[Git][security-tracker-team/security-tracker][master] buster triage

Moritz Muehlenhoff jmm at debian.org
Mon Oct 12 18:46:34 BST 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
116f39de by Moritz Muehlenhoff at 2020-10-12T19:45:22+02:00
buster triage
reviewed the status of some old issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1769,6 +1769,7 @@ CVE-2020-26116 (http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.
 	- python3.9 3.9.0~b5-1
 	- python3.8 3.8.5-1
 	- python3.7 <removed>
+	[buster] - python3.7 <no-dsa> (Minor issue)
 	- python3.5 <removed>
 	NOTE: https://bugs.python.org/issue39603
 	NOTE: https://python-security.readthedocs.io/vuln/http-header-injection-method.html
@@ -2606,6 +2607,7 @@ CVE-2020-25740
 CVE-2020-25739 (An issue was discovered in the gon gem before gon-6.4.0 for Ruby. Mult ...)
 	{DLA-2380-1}
 	- ruby-gon <unfixed> (bug #970938)
+	[buster] - ruby-gon <no-dsa> (Minor issue)
 	NOTE: https://github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7
 CVE-2020-25738
 	RESERVED
@@ -2825,6 +2827,7 @@ CVE-2020-25638
 CVE-2020-25637 (A double free memory issue was found to occur in the libvirt API, in v ...)
 	{DLA-2395-1}
 	- libvirt <unfixed> (bug #971555)
+	[buster] - libvirt <no-dsa> (Minor issue)
 	NOTE: Introduced by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=0977b8aa071de550e1a013d35e2c72615e65d520 (v1.2.14-rc1)
 	NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=955029bd0ad7ef96000f529ac38204a8f4a96401 (v6.8.0)
 	NOTE: Fixed by: https://libvirt.org/git/?p=libvirt.git;a=commit;h=50864dcda191eb35732dbd80fb6ca251a6bba923 (v6.8.0)
@@ -22336,11 +22339,13 @@ CVE-2020-16122
 	RESERVED
 	{DLA-2399-1}
 	- packagekit <unfixed>
+	[buster] - packagekit <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1882098
 CVE-2020-16121
 	RESERVED
 	{DLA-2399-1}
 	- packagekit <unfixed>
+	[buster] - packagekit <no-dsa> (Minor issue)
 	NOTE: https://bugs.launchpad.net/ubuntu/+source/packagekit/+bug/1888887
 CVE-2020-16120
 	RESERVED
@@ -46935,6 +46940,7 @@ CVE-2020-7070 (In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x
 	{DLA-2397-1}
 	- php7.4 7.4.11-1
 	- php7.3 <removed>
+	[buster] - php7.3 <postponed> (Minor issue, likely to introduce tegressions, wait for one more 7.3 upstream release)
 	- php7.0 <removed>
 	NOTE: Fixed in PHP 7.4.11, 7.3.23, 7.2.34
 	NOTE: PHP Bug: https://bugs.php.net/79699
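Review bot: the added `[buster] - php7.3 <postponed>` line has a typo in its reason text, "tegressions" should be "regressions"; since the reason field is shown on the tracker pages, suggest correcting it to `(Minor issue, likely to introduce regressions, wait for one more 7.3 upstream release)`.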
@@ -46942,8 +46948,7 @@ CVE-2020-7070 (In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x
 CVE-2020-7069 (In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below ...)
 	- php7.4 7.4.11-1
 	- php7.3 <removed>
-	- php7.0 <removed>
-	[stretch] - php7.0 <not-affected> (Affected code not present)
+	- php7.0 <not-affected> (Affected code not present)
 	NOTE: Fixed in PHP 7.4.11, 7.3.23, 7.2.34
 	NOTE: PHP Bug: https://bugs.php.net/79601
 	NOTE: https://git.php.net/?p=php-src.git;a=commit;h=0216630ea2815a5789a24279a1211ac398d4de79
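Review bot: the php7.0 entry is changed from `<removed>` plus a `[stretch]` not-affected tag to an unconditional `- php7.0 <not-affected> (Affected code not present)`, which also covers any other release still carrying php7.0; the sibling CVE-2020-7070 entry in the hunk above keeps `- php7.0 <removed>` with no annotation even though both CVEs share the same affected-version range, so it is worth confirming that the "Affected code not present" finding is specific to PHP bug 79601 and does not apply to bug 79699 as well.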
@@ -51686,12 +51691,14 @@ CVE-2020-5218 (Affected versions of Sylius give attackers the ability to switch
 	NOT-FOR-US: Sylius
 CVE-2020-5217 (In Secure Headers (RubyGem secure_headers), a directive injection vuln ...)
 	- ruby-secure-headers 6.3.1-1 (bug #949999)
+	[buster] - ruby-secure-headers <no-dsa> (Minor issue)
 	NOTE: https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
 	NOTE: https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3
 	NOTE: https://github.com/twitter/secure_headers/issues/418
 	NOTE: https://github.com/twitter/secure_headers/pull/421
 CVE-2020-5216 (In Secure Headers (RubyGem secure_headers), a directive injection vuln ...)
 	- ruby-secure-headers 6.3.1-1 (bug #949998)
+	[buster] - ruby-secure-headers <no-dsa> (Minor issue)
 	NOTE: https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg
 	NOTE: https://github.com/twitter/secure_headers/commit/301695706f6a70517c2a90c6ef9b32178440a2d0
 CVE-2020-5215 (In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Pytho ...)
@@ -129333,8 +129340,9 @@ CVE-2018-16849 (A flaw was found in openstack-mistral. By manipulating the SSH p
 	[stretch] - mistral 3.0.0-4+deb9u1
 	NOTE: https://bugs.launchpad.net/mistral/+bug/1783708
 CVE-2018-16848 (A Denial of Service (DoS) condition is possible in OpenStack Mistral i ...)
-	- mistral <undetermined>
+	- mistral 10.0.0~rc1-2
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1645332
+	NOTE: https://bugs.launchpad.net/mistral/%2Bbug/1785657
 CVE-2018-16847 (An OOB heap buffer r/w access issue was found in the NVM Express Contr ...)
 	- qemu 1:3.1+dfsg-1 (bug #912655)
 	[stretch] - qemu <not-affected> (support for Controller Memory Buffers added later)
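Review bot: the added NOTE URL `https://bugs.launchpad.net/mistral/%2Bbug/1785657` percent-encodes the plus sign, while every other Launchpad reference in this file (including `+bug/1783708` two entries above and the packagekit links earlier in the patch) uses a literal `+bug/`; suggest `NOTE: https://bugs.launchpad.net/mistral/+bug/1785657` for consistency and so the link matches the form tooling and readers expect. Also, the entry goes from `<undetermined>` straight to a fixed version without any release annotation, whereas the neighbouring CVE-2018-16849 carries a `[stretch]` line; a short note on how the fix was identified (the Launchpad bug or the upstream commit) would make the status easier to re-verify.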
@@ -139479,7 +139487,6 @@ CVE-2018-12888
 CVE-2018-12887
 	RESERVED
 CVE-2018-12886 (stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in fu ...)
-	- gcc-snapshot <unfixed>
 	- gcc-8 <unfixed>
 	[buster] - gcc-8 <ignored> (Too intrusive to backport)
 	- gcc-7 <unfixed>
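Review bot: `- gcc-snapshot <unfixed>` is dropped without a replacement fixed version or a NOTE, and the commit message only says old issues were reviewed; since gcc-8 and gcc-7 remain `<unfixed>` for the same stack-protector issue, suggest either recording the gcc-snapshot version that contains the fix or adding a NOTE explaining why gcc-snapshot is no longer tracked here, so the next triager can tell a deliberate removal from an accidental one.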
@@ -150745,9 +150752,7 @@ CVE-2018-8833 (Heap-based buffer overflow vulnerabilities in Advantech WebAccess
 CVE-2018-8832 (enhavo 0.4.0 has XSS via a user-group that contains executable JavaScr ...)
 	NOT-FOR-US: enhavo
 CVE-2018-8831 (A Persistent XSS vulnerability exists in Kodi (formerly XBMC) through  ...)
-	- kodi <unfixed> (low)
-	[buster] - kodi <ignored> (Minor issue)
-	[stretch] - kodi <ignored> (Minor issue)
+	- kodi <not-affected> (Chorus not included in Kodi as shipped in Debian)
 	- xbmc <removed>
 	[jessie] - xbmc <no-dsa> (Minor issue)
 	[wheezy] - xbmc <no-dsa> (Minor issue)
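Review bot: replacing the `(low)` entry and the buster/stretch `<ignored>` tags with a single `- kodi <not-affected> (Chorus not included in Kodi as shipped in Debian)` is consistent, but the reason relies on a packaging fact that is not visible in the tracker; suggest a NOTE pointing at where the Chorus web interface is excluded from the Debian source (for example the relevant debian/ packaging file) so the not-affected status can be rechecked if the packaging changes. The xbmc lines below keep their `<no-dsa>` tags, which is fine only if xbmc in jessie/wheezy did ship the affected web interface; worth confirming that this was considered.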
@@ -154067,9 +154072,8 @@ CVE-2018-7579 (\application\admin\controller\update_urls.class.php in YzmCMS 3.6
 CVE-2018-7578
 	RESERVED
 CVE-2018-7577 (Memcpy parameter overlap in Google Snappy library 1.1.4, as used in Go ...)
-	- snappy <undetermined>
+	- tensorflow <itp> (bug #804612)
 	NOTE: https://github.com/tensorflow/tensorflow/blob/master/tensorflow/security/advisory/tfsa-2018-005.md
-	NOTE: There are no useful details, could just as well be a misuse of snappy by Tensorflow
 CVE-2018-7576 (Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Deref ...)
 	- tensorflow <itp> (bug #804612)
 CVE-2018-7575 (Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow v ...)
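Review bot: reassigning the entry from `snappy <undetermined>` to `tensorflow <itp>` also deletes the NOTE that explained the uncertainty ("could just as well be a misuse of snappy by Tensorflow"); suggest keeping a one-line NOTE with the rationale for the reattribution (for instance that the TFSA-2018-005 advisory treats it as a TensorFlow issue), since the CVE description still names the Snappy library and a future triager may otherwise reopen the question against snappy.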
@@ -202334,8 +202338,7 @@ CVE-2017-8762 (GeniXCMS 1.0.2 has XSS triggered by an authenticated user who sub
 	NOT-FOR-US: GenixCMS
 CVE-2017-8761 [Swift tempurl middleware reveals signatures in the logfiles]
 	RESERVED
-	- swift <unfixed>
-	[buster] - swift <no-dsa> (Minor issue)
+	- swift 2.17.0-2
 	[stretch] - swift <no-dsa> (Minor issue)
 	[jessie] - swift <end-of-life> (Not supported in Jessie LTS)
 	NOTE: https://bugs.launchpad.net/swift/+bug/1685798



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/116f39deb878e8f3e0f104a828b01af22df712c3
