[Git][security-tracker-team/security-tracker][master] 4 commits: add link for fix of CVE-2020-26870

Thorsten Alteholz alteholz at debian.org
Thu Oct 29 15:53:44 GMT 2020



Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2841d98f by Thorsten Alteholz at 2020-10-29T16:16:41+01:00
add link for fix of CVE-2020-26870

- - - - -
f237bbbc by Thorsten Alteholz at 2020-10-29T16:17:53+01:00
this CVE-2019-16728 will be fixed with the next upload

- - - - -
c2935a5c by Thorsten Alteholz at 2020-10-29T16:21:21+01:00
consistently fix libsndfile CVEs in all suites

- - - - -
f5dc715a by Thorsten Alteholz at 2020-10-29T16:53:30+01:00
Reserve DLA-2418-1 for libsndfile

- - - - -


2 changed files:

- data/CVE/list
- data/DLA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -2921,6 +2921,7 @@ CVE-2020-26871
 CVE-2020-26870 (Cure53 DOMPurify before 2.0.17 allows mutation XSS. This occurs becaus ...)
 	- dompurify.js <removed>
 	NOTE: https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/
+	NOTE: https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d
 CVE-2020-26869 (An information exposure vulnerability exists in PcVue 12, allowing a n ...)
 	NOT-FOR-US: PcVue
 CVE-2020-26868 (A Denial Of Service vulnerability exists in PcVue from version 8.10 on ...)
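Review bot: in the CVE-2020-26870 hunk the added `NOTE: https://github.com/cure53/DOMPurify/commit/02724b8eb048dd219d6725b05c3000936f11d62d` line is the upstream fix, but it carries no `Fixed by:` prefix; elsewhere in this file fix commits are written as `NOTE: Fixed by: https://github.com/.../commit/...` (see the CVE-2017-14634 and CVE-2017-6892 entries below), so consider the same prefix here to distinguish it from the advisory write-up link directly above it.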
@@ -75432,7 +75433,6 @@ CVE-2019-16730 (processCommandUpgrade() in libcommon.so in Petwant PF-103 firmwa
 	NOT-FOR-US: Petwant PF-103 and Petalk AI
 CVE-2019-16728 (DOMPurify before 2.0.1 allows XSS because of innerHTML mutation XSS (m ...)
 	- dompurify.js <removed>
-	[stretch] - dompurify.js <ignored> (Minor issue)
 	NOTE: https://research.securitum.com/dompurify-bypass-using-mxss/
 CVE-2019-16746 (An issue was discovered in net/wireless/nl80211.c in the Linux kernel  ...)
 	{DLA-2114-1 DLA-2068-1}
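Review bot: removing `[stretch] - dompurify.js <ignored> (Minor issue)` for CVE-2019-16728 leaves the stretch suite with no annotation at all, while the commit message only says a fix is coming with the next upload; unlike the libsndfile entries in this series, no DLA is reserved for dompurify.js in data/DLA/list, so until that upload and its DLA entry land the tracker will report stretch as vulnerable with nothing recording the planned fix. Consider reserving the DLA in the same change, as was done for libsndfile with DLA-2418-1.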
@@ -113445,7 +113445,6 @@ CVE-2019-3833 (Openwsman, versions up to and including 2.6.9, are vulnerable to
 CVE-2019-3832 (It was discovered the fix for CVE-2018-19758 (libsndfile) was not comp ...)
 	{DLA-1712-1}
 	- libsndfile 1.0.28-6 (bug #922372)
-	[stretch] - libsndfile <not-affected> (Incomplete fix for CVE-2018-19758 not applied)
 	NOTE: https://github.com/erikd/libsndfile/issues/456#issuecomment-463542436
 	NOTE: https://github.com/erikd/libsndfile/pull/460
 	NOTE: https://github.com/erikd/libsndfile/commit/6d7ce94c020cc720a6b28719d1a7879181790008
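Review bot: the dropped `[stretch] - libsndfile <not-affected> (Incomplete fix for CVE-2018-19758 not applied)` line documented why stretch was previously unaffected by CVE-2019-3832; now that CVE-2018-19758 is being fixed in stretch via DLA-2418-1, the completing fix for CVE-2019-3832 has to ship in the same upload, and DLA-2418-1 does list both CVEs. The dependency between the two fixes is no longer recorded anywhere after this removal, so consider keeping it as a NOTE line next to the existing upstream issue and pull request links.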
@@ -121382,7 +121381,6 @@ CVE-2018-19759 (There is a heap-based buffer over-read at stb_image_write.h (fun
 CVE-2018-19758 (There is a heap-based buffer over-read at wav.c in wav_write_header in ...)
 	{DLA-1632-1}
 	- libsndfile 1.0.28-5 (bug #917416)
-	[stretch] - libsndfile <ignored> (Minor issue)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1643812
 	NOTE: https://github.com/erikd/libsndfile/issues/435
 	NOTE: https://github.com/erikd/libsndfile/commit/42132c543358cee9f7c3e9e9b15bb6c1063a608e
@@ -121611,14 +121609,12 @@ CVE-2018-19663
 CVE-2018-19662 (An issue was discovered in libsndfile 1.0.28. There is a buffer over-r ...)
 	{DLA-1618-1}
 	- libsndfile 1.0.28-5 (low)
-	[stretch] - libsndfile <ignored> (Minor issue)
 	NOTE: https://github.com/erikd/libsndfile/issues/429
 	NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f
 	NOTE: similar to CVE-2017-17456/CVE-2017-17457 (but not duplicate)
 CVE-2018-19661 (An issue was discovered in libsndfile 1.0.28. There is a buffer over-r ...)
 	{DLA-1618-1}
 	- libsndfile 1.0.28-5 (low)
-	[stretch] - libsndfile <ignored> (Minor issue)
 	NOTE: https://github.com/erikd/libsndfile/issues/429
 	NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f
 	NOTE: similar to CVE-2017-17456/CVE-2017-17457 (but not duplicate)
@@ -187408,7 +187404,6 @@ CVE-2017-14650 (A Remote Code Execution vulnerability has been found in the Hord
 CVE-2017-14634 (In libsndfile 1.0.28, a divide-by-zero error exists in the function do ...)
 	{DLA-1618-1}
 	- libsndfile 1.0.28-5 (bug #876783)
-	[stretch] - libsndfile <ignored> (Minor issue)
 	[wheezy] - libsndfile <no-dsa> (Minor issue)
 	NOTE: https://github.com/erikd/libsndfile/issues/318
 	NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/85c877d5072866aadbe8ed0c3e0590fbb5e16788
@@ -188557,14 +188552,12 @@ CVE-2017-14247 (SQL Injection exists in the EyesOfNetwork web interface (aka eon
 CVE-2017-14246 (An out of bounds read in the function d2ulaw_array() in ulaw.c of libs ...)
 	{DLA-1618-1}
 	- libsndfile 1.0.28-5 (low; bug #876682)
-	[stretch] - libsndfile <ignored> (Minor issue)
 	[wheezy] - libsndfile <no-dsa> (Minor issue)
 	NOTE: https://github.com/erikd/libsndfile/issues/317
 	NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f
 CVE-2017-14245 (An out of bounds read in the function d2alaw_array() in alaw.c of libs ...)
 	{DLA-1618-1}
 	- libsndfile 1.0.28-5 (low; bug #876682)
-	[stretch] - libsndfile <ignored> (Minor issue)
 	[wheezy] - libsndfile <no-dsa> (Minor issue)
 	NOTE: https://github.com/erikd/libsndfile/issues/317
 	NOTE: https://github.com/erikd/libsndfile/commit/8ddc442d539ca775d80cdbc7af17a718634a743f
@@ -211325,7 +211318,6 @@ CVE-2017-6893
 CVE-2017-6892 (In libsndfile version 1.0.28, an error in the "aiff_read_chanmap()" fu ...)
 	{DLA-985-1}
 	- libsndfile 1.0.28-1 (bug #864704)
-	[stretch] - libsndfile <ignored> (Minor issue)
 	[jessie] - libsndfile <no-dsa> (Minor issue)
 	NOTE: Fixed by: https://github.com/erikd/libsndfile/commit/f833c53cb596e9e1792949f762e0b33661822748
 CVE-2017-6891 (Two errors in the "asn1_find_node()" function (lib/parser_aux.c) withi ...)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[29 Oct 2020] DLA-2418-1 libsndfile - security update
+	{CVE-2017-6892 CVE-2017-14245 CVE-2017-14246 CVE-2017-14634 CVE-2018-19661 CVE-2018-19662 CVE-2018-19758 CVE-2019-3832}
+	[stretch] - libsndfile 1.0.27-3+deb9u1
 [27 Oct 2020] DLA-2417-1 linux-4.19 - security update
 	{CVE-2020-12351 CVE-2020-12352 CVE-2020-25211 CVE-2020-25643 CVE-2020-25645}
 	[stretch] - linux-4.19 4.19.152-1~deb9u1
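Review bot: the CVE set in the new DLA-2418-1 entry matches the eight libsndfile CVEs whose `[stretch]` lines are removed from data/CVE/list in this same change (CVE-2017-6892, CVE-2017-14245, CVE-2017-14246, CVE-2017-14634, CVE-2018-19661, CVE-2018-19662, CVE-2018-19758, CVE-2019-3832), and the stretch version `libsndfile 1.0.27-3+deb9u1` follows the `+deb9uN` convention of the DLA-2417-1 entry below it, so the two files stay consistent. One thing to check before the upload: the old stretch note on CVE-2019-3832 said the CVE-2018-19758 fix was not applied there, so the 1.0.27-3+deb9u1 package needs both upstream commits linked in those CVE entries (42132c54... for CVE-2018-19758 and 6d7ce94c... for CVE-2019-3832), not only the original one.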



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ac158ec0242194c38ac6337d99f3af702ffe63df...f5dc715ad56733f8ca16c467ba0d870b1c393bf6
