[Git][security-tracker-team/security-tracker][master] buster triage
Moritz Muehlenhoff
jmm at debian.org
Thu Oct 8 18:47:30 BST 2020
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
01469a67 by Moritz Muehlenhoff at 2020-10-08T19:47:05+02:00
buster triage
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -623,6 +623,7 @@ CVE-2020-26576
RESERVED
CVE-2020-26575 (In Wireshark through 3.2.7, the Facebook Zero Protocol (aka FBZERO) di ...)
- wireshark <unfixed>
+ [buster] - wireshark <postponed> (Minor issue, can be fixed along in next DSA)
NOTE: https://gitlab.com/wireshark/wireshark/-/commit/3ff940652962c099b73ae3233322b8697b0d10ab
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16887
NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/467
@@ -24112,7 +24113,7 @@ CVE-2020-15401 (IOBit Malware Fighter Pro 8.0.2.547 allows local users to gain p
NOT-FOR-US: IOBit Malware Fighter Pro
CVE-2020-15400 (CakePHP before 4.0.6 mishandles CSRF token generation. This might be r ...)
- cakephp <unfixed>
- [buster] - cakephp <no-dsa> (Minor issue)
+ [buster] - cakephp <ignored> (Minor issue)
[stretch] - cakephp <no-dsa> (Minor issue)
CVE-2020-15399
RESERVED
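Review bot: the buster state moves from `<no-dsa>` to `<ignored>` while the parenthetical rationale stays `(Minor issue)`, so the entry no longer records why a fix via a point release is ruled out as well; consider extending the rationale on the `+` line, e.g. `[buster] - cakephp <ignored> (Minor issue, not worth a point-release update)`, so the decision is self-explanatory when the entry is revisited. The same applies to the other `<no-dsa>` to `<ignored>` flips in this commit that keep an unchanged `(Minor issue)` rationale.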
@@ -49789,7 +49790,7 @@ CVE-2020-5967 (NVIDIA Linux GPU Display Driver, all versions, contains a vulnera
- nvidia-graphics-drivers-legacy-390xx 390.138-1 (bug #963908)
[buster] - nvidia-graphics-drivers-legacy-390xx 390.138-1~deb10u1
- nvidia-graphics-drivers-legacy-340xx <unfixed>
- [buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported)
[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-304xx <unfixed>
[stretch] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
@@ -49811,7 +49812,7 @@ CVE-2020-5963 (NVIDIA Windows GPU Display Driver, all versions, contains a vulne
- nvidia-graphics-drivers-legacy-390xx 390.138-1 (bug #963908)
[buster] - nvidia-graphics-drivers-legacy-390xx 390.138-1~deb10u1
- nvidia-graphics-drivers-legacy-340xx <unfixed>
- [buster] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
+ [buster] - nvidia-graphics-drivers-legacy-340xx <ignored> (Non-free not supported)
[stretch] - nvidia-graphics-drivers-legacy-340xx <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-legacy-304xx <unfixed>
[stretch] - nvidia-graphics-drivers-legacy-304xx <no-dsa> (Non-free not supported)
@@ -55211,7 +55212,7 @@ CVE-2019-19925 (zipfileUpdate in ext/misc/zipfile.c in SQLite 3.30.1 mishandles
NOTE: https://github.com/sqlite/sqlite/commit/54d501092d88c0cf89bec4279951f548fb0b8618
CVE-2019-19924 (SQLite 3.30.1 mishandles certain parser-tree rewriting, related to exp ...)
- sqlite3 3.30.1+fossil191229-1
- [buster] - sqlite3 <no-dsa> (Minor issue)
+ [buster] - sqlite3 <ignored> (Minor issue)
[stretch] - sqlite3 <not-affected> (Vulnerable code introduced later)
[jessie] - sqlite3 <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/sqlite/sqlite/commit/8654186b0236d556aa85528c2573ee0b6ab71be3
@@ -73287,7 +73288,7 @@ CVE-2019-16371 (LogMeIn LastPass before 4.33.0 allows attackers to construct a c
NOT-FOR-US: LogMeIn LastPass
CVE-2019-16370 (The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algori ...)
- gradle <unfixed> (low; bug #941186)
- [buster] - gradle <no-dsa> (Minor issue)
+ [buster] - gradle <ignored> (Minor issue)
[stretch] - gradle <no-dsa> (Minor issue)
[jessie] - gradle <postponed> (Minor issue, old gradle mainly used for building Debian packages with apt signatures)
NOTE: https://github.com/gradle/gradle/commit/425b2b7a50cd84106a77cdf1ab665c89c6b14d2f
@@ -75775,12 +75776,12 @@ CVE-2019-15555 (FredReinink Wellness-app before 2019-06-19 allows SQL injection,
NOT-FOR-US: FredReinink Wellness-app
CVE-2019-15554 (An issue was discovered in the smallvec crate before 0.6.10 for Rust. ...)
- rust-smallvec 0.6.10-1
- [buster] - rust-smallvec <no-dsa> (Minor issue)
+ [buster] - rust-smallvec <ignored> (Minor issue)
NOTE: https://github.com/servo/rust-smallvec/issues/149
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0012.html
CVE-2019-15553 (An issue was discovered in the memoffset crate before 0.5.0 for Rust. ...)
- rust-memoffset 0.5.1-1 (bug #936025)
- [buster] - rust-memoffset <no-dsa> (Minor issue)
+ [buster] - rust-memoffset <ignored> (Minor issue)
NOTE: https://github.com/Gilnaa/memoffset/issues/9#issuecomment-505461490
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0011.html
CVE-2019-15552 (An issue was discovered in the libflate crate before 0.1.25 for Rust. ...)
@@ -75790,7 +75791,7 @@ CVE-2019-15552 (An issue was discovered in the libflate crate before 0.1.25 for
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0010.html
CVE-2019-15551 (An issue was discovered in the smallvec crate before 0.6.10 for Rust. ...)
- rust-smallvec 0.6.10-1
- [buster] - rust-smallvec <no-dsa> (Minor issue)
+ [buster] - rust-smallvec <ignored> (Minor issue)
NOTE: https://github.com/servo/rust-smallvec/issues/148
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0009.html
CVE-2019-15550 (An issue was discovered in the simd-json crate before 0.1.15 for Rust. ...)
@@ -76659,7 +76660,7 @@ CVE-2019-15238 (The cforms2 plugin before 15.0.2 for WordPress has CSRF related
NOT-FOR-US: Wordpress plugin
CVE-2019-15237 (Roundcube Webmail through 1.3.9 mishandles Punycode xn-- domain names, ...)
- roundcube <unfixed> (low; bug #949629)
- [buster] - roundcube <no-dsa> (Minor issue)
+ [buster] - roundcube <ignored> (Minor issue)
[stretch] - roundcube <no-dsa> (Minor issue)
NOTE: https://github.com/roundcube/roundcubemail/issues/6891
CVE-2019-15236
@@ -78237,11 +78238,11 @@ CVE-2019-14857 (A flaw was found in mod_auth_openidc before version 2.4.0.1. An
NOTE: https://groups.google.com/forum/#!topic/mod_auth_openidc/boy1Ba3Gdk4
CVE-2019-14855 (A flaw was found in the way certificate signatures could be forged usi ...)
- gnupg2 2.2.19-1 (low; bug #945859)
- [buster] - gnupg2 <no-dsa> (Minor issue)
+ [buster] - gnupg2 <ignored> (Minor issue)
[stretch] - gnupg2 <no-dsa> (Minor issue)
[jessie] - gnupg2 <ignored> (No backport to version << 2.2.x, low impact, danger of breaking things)
- gnupg1 <unfixed> (low)
- [buster] - gnupg1 <no-dsa> (Minor issue)
+ [buster] - gnupg1 <ignored> (Minor issue)
[stretch] - gnupg1 <no-dsa> (Minor issue)
- gnupg <removed> (low)
[jessie] - gnupg <ignored> (No backport to version << 2.2.x, low impact, danger of breaking things)
@@ -116086,9 +116087,9 @@ CVE-2019-2201 (In generate_jsimd_ycc_rgb_convert_neon of jsimd_arm64_neon.S, the
NOTE: https://android.googlesource.com/platform/external/libjpeg-turbo/+/d3db2a2634c422286f75c4b38af98837f3d2f0ff
NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/361
NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/2a9e3bd7430cfda1bc812d139e0609c6aca0b884
- NOTE: https://github.com/clearlinux-pkgs/libjpeg-turbo/commit/0a5d06c3dd4a64754d7e6ffa081fd9132714f74c
NOTE: The description text is wrong, this CVE is about gigapixel images not ARM NEON SIMD code.
NOTE: See https://bugs.gentoo.org/show_bug.cgi?id=699830#c12
+ NOTE: Followup fix for tjbench: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/c30b1e72dac76343ef9029833d1561de07d29bad
CVE-2019-2200 (In updatePermissions of PermissionManagerService.java, it may be possi ...)
NOT-FOR-US: Android
CVE-2019-2199 (In createSessionInternal of PackageInstallerService.java, there is a p ...)
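Review bot: this hunk is not triage: it drops the `NOTE: https://github.com/clearlinux-pkgs/libjpeg-turbo/commit/0a5d06c3...` reference and adds a followup-fix NOTE for tjbench, yet the commit message only says "buster triage". Either mention the libjpeg-turbo note change in the message or split it into its own commit so the removal of the clearlinux reference is findable in history; the upstream libjpeg-turbo commit and issue references above it remain in place, so the entry still points at the primary fix.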
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01469a67ff4a748679977d2e797242033ec93acd