [stretch] - poppler <ignored> (Minor issue)
[jessie] - poppler <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/802
NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/317
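Review bot: The line removed here for CVE-2019-14494 is `[stretch] - poppler <ignored> (Minor issue)`, an `<ignored>` tag, while the commit subject speaks of no-dsa tags; of the nine stretch lines removed in data/CVE/list, only the one under CVE-2018-20662 is `<no-dsa>`. Since `<ignored>` records a decision not to fix, the commit message would be more accurate if it said that the earlier ignore decision for stretch is being reversed.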
@@ -99042,7 +99041,6 @@ CVE-2019-10019 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the
- xpdf <not-affected> (xpdf in Debian uses poppler, which is not affected or fixed)
CVE-2019-10018 (An issue was discovered in Xpdf 4.01.01. There is an FPE in the functi ...)
- poppler 0.57.0-2 (low; bug #926133)
- [stretch] - poppler <ignored> (Minor issue)
[jessie] - poppler <ignored> (Minor issue)
NOTE: https://forum.xpdfreader.com/viewtopic.php?f=3&t=41276 (PostScriptFunction::exec at Function.cc:1374-42___FPE PoC)
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=101500
@@ -99168,7 +99166,6 @@ CVE-2019-9959 (The JPXStream::init function in Poppler 0.78.0 and earlier doesn'
[experimental] - poppler 0.81.0-1
- poppler 0.85.0-2 (low; bug #941776)
[buster] - poppler <ignored> (Minor issue)
- [stretch] - poppler <ignored> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/805
NOTE: Patch: https://gitlab.freedesktop.org/poppler/poppler/commit/68ef84e5968a4249c2162b839ca6d7975048a557 (poppler-0.79.0)
NOTE: Reproducer: https://gitlab.freedesktop.org/poppler/poppler/uploads/3f22837ebd503f87e730b51221b89742/raiter_issue5465.pdf
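Review bot: With the stretch line gone, the unchanged `[buster] - poppler <ignored> (Minor issue)` line above it means CVE-2019-9959 will be fixed in stretch but stay unfixed in the newer release, so an upgrade from stretch to buster brings the issue back. The same pattern is visible in the hunks for CVE-2019-14494, CVE-2018-20650 and CVE-2018-19058. A NOTE line recording that stretch is now ahead of buster for these entries would make the discrepancy visible to whoever next reviews the buster status.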
@@ -107383,7 +107380,6 @@ CVE-2019-7311 (An issue was discovered on Linksys WRT1900ACS 1.0.3.187766 device
CVE-2019-7310 (In Poppler 0.73.0, a heap-based buffer over-read (due to an integer si ...)
{DLA-1706-1}
- poppler 0.71.0-4 (bug #921215)
- [stretch] - poppler <ignored> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=12797
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/717
NOTE: https://gitlab.freedesktop.org/poppler/poppler/merge_requests/172
@@ -116449,7 +116445,6 @@ CVE-2018-20663 (The Reporting Addon (aka Reports Addon) through 2019-01-02 for C
CVE-2018-20662 (In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers to caus ...)
{DLA-1706-1}
- poppler 0.71.0-4 (low; bug #918158)
- [stretch] - poppler <no-dsa> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/706
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/7b4e372deeb716eb3fe3a54b31ed41af759224f9
CVE-2019-3580 (OpenRefine through 3.1 allows arbitrary file write because Directory T ...)
@@ -116677,7 +116672,6 @@ CVE-2018-20650 (A reachable Object::dictLookup assertion in Poppler 0.72.0 allow
[experimental] - poppler 0.81.0-1
- poppler 0.85.0-2 (low; bug #917974)
[buster] - poppler <ignored> (Minor issue)
- [stretch] - poppler <ignored> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/de0c0b8324e776f0b851485e0fc9622fc35695b7
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/704
CVE-2018-20649
@@ -128792,7 +128786,6 @@ CVE-2018-19058 (An issue was discovered in Poppler 0.71.0. There is a reachable
[experimental] - poppler 0.81.0-1
- poppler 0.85.0-2 (low; bug #913177)
[buster] - poppler <ignored> (Minor issue)
- [stretch] - poppler <ignored> (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/659
NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/6912e06d9ab19ba28991b5cab3319d61d856bd6d
CVE-2018-19057 (SimpleMDE 1.11.2 has XSS via an onerror attribute of a crafted IMG ele ...)
@@ -189015,7 +189008,6 @@ CVE-2017-14929 (In Poppler 0.59.0, memory corruption occurs in a call to Object:
NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=2c92c7b6a828c9db8a38f079ea7a3d51c12a481d
CVE-2017-14928 (In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia ...)
- poppler 0.61.1-2 (low; bug #877231)
- [stretch] - poppler <ignored> (Minor issue)
[jessie] - poppler <not-affected> (Problematic code introduced in 0.36)
[wheezy] - poppler <not-affected> (Problematic code introduced in 0.36)
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102607
@@ -189029,7 +189021,6 @@ CVE-2017-14927 (In Poppler 0.59.0, a NULL Pointer Dereference exists in the Spla
NOTE: https://cgit.freedesktop.org/poppler/poppler/commit/?id=6472d8493f7e82cc78b41da20a2bf19fcb4e0a7d
CVE-2017-14926 (In Poppler 0.59.0, a NULL Pointer Dereference exists in AnnotRichMedia ...)
- poppler 0.61.1-2 (low; bug #877239)
- [stretch] - poppler <ignored> (Minor issue)
[jessie] - poppler <not-affected> (Problematic code introduced in 0.36)
[wheezy] - poppler <not-affected> (Problematic code introduced in 0.36)
NOTE: https://bugs.freedesktop.org/show_bug.cgi?id=102601
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[08 Nov 2020] DLA-2440-1 poppler - security update
+ {CVE-2017-14926 CVE-2017-14928 CVE-2018-19058 CVE-2018-20650 CVE-2018-20662 CVE-2019-7310 CVE-2019-9959 CVE-2019-10018 CVE-2019-14494}
+ [stretch] - poppler 0.48.0-2+deb9u4
[07 Nov 2020] DLA-2439-1 libexif - security update
{CVE-2020-0452}
[stretch] - libexif 0.6.21-2+deb9u5
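Review bot: The added `[stretch] - poppler 0.48.0-2+deb9u4` line records a fixed version in a commit whose subject only reserves DLA-2440-1. Because the stretch lines for all nine CVEs in the braces were dropped from data/CVE/list, their stretch status now rests on this version, so it should be checked against the version that is actually uploaded. The nine CVE ids in the braces do match the nine entries touched in data/CVE/list.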
=====================================
data/dla-needed.txt
=====================================
@@ -98,8 +98,6 @@ php-horde-trean
pluxml
NOTE: 20201011: issue is still open upstream. Also low priority for us (abhijith)
--
-poppler (Markus Koschany)
---
python3.5 (Thorsten Alteholz)
NOTE: 20201102: testing package
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/45e477b587760f5f9197b8ccb14f4f22ab42faa3...2d21d90ab3fb22cef4a41a900d3a32f7a9b21f93